0xdeadbeef dot info | raptor's labs

0xdeadbeef dot info.

"A chain is only as strong as its weakest link." -- Charles A. Lindbergh
"I have seen the fnords." -- Historical graffiti on Anarchy Bridge, UK
"Testing can prove the presence of bugs, but not their absence." -- Edsger W. Dijkstra
"The enemy knows the system." -- Claude E. Shannon
"Perfection is achieved when there is nothing left to remove." -- Antoine de Saint-Exupery
"The GNU people aren't evil." -- /usr/src/linux/Documentation/CodingStyle
"You can't argue with a root shell." -- Felix "FX" Lindner
"Well, until that perfect world you need red team analysis" -- @thegrugq_ebooks
"Never whistle while you're pissing." -- Hagbard Celine
"When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl." -- Anonymous

Fnord!

[0x01] Who's Raptor?

I'm a seasoned information security researcher and consultant, specializing in networking (from old school X.25 to modern Wi-Fi), telephony (POTS, mobile, VoIP), and control systems (SCADA and critical infrastructure). I'm employed as Principal Security Advisor at @ Mediaservice.net, a leading information security consulting firm based in Italy, where I'm in charge of project and team management, penetration testing, compliance audits, vulnerability research, and exploit development. Basically, I'm a professional hacker and project manager. I hold the following certifications:

(ISC)2 Certified Information Systems Security Professional (CISSP)
PCI Qualified Security Assessor (QSA)
PCI Approved Scanning Vendor (ASV)
OSSTMM Professional Security Analyst (OPSA)
OSSTMM Professional Security Tester (OPST)
OSSTMM Wireless Security Expert (OWSE)
PRINCE2 Foundation

As member of the ISECOM Core Team, I'm actively involved in the development of the Open Source Security Testing Methodology Manual (OSSTMM), the international standard for performing security testing and metrics. I'm also contributing to the Hacker Highscool (HHS), another ISECOM project promoting security awareness for teens. As a technical writer, I've co-authored some popular books and I've published many articles about hacking, security, and privacy. I co-founded Linux&C (the first Italian magazine about Linux and open source), Linux Pratico, and H&C.

This is my personal homepage and playground. Despite being a busy guy, I try to keep it up to date. Take a look below for (new) stuff. Please send your feedback to: Marco Ivaldi <raptor[at]0xdeadbeef.info> (PGP key updated on 2014-07-01).

[0x02] Projects

Here's the list of my current research projects related to ethical hacking and information security.

OSSTMM. I'm a primary contributor of ISECOM's Open Source Security Testing Methodology Manual.
HHS. I'm contributing to the Hacker Highscool, another ISECOM project providing security awareness for teens.
Antifork Research. I'm one of the founders of the project (formerly known as disLESSici team).
Tech Blog @ Media. This is the on-line repository of research projects sponsored by my employer.

[0x04] Publications

This is a collection of books, articles, research papers, presentations, and advisories I've written or contributed to.

Articles and Books

L'anonimato su Internet. About anonymity and privacy on the Internet, appeared on Apogeonline on 19/01/2000.
Qualcuno ci ascolta. About the ECHELON network (written in January 2000, not published elsewhere).
Intrusioni di rete. Slides compiled for an Information Security Master in Milan University (14/12/2001).
Introduzione al Quantum Computing. Introduction to QC, also released as an Apogeonline ebook in July 2002.
Sicurezza su reti X.25. White paper written for ITBH and released to the public in September 2002.
L'arte dell'hacking. I did the technical review of the translation of Hacking: the art of exploitation, by J. Erickson.
Vulnerabilita' su Linux. I wrote the foreword for this practical exploitation guide by Enrico Feresin.
Hacking Exposed Linux. I wrote the VoIP chapter for the third edition of the HEL book, released by ISECOM.
La metrica di sicurezza di OSSTMM. About the attack surface security metrics defined by OSSTMM (rav).
Cyberworld. I co-authored this book sponsored by the Italian DOD's National Security Observatory.
La Comunicazione. I wrote the article "ICT Security Certification with OSSTMM", published by ISCOM.
I cinque miti della sicurezza SCADA. Article discussing SCADA security myths and popular beliefs.
Protezione degli utenti VIP. Article about tailoring information security services for Top Managers.
Penetration Testing Guidelines. I co-authored these security testing guidelines by ISACA's Venice Chapter.
CLUSIT Report 2016 (new). I co-authored the e-commerce section of this year's annual CLUSIT ICT security report.

