It all started with me hunting for a point and shoot camera for my mother. To be frank , any camera with no hassles & fair performance would have qualified and I was personally looking for Nikon L26; but since it was deemed out-dated by Nikon itself, I hopped in for Nikon L27 violet colour camera. Now, to be frank I never wanted to go out of Flipkart/Infibeam since they have stood the test of time with me, but somehow I ordered it from another popular online portal Snapdeal.com & there the things start to get interesting. For starters, I never received any email of purchase confirmation, I thought it might have landed in junk/spam folder but hell no. I double checked my email filters, searched every label but nopes..zilch..nada..I simply didn't get any email receipt of purchase from Snapdeal. It was the first omen of a Bad Deal (aka Snapdeal) . Thankfully I didn't closed my browser windows, I was lucky to take the snapshot of transaction , noted down the transaction id from my bank statement , drank a glass of water & wiped away the sweat that scorching Delhi summer delightfully gave me.
5 minutes later I received an SMS from Snapdeal regarding my order number, I matched it with my snapshot, went online again and found after providing my details, the estimated shipping date was 20th May 2013.
I tried to login into Snapdeal and found that since I created an account long time ago (when Snapdeal was not into store business and was into deals business) , I didn't actually remembered its password. I tried to reset it, but received *NO EMAIL* from Snapdeal. Now that was alarming, I was not able to reset my password, not able to get an email receipt and I was not very sure about the delivering capability of Snapdeal (quick search on mouthshut.com was quite revealing).
Immediately I called customer care (+91-92126-92126) , after hearing to whistles and caller tune for 5 minutes (yes, *5 minutes*) , my call was picked. I explained to CCE -
- I am not getting email from Snapdeal.
- I did not received an receipt.
- I am unable to reset my password.
- What is the status of my order as of now and by what time will it get delivered.
- He can not reset password nor help me in any regards in account or email issue.
- My order was under processing and he can not provide an estimated delivery date.
Also, I logged into Snapdeal via FB authentication and was still not able to reset the password.
That was on 15th May 2013.
Now ,to be frank I have never ordered anything from Snapdeal before, one of my friends (Gurpreet Singh) had once ordered some stuff from it , but he warned me about Snapdeal's performance issues after I placed the order.
While I was gleefully cursing him "Saaley pehle kyu nahi bataya !!" , he reassured me that they are slow but they atleast deliver the goods.
"Also, shipping date is 20th,you might be getting goods before that in your hands", he finished gulping his last glass of lassi.
Nervously I reassured myself and crossed my fingers. Who knows, It wasn't for me, it was for my Mom and I wanted to get it delivered on a timely manner.
17th May came and status was still "processing" on the website. Furthermore I tried calling to customer care thrice with no one responding on the number. They also hanged up on me on one occasion without CCE interaction.
Now I was getting a bit angry. 18th May, it was Saturday noon and order was still under processing. I tweeted to Snapdeal
No response from Snapdeal as of now. Also, I sent the email to Snapdeal helpdesk (help@snapdeal.com)
Team,You guessed it right, no response from Snapdeal.
I bought Nikon Coolpix L27 16MP Point & Shoot Digital Camera (Purple) Order Number 994202497 Item code 1333471211, its been 3 days but I have NOT received the email reciept of order. Further more I am not able to verify my snapdeal account as I am not getting any emails from Snapdeal regarding verification and order.
I have looked into SPAM/JUNK folder to no avail. I mentioned the same to customer care on 9212692126 but they were helpless.
Furthermore, Why is it so much delay in processing the order ? 3 days and its still processing. Whats the bottleneck in it ? I never had such slow response from any of online retailers I have used ?
Please get back to me on the double.
On 20th May I shot another one.
Dear Team,
Still awaiting your response. Its quite incredulous that I am following up for an email response which should have been your duty . Its 20th may and the product page still shows shipping date of 20th May with no update. I had a word with CCE Maninder Sandhu (yeah I got lucky, finally your customer care picked the call) for an update on the order but then he himself was helpless regarding the same.
Its pathetic how you are keeping the money interest free without giving any proactive updates on the status of order and keeping customer completely blind on it.
Nevertheless, I will be waiting till 21 May on an update for a fair chance. After that , I will be cancelling the order and will be filing for a refund.
Regards
Seriously, I could have posted call records but then I think it would have been a bit overkill. But then, if they could record our calls for "quality & training purposes" then why cant we use them for some real "quality" purposes ?
