After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the seventh and final assignment; build a payload encrypter/decrypter.

We have used payload encoders in previous assignments, but this time we will build a hidden payload that requires a key to decrypt.

The choice of encryption method is left to the student and I spent a good while looking at the various encryption methods:

• AES - A modern and widely used block cipher scheme. Very complex to implement and would probably require a 3rd party library, making the assignment pretty pointless.
• RC4 - A fast and relatively easy to implement stream cipher. Unfortunately, Vivek used RC4 in his demo, I didn’t want to repeat his work.
• FISH, Scream, MUGI, etc - Complex, limited implementation documentation (my maths isn’t up to scratch).

While researching these schemes I stumbled onto some of the more classical cryptography schemes.

While modern crypto schemes produce streams or blocks of pseudo-random noise which is generally XORed against the cleartext, classical ciphers tended to use relocation or shifting of characters. Simple rotational schemes such as Caesar’s cipher or ROT13 barely qualify as encryption, the encoding operation is either fixed or easily brute forced. However, a Substitution Cipher requires a mapping table and this can be varied, forming a kind of key, although a large and cumbersome one.

The Vigenère cipher is a hybrid of substitution and rotation using a table built on an ascending rotation factor. However, it also makes use of a variable length key and so it is suitable for our needs.

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the sixth assignment; take three x64 payloads from ShellStorm and create new, polymorphic versions which have the same functionality.

While this sounds super cool, what we’re actually doing is simply changing the content of the shellcode to try to evade detection by basic security tools that use signature based matching to recognise threats. A limitation of the assignment is to stay within 150% of the original payload size.

After completing the video lectures of the Security Tube Linux 64 bit Assembler Expert course (SLAE64), a series of assessments must be completed to gain certification. This is the fifth assignment; analyse 3 payloads generated by the Metasploit msfvenom tool.

msfvenom is a replacement for msfpayload and msfencode tools. It combines their functionality into a single application. The available payloads specifically for x64 Linux are quite limited:

root@kali:~# msfvenom -l | grep linux/x64

linux/x64/exec                                      Execute an arbitrary command
linux/x64/meterpreter/bind_tcp                      Inject the mettle server payload (staged). Listen for a connection
linux/x64/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
linux/x64/meterpreter_reverse_http                  Run the Meterpreter / Mettle server payload (stageless)
linux/x64/meterpreter_reverse_https                 Run the Meterpreter / Mettle server payload (stageless)
linux/x64/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)
linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
linux/x64/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
linux/x64/shell_bind_tcp                            Listen for a connection and spawn a command shell
linux/x64/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. 
                                                    Use nmap to discover the open port: 'nmap -sS target -p-'.
linux/x64/shell_find_port                           Spawn a shell on an established connection
linux/x64/shell_reverse_tcp                         Connect back to attacker and spawn a command shell

Recently my Ubuntu Apache server crashed during a busy period on the site, one of the last events logged was:

[error] server reached MaxClients setting, consider raising the MaxClients setting.

The default for MaxClients in apache2.conf is 100. The log suggested raising this value, many sites I Googled up suggested raising the value too. There’s also a fair amount of confusion about the correct setting for StartServers, MinSpareServers and MaxSpareServers values.