Interviews

Stealing Minutes. Newsweek International reporter Benjamin Sutherland interviewed me for this article on VoIP.
Materatown. I have been interviewed by the fine folks at Materatown.net on the topic of satire and anonymity.
How Secure is Secure Enough?. Control's Editor-in-Chief Walt Boyes interviewed me for this article on SCADA.

Advisories

CVE-2003-0190. I discovered and published this OpenSSH/PAM Delay Information Disclosure Vulnerability.
CVE-2006-1242. I discovered and published this Linux Kernel IP ID Information Disclosure Weakness.
CVE-2006-5229. I discovered and published yet another OpenSSH information disclosure via timing leak.

Related Works

Buffer Overflow in passwd(1). This white paper has been written by Shaun McAdams for his GIAC GCIH practical.
Whoppix-raptor. A flash demo showing raptor_chown.c in action done for whoppix.net by ports@portsonline.net.
SSH Enumusers. A Metasploit module that implements the time-based attack against SSH I discovered back in 2006.

Magazines

Linux&C. The first Italian magazine dedicated to GNU/Linux and the open source movement, since 1999.
H&C. Hard core Italian computer security and hacking magazine (discontinued project).
ICT Security. The first Italian magazine entirely dedicated to computer security and business continuity.
PC Magazine. Italian magazine dedicated to personal computing and professional information technology.

Mailing Lists

Bugtraq. The first public mailing list dedicated to issues about computer security, and how to fix them.
Full-Disclosure. An unmoderated high-traffic discussion list for disclosure of security information.
Vuln-Dev. Low-traffic vulnerability research and exploit development mailing list, hosted by SecurityFocus.
Pen-Test. Another mailing list from SecurityFocus, dedicated to security testing and network auditing.
DailyDave. The premier list for discussion of security issues, 0days, and reverse engineering.
Cabal. Marketing-free security mailing list dedicated to discussions which are too long to fit in Twitter.
SCADASEC. Discussion group about critical infrastructure protection and SCADA/control systems security.
ISECOM Research. The official mailing list of ISECOM researchers, busy to make sense of security.
Sikurezza.org. A virtual community of people interested in computer (in)security issues, based in Italy.

[0x08] Exploits

As a hacker, I basically study how things can go wrong. Here are some of the exploits I've developed during my vulnerability research activities (for educational purposes only).

Linux

raptor_chown.c. Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497). Missing DAC controls in sys_chown() on Linux.
raptor_prctl.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Suid_dumpable bug.
raptor_prctl2.c. Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451). Via logrotate(8).
raptor_truecrypt.tgz. TrueCrypt <= 4.3 (CVE-2007-1738). Local privilege escalation via setuid volume mount.
raptor_ldaudit. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via crond(8).
raptor_ldaudit2. Local privilege escalation through glibc dynamic linker (CVE-2010-3856). Via logrotate(8).

Solaris/x86

raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).

