UPDATE:
CryptoAuthLib solve the problem. Many thanks #zaph
I'm working on ATSHA204 security chip, where a part of work is to calculate SHA-256 alike the chip does. I'm using
CryptoAuthentication ATSHA204A Development Library 2.0.1 [from hxxp://www.atmel.com/tools/CRYPTOAUTHENTICATIONATSHA204DEVELOPMENTLIBRARY.aspx] Implemented in C.
Well, while try any data >= 64 bytes, everything works fine. But anything < 64 bytes differ with the CHIP's calculation.
Have a look below,
message:
20 4D 56 EF 56 F6 27 71
AD CF D7 07 FC BA BE 21
A8 7D 7C AF F5 54 6F ED
27 2C F9 ED 75 B3 94 C7
1C 04 02 00 EE 01 23 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
0E EA 11 36 8E 89 D2 11
07 C1 1B 64 B6 D0 34 DA
A6 DB 66 0F 14 FB DB C6
26 7D 6A 3A 62 83 47 13
digest from Atmel's algorithm:
8C E2 28 98 6A 21 A3 40
A4 42 97 CE 4C 80 70 DF
87 97 61 B3 FC CD A2 BF
8D F0 89 EE 29 B8 68 BF
And while taking something < 64 length to same implementation,
message:
11 CC 32 8B 30 ED 04 81
73 96 A9 F8 3B F7 9E 72
23 DC 05 29 3C 65 36 70
3A 03 1C E2 C2 2D 99 4E
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 16 00 00
digest from Atmel's algorithm:
40 3D DC C0 93 A6 4B A5
01 36 7D 59 EC 8C C4 59
15 20 6D 52 A7 D5 ED 40
9B 95 31 D3 49 37 F3 F8
What should add with message which less than 64 bytes to get digest alike the CHIP calculation. [unfortunately yet failed any reply from ATMEL community]
Related
Currently I'm trying to read the bytes from the IDAT chunk of a PNG image, in C. I am able to get all the other info, including the said array of bytes.
The problem arises whenever I try to decompress said array with zlib's uncompress() method.
[ ... ]
int decompress(Chunk * _chunk, Image * _image)
{
uLongf compressedSize = _chunk->length;
byte * uncompressedData = NULL;
uLongf uncompressedSize = 0;
int ret = uncompress(uncompressedData, &uncompressedSize, _chunk->data, compressedSize);
if(ret != Z_OK)
{
fprintf(stderr, "Error: failed to uncompress IDAT chunk data. ERR CODE: %d\n", ret);
return -1;
}
[ ... ]
}
The chunk struct is defined as such:
typedef struct chunk
{
uint32_t length;
byte chunkType[4];
byte *data;
} Chunk;
The byte type is just an unsigned char, and the image struct is defined as follows:
typedef struct image
{
uint32_t width;
uint32_t height;
byte bitDepth;
byte colorType;
byte compression;
byte filter;
byte interlace;
} Image;
The test image's HEX representation is:
89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52
00 00 00 11 00 00 00 12 04 03 00 00 00 4F D7 28
67 00 00 00 30 50 4C 54 45 00 00 00 80 00 00 00
80 00 80 80 00 00 00 80 80 00 80 00 80 80 80 80
80 C0 C0 C0 FF 00 00 00 FF 00 FF FF 00 00 00 FF
FF 00 FF 00 FF FF FF FF FF 7B 1F B1 C4 00 00 00
09 70 48 59 73 00 00 0E C4 00 00 0E C4 01 95 2B
0E 1B 00 00 00 28 49 44 41 54 08 D7 63 D8 0D 05
1B 18 36 30 00 01 FF FF FF 24 B1 FE FF FF C0 C0
40 0E 6B FF FF FF 20 73 48 60 C1 5D 0A 00 BB 1A
49 27 39 98 BC 6E 00 00 00 00 49 45 4E 44 AE 42
60 82
And the bytes of the IDAT chunk are:
08 D7 63 D8 0D 05 1B 18 36 30 00 01 FF FF FF 24 B1 FE FF FF C0 C0 40 0E 6B FF FF FF 20 73 48 60 C1 5D 0A 00 BB 1A 49 27
It must be noted that I'm not taking the CRC of the chunk as well; from my understanding it shouldn't be a problem.
Any idea as to why the uncompress() method is returning Z_DATA_ERROR?
You're not giving uncompress() anywhere to put the uncompressed data! uncompressedData cannot be NULL.
If a client connects to SQL Server, and a certificate is used to power TLS encryption, how can i get information about that certificate?
Ideally i want all the details, but i'd be happy with
Issuer: SSL_Self_Signed_Fallback
Issued to: SSL_Self_Signed_Fallback
SHA1 fingerprint: 6640479c9cac2b7ca63c9708c71a9245b951b4c7
Obviously i can't just look at the configuration on the server; as i'm trying to verify no MitM.
Also, i want to verify the correct certificate is being used (especially when no certificate is selected for use in the SQL Server Configuration Manager).
Either way: i want the client to be able to verify the certificate.
How can i get information about the certificate.
Assume:
ADO.net (SqlClient provider)
ADO (SQLOLEDB Provider)
OLEDB (SQLOLEDB Provider)
Whichever helps.
