After running ls from linux-1.ece.iastate.edu the following output
[~/cpre308]
quanta-> ls
Debian-Jessie-AMD64-root_fs labs linux-4.4.3 newfile setup_labs.sh
The output is coming from the remote machine.
[~]
quanta-> ssh -l quanta linux-1.ece.iastate.edu
quanta@linux-1.ece.iastate.edu's password:
Logged into linux-1.ece.iastate.edu
Welcome Thomas
[~]
quanta->
[~]
quanta-> ssh quanta@linux-1.ece.iastate.edu
quanta@linux-1.ece.iastate.edu's password:
Logged into linux-1.ece.iastate.edu
Welcome Thomas
[~]
quanta->
Both are functionally the same!
SCP command to linux-1 to get a test file.
[~/cpre308]
quanta-> scp quanta@linux-1.ece.iastate.edu:cpre308/SCP_Test.txt .
quanta@linux-1.ece.iastate.edu's password:
SCP_Test.txt 100% 0 0.0KB/s 00:00
[~/cpre308]
quanta-> cat SCP_Test.txt
HELLO WORLD!
SCP command to a more remote server to get another test file.
[~/cpre308]
quanta-> scp thomas@thomasmoll.co:SCP_Test.txt .
thomas@thomasmoll.co's password:
SCP_Test.txt 100% 13 0.0KB/s 00:00
[~/cpre308]
quanta-> cat SCP_Test.txt
HELLO WORLD!
Using ssh scp and fg we have the following.
quanta->ssh linux-1.ece.iastate.edu
[~]
quanta-> ~^Z [suspend ssh]
[1]+ Stopped ssh linux-1.ece.iastate.edu
[~/cpre308]
quanta-> scp thomas@thomasmoll.co:SCP_Test.txt .
thomas@thomasmoll.co's password:
SCP_Test.txt 100% 13 0.0KB/s 00:00
[~/cpre308]
quanta-> fg
ssh linux-1.ece.iastate.edu
[~]
quanta-> hostname
linux-1.ece.iastate.edu
[~]
quanta->
Below is one of my public keys from my known-hosts file. Pls don't haxor me.
thomasmoll.co ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
192.73.234.28 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
In the .ssh directory, the file id_rsa contains my private key, the file id_rsa.pub contains my public key.
The passphrase is used to encrypt id_rsa so no rogue programs can copy the binary and impersonate me!
Since my home directory is mapped the keys were already transfered to the lab machine. I don't need to input my actual password now!
The passphrase is used to decrypt my private key to authenticate with the server. It's not sent to the server, but instead used to verify the client private key pair on my end.
quanta-> ssh-agent bash
bash-4.1$ ssh-add ~/.ssh/lab_key
Enter passphrase for /home/quanta/.ssh/lab_key:
Identity added: /home/quanta/.ssh/lab_key (/home/quanta/.ssh/lab_key)
bash-4.1$ ssh linux-3.ece.iastate.edu
Logged into linux-3.ece.iastate.edu
Welcome Thomas
[~]
quanta->
GNUPG. So basically for this part I had to use my own VPS because these lab computers don't have enough entropy.
thomas@quantumserver [11:25:58] [~]
-> % gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Thomas Moll
Email address: quanta@iastate.edu
Comment: Lab12
You selected this USER-ID:
"Thomas Moll (Lab12) <quanta@iastate.edu>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......+++++
+++++
gpg: key 83D22B6D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 2048R/83D22B6D 2016-04-20
Key fingerprint = FF79 AF8A 5A50 64FD 308A DF99 6143 100E 83D2 2B6D
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/3E685551 2016-04-20
-> % scp michael@michaelsnook.us:/home/michael/myname.gpg .
The authenticity of host 'michaelsnook.us (107.161.17.147)' can't be established.
RSA key fingerprint is 4a:8d:af:74:2d:2d:5b:53:f6:85:59:72:26:a8:59:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'michaelsnook.us,107.161.17.147' (RSA) to the list of known hosts.
michael@michaelsnook.us's password:
myname.gpg 100% 1216 1.2KB/s 00:00
(env) thomas@quantumserver [12:11:47] [~]
-> % ls
Python-3.5.0 gunicorn.conf nginx-4-12-16.tar.gz repos web
Python-3.5.0.tgz myname.gpg projects tom-home-4-12-16.tar.gz werc
SCP_Test.txt nginx python tom-key.gpg
(env) thomas@quantumserver [12:11:49] [~]
-> % gpg --install myname.gpg
gpg: Invalid option "--install"
(env) thomas@quantumserver [12:12:04] [~]
-> % gpg --import myname.gpg
gpg: key 68DAA02C: public key "Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
(env) thomas@quantumserver [12:12:10] [~]
-> % gpg --list-keys
/home/thomas/.gnupg/pubring.gpg
-------------------------------
pub 2048R/985B5355 2016-04-20
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/C1FB4BB2 2016-04-20
pub 2048R/83D22B6D 2016-04-20
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/3E685551 2016-04-20
pub 2048R/68DAA02C 2016-04-20
uid Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>
sub 2048R/F535694D 2016-04-20
After we exchanged keys then I encrypted a file and sent it to him. We used SCP to transfer files.
