On many occasions, developers and cybersecurity experts encounter very complex Linux programs and commands, so it is difficult to know what they do and how they work without resorting to an instructor or even running the tool in question, which is undesirable when we want to advance in our projects.
This time, cybersecurity experts from the International Institute of Cyber Security (IICS) will show you a method to find out exactly how a program works directly from the command line using the tool known as Maybe.
According to cybersecurity experts Maybe is a very easy to use tool that allows experts to examine the commands and find out in detail how any utility works with the file system when using them in real practice. Thanks to the reports generated by Maybe, users will be able to decide whether to use the analyzed tool or not to run it.
In their official forum, the tool’s developers claim that Maybe “runs a set of ptrace-controlled processes using the python-ptrace library”. When a program intercepts a call to modify the file system, Maybe writes the call to the registry, then modifies the processor logs to redirect a call to an invalid system ID.
Maybe then sets the value returned by this operation (which is considered null) to indicate the successful completion of the original call: “As a result, the process trusts that everything you are trying to do is happening, although nothing is actually happening in our system,” the developers mention.
Cybersecurity experts point out that we must be very careful when using Maybe, since its use in a vulnerable system can have serious consequences: “The reality is that this utility is not able to block any call to the system, so its use can cause failures on your computer”.
Before installing maybe, check if a package manager is installed on your pip system. If this is not the case, the following are the commands to install pip on multiple Linux distributions. On Arch Linux and other systems based on this distribution, such as Antergos and Manjaro Linux, pipyou can perform the following installation process:
sudo pacman -S python-pip
In other distributions such as RHEL and CentOS, ideally use the following script:
sudo yum install epel-release sudo yum install python-pip
For Fedora, cybersecurity experts recommend using the following sequence:
sudo dnf install epel-release sudo dnf install python-p
Here is the corresponding command for Debian, Ubuntu and Linux Mint:
sudo apt-get install python-pip
In SUSE and OpenSUSE, use the following command:
sudo zypper install python-pip
After you finish this process, complete the Maybe installation:
sudo pip install maybe
This is really a very easy-to-use utility. You should only add the MAYBE concept before the command you want to investigate, as shown in the following example:
$ maybe rm -r ostechnix/
As you can see, we’re about to delete an ostechnix folder to know exactly what happens after you run the previous command, getting the following response:
maybe has prevented rm -r ostechnix/ from performing 5 file system operations: delete /home/sk/inboxer-0.4.0-x86_64.AppImage delete /home/sk/Docker.pdf delete /home/sk/Idhayathai Oru Nodi.mp3 delete /home/sk/dThmLbB334_1398236878432.jpg delete /home/sk/ostechnix Do you want to rerun rm -r ostechnix/ and permit these operations? [y/N] y
This means that the scanned command wants to perform five operations on the file system, then presenting an option to allow or deny these operations.
Below are the cybersecurity experts showing us another example. Suppose you want to install Inboxer, a desktop client for Gmail. Here’s what we managed to find out about the corresponding operation using Maybe:
$ maybe ./inboxer-0.4.0-x86_64.AppImage fuse: bad mount point `/tmp/.mount_inboxemDzuGV': No such file or directory squashfuse 0.1.100 (c) 2012 Dave Vasilevsky Usage: /home/sk/Downloads/inboxer-0.4.0-x86_64.AppImage [options] ARCHIVE MOUNTPOINT FUSE options: -d -o debug enable debug output (implies -f) -f foreground operation -s disable multi-threaded operation open dir error: No such file or directory maybe has prevented ./inboxer-0.4.0-x86_64.AppImage from performing 1 file system operations: create directory /tmp/.mount_inboxemDzuGV Do you want to rerun ./inboxer-0.4.0-x86_64.AppImage and permit these operations? [y/N]
If it is not possible to detect any operations with the file system during the examination of a command, Maybe will display something similar to this:
$ maybe sudo pacman -Syu sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
The update command for Arch Linux is discussed here. Maybe it did not detect any operations on the file system or display information about additional operations.
As you can see, this is a very simple tool and can provide us with valuable information before starting a process of pentesting, vulnerability analysis, among other procedures. To learn more about cyber security risks, malware, vulnerabilities and information technologies, feel free to access the International Cyber Security Institute (IICS) website.
Cyber Security Researcher. Information security specialist, currently working as risk infrastructure specialist & investigator. He is a cyber-security researcher with over 25 years of experience. He has served with the Intelligence Agency as a Senior Intelligence Officer. He has also worked with Google and Citrix in development of cyber security solutions. He has aided the government and many federal agencies in thwarting many cyber crimes. He has been writing for us in his free time since last 5 years.