Bonus - Decoding network traffic
You can spy on the network traffic, and view the raw TLS handshake:
16 03 01 04 d0 02 00 00 51 03 01 5d a7 35 91 e7 c2 8d f3 3e d5 e4 6d ec 9a b9 7f af c1 43 ad d3 51 41 b7 44 4f 57 4e 47 52 44 00 20 d1 03 00 00 5b 82 d8 85 fe e2 b6 9a 6c ec 88 69 fc ee d3 61
23 e4 ae 17 3b be 1a e2 8f 29 23 ca c0 14 00 00 09 00 17 00 00 ff 01 00 01 00 0b 00 03 08 00 03 05 00 03 02 30 82 02 fe 30 82 01 e6 a0 03 02 01 02 02 10 20 9e 8f 8c 08 72 c1 bf 45 ad f8 df 73
1f 21 47 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 3b 31 39 30 37 06 03 55 04 03 1e 30 00 53 00 53 00 4c 00 5f 00 53 00 65 00 6c 00 66 00 5f 00 53 00 69 00 67 00 6e 00 65 00 64 00 5f 00
46 00 61 00 6c 00 6c 00 62 00 61 00 63 00 6b 30 1e 17 0d 31 39 31 30 31 36 31 34 30 31 30 36 5a 17 0d 34 39 31 30 31 36 31 34 30 31 30 36 5a 30 3b 31 39 30 37 06 03 55 04 03 1e 30 00 53 00 53
00 4c 00 5f 00 53 00 65 00 6c 00 66 00 5f 00 53 00 69 00 67 00 6e 00 65 00 64 00 5f 00 46 00 61 00 6c 00 6c 00 62 00 61 00 63 00 6b 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03
82 01 0f 00 30 82 01 0a 02 82 01 01 00 b6 dc 05 25 3e 1e 41 82 f6 b4 bc 97 1c c5 1e 02 a6 bb 1a c7 34 ed 51 cc 65 a6 60 72 0c 3c 0e ac 57 df 4f df 18 15 14 6f e0 9c d4 39 36 a1 8e 5b 17 85 0a
93 c2 78 02 70 89 f5 35 18 55 37 14 b0 6e 4c cd 0d e7 a0 81 33 c8 42 bc 55 f6 71 fa 4e d2 98 5e 63 5b 32 a6 c3 04 21 3d 22 df 8c ee a7 6e 53 4b be 3d e6 39 c9 90 c6 a9 ed df 7a a8 46 83 b9 7c
f1 03 7c 45 b1 be 42 ee 71 aa bc d6 7b 27 41 f3 b8 c4 16 2a 18 8a 38 4c 19 51 25 78 56 ce 12 75 d0 eb 29 19 c5 70 b1 c0 13 18 77 77 a6 9b 47 1f fe 1f 27 5a 50 fb 3f 73 03 c3 a0 5d 2f f4 dd 37
fd df 87 f0 80 e9 de a7 16 df ee b8 00 c2 1e 68 49 19 ce 44 f4 af ac bf d3 5f b8 1c 64 d5 95 1f 8b 32 c1 5a 80 a8 21 2d 2c 66 b8 7e 29 13 11 f8 1f e1 e9 0f 68 4e 0a b8 1b 3c f3 28 6f b7 46 85
b1 17 c9 c6 82 e4 3c 28 d4 6d d9 5b dd 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 82 01 01 00 3e f8 c8 54 30 c1 c1 12 5e eb 01 e5 50 41 57 55 de 9e 2e 69 2a 14 fa 9a 5a 9f
d3 c3 1c 28 49 28 b2 c2 e0 cf 3d 7f 48 88 3c 25 e3 30 b7 93 e1 5c a5 9c 6f 41 b0 fb 55 67 69 e5 c5 0e 46 7c e6 2b b4 2b d8 ac 42 62 1e 18 01 69 cd e0 85 59 77 19 bd f9 17 fc 1d 10 ba 8a 93 aa
88 8e e9 73 2c 56 2e d1 5e 22 ca 20 61 4c 03 f0 70 9f a7 a7 ed 16 3a fa 00 0e 9e 39 e8 6b 99 a1 72 cb 48 b8 88 26 2d 9d 3f d6 48 70 f0 a5 51 ee c0 a9 0a e8 cf e6 ed 27 79 4d f1 23 a6 f4 64 a0
72 04 2a 3a b9 30 aa 84 e4 d2 26 9d 8c 3e b5 fe 87 ef 2c 21 c7 4e 38 1f b7 b1 25 69 68 d8 42 b1 8d 25 f3 90 14 78 d2 39 9f 0f 17 2a fc 24 2e 3b 3b 40 99 c6 fb c9 0a b0 af cd 66 f1 c9 84 c5 be
dc e9 38 bb 36 2d be 6b db db 86 95 96 c6 84 4b 7d b0 a1 ea f7 42 b2 56 93 ec e9 fd 86 8f a5 ad f0 57 63 78 d0 5a 0c 00 01 67 03 00 18 61 04 6d f6 56 8c e9 8a 82 29 0a d4 da ea be 89 52 30 bf
cd 49 66 77 7f 18 12 b1 75 44 96 d1 9e 6d 15 da 69 ba a7 7c ee 6f ab 96 ea b0 0d 64 0f c4 22 ba d7 9f 54 71 15 42 84 50 95 a4 ad 16 15 71 56 a7 0a 80 60 2d 83 86 80 0a 96 7b 30 6a aa b7 be 8f
45 9b 96 1a 5c b2 d3 e6 28 6f c4 e4 bb 70 ce 01 00 23 e6 8d 9e bf fc 90 66 f8 07 b6 6b 44 bb 03 b5 3b fd 72 fe 7b 5a e6 15 5d 10 d6 51 22 b8 44 8d 27 85 20 53 04 fb 06 32 b7 03 9e ba 7a 32 62
f1 61 25 8a c4 42 3a 02 1f be cf 92 4d 6e 48 d3 48 8b 8f 03 dc 66 d8 8b 63 21 be 6f b0 53 1c 00 37 4e 7e 4f e8 1e ba d2 c4 45 0f c0 13 ed 71 ee 47 f3 4c 0d 1d af d5 d5 bb 52 78 4b b3 55 70 4e
bc a4 f1 da 4a ec 60 7a af 81 23 49 16 57 db 8e 8b 22 65 91 3f 5b 1c 0a 13 d0 e4 b0 a4 d3 10 33 a3 bd c9 39 b6 ea 9b 73 67 11 49 ed 4f 6d 71 ae ce a3 2a 3a 6d 07 d9 d6 24 89 27 2d e6 5a e9 e1
