0xdeadbeef dot info.
"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"Well, until that perfect world you need red team analysis" -- @thegrugq_ebooks
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous
I'm a seasoned information security researcher and consultant, specializing in networking (from old school X.25 to modern Wi-Fi), telephony (POTS, mobile, VoIP), and cyber-physical systems (SCADA and process control technologies in general). I'm employed as Principal Security Advisor at @Mediaservice.net, a leading information security consulting firm based in Italy, where I'm in charge of project and team management, penetration testing, compliance audits, vulnerability research, and exploit development. Basically, I'm a professional hacker and project manager. I hold the following certifications:
- (ISC)2 Certified Information Systems Security Professional (CISSP)
- PCI Qualified Security Assessor (QSA)
- PCI Approved Scanning Vendor (ASV)
- OSSTMM Professional Security Analyst (OPSA)
- OSSTMM Professional Security Tester (OPST)
- OSSTMM Wireless Security Expert (OWSE)
- ISO/IEC 27001 Lead Auditor
- PRINCE2 Foundation
As a member of the ISECOM Core Team, I'm actively involved in the development of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing and metrics. I'm also contributing to the Hacker Highschool (HHS), another ISECOM project promoting security awareness for teens. As a technical writer, I've co-authored some popular books and I've published many articles about hacking, security, and privacy. I co-founded Linux&C (the first Italian magazine about Linux and open source), Linux Pratico, and H&C.
This is my personal homepage and playground. Despite being a busy guy, I try to keep it up to date. Take a look below for (new) stuff. Please send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key updated on 2014-07-01).
Here's the list of my current research projects related to ethical hacking and
information security.
- OSSTMM. I'm a primary contributor of ISECOM's Open Source Security Testing Methodology Manual.
- HHS. I'm contributing to the Hacker Highschool, another ISECOM project providing security awareness for teens.
- Raptor's GitHub. This is my GitHub page, where some of my more recent projects are hosted.
- Tech Blog @ Media. This is the on-line repository of research projects sponsored by my employer.
- Antifork Research. I'm one of the founders of the project (formerly known as disLESSici team).
This is a collection of books, articles, research papers, presentations, and
advisories I've written or contributed to. A list of relevant mailing lists is
also included. Links to more modern social media platforms are in the footer
of this homepage.
Articles and Books
Interviews and Mentions
Advisories
- CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
- CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
- CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.
Related Works
- Buffer Overflow in passwd(1). This white paper has been written by Shaun McAdams for his GIAC GCIH practical.
- Whoppix-raptor. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
- SSH Enumusers. A Metasploit module that implements the time-based attack against SSH I discovered back in 2003.
Mailing Lists
- Bugtraq. The first public mailing list dedicated to issues about computer security, and how to fix them.
- Full-Disclosure. An unmoderated high-traffic discussion list for disclosure of security information.
- Vuln-Dev. Low-traffic vulnerability research and exploit development mailing list, hosted by SecurityFocus.
- Pen-Test. Another mailing list from SecurityFocus, dedicated to security testing and network auditing.
- DailyDave. The premier list for discussion of security issues, 0days, and reverse engineering.
- Cabal. Marketing-free security mailing list dedicated to discussions which are too long to fit in Twitter.
- SCADASEC. Discussion group about critical infrastructure protection and SCADA/control systems security.
- ISECOM Research. The official mailing list of ISECOM researchers, busy making sense of security.
As a hacker and programmer of weird machines, I study how things can go wrong.
Here are some of the exploits I've developed during my vulnerability research
activities (for educational purposes only).
Linux
- raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
- raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
- raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
- raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
- raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
- raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).
Solaris/x86
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
Solaris/SPARC
- raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
- raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
- raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
- raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
- raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack version.
- raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
- raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
- raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
- raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
- raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
- raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
- raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).
AIX
- raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.
Windows
Oracle
- raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
- raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
- raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.
MySQL
- raptor_udf.c. Helper dynamic library for local privilege escalation through a MySQL server running with root privileges.
- raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
- raptor_winudf.zip. MySQL UDF backdoor kit for M$ Windows (ZIP password is "0xdeadbeef").
Miscellaneous
- raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
- raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.
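raptor_sshtime and the Metasploit ssh_enumusers module listed above rely on a timing oracle: whether or not an account exists changes how long sshd takes to answer a bogus password, so the attacker needs only a clock and enough samples to beat network jitter. The Python below is an added illustration of that measurement logic; it is not the page's raptor_sshtime code nor the Metasploit module. The probe is simulated (no network traffic), the timing constants and the 10% spike rate are made up for the demo, and the median-of-N-against-a-random-baseline design is one reasonable approach, not necessarily what those tools do.

```python
import random
import statistics
from typing import Callable, Dict, List, Optional

# Constructed timing model (seconds): hypothetical numbers chosen for the
# demo, not measurements of any real sshd build or network path.
VALID_USER_RTT = 0.45     # full auth path for an existing account
INVALID_USER_RTT = 0.12   # early bail-out for an unknown account
KNOWN_USERS = {"root", "raptor"}  # accounts the simulated target "has"

Probe = Callable[[str, random.Random], float]


def simulated_probe(username: str, rng: random.Random) -> float:
    """Stand-in for one SSH password-auth attempt against the target.

    Returns the elapsed time in seconds. Models the leak (existing accounts
    take longer) plus Gaussian jitter and an occasional 500 ms spike, e.g. a
    retransmission, which a naive single-sample check would misread.
    """
    base = VALID_USER_RTT if username in KNOWN_USERS else INVALID_USER_RTT
    jitter = rng.gauss(0.0, 0.02)
    spike = 0.5 if rng.random() < 0.1 else 0.0
    return max(0.0, base + jitter + spike)


def measure(probe: Probe, username: str, rng: random.Random,
            samples: int = 7) -> List[float]:
    """Collect several timings for one username; an odd sample count keeps
    the median meaningful with up to (samples - 1) // 2 outliers."""
    return [probe(username, rng) for _ in range(samples)]


def baseline(probe: Probe, rng: random.Random, samples: int = 7) -> float:
    """Median timing for a random 12-letter account name, which is assumed
    not to exist on the target, so it anchors the "unknown user" timing."""
    name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(12))
    return statistics.median(measure(probe, name, rng, samples))


def classify(timings: List[float], base: float,
             factor: float = 2.0, margin: float = 1.3) -> Optional[bool]:
    """True: median clearly above the baseline (account likely exists).
    False: median close to the baseline (account likely absent).
    None: grey zone between margin and factor; collect more samples instead
    of guessing, which is the honest answer on a noisy link."""
    med = statistics.median(timings)
    if med >= base * factor:
        return True
    if med <= base * margin:
        return False
    return None


def enumerate_users(candidates: List[str], probe: Probe = simulated_probe,
                    rng: Optional[random.Random] = None, samples: int = 7,
                    factor: float = 2.0) -> Dict[str, Optional[bool]]:
    """Run the oracle over a candidate list; returns username -> verdict."""
    rng = rng or random.Random(0xDEADBEEF)  # fixed seed for reproducibility
    base = baseline(probe, rng, samples)
    return {u: classify(measure(probe, u, rng, samples), base, factor)
            for u in candidates}


if __name__ == "__main__":
    verdicts = enumerate_users(["root", "raptor", "nosuchuser"])
    for user, verdict in verdicts.items():
        label = "EXISTS" if verdict else ("absent" if verdict is False else "unsure")
        print(f"{user:12s} {label}")
```

Against a real target, `simulated_probe` would be replaced by a function that opens an SSH connection, sends a password-auth request for the candidate name, and returns the elapsed time; everything else stays the same. The median rather than the mean is what makes the classifier survive retransmission spikes, and the random baseline name avoids hard-coding any assumption about which direction the delay goes on a given sshd/PAM version.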
I'm a polyglot programmer and this section is dedicated to some of the
programs and scripts I've written.
Most of this stuff is experimental; the standard disclaimer applies.
New School
- tactical-exploitation (new). A modern tactical exploitation toolkit to assist penetration testers.
- frida-scripts (new). A collection of my Frida.re instrumentation scripts to facilitate reverse engineering.
- Invoke-Shellcode.ps1. Updated cmdlet with -Stealth command line switch (see my pull request).
- samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
- mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
- havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
- ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
- orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
- scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
- sequel.tgz. A collection of simple scripts for performing multiple tasks via SQL injection attacks.
- p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.
Old School
- brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
- ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
- rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
- bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
- x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
- psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
- backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
- autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.
Exploitation
Esoteric
Here are some configuration templates for common information security
solutions. YMMV.
Packet Filters
- rc.iptables. Sample basic ruleset for the configuration of a Linux stateful host/masq firewall.
- pf.conf. Sample PF/NAT ruleset for the configuration of a FreeBSD/OpenBSD stateful host/masq firewall.
- MacOSXFirewall.tgz. Startup script and basic ruleset for the ipfw firewall bundled with Mac OS X.
- ipf.tgz. Sample rulesets for the IPFilter stateful firewall, with detailed comments. Tested on OpenBSD 2.9.
Application Firewalls
Virtual Private Networks
- torrc. Sample configuration file for a Tor relay/bridge. Tested on Tor 0.3.0.10 on FreeBSD.
- openvpn-*.conf. Sample OpenVPN client and server configurations. Tested on Debian GNU/Linux 8.7.
- isakmpd.tgz. Sample IKE configuration files for a basic IPsec VPN. Tested on OpenBSD 2.9.
- isakmpd-x509.tgz. Sample IKE configuration files for an IPsec VPN using X.509 certs. Tested on OpenBSD 3.2.
- isakmpd-road.tgz. Sample IKE configuration files for a road warrior IPsec VPN. Tested on OpenBSD 3.2.
A collection of other random stuff.
- RTFM. Hey, you! Yeah, you! Don't ask stupid questions, always Read The F* Manual first.
- Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
- 0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
- Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
- HP JetDirect Crash. Cool stack dump printed on paper by my HP JetDirect printer after a Denial of Service.
- Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
- Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
- Vi Assistant. Fear the infamous clippy-like assistant for vim. Resistance is futile, you'll be assimilated.
- Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
- Pen-test Moderation. Cheap viagra spam and SecurityFocus "penetration" test mailing list moderation fun.
- This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.
- Vault 7. Some of my shellcodes are among the CIA tools released by Wikileaks. Achievement unlocked!
Copyright (c) 1998-2018* Marco Ivaldi at 0xdeadbeef dot info $Id: index.html,v 1.712 2018/03/12 13:14:11 raptor Exp $ *celebrating 20 years!