Cipher

Source code review with AutoBugle

EK — Tue, 05 Feb 2008 22:23:40 +0000

Some time ago I start creating a list of google queries (Bugle) people could use to hunt bugs in source code available in the web. The project started before Google Code Search, so the only way to point to source code was using the Filetype and ? * . operators which worked pretty well. After a couple of months Google announced the Code Search service and the accompanied API which made things much more interesting. Using the new Google service people can supply full regular expression when searching and pinpoint to Bugs a bit more accurately.

Anyway, to cut a long story short, utilising jQuery, Google Code Search API and Bugle, I created an automated version of the Bugle project which looks as close as possible to a desktop based source code review tool.

To demonstrate Bugle Automated I will be looking for bugs in Samba. The first step is to add the package you want to inspect in the Scan field, as you can see below there is Auto Complete functionality available suggesting possible packages while you type a name.

After choosing a package, press scan an Bugle will do the rest.

The first screen you see is a bit empty , both the Main Panel and the Stats Panel will load as soon as you choose a vulnerability category from the left side. Bugle displays the number of issues of each category, so you can immediately get an general idea on where you might find a bug.

As soon as you choose a category a sub menu will be revealed, presenting all the different signatures in that category. At the same time the statistics Panel will load and all the relevant graphs for the project/categories and categories/signatures will be displayed.

Next we choose the Buffer Overflows category, with 205 hits and then the Generic BoF signature (with 50 hits). The Main Panel loads and then we can see each individual line with a possible bug. We scroll down until we find something that could be a vulnerability and click on that line.

We click the Line 117 of samba-1.9.15p8.mvs/source/sockspy.c and we inspect the code in the Code Snippet dialog. Then we scroll down until we find the line with the yellow highlighted text

We can see that strcpy(DestHost,argv[1]); is copying the arv[1] into the DestHost buffer which has 256 chars size. Now we can guess that if we pass in the command line DestHost larger than 256 chars we can create a buffer overflow condition. (Note that this bug in sockspy.c is in a very very very old version of Samba)

That’s Bugle Auto Scanner, hopefully this will assist in discovering and fixing bugs out there.

FuzzMan - man pages based fuzzer

EK — Wed, 18 Apr 2007 09:54:10 +0000

Fuzzing using man pages This article is to introduce a (probably) new fuzzing idea (FuzzMan) that is built around man pages. Many know that in *nix systems if you type man command you will get a manual page informing you on how to use a specific tool. So by just looking at the manual you can find out pretty much in seconds what type of argument and what options are offered by any given command.

The format which man pages follow is universal (mostly), so it is not very difficult to make a script and extract the offered options - which is exactly what gave me the idea of making a tool that can generate fuzzing data based on manual pages. Based on that concept we can fuzz as accurately as possible any command that has a man page.

So lets take a command and generate fuzzing data.

The choice for this example is “shar” - GNU sharutils 4.2.1

Shar creates “shell archives” (or shar files) which are in text format and can be mailed. These files may be unpacked later by executing them with /bin/sh. The resulting archive is sent to standard out unless the -o option is given.

Below you can see how a man page looks in the console

or have a look at the On-line Shar Manual pageThere are several options available for this command and therefore the fuzzer has to generate lots of combinations. Fuzzman catches signals so if you see that you have enough combinaitons you can press ctrl-c.
if you type ./fuzzman.pl shar you get :
=== Extract arguments for "shar" === STANDARD : --version : --print-text-domain-dir : --help : --version : -q : -p : -Z : -S : -z : -o : -l : -L : -n . . . : --no-i18n : --print-text-domain-dir ADDITIONAL : EXTRA BoF Arg : EXTRA Format String Arg : EXTRA Numbers Arg


:Number of Arguments :36 <=== it is not 100% accurate but is very close

=== Generate Fuzzing Script === +STOP GENERATOR WITH CTRL-C :Agrument combinations : 1040 <== This is the combinations counter :Partial shar.sh, not all combinations have been generated :Run fuzzing script [sh shar.sh]

We can see above that there are approximately 36 options. That would create several thousand combinations so I stopped it at 1040 combinations. Fuzzman tried different options adding arguments that could potentially lead to different overflow types, now the shar.sh script is ready.