e0 6c 47 5c c1 c0 72 01 e6 63 a6 06 7f 0d b0 16 68 7d 82 49 86 df 38 9b b4 95 5a 95 f8 e8 03 e9 63 83 7c c4 07 62 a1 f5 ce 48 0a 0c 6e 9c da e5 bf 5e e4 56 a1 de 98 80 e5 65 df eb 25 7c 38 97
8a e1 8d a3 c9 a8 a6 f8 bb 77 06 16 ec 21 8a 5c 0e 0e 00 00 00
Which can then be decoded:
Record Header
16 ; type 0x16 (22) = Handshake record
03 01 ; protocol version { 3, 1 } TLS 1.0
04 d0 ; 0x04d0 bytes of handshake message follows
Handshake
02 ; Handshake type 0x02 (2=server_hello)
00 51 ; bytes in message 0x0051 (88-bytes)
03 01 ; server_version { 3, 1 } (TLS 1.0)
5d a7 35 91 ; random.gmt_unix_time (1571239313 = 10/16/2019 3:21pm UTC)
e7 c2 8d f3 3e d5 e4 6d ; random.random_bytes 28-bytes
ec 9a b9 7f af c1 43 ad
d3 51 41 b7 44 4f 57 4e
47 52 44 00 20 d1 03 00 ; "çÂ.ó>Õämìš¹¯ÁCÓQA·DOWNGRD\0"
00 5b 82 d8 85 fe e2 b6 ; SessionID (variable length 2..32-bytes)
9a 6c ec 88 69 fc ee d3
61 23 e4 ae 17 3b be 1a
e2 8f 29 23 ca c0 14 00
00 09 ; CipherSuite { 0, 9} (TLS_RSA_WITH_DES_CBC_SHA)
00 17 ; CipherSuite { 0, 0x17 } = (TLS_DH_anon_EXPORT_WITH_RC4_40_MD5)
00 00 ; CipherSuite { 0, 0 } (TLS_NULL_WITH_NULL_NULL)
ff ; compression_method 0xff
01 ; compression_method 0x01
00 ; compression_method 0x00 (0=null)
01 00 ; ???
Handshake header
0b ; 0x0b (11) handshake message (11=certificate)
00 03 08 ; 0x308 (776) bytes of certificates to follow
Certificates length
00 03 05 ; length of all certificates to follow is 0x305 (773) bytes
Certificate 1 Length
00 03 02 ; certificate 1 length 0x302 (770) bytes
Certificate 1
30 82 02 fe 30 82 01 e6 a0 03 02 01 02 02 10 20 9e 8f 8c 08 72 c1 bf 45 ad f8 df 73 1f 21 47 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 3b 31 39 30 37 06 03 55 04 03 1e 30 00
53 00 53 00 4c 00 5f 00 53 00 65 00 6c 00 66 00 5f 00 53 00 69 00 67 00 6e 00 65 00 64 00 5f 00 46 00 61 00 6c 00 6c 00 62 00 61 00 63 00 6b 30 1e 17 0d 31 39 31 30 31 36 31 34 30 31 30 36 5a
17 0d 34 39 31 30 31 36 31 34 30 31 30 36 5a 30 3b 31 39 30 37 06 03 55 04 03 1e 30 00 53 00 53 00 4c 00 5f 00 53 00 65 00 6c 00 66 00 5f 00 53 00 69 00 67 00 6e 00 65 00 64 00 5f 00 46 00 61
00 6c 00 6c 00 62 00 61 00 63 00 6b 30 82 01 22 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 0f 00 30 82 01 0a 02 82 01 01 00 b6 dc 05 25 3e 1e 41 82 f6 b4 bc 97 1c c5 1e 02 a6 bb 1a
c7 34 ed 51 cc 65 a6 60 72 0c 3c 0e ac 57 df 4f df 18 15 14 6f e0 9c d4 39 36 a1 8e 5b 17 85 0a 93 c2 78 02 70 89 f5 35 18 55 37 14 b0 6e 4c cd 0d e7 a0 81 33 c8 42 bc 55 f6 71 fa 4e d2 98 5e
63 5b 32 a6 c3 04 21 3d 22 df 8c ee a7 6e 53 4b be 3d e6 39 c9 90 c6 a9 ed df 7a a8 46 83 b9 7c f1 03 7c 45 b1 be 42 ee 71 aa bc d6 7b 27 41 f3 b8 c4 16 2a 18 8a 38 4c 19 51 25 78 56 ce 12 75
d0 eb 29 19 c5 70 b1 c0 13 18 77 77 a6 9b 47 1f fe 1f 27 5a 50 fb 3f 73 03 c3 a0 5d 2f f4 dd 37 fd df 87 f0 80 e9 de a7 16 df ee b8 00 c2 1e 68 49 19 ce 44 f4 af ac bf d3 5f b8 1c 64 d5 95 1f
8b 32 c1 5a 80 a8 21 2d 2c 66 b8 7e 29 13 11 f8 1f e1 e9 0f 68 4e 0a b8 1b 3c f3 28 6f b7 46 85 b1 17 c9 c6 82 e4 3c 28 d4 6d d9 5b dd 02 03 01 00 01 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05
00 03 82 01 01 00 3e f8 c8 54 30 c1 c1 12 5e eb 01 e5 50 41 57 55 de 9e 2e 69 2a 14 fa 9a 5a 9f d3 c3 1c 28 49 28 b2 c2 e0 cf 3d 7f 48 88 3c 25 e3 30 b7 93 e1 5c a5 9c 6f 41 b0 fb 55 67 69 e5
c5 0e 46 7c e6 2b b4 2b d8 ac 42 62 1e 18 01 69 cd e0 85 59 77 19 bd f9 17 fc 1d 10 ba 8a 93 aa 88 8e e9 73 2c 56 2e d1 5e 22 ca 20 61 4c 03 f0 70 9f a7 a7 ed 16 3a fa 00 0e 9e 39 e8 6b 99 a1
72 cb 48 b8 88 26 2d 9d 3f d6 48 70 f0 a5 51 ee c0 a9 0a e8 cf e6 ed 27 79 4d f1 23 a6 f4 64 a0 72 04 2a 3a b9 30 aa 84 e4 d2 26 9d 8c 3e b5 fe 87 ef 2c 21 c7 4e 38 1f b7 b1 25 69 68 d8 42 b1
