THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.
THREE PEAT
GigaOm Names Cobalt an “Outperformer” for Third Consecutive Year in Annual Radar Report for PTaaS.

Bug Bounties on Bash on Ubuntu on Windows

A few months ago Microsoft took the world by surprise by announcing that Windows would provide developers or hackers with a familiar Bash…

A few months ago Microsoft took the world by surprise by announcing that Windows would provide developers or hackers with a familiar Bash environment. Officially it is called the Windows Subsystem for Linux (WSL).

This feature will be fully incorporated in the Windows 10 Anniversary Update to be released on August 2nd, 2016.

I have talked with some bug-hunter friends of mine and explained that I would be using that for penetration tests and was met with some very confused looks. Why would anyone use this? Why not simply run Kali in a virtual machine, or dual-boot? The answer is simply “because we can”.

When I go to the local coffee-shop and want to do some work, I need my usual desktop environment — which is Windows 10 — and some familiar hacking tools. Yes, they call it here in Singapore a coffee-shop, nothing to do with Amsterdam, but think about it as a Starbucks without air-conditioning and without the trendy crowd browsing their Facebooks on the latest Apple hardware) .

I definitely do not want to bring two laptops, nor do I want to dual boot, or go through the pains of running a virtual machine on a very low-powered machine. Low-powered? Yes, because of the portability. I want it simple and stupid.

So, let’s delve a bit deeper in the possibilities of WSL.

What is this Subsystem for Linux?

First of all, this is not a virtual machine and does not come with the overhead thereof. WSL enables to run native Linux ELF64 binaries on Windows. Linux system calls are “translated” and directed to the Windows kernel. There is a lot more going on, but this should suffice to blow away your hacker friends with your expert knowledge of Windows and get started with some experiments

How do I install WSL?

Until the release of the Windows 10 Anniversary Update, you need to enable Insider Preview Builds. This is done as follows:

  1. Type the following in the search box in the Windows taskbar: “Windows Update Settings”.

  2. Select “Windows Insider Program” and choose to receive* Insider Preview Builds*.

  3. Select “Slow” as insider level or “Fast” if you want to live on the bleeding edge.

It might take a few hours or even days to be upgraded to this Insider Preview Build. Once that is done, execute the following:

  1. Type in the search-field in the taskbar: “windows features”

  2. Select “turn Windows Features on or off”

  3. Select Windows Subsystem for Linux (Beta)

  4. Reboot when requested

How do I use it?

You start it by simply typing “bash” in a Windows shell (the classic “cmd” shell or the Windows Powershell). The first time you do this, the system will ask whether or not you want to be a root user by default. Make a choice, and go ahead.

That is it! You are now in a Ubuntu Linux environment. All regular commands work! Let’s start with updating our system to the latest available:

apt-get update
apt-get upgrade
apt-get autoremove

What are the limitations and possibilities?

The sky’s the limit! Don’t worry. You might want to look at the Microsoft BashOnWidows Github repository for current bugs or problems. Just remember to update WSL often, bugs are fixed in a rapid pace and new possibilities present them every few weeks.

Currently, you have to live with the following limitations:

  • You cannot call Windows programs from WSL.

  • You can access Windows files from WSL (they are mounted on /mnt/c), but accessing files residing in WSL folders from Windows is not recommended (although possible).

  • Background services can be started, but if you close the calling shell, they will exit.

  • Not all network protocols are (currently) fully implemented, TCP/UDP will work, but using “raw” sockets might not.

  • Each Windows user has a unique WSL instance. If you create new Linux users (with adduser) these users are not available to other Windows users.

Let’s build Kali on Windows

Ok, that will be too much at first, but who knows, this seems like a definite possibility in the future. For now, let’s start with some basic tools and see what is possible.

As hackers, we need some development tools and some often used libraries and tools pre-installed. In Bash, type the following:

apt-get install autoconf build-essential curl git-core libffi-dev libpcap-dev libreadline6-dev libssl-dev libyaml-dev python-setuptools python-dev python-pip libsqlite3-dev libxml2-dev libxslt1-dev libcurl4-openssl-dev lua5.2lua5.2-dev libtoolopenjdk-7-jre python-software-properties sqlite3 subversion wget xtightvncviewer zlib1g-dev

You might prefer the latest Ruby version. Install as follows:

cd
git clone [https://github.com/rbenv/rbenv.git~/.rbenv](https://github.com/rbenv/rbenv.git~/.rbenv)
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone [https://github.com/rbenv/ruby-build.git~/.rbenv/plugins/ruby-build](https://github.com/rbenv/ruby-build.git~/.rbenv/plugins/ruby-build)
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL
rbenv install 2.3.1
rbenv global2.3.1
ruby-v
gem install bundler
rbenv rehash
gem update
gem clean
bundle config --global silence_root_warning 1
find ~/.bundle/cache -type d -exec chmod0755 {} +
rbenv rehash

Let’s install our first scanning tool to assess vulnerabilities in WordPress sites (WPScan):

cd
git clone [https://github.com/wpscanteam/wpscan.git](https://github.com/wpscanteam/wpscan.git)
cd wpscan
bundle install

I have tested WPScan and this works as expected. Great!

Now try sqlmap:

cd
git clone [https://github.com/sqlmapproject/sqlmap.git](https://github.com/sqlmapproject/sqlmap.git) sqlmap-dev
cd sqlmap-dev

Again, no problem running sqlmap!

Next on the wishlist was Nmap. Installation is no problem:

svncohttps://svn.nmap.org/nmap cdnmap
./configure
make
make install

Bad news, compilation and installation works, but running Nmap results in the following error message:

Starting Nmap7.12SVN (https://nmap.org) at2016-07-0717:11DST route_dst_netlink: cannot bind AF_NETLINK socket:Invalidargument

This is already escalated on Github so we expect that Nmap might work in the near future.

Of course I tried to install metasploit. Unfortunately, metasploit depends on a Postgress database and I fail to compile postgress. It is however possible to connect to a Postgress database running on Windows, but that was not the point of my experiment.

Running a web server? Just install Apache:

apt-get install apache2
service apache2 start

There will be some error-messages at start-up, but Apache runs without problems and is accessible from Windows. Please note that the service will stop running when you close Bash!

Well, that’s it as introduction. I hope everyone now starts experimenting with and compiling tools on WSL. Let us know about your successes or failures!

Troubleshooting

Hey, this is very advanced stuff, so you are on your own here! Just some pointers:

  • Files in WSL are stored under C:\Users\<YOUR USERNAME>\AppData\Local\lxss. Enable to see hidden files along with operating system files in "Folder Options" first. Remember: it is not recommended to access these files from Windows!

  • To uninstall WSL, start a command shell as admin and type lxrun /uninstall /full

  • To reinstall WSL, start a command shell as admin and type lxrun /install /y

  • To change the default user (everyone wants to be root), start a command shell as admin and type lxrun /setdefaultuser

Explore more ways to attack windows applications with an overview of thick client applications.

Back to Blog
About Herman Stevens
After a long career as an information security professional, Herman is now director of Astyran Pte Ltd (Singapore). At Astyran, Herman leads a team to help assess applications for security through standards compliant vulnerability assessments, helps companies build secure applications by performing secure design and secure code reviews, helps businesses building security into their software development lifecycle (SDLC), trains development teams, and make them aware of common security defects and how to avoid them. More By Herman Stevens