How to test Linux commands on your server without actually running them. This tool can save you from a lot of problems

Developers and cybersecurity experts regularly run into complex Linux programs and commands whose effects are hard to predict without reading the documentation or simply running the tool, and running an unfamiliar command on a system you care about is exactly what you want to avoid.

This time, cybersecurity experts from the International Institute of Cyber Security (IICS) show a way to see, directly from the command line, which changes a command would make to the file system before letting it make them, using the tool known as maybe.

maybe is easy to use: it runs a command in a controlled way and reports in detail which operations that command attempts on the file system, without letting those operations take effect. Based on the report, the user can decide whether to run the command for real or not.

OPERATION

In the project's README, the tool's developers explain that maybe "runs processes under the control of ptrace (with the help of the excellent python-ptrace library)". When it intercepts a system call that is about to modify the file system, maybe logs the call and then modifies the traced process's CPU registers to redirect the call to an invalid syscall ID, so the kernel executes nothing.

At the syscall's return, maybe overwrites the result of that no-op (which would be an error, since the syscall number does not exist) with the value indicating success of the original call. "As a result, the process believes that everything it is trying to do is actually happening, when in reality nothing is," the developers note.
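The two register rewrites described above, as an added example that is not maybe's own code: a small tracer written in C against raw ptrace(2) for Linux x86_64. The traced child calls unlink() on a scratch file the program creates itself; at the syscall-entry stop the tracer replaces the syscall number (orig_rax) with -1, and at the syscall-exit stop it replaces the -ENOSYS result (rax) with 0, so the child sees success while the file survives. The list of faked syscalls in is_fs_write_syscall is this example's own, deliberately short, and illustrates the limitation discussed below: anything not on the list runs unchanged. The scratch-file path and the function names are this example's, not the project's.

```c
// Added example (not maybe's code): maybe's register-rewriting trick
// re-implemented with raw ptrace(2) in C for Linux x86_64.
// Build: cc -Wall fake_unlink.c -o fake_unlink && ./fake_unlink
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

// The (intentionally short) set of file-system-modifying syscalls this demo fakes.
// Anything not listed here, e.g. socket I/O, executes for real.
int is_fs_write_syscall(long nr) {
    switch (nr) {
#ifdef SYS_unlink   // legacy non-*at variants exist on x86_64 but not on every arch
    case SYS_unlink: case SYS_rmdir: case SYS_mkdir: case SYS_rename:
#endif
    case SYS_unlinkat: case SYS_mkdirat: case SYS_renameat: case SYS_renameat2:
        return 1;
    default:
        return 0;
    }
}

// Tracee: ask to be traced, stop so the tracer can set options, then try the
// "dangerous" operation. Exit status 0 means unlink() reported success.
static void child_body(const char *path) {
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
    raise(SIGSTOP);
    _exit(unlink(path) == 0 ? 0 : 1);
}

// Tracer: returns how many syscalls were faked, or -1 if ptrace is unusable here
// (seccomp-restricted containers often forbid it; register names are x86_64-only).
static long trace_child(pid_t pid, int *exit_status) {
#if !defined(__x86_64__)
    (void)pid; *exit_status = 0; return -1;
#else
    int status = 0, in_syscall = 0, faking = 0;
    long faked = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) { *exit_status = status; return -1; }
    // Mark syscall-stops with SIGTRAP|0x80 so they are distinguishable from real signals.
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD) < 0) return -1;
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) { *exit_status = status; return faked; }
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        if (!in_syscall) {                       // syscall-entry stop
            in_syscall = 1;
            if (is_fs_write_syscall((long)regs.orig_rax)) {
                // Step 1: invalid syscall number -> kernel does nothing, returns -ENOSYS.
                regs.orig_rax = (unsigned long long)-1;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                faking = 1;
            }
        } else {                                 // syscall-exit stop
            in_syscall = 0;
            if (faking) {
                // Step 2: replace -ENOSYS with the original call's success value.
                regs.rax = 0;
                ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                faking = 0;
                faked++;
            }
        }
    }
#endif
}

// Worked run on a constructed scratch file. Returns 1 if the child believed
// unlink() succeeded while the file survived, 0 if the file was really deleted
// (the trick failed), -1 if ptrace could not be used on this machine.
int demo_fake_unlink(void) {
    char path[] = "/tmp/maybe_demo_XXXXXX";     // constructed input, created here
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) child_body(path);
    int status = 0;
    long faked = trace_child(pid, &status);
    if (faked < 0) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    int survived = access(path, F_OK) == 0;
    unlink(path);                                 // real cleanup by the untraced parent
    if (faked < 0) return -1;
    int child_saw_success = WIFEXITED(status) && WEXITSTATUS(status) == 0;
    return (faked == 1 && child_saw_success && survived) ? 1 : 0;
}

int main(void) {
    int r = demo_fake_unlink();
    puts(r == 1 ? "unlink() faked: child saw success, file survived"
       : r == 0 ? "trick failed: file was really deleted"
                : "ptrace unavailable here");
    return r == 1 ? 0 : 1;
}
```

The entry/exit bookkeeping is the fragile part: the tracer must rewrite orig_rax before the kernel dispatches the call and rax only after it returns, which is why the loop toggles in_syscall on every syscall-stop rather than inspecting the registers alone.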

Cybersecurity experts point out that maybe must be used with care, because it is a proof of concept and not a sandbox. The developers are explicit that the tool does not block every system call: it only fakes the file-system operations it knows about, so anything outside that list (network traffic, for example) executes for real, and a program that depends on the writes it believes succeeded may behave differently or crash when run under maybe. Running an untrusted program under maybe on a production system is therefore still a risk.

INSTALLATION

Before installing maybe, check whether pip, the Python package manager, is installed. If it is not, the following commands install it on several Linux distributions. Note that the package names below are the ones used at the time of writing; on current Debian, Ubuntu, Fedora and RHEL-based releases the package is called python3-pip. On Arch Linux and distributions based on it, such as Antergos and Manjaro Linux, install pip as follows:

sudo pacman -S python-pip

On RHEL and CentOS, pip comes from the EPEL repository, so enable it first:

sudo yum install epel-release
sudo yum install python-pip 

On Fedora the package is in the standard repositories (EPEL is for RHEL-based systems only, so no extra repository is needed):

sudo dnf install python-pip

Here is the corresponding command for Debian, Ubuntu and Linux Mint:

sudo apt-get install python-pip

In SUSE and OpenSUSE, use the following command:

sudo zypper install python-pip

After pip is in place, install maybe itself. Installing system-wide as root works but puts pip-managed files under the system's Python installation; a per-user install (pip install --user maybe) or a virtual environment keeps the tool isolated from distribution packages:

sudo pip install maybe

USING MAYBE

The utility is straightforward to use: prefix the command you want to inspect with maybe, as in the following example:

$ maybe rm -r ostechnix/

Here we are about to delete the directory ostechnix/. Running the command under maybe shows exactly what it would do:

maybe has prevented rm -r ostechnix/ from performing 5 file system operations:
 delete /home/sk/inboxer-0.4.0-x86_64.AppImage
 delete /home/sk/Docker.pdf
 delete /home/sk/Idhayathai Oru Nodi.mp3
 delete /home/sk/dThmLbB334_1398236878432.jpg
 delete /home/sk/ostechnix
Do you want to rerun rm -r ostechnix/ and permit these operations? [y/N] y

The command would perform five file-system operations. maybe lists them and then asks whether to rerun the command with those operations permitted; answering y runs the command normally, so the deletions then happen for real.

A second example: suppose you want to run Inboxer, a desktop client for Gmail, distributed as an AppImage. Here is what maybe reveals about it:

$ maybe ./inboxer-0.4.0-x86_64.AppImage 
fuse: bad mount point `/tmp/.mount_inboxemDzuGV': No such file or directory
squashfuse 0.1.100 (c) 2012 Dave Vasilevsky
Usage: /home/sk/Downloads/inboxer-0.4.0-x86_64.AppImage [options] ARCHIVE MOUNTPOINT
FUSE options:
 -d -o debug enable debug output (implies -f)
 -f foreground operation
 -s disable multi-threaded operation
open dir error: No such file or directory
maybe has prevented ./inboxer-0.4.0-x86_64.AppImage from performing 1 file system operations:
create directory /tmp/.mount_inboxemDzuGV
Do you want to rerun ./inboxer-0.4.0-x86_64.AppImage and permit these operations? [y/N]

Note what happened here: the AppImage tried to create its FUSE mount point under /tmp, maybe turned that mkdir into a faked success, and the mount that followed failed because the directory does not really exist. This is the behaviour change to expect from any program that relies on its own writes having taken effect. The next example shows a command that never gets as far as touching the file system:

$ maybe sudo pacman -Syu
sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

This is the system update command for Arch Linux. maybe reported no file-system operations, but not because pacman was inspected: the kernel does not honour the setuid bit of a binary executed under ptrace unless the tracer is itself privileged, so sudo starts without root and aborts with the error shown. In practice, commands that need sudo or another setuid helper cannot be inspected this way as an ordinary user; running maybe itself as root would let sudo work, but then everything maybe fails to intercept runs with root privileges.

CONCLUSION

As you can see, this is a simple tool that can provide useful information before running an unfamiliar command or script, for example during pentesting or vulnerability analysis, as long as its limitations are kept in mind. To learn more about cyber security risks, malware, vulnerabilities and information technologies, feel free to visit the International Institute of Cyber Security (IICS) website.