8d 25 f3 90 14 78 d2 39 9f 0f 17 2a fc 24 2e 3b 3b 40 99 c6 fb c9 0a b0 af cd 66 f1 c9 84 c5 be dc e9 38 bb 36 2d be 6b db db 86 95 96 c6 84 4b 7d b0 a1 ea f7 42 b2 56 93 ec e9 fd 86 8f a5 ad
f0 57 63 78 d0 5a 0c 00 01 67 03 00 18 61 04 6d f6 56 8c e9 8a 82 29 0a d4 da ea be 89 52 30 bf cd 49 66 77 7f 18 12 b1 75 44 96 d1 9e 6d 15 da 69 ba a7 7c ee 6f ab 96 ea b0 0d 64 0f c4 22 ba
d7 9f 54 71 15 42 84 50 95 a4 ad 16 15 71 56 a7 0a 80 60 2d 83 86 80 0a 96 7b 30 6a aa b7 be 8f 45 9b 96 1a 5c b2 d3 e6 28 6f c4 e4 bb 70 ce 01 00 23 e6 8d 9e bf fc 90 66 f8 07 b6 6b 44 bb 03
b5 3b fd 72 fe 7b 5a e6 15 5d 10 d6 51 22 b8 44 8d 27 85 20 53 04 fb 06 32 b7 03 9e ba 7a 32 62 f1 61 25 8a c4 42 3a 02 1f be cf 92 4d 6e 48 d3 48 8b 8f 03 dc 66 d8 8b 63 21 be 6f b0 53 1c 00
37 4e 7e 4f e8 1e ba d2 c4 45 0f c0 13 ed 71 ee 47 f3 4c 0d 1d af d5 d5 bb 52 78 4b b3 55 70 4e bc a4 f1 da 4a ec 60 7a af 81 23 49 16 57 db 8e 8b 22 65 91 3f 5b 1c 0a 13 d0 e4 b0 a4 d3 10 33
a3 bd c9 39 b6 ea 9b 73 67 11 49 ed 4f 6d 71 ae ce a3 2a 3a 6d 07 d9 d6 24 89 27 2d e6 5a e9 e1 e0 6c 47 5c c1 c0 72 01 e6 63 a6 06 7f 0d b0 16 68 7d 82 49 86 df 38 9b b4 95 5a 95 f8 e8 03 e9
63 83 7c c4 07 62 a1 f5 ce 48 0a 0c 6e 9c da e5 bf 5e e4 56 a1 de 98 80 e5 65 df eb 25 7c 38 97 8a e1 8d a3 c9 a8 a6 f8 bb 77 06 16 ec 21 8a 5c 0e 0e 00 00 00
The certificate can then be decoded:
Issued by: SSL_Self_Signed_Fallback
Issued to: SSL_Self_Signed_Fallback
Valid from: 2019-10-16 14:01:06 UTC
Valid to: 2049-10-16 14:01:06 UTC
SHA1 fingerprint: 6640479c9cac2b7ca63c9708c71a9245b951b4c7
Of course that requires a network spying tool, and a lot of work.
As opposed to most of TLS clients (e.g. http, smtp, pop3, ftp, InternetQueryOption) allow you to view the client certificate directly:
Bonus Chatter - The TLS Nonce Easter Egg
The random 28-byte NONCE, generated by SQL Server and sent to the client, contains an easter-egg (of sorts):
; random.random_bytes 28-bytes
e7 c2 8d f3 3e d5 e4 6d ec 9a b9 7f af c1 çÂ.ó>Õämìš¹.¯Á
43 ad d3 51 41 b7 44 4f 57 4e 47 52 44 00 C.ÓQA·DOWNGRD.
It ends with "DOWNGRD\0".
That's a feature of TLS 1.3 designed to help a client detect a downgrade attack.
If the server is capable of supporting TLS 1.3, but it has been asked by the client to use something lower, it adds "DOWNGRD" to the random nonce:
DOWNGRD\0: If the server was asked to negotiate TLS 1.1 or earlier
DOWNGRD\1: If the server was asked to negotiate TLS 1.2
This way the client can detect if a man-in-the-middle intercepted the client, and altered the list of protocols supposedly supported by the client to trick the client into using TLS 1.2 (weaker), or TLS 1.1 or earlier (broken).
Bonus Reading
How does TLS 1.3 protect against downgrade attacks? 🕗
OpenSSL: Fetching SQL Server public certificate (asking about OpenSSL)
How can client retrieve SQL Server public SSL certificate? (Asking for anything; including network sniffing)
p.s. And, of course, this question does not belong on dba.stackexchange.com because this is a programming question (e.g. ADO.net, OLEDB), and not a DBA question.
I am not so familiar with the C language and compiling it in Linux but I have something to ask and hope you can assist.
I have this line of code that uses an installed command and its parameters to join domain. (see pic).
After I run gcc join.c to compile it its created a file a.out.
So far so good but when I run vim a.out to view to content of that file I see mypassword can be easily viewed by a simple text editor. (see second pic)
Is there anything I can do to avoid this when compiling my C code?
