Demystifying the Kerberos

Dear readers, how are you?

It is usual reading no such good words on the complex and hard understanding of the Kerberos. Although my area is Malware Analysis, Reverse Engineering and Software Exploitation, I’ve written two articles for Oracle trying to mitigate this undesirable impression about the Kerberos. I used Oracle Linux 7.2 for implementing the solution.

The first article deeply explains Kerberos concepts and showss how to implementing it. At end, I show how to integrate SSH with it.

The second article has a more practical approach. It explain how to implement an IdM (Identity Manager Server), integrating the Kerberos with Active Directory and Samba.

Both parts follow:

part 1: Kerberos concepts + implementation + SSH (32 pages): https://community.oracle.com/docs/DOC-1004909

part 2: Kerberos + IdM + Active Directory + Samba (44 pages): https://community.oracle.com/docs/DOC-1004910

In my opinion, Kerberos is an outstanding protocol and framework, and I hope this my small contribution to community helps professionals to see it from a different point of view.

Have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Lecture at UnG – Introduction to Malware Analysis

Dear readers, how are you?

Yesterday (APRIL/07/2016), I spoke at UnG (Universidade de Guarulhos – Guarulhos University) about Introduction to Malware Analysis. Honestly, I had a great time with many students and teachers attending the lecture. It follows the certificate which I earned from the UnG:

Once more, thank you to everybody from UnG for the generosity and kindness during my lecture.

I hope you have a nice day.

Alexandre Borges

(LinkedIn: http://www.linkedin.com/in/aleborges) and twitter: @ale_sp_brazil .

Reversing: few words about a trivial code

(this short write up can be read in pdf format: https://alexandreborgesbrazil.files.wordpress.com/2016/01/reversing_few_words_about_a_trivial-code2.pdf)

Dear readers, how are you? During my classes and presentations, it is extremely common to hear students and professionals comparing different areas inside IT security, but honestly I think is neither possible nor feasible to do this “mental exercise”. Yesterday, I received one of this kind of message and, in the middle of the e-mail, I could read that “doubtless, hacking (pentest) is more difficult than reverse engineering and malware analysis”. I am not sure if it’s possible to state it. As an super easy educative example, I sent this code (I cleaned it a bit to make it clearer) below to my student and I asked him about two things: a) What’s the equivalent structure in C that the code is representing? b) How does it work?

.text:004028BC mov [ebp+var_C], eax

.text:004028BF mov ecx, [ebp+var_10]

.text:004028C2 movsx edx, byte ptr [ecx]

.text:004028C5 mov [ebp+var_14], edx

.text:004028C8 mov eax, [ebp+var_14]

.text:004028CB sub eax, 64h

.text:004028CE mov [ebp+var_14], eax

.text:004028D1 cmp [ebp+var_14], 0Fh ;

.text:004028D5 ja short loc_402923 ;

.text:004028D7 mov edx, [ebp+var_14]

.text:004028DA xor ecx, ecx

.text:004028DC mov cl, ds:byte_40293E[edx]

.text:004028E2 jmp ds:off_40292A[ecx*4] ; switch jump

.text:004028E9 ; —————————————————————————

.text:004028E9 loc_4028E9:

.text:004028E9        ; CODE XREF: sub_402884+5Ej

.text:004028E9 ; DATA XREF: .text:off_40292Ao

.text:004028E9 mov eax, [ebp+var_C] ;

.text:004028EC push eax ; char *

.text:004028ED call sub_401565

.text:004028F2 add esp, 4

.text:004028F5 jmp short loc_402923

.text:004028F7 ; —————————————————————————

.text:004028F7 loc_4028F7:

.text:004028F7         ; CODE XREF: sub_402884+5Ej

.text:004028F7 ; DATA XREF: .text:off_40292Ao

.text:004028F7 mov [ebp+var_4], 1 ;

.text:004028FE jmp short loc_402923 ;

.text:00402900 ; —————————————————————————

.text:00402900 loc_402900:

.text:00402900         ; CODE XREF: sub_402884+5Ej

.text:00402900        

.text:00402900 mov ecx, [ebp+var_C] ;

.text:00402903 push ecx ; char *

.text:00402904 call sub_402813

.text:00402909 add esp, 4

.text:0040290C jmp short loc_402923 ;

.text:0040290E ; —————————————————————————

.text:0040290E

.text:0040290E loc_40290E:

.text:0040290E

.text:0040290E mov edx, [ebp+var_C] ;

.text:00402911 push edx ; char *

.text:00402912 call sub_402851

.text:00402929 add esp, 4

.text:0040291A mov eax, [ebp+arg_4]

.text:0040291D mov dword ptr [eax], 1

.text:00402923

.text:00402923 loc_402923:

.text:00402923

.text:00402923 mov eax, [ebp+var_4] ; jumptable 004028E2 default case

.text:00402926 mov esp, ebp

.text:00402928 pop ebp

.text:00402929 retn

.text:00402929 sub_402884 endp

.text:00402929

.text:00402929 ; —————————————————————————

.text:0040292A        dd offset loc_4028E9 ; DATA XREF: sub_402884+5Er

.text:0040292A        dd offset loc_4028F7 ; jump table for switch statement

.text:0040292A        dd offset loc_40290E

.text:0040292A        dd offset loc_402900

.text:0040292A         dd offset loc_402923

.text:0040293E        db 0, 4, 4, 4 ; DATA XREF: sub_402884+58r

.text:0040293E        db 4, 4, 4, 4 ; indirect table for switch statement

.text:0040293E        db 4, 4, 1, 4

.text:0040293E        db 4, 4, 2, 3

.text:0040294E

 

As I stated previously, the code above is trivial and, in a nutshell, although this code have been extracted from a malware, there is only reverse engineering here. Few comments follow:

  • The represented structure is a simple “switch case” statement (it is easily identified by IDA Pro).
  • There’re 16 possible cases (you should pay attention in the comparison at 0x004028D1 and remember that 0x0F is equal to 16).
  • The variable which is defining the cases is var_16 (look at 0x004028D7). It is will be loaded to edx and it will be acting as an index (more details below).
  • A jump table (0x0040292A) is being used to represent the switch case statements.
  • Looking at the jump table pointers (0x0040293E), we notice that there’re only five different indexes (0 to 4), so we have only five different statements in a nutshell. Therefore, the instruction mov cl, ds:byte_40293E[edx] (at 0x004028DC) servers as an index to jump table pointers. Depending on this index (0 to 15 – you remember that there are 16 possible cases in this example), the program chooses a pointer. For example, if the index is A(0x10) then the index in the jump table pointer is “1” (check this information by counting the values at 0x0040293E lines). Looking at jump table(0x0040292A), the second switch statement (remember, the range is from 0 to 4) is the address 0x004028F7
    (dd offset loc_4028F7).
  • Thus, the “switch jump” instruction jmp ds:off_40292A[ecx*4] at address 0x004028E2 finally jumps the code flow to the mentioned address above (0x004028F7).

As I said previously, this is an super easy and basic construction, but most time while I am analyzing malwares I see pieces of code like that. In fact, it is suitable to tell that malware analysis is much more difficult than a simple switch case statement. Sure, I could explain several kind of hooking, injections, hijacking , and so on, but I chose this example to prove to my student that is not possible to compare different areas before having a better knowledge about both them (in time: my student wasn’t able to answer my questions at beginning of this write up).

Personally, my life is IT Security and I have a strong preference by malware analysis, so I am available to help you when necessary. If you want, I will be teaching few courses this year (more at https://alexandreborges.org/my-courses/) and I hope see you there.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil).

Oracle 12c Transportable Tablespace on OTN (Oracle Technology Network)

Dear readers, how are you? It follows my article about Oracle 12c Transportable Tablespace on OTN (Oracle Technology Network):

https://community.oracle.com/docs/DOC-922240

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Speaking about IT Security at UNISA

Dear readers, what have you been doing? Continuing my project of talking about IT Security in universities, it follows below the certificate that I earned for my speak at UNISA:

Once more, I am available to talk about IT Security (Hacking, Malware Detection, Malware Analysis, Digital Forensics and Software Exploitation) in universities and companies without charging any fee. If you are interested, send me an e-mail to alexandreborges [at] alexandreborges [dot] org.

I hope you have a nice week.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil).

Speaking about security aspects in the Software Engineering at PUC University

Dear readers, how are you? Few weeks ago, I spoke about “Security Aspects in the Software Engineering” to excellent postgraduate students from Software Engineering course at PUC (Pontifícia Universidade Católica) University in Sao Paulo. It follows my certificate:

I keep my mission which is to talk about modern security topics to universities and companies without charging anything. If you are interested, send me an e-mail: alexandreborges [at] alexandreborges [dot] org.

Have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and Twitter: @ale_sp_brazil)

Speaking at Security Congress Latin America 2015

Dear friends, how are you? Today I spoke about Memory Forensic Analysis in the Security Congress Latin America 2015 (#isc2congresslatam). Fortunately, I had a great audience who were attending my speak:

This year, I have been focusing on speaking about malwares detection by using Memory Analysis. Next year, I will focus on a harder topic: Malware Analysis. Most people believe that’s accessible topic. They are wrong. Certainly, it’s the most difficult and brutal topic in IT Security area. Stay tunned!

I hope you have a nice day.

Alexandre Borges.

(LinkedIn: http://www.linkedin.com/in/aleborges and twitter: @ale_sp_brazil).