Solaris/SPARC

raptor_ucbps. Solaris 8, 9 (CVE-1999-1587). Information leak with /usr/ucb/ps on both SPARC and x86.
raptor_rlogin.c. Solaris 2.5.1, 2.6, 7, 8 (CVE-2001-0797). Buffer overflow in System V login via rlogin vector.
raptor_ldpreload.c. Solaris 2.6, 7, 8, 9 (CVE-2003-0609). Stack-based buffer overflow in the runtime linker ld.so.1.
raptor_libdthelp.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp via dtprintinfo help feature.
raptor_libdthelp2.c. Solaris 7, 8, 9 (CVE-2003-0834). Buffer overflow in CDE libDtHelp, non-exec stack version.
raptor_passwd.c. Solaris 8, 9 (CVE-2004-0360). Stack-based buffer overflow in the circ() function of passwd(1).
raptor_sysinfo.c. Solaris 10 (CVE-2006-3824). Kernel memory disclosure with the sysinfo(2) system call.
raptor_xkb.c. Solaris 8, 9, 10 (CVE-2006-4655). Buffer overflow in the Strcmp() function of X11 XKEYBOARD.
raptor_libnspr. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation oldschool local root.
raptor_libnspr2. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via LD_PRELOAD.
raptor_libnspr3. Solaris 10 (CVE-2006-4842). NSPR library arbitrary file creation local root via constructor.
raptor_peek.c. Solaris 8, 9, 10 (CVE-2007-5225). Kernel memory disclosure with fifofs I_PEEK ioctl(2).

AIX

raptor_libC. AIX 5.3, 6.1 (CVE-2009-2669). Arbitrary file creation or overwrite via libC debugging functions.

Oracle

raptor_oraextproc.sql. Oracle 9i, 10g (CVE-2004-1364). Directory traversal vulnerability in extproc.
raptor_oraexec.sql. Exploitation suite for Oracle written in Java, to read/write files and execute OS commands.
raptor_orafile.sql. File system access suite for Oracle based on the utl_file package, to read/write files.

MySQL

raptor_udf.c. Helper dynamic library for local privilege escalation through MySQL run with root privileges.
raptor_udf2.c. Slight modification of raptor_udf.c, it works with recent versions of the open source database.
raptor_winudf.tgz. MySQL reverse shell and command execution UDFs backdoor kit for M$ Windows.

Miscellaneous

raptor_sshtime. OpenSSH (CVE-2003-0190, CVE-2006-5229). Remote timing attack information leak exploit.
raptor_dominohash. Lotus Domino R5, R6 (CVE-2005-2428). Webmail names.nsf password hash dumper.

[0x10] Code

This section is dedicated to some of the programs and helper scripts I've written. Most of this stuff is experimental, standard disclaimer applies.

New School

mssql-hax0r. Multi-purpose SQL injection attack tool for advanced Microsoft SQL Server exploitation.
samba-hax0r. Multi-purpose attack tool for SMB/CIFS network protocols exploitation.
havoc-0.1d.tgz. Random ARP traffic generator, BOFH style. It can temporarily hose an ethernet segment.
ikenum. Script for remote enumeration of supported ISAKMP authentication methods (RFC 2409).
orabackdoor.sql. Proof-of-concept code to demonstrate how to write a simple backdoor for Oracle.
scan-tools.tgz. A collection of easily customizable bash scripts for network scanning purposes.
sequel.tgz. A growing collection of simple scripts for performing multiple tasks via SQL injection attacks.
p2s.c. Prism2stumbler is a wireless network stumbler for PRISM2 cards. Tested on Linux with wlan-ng.

Old School

brutus.pl. Remote login/password bruteforce cracker for TELNET, FTP, POP3, SMTP, and HTTP protocols.
ward.c. Fast wardialer for UNIX systems, it scans a list of phone numbers hunting for active modems.
rasbrute.bat. Very basic and easily customizable DOS batch script for remote bruteforcing of M$ PPTP.
bounce.c. Simple netcat-like bouncer client that pipes on localhost an active TCP session.
x25-tools.tgz. A collection of multi-purpose X.25 scanners based on vudu, including nuascan and cudscan.
psibrute.com. This DCL script abuses the old PSI_MAIL trick on VMS/OpenVMS to remotely find valid users.
backdoor.bas. Simple VMS/OpenVMS lib$spawn() setuid-like backdoor (easily portable to other languages).
autoscan.pl. Autonet NUA scanner for the old autonet x25pad gateway, based on the brutus.pl engine.