#include <stdio.h>
#include <unistd.h>
int main ()
{
printf("Running 'net join' with the following parameters: \n");
char *domain="mydomain";
char *user="domainjoinuser";
char *pass="mypassword";
char *vastool="/opt/quest/bin/vastool";
char *ou="OU=test,DC=mtdomain,DC=local";
char unjoin[512];
sprintf(unjoin,"/opt/quest/in/vastool -u %s -w '%s' unjoin -f",user,pass);
printf("Domain: %s\n",domain);
printf("User: %s\n",user);
printf("-----------------\n");
printf("Unjoin.............\n");
system(unjoin);
printf("Join................\n");
execl("/opt/quest/bin/vastool", "vastool", "-u", user, "-w", pass, "join", "-c", "ou", "-f", domain, (char*)0);
}
00000000 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 3e 00 01 00 00 00 40 83 04 08 00 00 00 00 |..>.....#.......|
00000020 40 00 00 00 00 00 00 00 40 0a 00 00 00 00 00 00 |#.......#.......|
00000030 00 00 00 00 40 00 38 00 04 00 40 00 1c 00 1b 00 |....#.8...#.....|
00000040 03 00 00 00 04 00 00 00 20 01 00 00 00 00 00 00 |........ .......|
00000050 20 81 04 08 00 00 00 00 20 81 04 08 00 00 00 00 | ....... .......|
00000060 1c 00 00 00 00 00 00 00 1c 00 00 00 00 00 00 00 |................|
00000070 01 00 00 00 00 00 00 00 01 00 00 00 05 00 00 00 |................|
00000080 20 01 00 00 00 00 00 00 20 81 04 08 00 00 00 00 | ....... .......|
00000090 20 81 04 08 00 00 00 00 b0 05 00 00 00 00 00 00 | ...............|
000000a0 b0 05 00 00 00 00 00 00 00 10 00 00 00 00 00 00 |................|
000000b0 01 00 00 00 06 00 00 00 e0 06 00 00 00 00 00 00 |................|
000000c0 e0 96 04 08 00 00 00 00 e0 96 04 08 00 00 00 00 |................|
000000d0 60 02 00 00 00 00 00 00 60 02 00 00 00 00 00 00 |`.......`.......|
000000e0 00 10 00 00 00 00 00 00 02 00 00 00 06 00 00 00 |................|
000000f0 24 08 00 00 00 00 00 00 24 98 04 08 00 00 00 00 |$.......$.......|
00000100 24 98 04 08 00 00 00 00 a0 00 00 00 00 00 00 00 |$...............|
00000110 a0 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00000120 2f 6c 69 62 36 34 2f 6c 64 2d 6c 69 6e 75 78 2d |/lib64/ld-linux-|
00000130 78 38 36 2d 36 34 2e 73 6f 2e 32 00 00 00 00 00 |x86-64.so.2.....|
00000140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000150 00 00 00 00 01 00 00 00 12 00 00 00 70 86 04 08 |............p...|
00000160 00 00 00 00 c0 01 00 00 00 00 00 00 13 00 00 00 |................|
00000170 12 00 00 00 80 86 04 08 00 00 00 00 a1 00 00 00 |................|
00000180 00 00 00 00 1a 00 00 00 12 00 00 00 90 86 04 08 |................|
00000190 00 00 00 00 8f 00 00 00 00 00 00 00 22 00 00 00 |............"...|
000001a0 12 00 00 00 a0 86 04 08 00 00 00 00 61 00 00 00 |............a...|
000001b0 00 00 00 00 29 00 00 00 12 00 00 00 b0 86 04 08 |....)...........|
000001c0 00 00 00 00 b0 01 00 00 00 00 00 00 2f 00 00 00 |............/...|
000001d0 12 00 0c 00 80 86 04 08 00 00 00 00 00 00 00 00 |................|
000001e0 00 00 00 00 35 00 00 00 20 00 00 00 00 00 00 00 |....5... .......|
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 5f 5f 6c |.............__l|
00000200 69 62 63 5f 73 74 61 72 74 5f 6d 61 69 6e 00 70 |ibc_start_main.p|
00000210 72 69 6e 74 66 00 73 70 72 69 6e 74 66 00 73 79 |rintf.sprintf.sy|
00000220 73 74 65 6d 00 65 78 65 63 6c 00 5f 69 6e 69 74 |stem.execl._init|
00000230 00 5f 5f 67 6d 6f 6e 5f 73 74 61 72 74 5f 5f 00 |.__gmon_start__.|
00000240 6c 69 62 63 2e 73 6f 2e 36 00 00 00 04 00 00 00 |libc.so.6.......|
00000250 08 00 00 00 06 00 00 00 04 00 00 00 03 00 00 00 |................|
00000260 07 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 |................|
00000270 02 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 |................|
00000280 00 00 00 00 f8 98 04 08 00 00 00 00 07 00 00 00 |................|
00000290 01 00 00 00 00 00 00 00 00 00 00 00 00 99 04 08 |................|
000002a0 00 00 00 00 07 00 00 00 02 00 00 00 00 00 00 00 |................|
000002b0 00 00 00 00 08 99 04 08 00 00 00 00 07 00 00 00 |................|
000002c0 03 00 00 00 00 00 00 00 00 00 00 00 10 99 04 08 |................|
000002d0 00 00 00 00 07 00 00 00 04 00 00 00 00 00 00 00 |................|
000002e0 00 00 00 00 18 99 04 08 00 00 00 00 07 00 00 00 |................|