I had no idea what was going on, at least an email response would have sufficed. We live in a country where consumer is hailed as king, I have no complains with late deliveries, I am actually angry with no/diminutive response from Snapdeal team. I have paid for an item first rate , online , in single transaction with no dues pending , no instalments and they are keeping my money interest free , processing it according to their whims and are providing no reasons for delay. Furthermore, response time is pathetic, I got the reply from Snapdeal on Facebook page / Twitter , 2 days later, & that too that they are looking into it and order will be shipped today.
Also, a quick look on their FB page reveals that I am not the only one frustrated from Snapdeal, see the below image or click the mentioned link.
Later, I got an SMS from Snapdeal that order has been delayed.
But the online portal is still showing that order is under processing and I really dont know what information to trust.
I was also not able to cancel my order as I CANT REACH TO CUSTOMER CARE AND I AM NOT SURE IF MY EMAILS ARE EVEN READ. As per Snapdeal's guidelines, they can choose to accept or deny my request of cancelling the order based on their convenience and understanding of situation.
If you cant read it, to quote Snapdeal (Trust me, its an amusing read)
10.2 Cancellation by the User: In case of requests for order cancellations, Snapdeal reserves the right to accept or reject requests for order cancellations for any reason whatsoever. As part of usual business practice, if Snapdeal receives a cancellation notice and the order has not been processed/ approved by Snapdeal, Snapdeal shall cancel the order and refund the entire amount to You within a reasonable period of time. Snapdeal will not be able to cancel orders that have already been processed. Snapdeal has the full right to decide whether an order has been processed or not. You agree not to dispute the decision made by Snapdeal and accept Snapdeal's decision regarding the cancellation.Very cute .
Bet I would have called Snapdeal for cancellation and they would have cancelled my request because they “had processed my order” .. and because its written in clause 10.2 .
As of now, summing up my entire experience on Snapdeal echoes the following problems again and again -
- Lack of proper communication to customer.
- Unresponsive support &
- Broken implementation of information systems.
As of now, I haven't got any response on my tweet to Snapdeal
Another call to CCE Maninder Sandhu (I just got lucky) was fruitless although he was a nice chap and was trying to help.
Lessons learnt :
- I wont be shopping from Snapdeal again, thats for sure, unless they make some really radical changes in their system.
- Wont be ordering from my hard earned money from portals that are pathetic.
Meanwhile, I am still waiting for my camera to be delivered .. : (
(6 Days at the time of writing ) and counting..
Update 21 May 2013 6.04 PM IST :
To top it off as of now -
- Still estimated shipping time on webpage is showing 20th May, but it has been updated that tracking number will be available in 12 hours, so I actually dont know what is the correct update.
- Snapdeal_help on twitter promised a a shipping by today but to no avail . They actually update my Mother and not me regarding that, but alas, its still showing pending.
- According to CCE Akash, package is ready for courier and will be shipped by tomorrow first half. One more date..Lets see how it goes.
- Snapdeal FB page removed the negative comments, however you can see them in the picture which is given above.
Update 21 May 2013 7.00 PM IST :
Got a call from Snapdeal Okhla Office from Monika , provided courier tracking number and apologized for delay, I thanked her. Also, as per her, the tracking number will be active within 12 - 48 hours, I promptly checked the 11 digit tracking number which was not active on Courier service (Bluedart) page. She might be right. Will check it tomorrow morning.
Update 22 May 2013 6 PM IST :
AS of now, Snapdeal has *FINALLY* shipped my order (YAY!!) . But again, it has been delayed by Courier Service. As of now, I was in talks with Assistant Mgr at Courier service who was quite helpful and said the product will be delivered by tomorrow. All I hope it is a functional one as this long delay has shaken my already non existent faith in Snapdeal.
Update 23 May 2013 6 PM IST :
Finally, after numerous delays, Order was delivered. The bottomline ? Well, the issue was already escalated at Snapdeal end , the pity was that when I checked at support.snapdeal.com , my ticket was not updated in 3-4 days, and one was closed with remark that customer (thats me) was not reachable. Excellent, it was only when I started escalating the matter on online and social platforms, they came into action and hasted the matter. Still its 8 days, which is well beyond the norms of a normal e-comm site.
I am glad it all ended well. Mom got the camera and I got to see the inner workings of an e-comm site.
Update 22 May 2013 6 PM IST :
AS of now, Snapdeal has *FINALLY* shipped my order (YAY!!) . But again, it has been delayed by Courier Service. As of now, I was in talks with Assistant Mgr at Courier service who was quite helpful and said the product will be delivered by tomorrow. All I hope it is a functional one as this long delay has shaken my already non existent faith in Snapdeal.