Starting the shar.sh will execute the command 1040 times.

As we can see above we hit into a bug, Segmentation fault is always a sign.

You can download Fuzzman from here,
Enjoy

Note: This version of Sharutils have been reported for both Buffer Overflow and Format string vulns some time ago (here and here)

Hamachi Considerations

EK — Fri, 03 Nov 2006 17:31:58 +0000

“Hamachi is a zero-configuration virtual private networking (VPN) application.”I was introduced to Hamachi last week, and I thought wow that sounds cool and easy. So I installed both windows and linux versions and start messing around. while I was using different networks, I noticed that if you start typing random network names the system sents back an obvious message saying if a network exists or not. I found that inappropriate, to illustrate an obvious use of that I wrote a tiny perl script to detect different networks using the rather expected brute force approach.

Detect Networks script Detect-hamachi.pl

After that the next step was to see if the system returns a distinctive error if the network picked is correct but the password supplied is wrong. Again that proved to be the case, so the next step was to check on the network I created if there is any account lockout or IP blocking if I submit the wrong password several times. I send the wrong password 10 times and the account was still active. When considering the fact that someone creates a VPN to establish a secure tunnel between private assets this can be considered as an immediate security threat.

At this stage I modified the previous tiny script to go through a list of passwords given a valid network name and the result was predictebale, found the valid password and join the network.

Find valid Hamachi passwords script beef-hamachi.pl

A fast solution to the issue described is to “Block new network members by default”, there is an option in the Security tab to do that.

All of the above are very simple observations, nothing on the protocol or implementation as such (also as far as I am concerned the project is closed source at the moment). Haven’t used it that much so if you see something wrong in here let me know.

These scripts work only in linux and you need to have perl and hamachi installed. Have a look at http://files.hamachi.cc/linux/README on how to install in linux , note in Debian you need to create the /dev/net/tun device to make it work.

mkdir /dev/net/tun
mknod /dev/net/tun c 10 200

Note: The provided scripts are only for illustration purpose, use them only on networks you own.

Hacking: A very brief Introduction

EK — Wed, 18 Oct 2006 17:40:15 +0000

Guest Post by (Pascal.Cretain[AT]gmail.com)

An awful lot has been said about hacking, most of it is simply not true. Due to misinformation, ignorance, the decline of mass media, and other miscellaneous obscure powers, hacking has been associated with electronic crime, illegal access to forbidden realms, the pentagon, the FBI, the CIA, the Russian mafia, credit card fraud, identity theft, software piracy, vandalism, corruption, murder and death. Give me a break. A hacker, in the original sense, is a person who is curious, inventive, intelligent, eager to learn, willing to discover (and perhaps fail a thousand times before achieving any result) alternative ways of using tools and ideas. Using a metaphor here, if I may, a hacker is a bit like a child; she likes to take things apart to see what�s inside, and find out how things actually work. A hacker likes to stretch things to their limits, use devices in ways they were not meant to be used, cross borders and break rules just for the sake of experimentation. A real hacker does not give a fuck about the potential trophy (be it a p0rn, software, monetary compensation, sensitive databases or anything else) waiting for her as soon she has gained access to a restricted domain using a creative, alternative route to circumvent the defence mechanisms in place. She might e-mail the system administrators to let them know that their security is crap, at best, leave everything impact, then move on to a new project. A hacker is more than anything else, a student, not a criminal mind, period. This definition is not necessarily restricted in the world of computing. One can hack in real life. If you decide that your TV does not have any positive effect on your life when it�s on, and decide to cover it with a table cloth, and use it to eat your breakfast on, then you have hacked your TV, in a primitive fashion. Well done, that�s a great starting point.

