Installing hping3 On OSXMost people know that OSX is just BSD with a pretty interface. Technically... I say that because you can't just take normal BSD packages and expect them to work on OSX. There's a little bit of porting that needs to be done (less so now that Macs are Intel based).
So what does this have to do with anything? I own a Macbook Pro and decided that there is no reason this couldn't be my all-purpose security host, since it can, in fact, run all (most) standard *nix programs. I got some of the usual utilities using FinkCommander, which is just a GUI for Fink, a package management system for *nix programs.
Fink, however, didn't have hping3. A search told me that hping3 could be gotten through DarwinPorts. Awesome, right? A version of the ports system for OSX (BSD users will remember ports). Here is where the fun starts.
Grab the DMG of DarwinPorts, mount it, and install the package. The instructions tell you that all you have to do is run:
sudo port -d selfupdateand DarwinPorts will automatically update itself and you'll be good to go. WRONG! You'd think that you could find something for DarwinPorts in your Applications folder. WRONG! Ok, maybe it's in the normal *nix locations like /bin, /usr/bin, or /usr/local/bin. WRONG! So what gives?
Today's lesson will be in examining an OSX package (.pkg file). Just like applications, packages are also directories. My goal was to find where this package installed DarwinPorts to. So my first step was to go check out what's inside the package.
<slonkak@apple0-2> [~] cd /Volumes/MacPorts-1.7.0/ <slonkak@apple0-2> [MacPorts-1.7.0] cd MacPorts-1.7.0.pkg/ <slonkak@apple0-2> [MacPorts-1.7.0.pkg] ls Contents <slonkak@apple0-2> [MacPorts-1.7.0.pkg] cd Contents/ <slonkak@apple0-2> [Contents] ls -la total 808 drwxr-xr-x 7 slonkak staff 238 Dec 13 21:42 . drwxr-xr-x 3 slonkak staff 102 Dec 13 21:42 .. -rw-r--r-- 1 slonkak staff 52252 Dec 13 21:42 Archive.bom -rw-r--r-- 1 slonkak staff 348998 Dec 13 21:42 Archive.pax.gz -rw-r--r-- 1 slonkak staff 1227 Dec 13 21:42 Info.plist -rw-r--r--@ 1 slonkak staff 9 Dec 13 21:42 PkgInfo drwxr-xr-x 8 slonkak staff 272 Dec 13 21:42 ResourcesIf you didn't know, when you double click a DMG file a disk image gets mounted to /Volumes (exactly like what happens when you insert a USB drive, except DMGs are read-only). So after getting inside the Contents folder of the package I'm struck by the size of one file in particular. Archive.pax.gz is 348K, much larger than any other file. I'm going to guess that is where the program is contained.
Now we need extract the contents of that file. Since the current volume is read-only, let's copy it to the Desktop and see what's inside.
<slonkak@apple0-2> [Contents] cp Archive.pax.gz ~/Desktop/ <slonkak@apple0-2> [Contents] cd ~/Desktop/ <slonkak@apple0-2> [~/Desktop] gunzip Archive.pax.gz <slonkak@apple0-2> [~/Desktop] file Archive.pax Archive.pax: ASCII cpio archive (pre-SVR4 or odc) <slonkak@apple0-2> [~/Desktop] cpio -im < Archive.paxWhat did I just do? After copying the file to my desktop I used `gunzip` to decompress Archive.pax. But what kind of file is a PAX file? I asked. Using the `file` command I learned that it was a CPIO file (a close relative of TAR). I then used the `cpio` utility to restore files from the archive (-i) and keep the modification times on those files (-m).
Low and behold, we have an "opt" directory. Let's see what's inside.
<slonkak@apple0-2> [~/Desktop] cd opt/ <slonkak@apple0-2> [opt] ls local <slonkak@apple0-2> [opt] cd local/ <slonkak@apple0-2> [local] ls bin etc include lib libexec man sbin share var <slonkak@apple0-2> [local] cd bin/ <slonkak@apple0-2> [bin] ls daemondo port portf portindex portmirrorThere it is, the `port` program. According to how it was unpacked, I should be able to find this utility on my local system under /opt/local/bin. Let's see.