Update 23 May 2013 6 PM IST :
Finally, after numerous delays, Order was delivered. The bottomline ? Well, the issue was already escalated at Snapdeal end , the pity was that when I checked at support.snapdeal.com , my ticket was not updated in 3-4 days, and one was closed with remark that customer (thats me) was not reachable. Excellent, it was only when I started escalating the matter on online and social platforms, they came into action and hasted the matter. Still its 8 days, which is well beyond the norms of a normal e-comm site.
I am glad it all ended well. Mom got the camera and I got to see the inner workings of an e-comm site.
I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half baked security crescendo. Until recently, I was contacted by amiable folks at Infosec Institute with a good article on Anti Debugging. This is an article by Dejan Lukan, a security researcher at Infosec Institute, in which he discusses the Anti Debugging techniques in an objective and direct manner. I loved the implementation part, reminded me of my rev days (you can learn about how to reverse Winrar or just have a look at a real noobs guide to reverse some more stuff) , and more importantly Dejan explains how to stop (read : slow down) people from reversing your code. Hope you will enjoy it.
Before we begin, we must mention that it’s impossible to
completely prevent reversing. What is possible is that we can place as many
obstacles on the way as we want to make the process slow enough that reverse
engineers will give up. Actually there are hardware implementations where you
can buy a black box that attaches to your computer which can do the encryption/decryption
for you, but this is far from being used in everyday life.
Techniques to Harden Reverse Engineering
The most basic approaches to harden the reverse engineering of
programs are the following [1]:
- Eliminating Symbolic Information
- Obfuscating the Program
- Embedding Antidebugger Code
This can easily be done in C/C++ programs where we only have to
append a few compiler flags to the command line that actually compiles the
program into the executable. It’s much harder with programming languages like
Java and .NET, where those symbols are used internally to reference variables,
functions, etc. This is also the reason why Java and .NET programs can easily
be converted into a pretty good source code of the original program. We can
still strip the symbols from such programs by renaming all the symbols from
their meaningful names into meaningless representations, which effectively does
the job.
Besides stripping the executable symbols, we can also obfuscate
the program. When obfuscating a program, we’re basically changing the code of
the program without actually changing the logic behind it, so the program does
the same as before but its code is far less readable. Here we have two
techniques that can achieve that:
- Encoding: With encoding, we must add the decoding instructions that decode the whole program before it’s being run. This can be done by appending the decoding instruction at the end of the program and changing the entry point to point to the decoding instructions. When the program is run, the decoding instructions are executed first, which decodes the whole program into its original form. After that, we must jump to the start of the program and actually run the original instructions as if the encoding didn’t even happen.
- Packing: When packing the executable, we’re basically reducing the size of the executable as well as encrypting it. When such a program is run, it must first be decoded in memory and then run.
- By obfuscating the program with nonstandard encoders/packers, we can greatly complicate the task of reverse engineering the executable, but at the end, a persistent reverse engineer will nevertheless be able to bypass that and get the non-obfuscated version of the executable, which can easily be reversed.
Last but not least, we can use an antidebugger code, where we
can include a code into the executable that can detect if the program is
currently being debugged. If that happens, the program terminates itself
prematurely without actually executing the functions that would normally be
executed if it wasn’t running under a debugger.
Antidebugging
Before discussing how anti-debugging tricks do their magic, we
must first talk about how the debugger is able to debug the program. We know
that we can stop and resume the program with the use of either software or
hardware breakpoints.
When using software breakpoints, we’re replacing the instruction
on which we’ve set the breakpoint with the INT 3 instruction (at least on the
x86 architecture), which is a special software interrupt. In this case, we’re
passing the value 3 to the instruction INT, which means that we’re generating
the software interrupt 3. This causes the function pointed to by the 3rd vector
in the interrupt address table (IAT) to be executed. I guess we’re all familiar
with the INT 80 interrupt that makes a system call on Linux systems.
The INT 3 instruction temporarily replaces the current
instruction in a running program. This is also a way for the debugger to know
that a software breakpoint has occurred and the program execution should be
stopped. After that, the debugger replaces the INT 3 instruction with the
original instruction so the program can continue without the loss of
instructions, which can otherwise cause abnormal program behavior.
When we use a hardware breakpoint, it’s the processor’s job to
know when the breakpoint has been hit and the program has to be stopped. This
is why the program is not modified when a hardware breakpoint is set.
When the breakpoint is hit, the program is stopped and we can
safely execute instructions in our favorite debugger. At that point, we can run
instructions step-by-step by entering into functions, or by executing them the
same time. If we’re interested in what the function does, we need to enter into
the function; otherwise we can safely ignore the function and step over it.
When stepping through the code, each instruction is executed on its own and
then the program is again stopped, so we’re able to analyze what the
instruction has just done.