There is a reason why all this bad hype around hacking has been created. See, hacking is tightly bound with intelligence, creativity and free spirit. Now these attributes are a bit of a threat to governments, global regulators and other bodies �in charge� who want to run the show. To achieve their goal easily and effectively, the controlling powers need to have obedient, non-creative and certainly not very intelligent citizens under their supervision. Where this profit-making, control seeking �plan� is supposed to lead humanity is beyond me, still there is a good chance that this is the way things work nowadays. It is not a coincidence that formal education has degraded to simple (biased) information processing. Our schools, institutions, society and family do not encourage creative and alternative thinking. In fact, they are afraid of it. This concept can extend even more, taking into consideration our lives and career aspirations in general. As the freegan manifesto (http://freegan.info/?page=anotherview) accurately proclaims, as much as capitalists like equating the free market with freedom, our lives are severely constrained under capitalism. Here in we are all expected to live within the rules of a specific narrow model. We go to schools that promote hierarchy and obedience while suppressing creativity and indoctrinating us with the patriotic dogmas and distorted histories of the dominant forces of our national leadership. We are compelled to fiercely compete for the best grades so that we can get into the best college, run up big debts on college loans that we will spend years paying off. Get good grades, get into the best grad school, get a high paying job, buy lots of stuff, buy a house and spend years paying off the mortgage, have kids, keep working to the point where out jobs become miserable unending chores, put our kids through college and grad school so they can start on the same cycle. We go through a mid-life crisis where we wonder what the point of it all is. We retire and get sick with degenerative diseases from a lifetime of eating an unhealthy, fast-food, meat based died and from sedentary living– miserable desk jobs and hours spent vegetating in front of corporate pablum on television. As we degenerate, bored, lonely, and isolated in a society that overvalues competition and undervalues community, we are shipped off to nursing homes, eventually end up in hospitals that attempt to prolong miserable and unhealthy lives, with surgical procedures and drugs and radiation treatments that are tremendously profitable to insurance companies, hospitals, physicians, and medical equipment and drug manufacturers, but do little to address the underlying issues of poor health and often make us even sicker. Eventually we die, providing income to the undertakers, coffin manufacturers, funeral parlours, and cemeteries to turn our corpses into formaldehyde filled hazardous waste that will not be cycled back into the ecosystem locked in boxes made of dead rainforest trees or strip-mined metals. This is considered “a successful life� for the Western middle class and lower portions of the upper class. Apparently, I got a bit carried away, but follow me and you will see where I am getting at.

Don�t panic, though, for all is not lost. We have the unbelievable luxury of living in the internet era. Now this is a whole new topic again, and a huge one indeed, but it is very relevant to this study for certain reasons. If you think back some years ago, access to information and knowledge was very, very different. First of all, there used to be one horrible restriction to acquire information: it had a price. To learn how to be a doctor, computer programmer, lawyer, journalist, biologist, builder, you had to buy many, expensive books and/or go to expensive schools. You very evolution itself was too damn hard, since every time you encountered a problem, an unknown condition in your field, you had to go to public libraries, make expensive telephone calls to other fellow professionals, spend time investigating and if you were lucky enough to find a solution, you would rely on it just because it was the only solution you were able to locate. It is not the case today. Today�s internet is a gift. An ever-changing, almost organic collection of all sorts of information that brings together individuals and ideas of all races, social classes, religions, scientific fields and arts. The power of this mechanism lies in its multi-inclusive nature. Looking for an answer to a question you might have, you are very likely to encounter tons of crap, some quite good approaches, and a few superb ones. You will, though, invariably gain the ability to evaluate, judge, search and think for yourself. And that, my friend, is a tremendous skill. In fact, it is the very root of becoming a superior human being and understanding the world you happen to live in, in depth, so you can make conscious choices and reject this or that lifestyle that �they� are trying to enforce upon you. Computer (or real life) hacking just happens to be one of the benefits drawn from this new skill that you will (hopefully) acquire. So, if there is one service you have to buy in this damn world, it is, in my humble opinion, a good internet connection. Get DSL. Assuming that living in London you speak English, internet access is all you are ever going to need ( provided that you have a computer � a crappy one will do, get your uncle�s old PC that she was planning to donate to charity if you have to), plus some spare time to invest.