Exploitation

abo-exploits.tgz. Advanced buffer overflows study. See gera's vulnerable code exploited in different ways.
fs-exploits.tgz. Format strings exploitation study. Commented solutions to gera's fs vulnerable code series.
vulndev-exploits.tgz. Exploit code for vuln-dev challenges. Currently, there are 2 accomplished challenges.
linux-x86-exploits.tgz. Linux/x86 vulnerable code study. Currently, there are 86 example exploits included.
solaris-sparc-exploits.tgz. Solaris/SPARC vulnerable code study. Currently, there are 19 example exploits.
shellcode.tgz. An old collection of Linux and BSD shellcode, illustrating different concepts and techniques.
libc-search.c. Quick and easily-adaptable libc symbol/pattern search helper. Tested on Linux.

Esoteric

xchg rax,rax solutions (new). My attempt at tackling the x86_64 asm riddles in xorpd's xchg rax,rax book.
poly.tgz. An old collection of polyglots, programs that may be compiled in more than one language.

[0x20] Configurations

Here are some configuration templates for common information security solutions. YMMV.

Packet Filters

rc.iptables v1. Sample basic ruleset for the configuration of a Linux 2.4 stateful firewall (host fw + vpn).
rc.iptables v2. Sample basic ruleset for the configuration of a Linux 2.4 stateful firewall (masq fw + vpn).
MacOSXFirewall.tgz. Startup script and basic ruleset for the ipfw firewall bundled with Mac OS X.
pf.tgz. Sample PF/NAT rulesets for the configuration of an OpenBSD 3.9 stateful firewall.
ipf.tgz. Sample rulesets for the IPFilter stateful firewall, with detailed comments. Tested on OpenBSD 2.9.

Application Firewalls

modsecurity-2.5.12.conf. Sample configuration file for the ModSecurity application firewall v2.5.12.
modsecurity-2.6.8.conf. Sample configuration file for the ModSecurity application firewall v2.6.8.

Virtual Private Networks

isakmpd.tgz. Sample IKE configuration files for a basic IPsec VPN. Tested on OpenBSD 2.9.
isakmpd-x509.tgz. Sample IKE configuration files for an IPsec VPN using X.509 certs. Tested on OpenBSD 3.2.
isakmpd-road.tgz. Sample IKE configuration files for a road warrior IPsec VPN. Tested on OpenBSD 3.2.

[0x40] /dev/random

A collection of other random stuff.

BOFH's excuse of the day. A small tribute to the infamous Bastard Operator From Hell by Simon Travaglia.
RTFM. Hey, you! Yeah, you! Don't ask stupid questions, always Read The Fucking Manual before.
Utah Bengaled Raptor. An impressive 8 foot tall, 1 ton wooden prehistoric monster, created by artist Matt Kron.
0xdefaced. This is the archived 0xdeadbeef dot info defacement hoax made for April Fools' Day 2004.
Voodoo. A picture of my old and glorious Acer TravelMate 345T notebook, running OpenBSD.
HP JetDirect Crash. Cool stack dump printed on paper by my HP JetDirect printer after a Denial of Service.
Insert Coin. My kinda original HP JetDirect printer's new display (yeah, I was bored that day).
Control Room. ITAPAC (DNIC 2222) is the most known Italian X.25 network, still alive as of 2006.
Vi Assistant. Fear the infamous clippy-like assistant for vim. Resistance is futile, you'll be assimilated.
Sidecar Wardriving. Funny picture of a l33t wardriving session on an original Ural sidecar.
Pen-test Moderation. Cheap viagra spam and SecurityFocus "penetration" test mailing list moderation fun.
This Site is Blocked. A screenshot of UAE's Internet Access Management Policy in action.