When stepping through the code with a debugger, the Trap Flag (TF) in the EFLAGS register is used. When the TF is enabled, an interrupt will be generated after every executed instruction, so we get the feeling of stepping though the program instruction by instruction.
IsDebuggerPresent
The IsDebuggerPresent is a Windows API function, which we can
see on the picture below:
The function doesn’t take any arguments and returns a Boolean
value notifying us whether the program is running under a debugger or not. This
function can be used to trivially detect whether a debugger is being used to
run the program. The function uses the Process Environment Block (PEB) to get
information about whether the user-mode debugger is used.
Let’s create a simple program that prints the number 0 or 1 if
the debugger is present or not. We can do that by first creating an empty
console project under Visual Studio C++ and then changing the code of the main
cpp file into the following:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
|
//
isdebuggerpresent.cpp : Defines the entry point for the console application.
//
#include
"stdafx.h"
#include
<stdio.h>
#include
<Windows.h>
int _tmain(int argc,
_TCHAR* argv[])
{
int
num;
if(IsDebuggerPresent())
{
num
= 0;
}
else
{
num
= 1;
}
printf("Number:
%d\n", num);
/*
wait */
getchar();
return
0;
}
|
The program prints “Number: 0″ if the debugger is present and “Number: 1″ if the debugger is not. If we run the application under Visual Studio, the program will display the number 0 because it’s being run under a debugger. This can be seen on the picture below:
Let’s also run the program under OllyDbg to be sure that the
number 0 is displayed. This can be quickly confirmed by loading the executable
program and running it. On the picture below, we can see that the number 0 was
printed when the program was run under OllyDbg debugger:
But if we run the same program under normal cmd.exe, it will
display the number 1. This can be seen on the picture below:
We can see that the IsDebuggerPresent API function call works as
expected, but that the function call is easy to detect and bypass. This is
because we can quickly find this function call in the executable and delete it
or bypass it. To do this, we can simply open the executable in Ida debugger and
check out the Imports table to verify if that function exists somewhere in
there. We’re right, the function IsDebuggerPresent is listed among all the
imported functions as we can see on the picture below:
This is a clear indication that the executable is using the
function to do something different when the debugger is attached to the
executable. We can also locate the exact instructions that are used to call
that function. The whole Ida graph of the main function that does exactly the
same as the main function from the C++ source code above is presented on the
picture below:
We can see that, at first, we’re initializing the stack for the
function and calling the IsDebuggerPresent function. After that, we’re testing
the returned value in eax against itself to determine whether a true or false
value was returned. If the eax holds a value different than 0 (1 in our case),
then the zero flag will be set and the first box that sets the [ebp+num] to 0
is called. This is exactly what happens now, because we’re running the program
under a debugger, but otherwise the block that sets the [ebp+num] to 1 is
called. After that, we’re just moving the value of [ebp+num] into the register
eax and printing it with the printf function.
If we now set the breakpoint on the call to the
IsDebuggerPresent function and rerun the program, the execution will be stopped
right where we want it. After the breakpoint has been hit, we can step into the
function to see what the function actually does. On the picture below, we can
see the function in question:
We can see that the function is pretty simple: we’re loading the
address of the currently active thread (TIB) in the register eax and then accessing
the structure member that’s located at the 0×30 offset; the PEB data structures
lies at that offset. After that, we’re loading the address of PEB in eax and
then accessing its data member at 0×2 offset, which holds the data member
named BeingDebugged. Thus, we’ve successfully taken a look at what
the IsDebuggerPresent function actually does and how it does it. We can see
that it’s very simple and not really hard to bypass.
We can determine that IsDebuggerPresent is being used when we
try to reverse engineer an executable and the program terminates prematurely, a
different execution path is taken, or something else unexpected happens. In
such cases, we must first check the Imports table if the IsDebuggerPresent
function is being called anywhere in the executable. If that is the case, we
can simply delete the instructions that call the IsDebuggerPresent function
call, so it won’t bother us when reversing the executable.
On the other hand, if we’re developing a program and we would
like to use the IsDebuggerPresent function call, we can copy the above
instructions directly into our code, so that we’re not actually calling the
IsDebuggerPresent function directly, but using its function body instructions
to figure out whether the debugger is being used to run the executable. This is
just another trick so that reverse engineers won’t immediately notice the use
of IsDebuggerPresent function call and will make the debugging slightly more
complicated.