Trust me in this one, reader: It will not always be like that. The internet is a very new invention, and a very groundbreaking one. As it happens with all radical inventions in the history of mankind (the wheel, electricity, relativity) it takes quite some time until people are eventually able to govern the new invention�s power, and restrict its potential misuse through many rules, legislation and supervision. The early stages are somewhat �experimental� and very liberal. Man (including the superior forces running the show) has realised the full potential of the internet as a generous profit-making source. Due to the fact that one of our main characteristics is greed, people got quickly addicted (and dependent) to the internet, and now refuse to let go. Fortunately for the rest of us, not profit-oriented, various healthy tendencies including open source information exchange grew in parallel and got their place quietly in the internet. Because of the fact that no-body actually �owns� the internet, it is deemed very unlikely that the internet is going to shut down some time soon for �general maintenance and regulations introduction�. Control is happening, though. Slowly it spreads over the wires through mechanisms like legislation, and sniffing. There are however countermeasures to being supervised: Cryptography is a good one. Cryptography has been made available to the masses about a decade ago through a program called PGP (Pretty Good Privacy) written by a genius hacker called Phil Zimmerman. Cryptography is another, very complicated issue that we are not going to cover here, but it is worth mentioning that the strength of your encrypted messages relies on the size (in bits) of the encryption algorithm. If 40 bits are used, it�s quite easy to decrypt. If 256 bits are used it�s bloody difficult, even for governments or intelligence agencies to decrypt your message. This is because the extent of difficulty introduced to a cipher by adding just one bit doubles, so that a cipher with 41 bits is twice as hard to crack (takes twice the time) compared to one using 40 bits. This is why the US government has put restrictions to the exports of cryptographic algorithms (40 bits I think), and they have classified cryptography under �weapons� so that they can maintain control of the game. Moral of the story: (Ab)use the internet in its present form, for it might not last that long.

While it is possible to hack computer networks without being a programmer (or at least being able to read and understand code) I strongly suggest you acquire that skill. Remember, the goal is not to scratch the surface (as sick of it all says), but to get a shovel and start digging. If you want to hack wisely, you have to understand how the tools you are going to use actually work. That�s why I personally support the �open source� approach, because it gives you access to the underlying architecture of all the tools you are using. In that way, you can really understand what�s going on behind the scenes, and perhaps modify anything as you see fit. The languages commonly used in the computer security field are Ansi C (often used in a scripting approach under the UNIX shell), and many general purpose scripting languages such as Tcl, Perl and Python. I have seen apps recently written in pure Java, though this language is generally not preferred in the underground. Moreover, you must get acquainted with the basic concepts of computer networking. There are a few protocols which are extremely popular and you should know how they work. These include the TCP/IP protocol suite (including UDP and ICMP), the mail protocols (POP3 and SMTP) and various others such as HTTP. You should also get familiar with the major Operating Systems, Windows and Linux. There are things you can do with one but can�t with the other, so you should learn and use both. If you have no fuckin� clue what I�m talking about in these last few lines, then I strongly urge you to get an internet connection (see above), and start using www.google.com to educate yourself. I shall warn you here, reader, that the legislation on computer attacks is rapidly changing, and getting stricter every day. So as soon as (and if) you ever start launching attacks against computer networks, be sure to launch them against networks you own, or ones that you have formal authorisation to perform testing against, to avoid getting in trouble. It is perfectly possible to hide your tracks and clean up your mess effectively, but it is a very daunting task, something that comes with experience. As a newbie, you might as well forget about it for the time being.

