Hello, my 0x00'ers! You may have noticed @0x00pf's awesome reverse engineering content, and you may have noticed he has posted raw binaries (without source). Of course, that is the point of reverse engineering: the challenge is about not knowing the source.
But how do you and I know that @0x00pf is not a mad 1337 h4x0r waiting to launch shells and 'sploit us? We don't, unless we are 1337 reverse engineering badasses. Of course, we can be sure Pico is real and not trying to take over our machines. But once again the Hacker Spirit prevails, and Paranoia takes over. This leads me into this series, "Paranoia and a Terminal", where I will cover things we can do to stay safe, anonymous, and otherwise sleep better at night.
So what can we do about it?
As @oaktree has elegantly pointed out, we shouldn't run unknown binaries regardless of who posted them, because we don't know what they could be doing.
What we need to do is run our binary in a VM. But that takes a lot of effort, right? I've got to figure out what OS I want to virtualise, find the downloads, sift through them till I get the version and edition I want, and then download it, which on my 9600 baud dial-up connection is gonna take forever! Once I've done that, I've got to run through the installation and eventually sort out folder mounting and SSH. It's just a pain. Fear not! There is light! Say hello to Vagrant.
Vagrant is a really cool virtualization package that uses VirtualBox as its backend. It allows me to:
- Download a prebuilt ready-made VM image
- Initialise it
- Mount the current working directory
- SSH into it
All in three commands. It's super slick for this kind of quick paranoia investigation.
If you're running Windows, OS X, CentOS, or Debian, you can download the installers here; otherwise, if you're running some other distro (like me), I'm sure your OS's package manager has it. You'll also need to install VirtualBox. For me, I just ran
sudo pacman -S virtualbox
sudo pacman -S vagrant
If you are on Ubuntu run:
sudo apt-get install virtualbox
sudo apt-get install vagrant
Now you are up and running, and usage is super simple. Navigate to the folder containing the files you want to access, and run
vagrant init hashicorp/precise32
This will create a file called "Vagrantfile" in the current directory. These files are shareable with other people (another thing which makes Vagrant rock).
You can open this file up and notice it's just a config file for setting up the VM; you haven't actually started the VM yet, you've just configured it.
Now you need to get your VM up and running! This is again super simple, just run:
vagrant up
This will set up your VM using the config and download the image if you do not already have it. If this is your first time using Vagrant, you will not have the image already; but Vagrant rocks, it will download it for you. This shouldn't take too long, as it's fairly small.
Now your VM is running; man, that was simple, eh? This command has configured networking, configured SSH, configured private key auth, and mounted the current directory into the VM. To access your newfound VM, run:
vagrant ssh
Now you have access to your VM in your terminal, no hassle. To access the files in your current directory (Vagrant mounts the project directory at /vagrant by default):
cd /vagrant
You'll see the file "scaryfile.txt" is in there; this is your current working directory, mounted. If you delete
scaryfile.txt, it will also be deleted on the real machine, so make note of this. Any commands run in this prompt, however, will only execute on the VM. You could run
sudo rm -rf / and of course it would break the VM, but it wouldn't touch your real machine (apart from whatever it reaches through the mounted directory, as just noted).
Keep in mind that Vagrant will use your existing network stack, so if you were to run a malicious script that sends your IP to the attacker, this would not protect against that; you'd need to configure a proxy, all of which is entirely possible with Vagrant.
Exiting + Destroying
So, you've examined the big scary files, you've determined they are dirty as (@0x00pf, I'm looking at you), and you've decided to rid your machine of the now borked VM.
You can exit your VM SSH connection with
exit; however, that will only kill the connection, the VM is still running in the background. To see a list of the currently running machines and their states, run:
vagrant status
In our example, we have our current machine running. To stop it, run
vagrant halt
Since we are in our current working directory, Vagrant knows which VM we are talking about, and is thus able to stop it with no further specification.
Now we have completed that, we can either start it up again by running
vagrant up, or we can destroy it completely. Since we know the file is dirty and riddled with malware, we can destroy the box with
vagrant destroy
This leaves our files intact, but our virtual machine is gone.
We have seen that sometimes we need to just check something out, but don't want the headache of setting up yet another VM. Vagrant makes that easy; once software used almost entirely by developers and sysadmins for shipping software, and a powerful precursor to Docker, it is still relevant in the security world, and continues to make my life a lot easier.
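As an added example (my own script, not part of the original post or of Vagrant itself), here is a small POSIX shell wrapper around the init / up / ssh / destroy workflow above. It writes a Vagrantfile that mounts the current directory read-only in the guest, so deleting scaryfile.txt inside the VM no longer deletes it on the host, runs one command over `vagrant ssh -c`, and tears the box down with `vagrant destroy -f` whether the command succeeded or not. The function names and the 512 MB memory setting are my own choices; the box name is passed in as an argument.

```shell
#!/bin/sh
# Constructed example: wrap the Vagrant workflow from the post so that the
# host copy of the files under analysis cannot be altered from the guest.
# Assumes vagrant and VirtualBox are installed.

# Emit a Vagrantfile for the given box. The synced folder is mounted with
# the "ro" option, so the guest can read /vagrant but not write to it.
write_vagrantfile() {
    box="$1"
    cat <<EOF
Vagrant.configure("2") do |config|
  config.vm.box = "${box}"
  config.vm.box_check_update = false
  # Current directory, read-only inside the guest.
  config.vm.synced_folder ".", "/vagrant", mount_options: ["ro"]
  # No extra networks are added: only Vagrant's default NAT adapter remains,
  # which still allows outbound traffic (see the caveat in the post).
  config.vm.provider "virtualbox" do |vb|
    vb.gui = false
    vb.memory = "512"
  end
end
EOF
}

# Bring up a fresh VM from BOX, run CMD inside it via SSH, then destroy
# the VM regardless of the outcome. Returns the exit status of CMD.
# Usage: inspect_in_vm hashicorp/precise32 "file /vagrant/scaryfile.txt"
inspect_in_vm() {
    box="$1"; shift
    write_vagrantfile "$box" > Vagrantfile
    vagrant up || { vagrant destroy -f; return 1; }
    vagrant ssh -c "$*"
    rc=$?
    vagrant destroy -f
    return $rc
}
```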