Conclusion
For a deeper understanding of reverse engineering, check out the
reverse engineeringtraining course offered by the InfoSec Institute. In this article we’ve
seen a few techniques to harden the reverse engineering process. The technique
easiest to bypass is symbol elimination where we have to delete all the symbols
presented in the executable. This effectively makes the names of the functions
unavailable when debugging, which leaves it up to the debugger to properly name
the functions. Another technique is program obfuscation, which can be a pretty
simple operation like xoring the whole executable then running it, but it can
also be pretty complicated. Things get further complicated if we’re using
obfuscation with the anti-reversing techniques, which detects if the program is
being reversed and terminates the program prematurely if so, greatly hardening
the reverse engineering of the executable.
References:
[1]: Reversing: Secrets of Reverse Engineering, Eldad Eilam.
Simulating CISCO ASA 8.4 on GNS3, on Ubuntu is a pain in the ass. Countless QEMU errors ,203 errors, results with no output on console and many more hair-pulling skull bashing events that *will* make you scratch your head and you will be motivated to buy an ASA for your personal use.
But fear not weary travelers if you have reached at this point of web while surfing (read:hunting) for your share of ASA & firewall stuff, you are right at home. Today I will be providing a step by step almost error free guide of simulating ASA, and fret not, this has been tested on more than 5 platforms with zero error rate (and that included machines of different platform - i386,x86_64; and different flavors of Fedora/Ubuntu).
Never-mind, my machine as of now is an amd64 E350 based HP dm1 3210 Laptop with 4 GB ram. Its a pretty under powered PC for running GNS3 (as compared to dedicated rigs I have seen, however I can run IOU & NX-OS Titanium over it and it balances every known equation for me) but it does the job with some tweaking and the result is very satisfactory.
Coming to the point, you will be needing -
Well this is simple, just type the commands and it will install safely. Make sure you dont have GNS3 installed previously else you might face some issues. Please note I am using compiling GNS3 for my 64 bit OS, however it should work for 32 but laptops too, make sure you choose correct version of dynamips from GNS3 website.
Step 2 - Compiling and Patching QEMU
This is the second most crucial step, do as instructed, by the time you are finished, you will be presented with a stable installation of patched Qemu. Make sure NO previous installation of Qemu in installed on your machine.
Step 3 - Preliminary Configuration
In general settings of GNS3, you will find Qemuwrapper is already configured, double check Qemu & Qemu-img path here, it should be the same as mentioned in "which" command output or better if you have placed the same it in GNS3 folder
Also, Set ASA options as
make sure your configuration looks like this
When done, its execution time follks :)
Step 4 - Running it.
Well..it will look like this.
You can also check the ps output of Qemu (quick and dirty output here..nothing flashy)
Miscellaneous Errors , which you *just might* encounter and how to deal with them.
If you followed my steps, I dont think you will encounter any errors, but for the sake of completeness, I am including the most basic errors which you might get.
"qemuwrapper path doesn't exist"
This one is a classic one. With proper GNS3 0.8.3x installation, you will *not* encounter it. If you are running classic 0.7.x build, God save you. Even if you have 0.8.3.x & still get this error , find Qemuwrapper (it will be there in one of GNS3 source folders) and select it, save it. Error gone. Make sure permissions are correct.
"203-Bad number of parameters (5 with min/max=6/6)"
Upgrade your GNS from 0.7x.x to 0.8.3, if you are following this guide, you should not get this error.
"You are running an old and unpatched version of qemu"
Now here things get interesting. In one case I installed Qemu before installing GNS3 and I got this error quite frequently. I uninstalled Qemu, cleared my /tmp & I then first installed GNS3 and then installed Qemu after configuring GNS3 fully (except the Qemu part that is) . Did a sudo make install for Qemu and restarted my laptop. Please note I am using Qemu 0.11
Ran GNS3 and tada..
This error will be rectified.
"You must use 'manual mode' to connect a link with a xyz module"
Simple as hell, use manual mode..duh..
"QEMU boots but no ASA boot output on console"
Use correct QEMU binary, no Qemu_i386 / Qemu_x86_64. Use only correctly patched Qemu 0.11 binary in GNS3 like previously specified.
In all cases, all errors are either will be some permutation or combination of the mentioned ones. Well , it summarizes my post on running ASA, hope it will help you.
Rishabh Dangwal
 |
| Yes folks..You will be running this..or a cousin of it. |
NOTE: I love linux but I hate Ubuntu, for my own personal reasons. I am a fedora guy & I love debian, but I hate Ubuntu.
Why I didnt covered this guide for Fedora as Fedora guys will figure out how to do it anyways :P , its Ubuntu ones who were facing maximum issues (just google it) and hence I wanted to cover a guide for it. Jokes aside, I intend to cover the subjected issue as I faced multiple issue myself.
