FreeBSD could be used for hacking?

forquare

Well-Known Member

Reaction score: 195
Messages: 341

Heard about SecBSD on BSDNow on the way to work this morning. It's based on OpenBSD and not currently available for public use, but may be of future interest to the OP and others.
 

Phishfry

Beastie's Twin

Reaction score: 3,240
Messages: 6,378

Here are some recent attempts to compromise my webserver using lighttpd on Linode.

Code:
2018-12-07 13:30:24: (request.c.648) request-URI parse error -> 400 for: index.php/admin
2018-12-07 13:30:26: (request.c.648) request-URI parse error -> 400 for:
2018-12-07 13:31:06: (request.c.648) request-URI parse error -> 400 for: odoo_cmr/web/login
2018-12-07 13:31:06: (request.c.648) request-URI parse error -> 400 for: CMR/web/login
2018-12-07 13:31:18: (request.c.648) request-URI parse error -> 400 for:
2018-12-07 13:31:26: (request.c.648) request-URI parse error -> 400 for: zenbership-master/admin/login.php

Code:
2018-11-17 23:19:07: (request.c.648) request-URI parse error -> 400 for: http://www.123cha.com
2018-11-17 23:23:37: (request.c.648) request-URI parse error -> 400 for: www.baidu.com:443
2018-11-17 23:23:38: (request.c.648) request-URI parse error -> 400 for: www.voanews.com:443
2018-11-17 23:23:42: (request.c.648) request-URI parse error -> 400 for: cn.bing.com:443
2018-11-20 12:35:53: (request.c.648) request-URI parse error -> 400 for: www.baidu.com
2018-11-20 12:35:54: (request.c.648) request-URI parse error -> 400 for: http://www.123cha.com
2018-11-20 12:35:56: (request.c.648) request-URI parse error -> 400 for: cn.bing.com:443
2018-11-20 12:35:57: (request.c.648) request-URI parse error -> 400 for: www.voanews.com:443
2018-11-20 12:36:01: (request.c.648) request-URI parse error -> 400 for: www.baidu.com:443
2018-11-26 01:16:32: (request.c.648) request-URI parse error -> 400 for: www.baidu.com
2018-11-26 01:16:36: (request.c.648) request-URI parse error -> 400 for: cn.bing.com:443
2018-11-26 01:16:42: (request.c.648) request-URI parse error -> 400 for: www.baidu.com:443
2018-11-26 01:16:43: (request.c.648) request-URI parse error -> 400 for: www.voanews.com:443
As found in /var/log/lighttp/lighttpd.error.log
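
One way to tally the rejected request targets in excerpts like the two above by kind, added here as an example and not part of the original post. The category names and regex heuristics are assumptions of this example; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Layout of the entries shown in the post (lighttpd error log, request.c).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): \(request\.c\.\d+\) "
    r"request-URI parse error -> 400 for:\s*(?P<target>.*)$"
)
# Heuristics below are assumptions of this example, not lighttpd behaviour.
PANEL_RE = re.compile(r"(?:^|/)(?:admin|login)(?:\.php)?(?:/|$)", re.I)
HOST_RE = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?/?$", re.I)

def classify(target):
    target = target.strip()
    if not target:
        return "empty-target"
    if PANEL_RE.search(target):
        return "panel-path"    # guess at an admin or login page of some web app
    if HOST_RE.match(target):
        return "foreign-host"  # target names another site, as an open-proxy check would
    return "other"

def summarize(lines):
    counts, per_day = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a request-URI parse error entry
        kind = classify(m.group("target"))
        counts[kind] += 1
        per_day[(m.group("ts")[:10], kind)] += 1
    return counts, per_day

# Sample entries copied from the post above.
SAMPLE = """\
2018-12-07 13:30:24: (request.c.648) request-URI parse error -> 400 for: index.php/admin
2018-12-07 13:30:26: (request.c.648) request-URI parse error -> 400 for:
2018-12-07 13:31:06: (request.c.648) request-URI parse error -> 400 for: odoo_cmr/web/login
2018-12-07 13:31:06: (request.c.648) request-URI parse error -> 400 for: CMR/web/login
2018-12-07 13:31:18: (request.c.648) request-URI parse error -> 400 for:
2018-12-07 13:31:26: (request.c.648) request-URI parse error -> 400 for: zenbership-master/admin/login.php
2018-11-17 23:19:07: (request.c.648) request-URI parse error -> 400 for: http://www.123cha.com
2018-11-17 23:23:37: (request.c.648) request-URI parse error -> 400 for: www.baidu.com:443
2018-11-17 23:23:38: (request.c.648) request-URI parse error -> 400 for: www.voanews.com:443
2018-11-17 23:23:42: (request.c.648) request-URI parse error -> 400 for: cn.bing.com:443
"""

if __name__ == "__main__":
    totals, by_day = summarize(SAMPLE.splitlines())
    print(dict(totals))
```

The per-day counter makes the repeating batches of foreign-host targets stand out from the one-off panel guesses.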
 

Spartrekus

Daemon

Reaction score: 168
Messages: 1,151

I am not thinking of doing damage to other people. Just a question that came to my mind when I saw that there are Linux distros used for hacking, but find nothing about the BSD.

FreeBSD is the best swiss util for hacking, surely yes.
You have a whole plethora of tools, right at hand with "pkg".

@above user:
You can use Illustrator 7 with Wine, or Photoshop 5 or 6, for your website, under FreeBSD. It works fast.
EPS is good for your site.
 

mod3777

Member

Reaction score: 20
Messages: 45

There was a time when DefCon was full of Linux guys, now they come with FreeBSD. I have visited DEFCON 26, it was 50/50 BSD/Linux users. I would say more BSD users as Linux was mostly thrown inside a VM of macOS. As they said, ZFS rollback was the primary reason they switched to FreeBSD. I had been pen-testing with a Debian stable machine for a long time, until a few years ago I moved to FreeBSD. Now I hack around breaking various architectures, trying to port FreeBSD, even for my HTC M8 (bricked now, but still working on it). It's something so fun that you won't understand without actually doing it.
 

Spartrekus

Daemon

Reaction score: 168
Messages: 1,151

There was a time when DefCon was full of Linux guys, now they come with FreeBSD. I have visited DEFCON 26, it was 50/50 BSD/Linux users. I would say more BSD users as Linux was mostly thrown inside a VM of macOS. As they said, ZFS rollback was the primary reason they switched to FreeBSD. I had been pen-testing with a Debian stable machine for a long time, until a few years ago I moved to FreeBSD. Now I hack around breaking various architectures, trying to port FreeBSD, even for my HTC M8 (bricked now, but still working on it). It's something so fun that you won't understand without actually doing it.

The cool thing with NetBSD and OpenBSD is that they are much, much more secure than Linux.
 

mod3777

Member

Reaction score: 20
Messages: 45

The cool thing with NetBSD and OpenBSD is that they are much, much more secure than Linux.

In a private conversation with Theo, I remember him advising me, "knowing the flows of your system matters more than automated hardening". Damn! So true.
 

youngunix

Active Member

Reaction score: 40
Messages: 228

Out of curiosity, why is NetBSD so difficult when it comes to finding answers to issues and surprisingly dealing with ports and packages! I'd love for it to become just like FreeBSD.
 

kpedersen

Son of Beastie

Reaction score: 2,437
Messages: 3,237

Hacking is for bending software to do their bidding. Cracking is for breaking into things where one should not be. All crackers are hackers but not all hackers are crackers.

A bit off topic but I always thought it was the other way round. An example of "cracking" software is removing stupid DRM; surely this more aligns with the idea of bending software to do the user's bidding.

And then hacking is about constantly trying crap until you get through. That is why you can hack on code, hack into mainframes, etc.

I agree that all crackers are hackers though. Because multiple ways of patching the binary often need to be tried before one works without undesirable side effects.

That said, I have never read an actual book on hacking so I could easily have been wrong all these years. As for cracking, this one is fantastic! (Possibly a bit dated now but the concepts still work)
 

drhowarddrfine

Son of Beastie

Reaction score: 2,731
Messages: 4,645

kpedersen No. If you have to crack something open, you're getting into things you shouldn't and breaking things in the process.

Hacking is building fine furniture with an axe. Thus the phrase, "Hack away at something until it works."
 

Sevendogsbsd

Daemon

Reaction score: 703
Messages: 1,147

I have to weigh in, lol. I am a web application penetration tester (white hat). I break into web applications and test vulnerabilities because that's what my employer pays me to do. I use Kali Linux at work, only because I am not allowed to use FreeBSD and I use FreeBSD at home to do the same thing in my test lab. FreeBSD works perfectly well for this. I need a minimum of tools to do this because frankly, most of what I do is manual.

I believe the OP meant "hacking" in the sense of breaking into apps. I know the term "hacking" meant something different originally and am aware of its history, but the term's meaning has morphed over the years. I still call myself a hacker because I (with authorization), break into web apps. I don't call myself a "cracker" because that has a negative racial connotation, or used to anyway. I am definitely not a hacker in the sense that RMS intended when he (I think?) coined the term.
 

drhowarddrfine

Son of Beastie

Reaction score: 2,731
Messages: 4,645

In the end, it doesn't matter, but it irritates me when I hear the "news" media--the source of this confusion in my opinion--promulgate the misinformation that a hacker is a bad guy and the cause of all our grief when, to me, being a hacker is something one can be proud of.
 

Trihexagonal

Son of Beastie

Reaction score: 2,497
Messages: 3,057

That said, I have never read an actual book on hacking so I could easily have been wrong all these years.

I own a copy of Hacking Exposed: Network Security Secrets and Solutions I bought new in 1999.

That's when I got the first PC of my own and figured the best way to keep from being exploited was to know how they were carried out. It was all news to me at the time and I still consider Win98 the Swiss Cheese of Operating Systems.

A bit dated now but it does have a UNIX section. I've seen this and more recent editions covering other areas in .pdf form so they still publish them. I hate to read .pdf format, have several laptops of my own and don't need access to anyone else's.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 13,980
Messages: 40,708

I have that one too :)

I also have a copy of "Hacker Disassembling Uncovered" from Kris Kaspersky. That was a difficult read but extremely interesting.

 

Sevendogsbsd

Daemon

Reaction score: 703
Messages: 1,147

I have that book (Hacking Exposed) as well - 2005 edition, actually have never read it :rolleyes:
 

Sevendogsbsd

Daemon

Reaction score: 703
Messages: 1,147

I try to read every night before I go to bed: staring at monitors all day I want to help my mind wind down. I have many books in my library I haven't read but this one I didn't buy. If I remember correctly my mother bought me this years ago. I never was much into reading tech books, mainly fantasy, philosophy and humor.
 

mod3777

Member

Reaction score: 20
Messages: 45

I have to weigh in, lol. I am a web application penetration tester (white hat). I break into web applications and test vulnerabilities because that's what my employer pays me to do. I use Kali Linux at work, only because I am not allowed to use FreeBSD and I use FreeBSD at home to do the same thing in my test lab. FreeBSD works perfectly well for this. I need a minimum of tools to do this because frankly, most of what I do is manual.

I believe the OP meant "hacking" in the sense of breaking into apps. I know the term "hacking" meant something different originally and am aware of its history, but the term's meaning has morphed over the years. I still call myself a hacker because I (with authorization), break into web apps. I don't call myself a "cracker" because that has a negative racial connotation, or used to anyway. I am definitely not a hacker in the sense that RMS intended when he (I think?) coined the term.

Sorry, but I would like to call myself cracker over hacker, honestly. Cracking is always more fun to me. However, it doesn't always work long and vendors patch it on next update. I am against white hat hacking, can't personally stand by info sec people helping some nasty corporations. No hard feelings either.
 

ralphbsz

Son of Beastie

Reaction score: 2,693
Messages: 3,554

I am against white hat hacking, can't personally stand by info sec people helping some nasty corporations.
Extrapolating from that attitude, you probably don't like fire fighters or fire safety inspectors either. That implies that you prefer to die by burning. Obviously, I don't mean that remark literally. Instead, I'm just trying to demonstrate the ethical implications of what you just said.
 

mod3777

Member

Reaction score: 20
Messages: 45

I hope my bank hired a few white hats when it designed its website. Same for the national healthcare website. Don't you?

I worked in the infosec industry for a few years. I quit because I can't stand by that personally. However there are some areas where pen-testing is a must. I do not want to defend my statement, in fact sometimes things really go out of hand that I feel so frustrated about something... anyway.. leave it. Don't throw tomatoes on me :)
 

mod3777

Member

Reaction score: 20
Messages: 45

Extrapolating from that attitude, you probably don't like fire fighters or fire safety inspectors either. That implies that you prefer to die by burning. Obviously, I don't mean that remark literally. Instead, I'm just trying to demonstrate the ethical implications of what you just said.
Just leave it
 
Afflospark

Guest


Well, it depends on the person and on what they're doing.

Linux is the most experimental; on the other hand, BSD is specially designed to run on servers.
Linux means you can either do more or cause your computer to explode, depending on how much testing has been done.
Linux has more options than BSD, so you get to see a great many more ideas in actual action.
 

Spartrekus

Daemon

Reaction score: 168
Messages: 1,151

Out of curiosity, why is NetBSD so difficult when it comes to finding answers to issues and surprisingly dealing with ports and packages! I'd love for it to become just like FreeBSD.

Well, if you compile your own free packages, there is no need for many things.
NetBSD is highly performant.

I don't need X11, so maybe that's why I can do all that I need with NetBSD.
 

zux0x3a

New Member

Reaction score: 1
Messages: 10

FreeBSD is the greatest one for hacking purposes, customize it with tools you need to do
 