Bypass restriction based on file extension

People at the office or at school, whenever you try to download something (music, applications, etc.), may encounter an annoying message which really freaks you out. Say you want to download a file.exe but your admin has blocked .exe at the gateway level. What can one do? Think about tunneling stuff? Naaaahh. We are hackers, aren't we? We think smarter, not harder. Anyway, this is a way by which, using your simple web browser, you can cheat the best UTM devices in the world. So, enough talk, let's come to the point. Let me give you one live example and show you how exactly it works.

Say you want to download Winamp. You did a little bit of googling and found this link:

http://mymirrors.homelinux.org/freeware/WinAmp/winamp524_full_emusic-7plus.exe


You are really happy, thinking that you finally got your pie. Nope, my friend. As soon as you click on that link you will be greeted with a busted message saying EXE is blocked, or anything else which really sounds ridiculous.

Then you start thinking like a hack3r. You open your web browser and type the same link, but garnish it a little bit with your own toppings:

http://mymirrors.homelinux.org/freeware/WinAmp/winamp524_full_emusic-7plus.exe?winamp.cda

Wow, no more moronic messages; instead a pop-up will show up asking where you want to save the file. Once it is downloaded, rename the file to winamp.exe. winamp.cda is basically just an example that I'm showing here. You can write anything (.abc, .def, ...), whatever you prefer.

So what happened exactly? Nothing special: you are cheating the UTM device's extension-checking mechanism.
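As an added example (not part of the original post), here is a small Python model of why this works and what a gateway filter should do instead: a naive filter tests whether the raw URL string ends in a blocked extension, while a correct one parses the URL, ignores the query string and fragment, and decodes percent-encoding before looking at the path; checking the downloaded content's magic bytes catches the renamed file regardless of what the URL says. The BLOCKED set is an assumed policy for the example.

```python
from posixpath import splitext
from urllib.parse import urlsplit, unquote

# Assumed gateway policy for this example: extensions the admin blocks.
BLOCKED = {".exe", ".msi", ".scr"}

def naive_blocked(url: str) -> bool:
    """Filter as the page describes it: looks only at how the raw URL string
    ends, so a trailing '?winamp.cda' defeats it."""
    return any(url.lower().endswith(ext) for ext in BLOCKED)

def path_blocked(url: str) -> bool:
    """Correct check: parse the URL so the query string and fragment never
    take part in the decision, then decode %XX escapes before looking at the
    extension of the last path segment."""
    path = unquote(urlsplit(url).path)
    return splitext(path)[1].lower() in BLOCKED

def looks_like_windows_exe(first_bytes: bytes) -> bool:
    """Extension-independent check on the content itself: PE executables
    start with the 'MZ' DOS header, whatever the URL or filename says."""
    return first_bytes[:2] == b"MZ"

if __name__ == "__main__":
    plain = ("http://mymirrors.homelinux.org/freeware/WinAmp/"
             "winamp524_full_emusic-7plus.exe")
    garnished = plain + "?winamp.cda"
    for u in (plain, garnished):
        print(f"{u}\n  naive={naive_blocked(u)}  path={path_blocked(u)}")
```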

The idea behind this is to give you an insight into how these tunneling tools basically work. Frankly speaking, I had to reverse engineer a very popular tunneling tool, Ultrasurf, to get this exploit. But the credit must go to the person who found this exploit and created this awesome tool accordingly.

So friends, as I said before: Think Smarter, Not Harder.

Network Based Attacks

Hi friends, you know that there are lots of attack methods in network security. Here's a collection of links for different kinds of attacks:

SYN packet manipulation
-- SYN packet manipulation
http://www.iss.net/security_center/advice/...ood/default.htm
-- Syn Flood experiment
http://www.niksula.cs.hut.fi/~dforsber/synflood/result.html
-- SYN Cookie
http://cr.yp.to/syncookies.html

Smurf DOS

-- ISS.com: Description
http://www.iss.net/security_center/advice/...urf/default.htm
-- GRC.com: DDOS Anatomy
http://grc.com/dos/grcdos.htm

IRC (Internet Relay Chat) Client attacks

-- ISS.com: Description
http://www.iss.net/security_center/advice/...IRC/default.htm

Service attacks

-- Buffer Overflow attacks
http://www.iss.net/security_center/advice/...low/default.htm
-- Buffer overflow vulnerabilities explained
http://www.hacker.pl/gminick/pliki/notmine/bof-eng.txt

-- Wireless Attacks Threaten Wired Networks
http://www.infosecuritymag.com/2001/oct/digest18.shtml#news1

I hope these links will draw out some important info about the types of attacks used by blackhats and may be able to answer at least 1% of your queries.

Block port 135 without using any firewall

Are you scared of DCOM exploits? Although there are patches available from Microsoft, who wants them? We are hackers, so we can create our own protocols, aren't we? I hope this tutorial will flash your mind a bit. I'm writing this article keeping just XP Professional in mind. I haven't tested it yet on other platforms.

Microsoft RPC port 135, DCOM buffer overrun

Microsoft's RPC implementation runs over TCP port 135. RPC is used by a number of higher-level protocols for their transport layer, such as DCOM.

Vulnerabilities have been found in Microsoft's RPC implementation and the services it gives access to.

Closing TCP port 135

It is highly desirable to close port 135. Port 135 is consistently one of the most attacked ports on the Internet.

It is not possible to simply disable the RPC service as there are many essential parts of Windows that require RPC to be running even though they do not make network connections.

However, Microsoft does not allow RPC to be configured to a different port, and by default it is bound to all network interfaces, making it vulnerable to attack from the Internet.

Below I have described how to disable the services that run on top of RPC, which is desirable in itself, and then how to close port 135 itself.

Step 1

Disable RPC dependent services

SSDP Discovery Service
Windows Time
Messenger
Remote Registry
System Event Notification
Remote Desktop Help Session Manager
Distributed Transaction Coordinator
Task Scheduler service
COM+ Event System
COM+ System Application

Step 2

Disable DCOM

1. Run "regedt32.exe" from the Start menu "Run..." item.
2. Select the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole" and set the value "EnableDCOM" to "N".
3. Select the key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc" and edit the value "DCOM Protocols". This may contain a number of strings. Delete the string "ncacn_ip_tcp".

Step 3

Configure RPC

1. Run "regedt32.exe" from the Start menu "Run..." item.
2. Select the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs" and add the string value "ListenOnInternet", set to "N".

Step 4

Patching the RPC server

Microsoft RPC cannot be configured to listen on a port other than 135. Instead it is necessary to patch the system to force it not to use the port. Patching an OS is strictly for advanced users.

The server needs to be patched using a hex editor. I have used WinHex here.

The RPC server is implemented in a file called rpcss.dll; however, this file is in constant use. So you will first have to disable it, reboot, patch it, re-enable it and reboot again.

1. Make a copy of the file rpcss.dll as a backup. Copy the file from \windows\system32\rpcss.dll into one of your own directories using Windows Explorer.
2. From the Start menu select Run.
3. Enter "regedt32" and click on OK.
4. Expand the tree and select the key: HKLM\System\CurrentControlSet\Services\RpcSs
5. Rename the value "ImagePath" to "xImagePath"
6. Exit regedt32 and reboot the machine. The machine may take longer than normal to start up and some functionality will no longer be available. The Start bar may no longer be visible, so it is a good idea to have a shortcut to a DOS box on the desktop. This will be re-enabled later.
7. Run your hex editor and open the file \windows\system32\rpcss.dll
8. Search for the byte sequence "31 00 33 00 35" or the Unicode text "135".
9. Overwrite this byte sequence with "30 00 30 00 30". This changes the port from 135 to 000, which DCOM will not be able to open.
10. Save the file in the hex editor.
11. From the Start menu select Run.
12. Enter "regedt32" and click on OK.
13. Expand the tree and select the key: HKLM\System\CurrentControlSet\Services\RpcSs
14. Rename the value "xImagePath" to "ImagePath".
15. Exit regedt32 and reboot the machine.
16. The DCOM server should no longer bind to port 135.

Who needs those stupid packet filtering tools such as firewalls when we have a beautiful technique to survive called Reverse Engineering?

I hope you guys will enjoy my work. Your comments are always welcome.


Using Google to Find Security Bugs

Reviewing software for security bugs is a highly recommended best practice. There are various techniques for doing source code reviews, one of them being "static code analysis" which (in most cases) involves the use of a 'grepping' (pattern matching) tool along with a database of patterns that indicate potential security flaws. There are disadvantages to static code analysis: high rate of false positives and the inability to detect logic errors that may lead to security bugs. That said, static code analysis tools can be used to perform a quick first pass on the source code to detect bugs that can be easily identified by a grepping technique ("low hanging fruit"). Some of the free static code analyzers (security) are: Flawfinder, RATS, and SWAAT.

The idea is to query Google Code Search using techniques previously reserved for local static code analysis. Here are a few interesting queries:

- SQL Injection in Java caused by executing a dynamic SQL query with user supplied input: http://www.google.com/codesearch?hl=en&lr=&q=.*executeQuery.*getParameter.*

- SQL Injection in PHP caused by executing a dynamic SQL query with user supplied input: http://google.com/codesearch?hl=en&lr=&q=.*mysql_query%5C%28.*%5C%24_%28GET%7CPOST%29.*

- Cross-Site Scripting (XSS) in Java caused by echoing user supplied input without HTML encoding: http://www.google.com/codesearch?hl=en&lr=&q=%3C%25%3D.*getParameter*

- Cross-Site Scripting (XSS) in PHP caused by echoing user supplied input without HTML encoding it: http://google.com/codesearch?hl=en&lr=&q=echo.*%5C%24_%28GET%7CPOST%29.*
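The same four patterns applied locally, as an added example that is not from the original post or from any of the tools it names (Google Code Search itself was shut down in 2012, but the patterns still work as a first-pass grep over a checkout). The SAMPLE source lines are constructed; line 4 is deliberately a false positive, since the output is HTML-encoded before being echoed, which is exactly the weakness of grep-style analysis the text describes.

```python
import re

# The page's Google Code Search queries, written as Python regexes.
PATTERNS = {
    "java-sqli": re.compile(r"executeQuery.*getParameter"),
    "php-sqli":  re.compile(r"mysql_query\(.*\$_(GET|POST)"),
    "java-xss":  re.compile(r"<%=.*getParameter"),
    "php-xss":   re.compile(r"echo.*\$_(GET|POST)"),
}

def scan(source: str):
    """Return [(line number, pattern name)] for every line that matches a
    pattern. Like any grep-based check, it flags suspicious shapes of code,
    not proven bugs: a hit still needs a human to confirm it."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, name))
    return hits

# Constructed sample input mixing vulnerable, falsely suspicious and safe lines.
SAMPLE = """\
rs = stmt.executeQuery("SELECT * FROM users WHERE id=" + request.getParameter("id"));
$r = mysql_query("SELECT * FROM t WHERE a='" . $_GET['a'] . "'");
<%= request.getParameter("name") %>
echo htmlspecialchars($_POST['msg']);
ps = conn.prepareStatement("SELECT * FROM users WHERE id=?"); ps.setInt(1, id);
"""

if __name__ == "__main__":
    for lineno, name in scan(SAMPLE):
        print(f"line {lineno}: {name}")
```

Line 5 uses a prepared statement and is correctly left alone; line 4 shows why every hit still needs review.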

See the resources below for more details and queries:

http://asert.arbornetworks.com/2006/10/static-code-analysis-using-google-code-search/

http://blogs.securiteam.com/index.php/archives/663

Google, in my opinion, is the most handy and the most powerful hacking tool. Use it smartly.

How to steal a million

I took on a challenge to steal one million Indian Rupees (INR150.000) and become a millionaire over a weekend. No, I didn't succeed. Choosing the method, going through the legal matters and talking to all parties took too long. I admit it and it bothers me: I didn't succeed within the set time limit, but hey, except for time, it was my win!

For those of you who didn't read the rules, here they are again:

  1. Get access to at least 1 million Indian Rupees (millionaire!!)
  2. Don’t get caught (VERY important!)
  3. Don’t put anyone in trouble in any way (Do good, not bad)
  4. The mission must be finished before Monday (Longer and I would get bored)
  5. Improve security so this can’t be done by anyone else (The whole point!)

The method
IT security is my passion, but in the world today the border between computer security and physical security is really thin. For example, what good is a perfectly set up firewall if the door is unlocked to let you walk out with the server? Or what good does a strong password do if you write it down next to your computer? This is something I wanted to include in this challenge.

Back in the late 90's were the golden years of credit card fraud; people exchanged thousands of stolen credit card details in open IRC channels. Most of these guys were sitting at home, not even using proxies or encryption. They broke into webshops and companies that had just started their business online, not knowing anything about computers, and even had clear-text lists of credit cards on easy-to-access servers. People exchanged credit cards for more credit cards or other stuff such as shells, passwords and botnets. The crimes weren't even investigated as long as the money stolen was below the cost of investigating it, and we all know what unrealistic pay these incompetent computer guys charged. And still do today...

I even believe the Internet had far more crime back then if you compare the number of thefts/frauds to the number of users. So no, it wasn't all better back in the days; it just wasn't considered as serious.

Why am I telling you about this? Because even if this was ten years ago, credit cards are still one of the easiest sources of money and a target for any criminal. Assuming they know what they're doing, I'm targeting the same.

The victims
This is what would have happened for the victims if we took it one more step:

It's the weekend, which means people are gladly spending loads of money at the pub/club. Of course they aren't exactly sober and won't pay any attention to their bank accounts being robbed. The day after, being hungover, they will realize that someone last night stole their credit card information and with that all their money.
The memory is a bit blurry but they remember using the credit card twice, once paying the bartender and then the taxi driver. Of course it was one of them! Or maybe it was skimmed back when you were on vacation on the South Pole? Those damn penguins!

The steal
Every time you as a guest pay with a credit card, the bartender places five items on the counter after charging it.

  1. Your Credit Card
  2. Your ID
  3. Your receipt
  4. A pen
  5. The pub’s receipt for you to sign

You take #1, #2, #3 and move along to your friends with your beer and leave #4 and #5 on the counter. The bartender, on the other hand, being under constant stress, goes on with his/her work to serve other customers while you sign the receipt and leave. When the bar counter has a couple of signed receipts they are collected into the cashbox.

Me being an extra friendly guest, I help the bartender by collecting a few into my cashbox (my pocket). Not all of them, I'm a lazy bastard and of course don't want to put the bartender out of work! Ohh yeah, it will probably raise some questions as well if all the receipts are gone. You know how impossible it is to get the bartender's attention when you want to order a beer; I got just as much attention taking receipts. 30 minutes later I have ten of these.

Let's say I would continue this, averaging 20 an hour for five hours; this would give us 100 receipts. So what can you do with 100 pieces of paper? Well, there just happens to be some interesting stuff on these that could help me to my INR1.000.000.

The tech
Each receipt has the following data on it:

  1. Full credit card number
  2. Card's expiration date
  3. Name or full birth date

So we have everything needed to use their card online except for the missing CCV (the 3-digit code on the back), which makes this trick a bit of a hassle. To calculate the CCV we could use the following formula:

PAN x ED x SC x CVK == CCV

PAN == Primary Account Number
ED == Expiration Date
SC == Service Code, probably "000" but only known by the issuer
CVK == A number of DES keys, again only known by the issuer
CCV == Credit Card Verification, 3-digit code to prevent fraud printed on the back

Simply put, we can't use any algorithm to get the CCV because we don't know the SC and CVKs. Good security, I like it! But missing only a 3-digit code is not going to stop us. Using brute force we have a maximum of 1000 and an average of 500 attempts per card, pretty much any script kiddie's dream. Even easier, we could just withdraw or buy stuff from one of the many shops online which don't require CCV (Did I hear USA?).

To test my theory I set out to brute force a major credit card. 15 minutes later I had filled my poker account simply by testing 001, 002, 003... This was done manually, but a small script would probably take just as long to create and would automate the process for future misuse. Shouldn't this have triggered some security system? Did I trigger something? It doesn't really matter; I still succeeded in withdrawing money, so any protection that alarmed the bank was doing it too late. Before anyone would notice, the money is long gone. Oh, also the card still works according to my friend who allowed me to use his. Thanks T! =)
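The question above ("shouldn't this have triggered some security system?") from the issuer's side, as an added example that is not part of the original post: a velocity rule over authorization logs that flags a card after a burst of CVV-mismatch declines inside a sliding window, so the card can be blocked before a later guess gets approved. The log lines, field names and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real transactions): one attempt per
# line, with the card number masked the way a gateway log would show it.
AUTH_LOG = """\
2009-05-16T22:01:10 card=4111****1111 result=decline reason=cvv_mismatch
2009-05-16T22:01:14 card=4111****1111 result=decline reason=cvv_mismatch
2009-05-16T22:01:19 card=4111****1111 result=decline reason=cvv_mismatch
2009-05-16T22:01:25 card=4111****1111 result=approve
2009-05-16T22:05:00 card=5500****0004 result=decline reason=cvv_mismatch
2009-05-16T23:40:00 card=5500****0004 result=decline reason=cvv_mismatch
"""

def parse_auth_log(text):
    """Yield (timestamp, masked card, result, reason) for each log line."""
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["card"], kv["result"], kv.get("reason")

def find_cvv_guessing(text, max_failures=3, window=timedelta(minutes=10)):
    """Return {card: time the threshold was first hit} for cards with at least
    max_failures CVV-mismatch declines inside any window-long span. Sequential
    guessing (001, 002, 003...) produces exactly this burst; a genuine typo or
    two spread over hours, like the second card, does not."""
    recent = defaultdict(deque)   # per card: timestamps of recent CVV failures
    flagged = {}
    for ts, card, result, reason in parse_auth_log(text):
        if result != "decline" or reason != "cvv_mismatch":
            continue
        q = recent[card]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures and card not in flagged:
            flagged[card] = ts
    return flagged

if __name__ == "__main__":
    for card, when in find_cvv_guessing(AUTH_LOG).items():
        print(f"{card}: CVV guessing detected at {when}, block before next auth")
```

In the sample, the first card is flagged at the third failure, six seconds before the approved fourth attempt, which is the point at which an issuer would have to decline rather than alarm afterwards.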