Never-mind, my machine as of now is an amd64 E350 based HP dm1 3210 Laptop with 4 GB ram. Its a pretty under powered PC for running GNS3 (as compared to dedicated rigs I have seen, however I can run IOU & NX-OS Titanium over it and it balances every known equation for me) but it does the job with some tweaking and the result is very satisfactory.
Coming to the point, you will be needing -
- A laptop/desktop
- Any Ubuntu flavor installed (I use backbox, its better than backtrack)
- ASA 8.4.x files (initrd and kernel files, if you are reading this article, I know you have them)
- Patience.
Well this is simple, just type the commands and it will install safely. Make sure you dont have GNS3 installed previously else you might face some issues. Please note I am using compiling GNS3 for my 64 bit OS, however it should work for 32 but laptops too, make sure you choose correct version of dynamips from GNS3 website.
rishabh@xion$cd /optCheck if its installed by opening a terminal window and running GNS3. If it went well, proceed to next step.
rishabh@xion$sudo mkdir GNS3
rishabh@xi0n:/opt$ wget http://sourceforge.net/projects/gns-3/files/GNS3/0.8.3.1/GNS3-0.8.3.1-src.tar.gz
rishabh@xi0n:/opt$ unzip GNS3-0.8.3.1-src.zip
rishabh@xi0n:/opt$ sudo mv -f /GNS3-0.8.3.1-src/* /opt/GNS3
rishabh@xi0n:/opt$ sudo chmod 777 GNS3
rishabh@xi0n:/opt$ cd GNS3
rishabh@xi0n:/opt/GNS3$ sudo mkdir Dynamips Images Project Cache tmp
rishabh@xi0n:/opt/GNS3$ sudo chmod 777 Dynamips/ Images/ Project/ Cache/ tmp/
rishabh@xi0n:/opt/GNS3/Dynamips$ cd Dynamips/
rishabh@xi0n:/opt/GNS3/Dynamips$ http://sourceforge.net/projects/gns-3/files/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86_64.bin
rishabh@xi0n:/opt/GNS3/Dynamips$ export PATH=$PATH:/opt/GNS3/GNS3-0.8.3.1-src/
Step 2 - Compiling and Patching QEMU
This is the second most crucial step, do as instructed, by the time you are finished, you will be presented with a stable installation of patched Qemu. Make sure NO previous installation of Qemu in installed on your machine.
rishabh@xion:/opt/GNS3$ wget http://download.savannah.gnu.org/releases/qemu/qemu-0.11.0.tar.gzOnce its installed, check by running
rishabh@xion:/opt/GNS3$tar xvzf qemu-0.11.0.tar.gz
rishabh@xion:/opt/GNS3$cd qemu-0.11.0
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$wget http://downloads.sourceforge.net/gns-3/qemu-0.11.0-olive.patch?download
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$patch -p1 -i qemu-0.11.0-olive.patch
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$./configure --target-list=i386_softmmu
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$make
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$sudo make install
rishabh@xi0n:/opt/GNS3/qemu/qemu-0.11.0$ which qemuIt should display Qemu path, if not, you screwed up some where. Do it again.
/usr/local/bin/qemu
Step 3 - Preliminary Configuration
In general settings of GNS3, you will find Qemuwrapper is already configured, double check Qemu & Qemu-img path here, it should be the same as mentioned in "which" command output or better if you have placed the same it in GNS3 folder
Also, Set ASA options as
Qemu Options:Browse to the initrd & kernel images of ASA and set memory to 1024, once done, save it.
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line:
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536
make sure your configuration looks like this
When done, its execution time follks :)
Step 4 - Running it.
Well..it will look like this.
You can also check the ps output of Qemu (quick and dirty output here..nothing flashy)
rishabh@xi0n:/opt/GNS3$ ps ax | grep 'qemu'Once you are up and running, its time to grab a can of redbull (or beer if you prefer) and get a pat on your back, good work soldier :)
7094 pts/0 Sl+ 0:00 /usr/bin/python /opt/GNS3/GNS3-0.8.3.1-src/qemuwrapper/qemuwrapper.py --listen 127.0.0.1 --port 10525 --no-path-check
7101 pts/0 SN+ 0:00 /bin/sh -c /usr/local/bin/qemu -name ASA1 -m 1024 -hda "/tmp/ASA1/FLASH" -kernel "/home/rishabh/Documents/asa842-vmlinuz" -initrd "/home/rishabh/Documents/asa842-initrd" -append "-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536" -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7102 pts/0 R+ 0:19 /usr/local/bin/qemu -name ASA1 -m 1024 -hda /tmp/ASA1/FLASH -kernel /home/rishabh/Documents/asa842-vmlinuz -initrd /home/rishabh/Documents/asa842-initrd -append -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7175 pts/1 S+ 0:00 grep --color=auto qemu
Miscellaneous Errors , which you *just might* encounter and how to deal with them.