000002f0 05 00 00 00 00 00 00 00 00 00 00 00 20 99 04 08 |............ ...|
00000300 00 00 00 00 07 00 00 00 06 00 00 00 00 00 00 00 |................|
00000310 00 00 00 00 28 99 04 08 00 00 00 00 06 00 00 00 |....(...........|
00000320 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000340 31 ed 49 89 d1 5e 48 89 e2 48 83 e4 f0 50 54 49 |1.I..^H..H...PTI|
00000350 c7 c0 90 85 04 08 48 c7 c1 00 85 04 08 48 c7 c7 |......H......H..|
00000360 6c 83 04 08 e8 07 03 00 00 f4 66 90 55 48 89 e5 |l.........f.UH..|
00000370 48 81 ec 30 02 00 00 48 8d 05 66 13 00 00 48 89 |H..0...H..f...H.|
00000380 c7 b8 00 00 00 00 e8 f5 02 00 00 48 8d 05 86 13 |...........H....|
00000390 00 00 48 89 45 f8 48 8d 05 84 13 00 00 48 89 45 |..H.E.H......H.E|
000003a0 f0 48 8d 05 88 13 00 00 48 89 45 e8 48 8d 05 88 |.H......H.E.H...|
000003b0 13 00 00 48 89 45 e0 48 8d 05 94 13 00 00 48 89 |...H.E.H......H.|
000003c0 45 d8 48 8b 45 e8 49 89 c3 48 8b 45 f0 49 89 c2 |E.H.E.I..H.E.I..|
000003d0 48 8d 05 98 13 00 00 48 89 c6 48 8d 85 d8 fd ff |H......H..H.....|
000003e0 ff 48 89 c7 4c 89 d2 4c 89 d9 b8 00 00 00 00 e8 |.H..L..L........|
000003f0 9c 02 00 00 48 8b 45 f8 48 89 c6 48 8d 05 9b 13 |....H.E.H..H....|
00000400 00 00 48 89 c7 b8 00 00 00 00 e8 71 02 00 00 48 |..H........q...H|
00000410 8b 45 f0 48 89 c6 48 8d 05 8c 13 00 00 48 89 c7 |.E.H..H......H..|
00000420 b8 00 00 00 00 e8 56 02 00 00 48 8d 05 82 13 00 |......V...H.....|
00000430 00 48 89 c7 b8 00 00 00 00 e8 42 02 00 00 48 8d |.H........B...H.|
00000440 05 81 13 00 00 48 89 c7 b8 00 00 00 00 e8 2e 02 |.....H..........|
00000450 00 00 48 8d 85 d8 fd ff ff 48 89 c7 b8 00 00 00 |..H......H......|
00000460 00 e8 3a 02 00 00 48 8d 05 6e 13 00 00 48 89 c7 |..:...H..n...H..|
00000470 b8 00 00 00 00 e8 06 02 00 00 48 b8 00 00 00 00 |..........H.....|
00000480 00 00 00 00 50 48 8b 45 f8 50 48 8d 05 90 13 00 |....PH.E.PH.....|
00000490 00 50 48 8d 05 85 13 00 00 50 48 8d 05 7a 13 00 |.PH......PH..z..|
000004a0 00 50 48 8d 05 6d 13 00 00 50 48 8b 45 e8 49 89 |.PH..m...PH.E.I.|
000004b0 c1 48 8d 05 5b 13 00 00 49 89 c0 48 8b 45 f0 49 |.H..[...I..H.E.I|
000004c0 89 c3 48 8d 05 47 13 00 00 49 89 c2 48 8d 05 35 |..H..G...I..H..5|
000004d0 13 00 00 48 89 c6 48 8d 05 14 13 00 00 48 89 c7 |...H..H......H..|
000004e0 4c 89 d2 4c 89 d9 b8 00 00 00 00 e8 c0 01 00 00 |L..L............|
000004f0 48 83 c4 30 c9 c3 00 00 00 00 00 00 00 00 00 00 |H..0............|
00000500 48 89 6c 24 d8 4c 89 64 24 e0 48 8d 2d 4f 01 00 |H.l$.L.d$.H.-O..|
00000510 00 4c 8d 25 48 01 00 00 48 89 5c 24 d0 4c 89 6c |.L.%H...H.\$.L.l|
00000520 24 e8 4c 89 74 24 f0 4c 89 7c 24 f8 48 83 ec 38 |$.L.t$.L.|$.H..8|
00000530 4c 29 e5 41 89 ff 49 89 f6 48 c1 fd 03 49 89 d5 |L).A..I..H...I..|
00000540 31 db e8 d9 00 00 00 48 85 ed 74 1a 0f 1f 40 00 |1......H..t...#.|
00000550 4c 89 ea 4c 89 f6 44 89 ff 41 ff 14 dc 48 83 c3 |L..L..D..A...H..|
00000560 01 48 39 eb 75 ea 48 8b 5c 24 08 48 8b 6c 24 10 |.H9.u.H.\$.H.l$.|
00000570 4c 8b 64 24 18 4c 8b 6c 24 20 4c 8b 74 24 28 4c |L.d$.L.l$ L.t$(L|
00000580 8b 7c 24 30 48 83 c4 38 c3 0f 1f 80 00 00 00 00 |.|$0H..8........|
00000590 f3 c3 00 00 01 00 02 00 14 00 00 00 00 00 00 00 |................|
000005a0 01 7a 52 00 01 78 10 01 1b 0c 07 08 90 01 07 10 |.zR..x..........|
000005b0 14 00 00 00 1c 00 00 00 88 fd ff ff 2a 00 00 00 |............*...|
000005c0 00 00 00 00 00 00 00 00 14 00 00 00 00 00 00 00 |................|
000005d0 01 7a 52 00 01 78 10 01 1b 0c 07 08 90 01 00 00 |.zR..x..........|
000005e0 24 00 00 00 1c 00 00 00 18 ff ff ff 89 00 00 00 |$...............|
000005f0 00 4a 86 06 8c 05 66 0e 40 83 07 8d 04 8e 03 8f |.J....f.#.......|
00000600 02 02 58 0e 08 00 00 00 14 00 00 00 44 00 00 00 |..X.........D...|
00000610 80 ff ff ff 02 00 00 00 00 00 00 00 00 00 00 00 |................|
00000620 48 83 ec 08 48 8b 05 fd 12 00 00 48 85 c0 74 05 |H...H......H..t.|
00000630 e8 cb 79 fb f7 48 83 c4 08 c3 00 00 48 83 ec 08 |..y..H......H...|
00000640 48 83 c4 08 c3 00 00 00 00 00 00 00 00 00 00 00 |H...............|
00000650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000660 ff 35 82 12 00 00 ff 25 84 12 00 00 00 00 00 00 |.5.....%........|