<slonkak@apple0-2> [bin] cd /opt/local/bin/ <slonkak@apple0-2> [bin] ls daemondo port portf portindex portmirrorVoila! We've found it! But we still have a tiny problem; we can't execute this program in a terminal like they say in the DarwinPorts instructions because /opt/local/bin isn't in our shell's path. I'm using tcsh, so all I had to do was edit my .cshrc and re-read it.
<slonkak@apple0-2> [bin] vi ~/.cshrc alias q 'exit' set prompt="<%n@%m> [%c] " set path= ($path /sw/bin /opt/local/bin) <slonkak@apple0-2> [bin] source ~/.cshrc <slonkak@apple0-2> [bin] which port /opt/local/bin/portAs you can see, I already had to add /sw/bin to my path to enable programs installed with Fink to work and now /opt/local/bin is there. I then re-read my configuration with the `source` command and look at that, `port` is found.
So let's continue with the DarwinPorts instructions and update it.
<slonkak@apple0-2> [bin] sudo port -d selfupdate DEBUG: Synchronizing ports tree(s) Synchronizing local ports tree from rsync://rsync.macports.org/release/ports/ DEBUG: /usr/bin/rsync -rtzv --delete-after rsync://rsync.macports.org/release/ports/ /opt/local/var/macports/sources/rsync.macports.org/release/ports receiving file list ... done sent 36 bytes received 373499 bytes 106724.29 bytes/sec total size is 23260158 speedup is 62.27 DEBUG: MacPorts sources location: /opt/local/var/macports/sources/rsync.macports.org/release/base DEBUG: Updating MacPorts sources using rsync receiving file list ... done sent 36 bytes received 6894 bytes 4620.00 bytes/sec total size is 4045815 speedup is 583.81 MacPorts base version 1.700 installed DEBUG: Rebuilding and reinstalling MacPorts if needed Downloaded MacPorts base version 1.700 The MacPorts installation is not outdated so it was not updated DEBUG: Setting MacPorts sources ownership to rootOk, so it seemed that we already had the latest version as noted by the first to last line. Now let's get to what we really wanted to do, install hping3.
<slonkak@apple0-2> [bin] sudo port install hping3 ---> Fetching tcl ---> Attempting to fetch tcl8.5.6-src.tar.gz from http://downloads.sourceforge.net/tcl ---> Verifying checksum(s) for tcl ---> Extracting tcl ---> Configuring tcl ---> Building tcl ---> Staging tcl into destroot ---> Installing tcl @8.5.6_0 ---> Activating tcl @8.5.6_0 ---> Cleaning tcl ---> Fetching hping3 ---> Attempting to fetch hping3-20051105.tar.gz from http://distfiles.macports.org/hping3 ---> Verifying checksum(s) for hping3 ---> Extracting hping3 ---> Applying patches to hping3 ---> Configuring hping3 ---> Building hping3 ---> Staging hping3 into destroot ---> Installing hping3 @20051105_1 ---> Activating hping3 @20051105_1 ---> Cleaning hping3 <slonkak@apple0-2> [bin] rehash <slonkak@apple0-2> [bin] which hping3 hping3: Command not found.Sigh. hping3 was successfully installed, but after rehashing it can't be found. It appears that it's in yet ANOTHER location that is not in my path. `port` was located in /opt/local/bin, so let's start there.
<slonkak@apple0-2> [bin] cd /opt/local/bin/ <slonkak@apple0-2> [bin] ls daemondo portf portmirror tclsh8.5 port portindex tclsh <slonkak@apple0-2> [bin] cd .. <slonkak@apple0-2> [local] ls bin etc include lib libexec man sbin share var <slonkak@apple0-2> [local] cd sbin/ <slonkak@apple0-2> [sbin] ls hping3THERE IT IS! It's not in /opt/local/bin, it's in /opt/local/sbin. Fine; one more edit to my path.
<slonkak@apple0-2> [sbin] vi ~/.cshrc alias q 'exit' set prompt="<%n@%m> [%c] " set path= ($path /sw/bin /opt/local/bin /opt/local/sbin) <slonkak@apple0-2> [sbin] source ~/.cshrc <slonkak@apple0-2> [sbin] which hping3 /opt/local/sbin/hping3Success!
Wow, that took forever. At least we learned a lot in the process: PKG files are actually directories, where DMG files are mounted, using the cpio program, editing your shell's path, etc. At the end of the day, your Mac is one step closer to being your go-to security host.