If you followed my steps, I dont think you will encounter any errors, but for the sake of completeness, I am including the most basic errors which you might get.
"qemuwrapper path doesn't exist"
This one is a classic one. With proper GNS3 0.8.3x installation, you will *not* encounter it. If you are running classic 0.7.x build, God save you. Even if you have 0.8.3.x & still get this error , find Qemuwrapper (it will be there in one of GNS3 source folders) and select it, save it. Error gone. Make sure permissions are correct.
"203-Bad number of parameters (5 with min/max=6/6)"
Upgrade your GNS from 0.7x.x to 0.8.3, if you are following this guide, you should not get this error.
"You are running an old and unpatched version of qemu"
Now here things get interesting. In one case I installed Qemu before installing GNS3 and I got this error quite frequently. I uninstalled Qemu, cleared my /tmp & I then first installed GNS3 and then installed Qemu after configuring GNS3 fully (except the Qemu part that is) . Did a sudo make install for Qemu and restarted my laptop. Please note I am using Qemu 0.11
Ran GNS3 and tada..
This error will be rectified.
"You must use 'manual mode' to connect a link with a xyz module"
Simple as hell, use manual mode..duh..
"QEMU boots but no ASA boot output on console"
Use correct QEMU binary, no Qemu_i386 / Qemu_x86_64. Use only correctly patched Qemu 0.11 binary in GNS3 like previously specified.
In all cases, all errors are either will be some permutation or combination of the mentioned ones. Well , it summarizes my post on running ASA, hope it will help you.
Rishabh Dangwal
I got an overwhelming response to my Wardriving at Delhi project and have got a lot of emails regarding the same. I am so thrilled that so many people want to contribute to the project. Inspired by your feedback, I am here by producing here an update to my mapping project. This time I went Via Saket to Gurgaon and as usual I got a lot of access points which were OPEN with no security, WEP secured vulnerable access points & WPA/WPA PSK2 secured points.
As usual, I used -
Happy Wardriving.
As usual, I used -
- Kismet
- Moocherhunter
- Aircrack
- G-MON & WiGLE
- The security awareness of people and organizations
- The devices they are using
- The security mechanisms they are using.
- Wifi range analysis of individual device.
- Hotspot details / BSSID (See if you are on the list) =))
- Google Maps KML Data (See it in Google Maps)
Happy Wardriving.
winAUTOPWN has been an old favourite to automate windows hacking and vulnerability testing. The project is the brainchild of Azim Poonawala of [C4]Closed Circuit Corporate Clandestine and saw its first release in 2009. Fast forward to 4 years; it has matured into a good exploitation framework with a plethora of options. As the Author states about it -
Autohack your targets - even if you have consumed and holding a bottle of 'ABSOLUT' in one hand and absolute ease (winAUTOPWN) in the other.
In layman terms, winAUTOPWN is a unique exploit framework which helps in gaining shell access and pwning (aka exploiting vulnerabilities) to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and other Web-Application attacks. To add cherry on the top, it can also help in conducting multiple types of Denial of Service attacks on targets, furthermore, It can also be used to test effectiveness of IDS/IPS and other monitoring sensors/softwares.
You can -
We have got a lot of packet sniffer/analyzer software out there, I am a self confessed Wireshark & Ettercap lover, but still, when it comes to analyzing network traffic from command line in a fast manner, ngrep is my one of my favourites. Written by Jordan Ritter its used to “grep” traffic patterns from the network interfaces. As per official documentation -
ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
ngrep runs on Windows & *nix platforms alike and you need WinPCAP to run it since it relies on it.
Once you install it, it by default uses the first interface on your machine, so , make sure to check the detected interfaces by running -
C:\Users\RISHABH\Desktop>ngrep -L
idx dev
--- ---
1: \Device\NPF_{4D491111-D331-42BC-9A33-98EF8C40D422} (Microsoft)
2: \Device\NPF_{ADBF6AC1-D111-463D-8D99-C58FA1BEF979} (Sun)
3: \Device\NPF_{6F801AE0-CA61-4A6D-B5FF-DCB7CE8FC529} (VMware Virtual Ethernet Adapter)
4: \Device\NPF_{930B6EC8-A5E3-4FFA-B68F-F159FDFC2064} (VMware Virtual Ethernet Adapter)
5: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (Realtek PCIe GBE Family Controller)
exit
Now for example you want to check out whats going on at port 23 using interface 5
C:\Users\RISHABH\Desktop>ngrep -d 5 port 23
interface: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 23 )
exit
0 received, 0 dropped
Piece of cake.. and if you want to filter any website in you are searching for keyword "password" then :
ngrep -d 5 “password” port 80
Easy aint it ? Ngrep does it all : ] With some complex grep commands , you can become a pcap ninja.