00000670 ff 25 82 12 00 00 68 00 00 00 00 e9 e0 ff ff ff |.%....h.........|
00000680 ff 25 7a 12 00 00 68 08 00 00 00 e9 d0 ff ff ff |.%z...h.........|
00000690 ff 25 72 12 00 00 68 10 00 00 00 e9 c0 ff ff ff |.%r...h.........|
000006a0 ff 25 6a 12 00 00 68 18 00 00 00 e9 b0 ff ff ff |.%j...h.........|
000006b0 ff 25 62 12 00 00 68 20 00 00 00 e9 a0 ff ff ff |.%b...h ........|
000006c0 ff 25 5a 12 00 00 68 28 00 00 00 e9 90 ff ff ff |.%Z...h(........|
000006d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000006e0 00 00 00 00 52 75 6e 6e 69 6e 67 20 27 6e 65 74 |....Running 'net|
000006f0 20 6a 6f 69 6e 27 20 77 69 74 68 20 74 68 65 20 | join' with the |
00000700 66 6f 6c 6c 6f 77 69 6e 67 20 70 61 72 61 6d 65 |following parame|
00000710 74 65 72 73 3a 20 0a 00 6d 79 64 6f 6d 61 69 6e |ters: ..mydomain|
00000720 00 64 6f 6d 61 69 6e 6a 6f 69 6e 75 73 65 72 00 |.domainjoinuser.|
00000730 6d 79 70 61 73 73 77 6f 72 64 00 2f 6f 70 74 2f |mypassword./opt/|
00000740 71 75 65 73 74 2f 62 69 6e 2f 76 61 73 74 6f 6f |quest/bin/vastoo|
00000750 6c 00 4f 55 3d 74 65 73 74 2c 44 43 3d 6d 74 64 |l.OU=test,DC=mtd|
00000760 6f 6d 61 69 6e 2c 44 43 3d 6c 6f 63 61 6c 00 2f |omain,DC=local./|
00000770 6f 70 74 2f 71 75 65 73 74 2f 69 6e 2f 76 61 73 |opt/quest/in/vas|
00000780 74 6f 6f 6c 20 2d 75 20 25 73 20 2d 77 20 27 25 |tool -u %s -w '%|
00000790 73 27 20 75 6e 6a 6f 69 6e 20 2d 66 00 44 6f 6d |s' unjoin -f.Dom|
000007a0 61 69 6e 3a 20 25 73 0a 00 55 73 65 72 3a 20 25 |ain: %s..User: %|
000007b0 73 0a 00 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d |s..-------------|
000007c0 2d 2d 2d 2d 0a 00 55 6e 6a 6f 69 6e 2e 2e 2e 2e |----..Unjoin....|
000007d0 2e 2e 2e 2e 2e 2e 2e 2e 2e 0a 00 4a 6f 69 6e 2e |...........Join.|
000007e0 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 2e 0a |................|
000007f0 00 2f 6f 70 74 2f 71 75 65 73 74 2f 62 69 6e 2f |./opt/quest/bin/|
00000800 76 61 73 74 6f 6f 6c 00 76 61 73 74 6f 6f 6c 00 |vastool.vastool.|
00000810 2d 75 00 2d 77 00 6a 6f 69 6e 00 2d 63 00 6f 75 |-u.-w.join.-c.ou|
00000820 00 2d 66 00 01 00 00 00 00 00 00 00 44 00 00 00 |.-f.........D...|
00000830 00 00 00 00 04 00 00 00 00 00 00 00 4c 82 04 08 |............L...|
...
Is there anything i can do to avoid this when compiling my C code?
The only thing you can do is to not hard-code the password or any sensitive information into your C program: even if you encrypt this sensitive information in one way or the other, either the decryption key would need to be provided at runtime by a user running your program, or the info could be decrypted by a sufficiently motivated person. You might as well prompt the user for the password.
Note that any other form of hiding would be a mere obfuscation - a small obstacle on the way of a user who is trying to access your secret information. It may deter a few "script kiddies", but it would fall to the first knowledgeable user.
As dasblinkenlight pointed out, whatever you do will not deter somebody from getting your password. For instance, he could run strace on your program to figure out which arguments are being passed to vastool, or he could use a debugger. If you write programs with the intent of being secure, always keep Kerkhoff's principle in mind:
A (crypto-) system should be secure even if everything about the system [...] is public knowledge.
However, if you like some extra smokescreen security obfuscation, you might want to have a look at the memfrob(3) function:
void *memfrob(void *s, size_t n);
The memfrob() function
encrypts the first n bytes of the memory area s by exclusive-ORing
each character with the number 42. The effect can be reversed by using
memfrob() on the encrypted memory area.
Note that this function is not a proper encryption routine as the XOR
constant is fixed, and is only suitable for hiding strings.
one way is to use a function (rot13(), reverse(), chartobinary() f.e.) and call your function with the encoded string.
I had mounted a fusecompress of directory compressed/ at fusecompress/
I copied a large file (several GB) to the fusecompress directory (ok, I mv'd it).
The compressed file in the directory compressed/ is length 1,221,396,660.