(env) thomas@quantumserver [12:15:07] [~]
-> % gpg --output secret.gpg --encrypt --recipient snook secret.txt
gpg: F535694D: There is no assurance this key belongs to the named user
pub 2048R/F535694D 2016-04-20 Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>
Primary key fingerprint: 6A93 F1A9 C4C7 3C9E A681 BE96 9AF3 4E2A 68DA A02C
Subkey fingerprint: CE6D 6F45 0F49 6F90 4AC6 942B DADA 8F87 F535 694D
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
I then decrypted his document. Note that this process is the same for the keys, they're just files!
(env) thomas@quantumserver [12:21:32] [~]
-> % scp michael@michaelsnook.us:/home/michael/doc.gpg .
michael@michaelsnook.us's password:
doc.gpg 100% 379 0.4KB/s 00:00
gpg: Invalid option "--ouptput"
(env) thomas@quantumserver [12:22:36] [~]
-> % gpg --output doc.txt --decrypt doc.gpg
You need a passphrase to unlock the secret key for
user: "Thomas Moll (Lab12) <quanta@iastate.edu>"
2048-bit RSA key, ID C1FB4BB2, created 2016-04-20 (main key ID 985B5355)
gpg: encrypted with 2048-bit RSA key, ID C1FB4BB2, created 2016-04-20
"Thomas Moll (Lab12) <quanta@iastate.edu>"
(env) thomas@quantumserver [12:23:49] [~]
-> % cat doc.txt
Hey Tom! I hope you are doing well.
We then signed and verified each others signatures
We used SCP to share the new files.
(env) thomas@quantumserver [12:24:48] [~]
-> % gpg --output signed.gpg --sign tom-key.gpg
You need a passphrase to unlock the secret key for
user: "Thomas Moll (Lab12) <quanta@iastate.edu>"
2048-bit RSA key, ID 985B5355, created 2016-04-20
I verified his signature.
(env) thomas@quantumserver [12:29:59] [~]
-> % scp michael@michaelsnook.us:/home/michael/myname_signed.gpg .
michael@michaelsnook.us's password:
myname_signed.gpg 100% 1544 1.5KB/s 00:00
(env) thomas@quantumserver [12:34:01] [~]
-> % ls
Python-3.5.0 doc.gpg myname_signed.gpg pub.gpg secret.txt web
Python-3.5.0.tgz doc.txt nginx python signed.gpg werc
SCP_Test.txt gunicorn.conf nginx-4-12-16.tar.gz repos tom-home-4-12-16.tar.gz
doc. myname.gpg projects secret.gpg tom-key.gpg
(env) thomas@quantumserver [12:34:03] [~]
-> % gpg --ouptput key.gpg --decrypt myname_signed.gpg
gpg: Invalid option "--ouptput"
(env) thomas@quantumserver [12:34:29] [~]
-> % gpg --output key.gpg --decrypt myname_signed.gpg
gpg: Signature made Wed Apr 20 12:32:29 2016 EDT using RSA key ID 68DAA02C
gpg: Good signature from "Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6A93 F1A9 C4C7 3C9E A681 BE96 9AF3 4E2A 68DA A02C
Shellshock was caused by BASH variables not being escaped and allowing for them to run arbitrary code if they were escaped correctly. For example, if a web app did get_env() on a variable with bash code, it would execute that code which could be malicious. For example if a web server had a function to save a variable like Language or something, and it didn't sanitize the input. (I'm looking at you Javascript validation :P) we could easily save bad code for the program to run the next time it wanted to look up our language.
Buffer overflows! An attacker can cause a buffer overflow easily by doing a bunch of these (((((((((((((((((((((((((((((((((((((((())))))))))))))))))))))))))))))))))))))))) until the upperlimit variable exceeds the buffer, hence overflowining it.
Since the variable never gets decremented, the program will allow that variable to grow and grow.
Then from there arbitrary code can be injected and possibly run.
In summary, I've learned a fair bit about SSH, SCP, GPG and Buffer Overflows. I've known about SSH, SCP, GPG for a while now. However, I didn't know about the escape command to temporarily run commands on the actual host you're running on. GPG I've used to encrypt my email for a number of years because I'm a bit paranoid about my communications (Unfortunately, I haven't figured out how to do this on iastate's email :().
I did learn a lot about buffer over flows from the provided material. I learned that they're the most widely used exploit because damn it's simple. Unlike stack pivoting which takes finese, buffer overflows are simple, especially paired with executable flags and shellcode, the world is your oyster.