Well, you can
Cisco has issued a security advisory intimating that its new password hashing algorithm TYPE 4 is vulnerable,which allows Cisco TYPE 4 encoded hashes to be cracked easily. TYPE 4 is an update of TYPE 5 , and was supposed to salt passwords and apply 1000 iterations of SHA-256 . Well, engineers at Cisco actually miscoded the algorithm by forgetting to salt passwords and setting the number of iterations to 1 which makes it even weaker than TYPE 5 algorithm .
“This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”
Also, the code base (CISCO IOS 15) also disables TYPE 5 encryption on devices. Well..talk about rubbing salt on wounds.
As per advisory -
"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password.Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."
It was meant to be discovered inevitably. Folks at Hashcat - Philipp Schmidt and Jens Steube found it and were able to decode a hash posted at inetpro.org . Since hashes were weak, the information was more than enough to crack millions of hashes in hours if anyone gets their hands on hashes.
The aftermath ? Cisco says it will be creating new password type to counter it with new as of now unknown commands to implement it. In the meantime, Cisco says you “may” want to replace Type 4 password with Type 5 , as quoted -
There are two options to generate a Type 5 password:
- Using another device running a Cisco IOS or Cisco IOS XE release without Type 4 support
- Using the openssl command-line tool (part of the OpenSSL Project)
You can read the advisory here
You might also want to read -
“ Incredible”
thats one word when you describe CARNA botnet, which is a single handed attempt to map the entire Internet by a researcher, which makes it a single most herculean feat I have witnessed in digital domain which both grips me with mixed feelings of astonishment and Deja Vu.
As the paper states, the basic theory behind CARNA was
After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.
Impressive.. and the payload they devised was small, surgical and targeted routers with insecure logins.
The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture.
Well, the end results ? ~ 420,000 infected routers are identified with 1,300,000,000 geolocated IPV4 devices with about one-third of those responding directly to pings.
Incredible..as I earlier said. Sceptics will say that It can be a hoax, as its difficult to verify with a 586GB bittorrent file compressed with ZPAQ which will decompress to 9TB , it needs somewhat of super human effort to download, unpack and analyze data if it really exists. But again, if its true, Its .. its awesome.
You can
Like I said, prepare to be amazed.
Security researchers in Finland have turned up thousands of unsecured Internet-facing SCADA systems in that country, using the Shodan search engine.The researchers, from Aalto University, ran their test in January, and found 2,915 exposed systems running functions from building automation to transport and water supply. Those responses were out of a total of 185,000 Finnish IP addresses that responded to an HTTP request. 
According to communications and networking professor Jukka Manner,exposed building automation systems, the researchers claimed, included a bank, a gaol, and a hospital. Researchers claimed that many systems were vulnerable through their remote user interfaces.Interestingly, when the university re-ran its test in March, it found that a large number of the systems had been removed from the Internet, although 1,969 of the systems were still present.
“A lot of problems can … still be hiding”,
according to research assistant Seppo Tillkainen, since as much as 30 percent of the Finnish IP address space is still not mapped by Shodan. While systems spotted in the Shodan search even included a wind turbine, the majority of poorly-secured systems were in office blocks and residential towers, the study says. The researchers did not go as far as to actually try to penetrate the systems, citing Finland's computer crimes laws.
A Google translation of the university's press release is here. For Finnish readers, the whole study is here.
Blogged on Android Via The Register
The last time I wardrived at Delhi was over 2 years ago, I was at Tulip Telecom then and was doing something of a personal project then. Well, now I am at Orange and thought of replicating the feat, this time I will be publishing the details of networks I wardrived while going to Gurgaon from Delhi. It was done using combination of G-Mon,Kismet, Moocherhunter and you just might find it useful. I intent to make a map of Delhi with all the access points , which does sounds incredulous & far fetched, but yep, I intend to do it and I am doing it bit by bit. It helps to analyse in layman terms -
Well, in all you can find the data from below links -
Happy Wardriving
- Rishabh Dangwal
- The security awareness of people and organizations
- The devices they are using
- The security mechanisms they are using.
- Wifi range analysis of individual device.
Well, in all you can find the data from below links -
- Hotspot details / BSSID (See if you are on the list) =))
- Google Maps KML Data (See it in Google Maps)
Happy Wardriving
- Rishabh Dangwal
Subscribe to:
Posts (Atom)