However, I cannot remove/uncompress the file. fusecompress has a memory error: "Cannot allocate memory".
Is there anyway to utilize the lzo library to write a decompress routine for the compressed file?
I tried the following, but got a segmentation fault:
char buffer[OUT_LEN];
char outbuffer[IN_LEN];
int read;
lzo_uint writ;
unsigned long totalWrit = 0;
while( (read = fread( buffer, sizeof(char), OUT_LEN, stdin )) > 0 )
{
r = lzo1x_decompress( buffer, read, outbuffer, &writ, NULL );
fwrite( outbuffer, sizeof(char), writ, stdout );
totalWrit += writ;
}
fprintf( stderr, "\nDone. %d bytes written out.\n\n", totalWrit );
Update:
In response to bill, the first 160 bytes of the file are:
00000000 01 1f 01 5d ff 89 04 00 a2 20 85 04 30 6e ba 48 |...]..... ..0n.H|
00000010 00 00 01 02 00 00 00 00 00 00 11 3c 3c 3c 20 53 |...........<<< S|
00000020 75 6e 20 56 69 72 74 75 61 6c 42 6f 78 20 44 69 |un VirtualBox Di|
00000030 73 6b 20 49 6d 61 67 65 20 3e 3e 3e 0a 00 3b 00 |sk Image >>>..;.|
00000040 00 08 7f 10 da be 01 00 01 00 90 01 00 54 00 3b |.............T.;|
00000050 a8 00 20 c9 70 00 02 02 00 00 00 a2 2d b8 03 6c |.. .p.......-..l|
00000060 02 a9 02 80 a9 01 10 b4 01 00 15 28 00 00 52 08 |...........(..R.|
00000070 00 00 a4 15 30 3e 76 22 73 4c 96 3d bf 8f ca 66 |....0>v"sL.=...f|
00000080 a8 93 2b a6 83 65 44 4d 37 41 a4 02 ca bb 56 4e |..+..eDM7A....VN|
00000090 a9 e9 b0 05 39 14 00 05 04 00 00 ff 00 00 00 3f |....9..........?|
You must look how the file was compressed. Witch Header and additional data are stored in the file.
We see these packets being injected in an FTP-DTP channel during a downlink file transfer on Telstra's NEXTG mobile network. We are not sure if these are network level packets, a problem with our 3G modem (HC25 based) or something like our firewall injecting in the stream.
Using a tool we noticed that the PPP framing fails with protocol length errors, so they are mostly likely mobile network packets.
I am hoping someone here can identify the signature of the packets so that I can chase this up with the appropriate vendor.
There is definitely a format to these packets: -
Packet1:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00
Packet2:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 ff 6b 50 00 00 40 06 b8 22 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7b 82 01 f7 0c eb 50 10 ff ff a3 79 00 00
Packet3:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 02 20 5b 50 00 00 40 06 c7 01 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 61 7c 59 01 f7 0c eb 50 10 ff ff e2 5d 00 00
Packet4:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 01 38 d8 52 00 00 40 06 4a e7 cb 7a 9d e9 7b d0 71 52 7a ed 04 06 8c 62 42 f9 01 f7 0c eb 50 10 ff ff 20 91 00 00
Packet5:
00 00 00 24 c4 b8 7b 1a 00 90 7f 43 0f a1 08 00 45 00 00 d0 4d 58 00 00 40 06 d6 49 cb 7a 9d e9 7b d0 71 52 7a ee 04 08 4b fb 0b 8f 03 5d 51 1a 50 10 ff ff e9 88 00 00
I converted your packet trace snippet into a format understood by text2pcap so I could convert them into the pcap format for viewing in Wireshark (a very handy packet capture and analysis tool):
Looks like some sort of IPv4 multicast traffic at a very rough guess. Here's what I got from the first packet (rest came up as malformed):
No. Time Source Destination Protocol Info
1 0.000000 7b:1a:00:90:7f:43 00:00:00_24:c4:b8 0x0fa1 Ethernet II
Frame 1 (31 bytes on wire, 31 bytes captured)
Arrival Time: Dec 1, 2009 00:33:05.000000000
[Time delta from previous captured frame: 0.000000000 seconds]
[Time delta from previous displayed frame: 0.000000000 seconds]
[Time since reference or first frame: 0.000000000 seconds]
Frame Number: 1
Frame Length: 31 bytes
Capture Length: 31 bytes
[Frame is marked: False]
[Protocols in frame: eth:data]
Ethernet II, Src: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43), Dst: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
Destination: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
Address: 00:00:00_24:c4:b8 (00:00:00:24:c4:b8)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
Address: 7b:1a:00:90:7f:43 (7b:1a:00:90:7f:43)
.... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
.... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
Type: Unknown (0x0fa1)
Data (17 bytes)
0000 08 00 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a ..E....N..#./..z
0010 9d .
Data: 080045000110F44E000040062F13CB7A9D
These look like ordinary TCP packets but with two extra 00 bytes tagged on at the front. Not sure why that would happen, but they appear to be from 00-90-7f-43-0f-a1 (Watchguard) to 00-24-c4-b8-7b-1a (Cisco).
IP header is 45 00 01 10 f4 4e 00 00 40 06 2f 13 cb 7a 9d e9 7b d0 71 52
TCP header is 7a ed 04 06 8c 61 5d a9 01 f7 0c eb 50 10 ff ff 58 b9 00 00
So you can get the rest of the details from there.
00:24:c4 is a NIC from Cisco and 00:90:7F is a NIC from WatchGuard.
From the IEEE OUI Registry.
How much help that might be ... don't know. Might therefore be an attempted VPN connection.
As already decoded by others:
first 6+6+2 bytes identifying NIC and Ethernet II.
bytes 0x0800 EtherType telling that it is IP. http://en.wikipedia.org/wiki/EtherType
next octet starting with nibble "4" is IPv4
etc.