I suspect what you might be thinking �Hey, that�s all good, now teach me how to hack!�, and, gee, I really hope that I�m wrong. See, there is a reason why I decided to release this document in this very event - the resistance festival. Taking into account the fact that you came here, you are quite likely a person who already has an �alternative� approach to life. You try to differentiate yourself from the mass through unconventional music and other art forms, �revolutionary� appearance (we have all been there at one time or another), maybe travelling and the likes. If you have followed me until this point, you have hopefully realised that the mission of this document is not to provide some quick guide to getting porn and certainly not illegally accessing your girlfriend�s hotmail account. It is to teach you how to be a creative problem solver, and how to seek knowledge. The means employed to try and get you started is computer hacking. This is because it just so happens that I have an elementary knowledge of this field, I consider it interesting, and I feel that there is a great potential to it. If, on the other hand, you are one of them people who want to learn how to hack computer systems because it is considered �elite�, or to get some free shit, while not having genuine interest in improving yourself, perhaps the security mechanisms employed in the IT industry nowadays, and eventually getting (more) wise then to hell with you anyway. Forget you ever read this document and go back to whatever you were doing. The community does not need you.

Section II: Doing it
——————————- Although I have been fiercely propagating creativity, I do believe that it is important to follow (not religiously though) a standard methodology when hacking. This ensures that you hack effectively and do not forget any necessary steps due to your enthusiasm or various other reasons. Of course, the methodology you choose should be one you have studied thoroughly (or created it yourself � even better), and customized to your specific needs. What we are talking about, here, is a hacked methodology, by means of our prior definition of what hacking essentially is. A nice, open-source methodology for security testing is provided by the fine folks at ISECOM, and is called OSSTMM. I suggest you have a look at it. Now moving on to the juicy bits.

Step 1: Profiling the target (fingerprinting): Just like in real life, the first thing you need to when planning an attack is information gathering. If your target was to break in a house, you wouldn�t just smash the window and enter, not if you didn�t want to get busted that is. The same goes for hacking. You main source to gather information is, you guessed it, the internet. Use the main search engines (Google is good, but there�s tons of other search engines that you might want to have a look at, see Fravia�s ww.searchlores.org to learn how to find anything and everything on the web). Identify IP addresses, Domain Name Servers, telephone numbers (might come in handy for war dialling) , key personnel names; try to find messages in public message boards seeking technical information on specific problems they might have, for this might reveal specific software or hardware they are running, as well as version numbers. Gather e-mail addresses and e-mail server IPs, articles written by the target�s personnel, whatever seems relevant and you can lay your hands on. Use tools such as SamSpade, query the public Whois databases (like www.ripe.net), do what you have to do, be creative. This way, you will plot a nice picture of the target, though public channels, without having to query the target at all. This phase might seem dull to you, but it�s the quintessence of hacking. Without this information, you will be surely lost and helpless, in danger of knocking other people�s virtual doors, or even worse, knocking in vain where it is unlikely that you will ever get an answer.

Step 2: Scanning & Beyond: Now comes the point where you reckon you have gathered enough information to start getting more active. You have discovered several public facing devices perhaps a couple of firewalls, routers, Web and Mail Servers and you wonder what you can do to them. This is when you start scanning your target. The art of scanning attempts to find out what particular services and program daemons are listening, and on which ports. While there are several methods (Xmas, Null, Full, UDP) to discover such information, the most common and effective one is to send synchronisation (SYN) requests to your target. This is also known as the half-open TCP connection, and usually it manages to obtain a list of ports which demonstrated an interest, revealing that there is something running there. When there is something running, it can probably be exploited. You can use tools like Nmap by Fyodor, or Superscan(GUI)/Scanline(command line) by Foundstone. There are many free scanners out there, you go and have a look for yourself. An indispensable part of port scanning is the so-called banner grabbing. This functionality is included nowadays with many of the freely available scanners and what it does is try to tell you more about what it has found, such as which piece of software is active, what version it is running etc. There is a beautiful tool capable of doing myriads of things, that might help you in this goal too, and this tool is called NetCat. Netcat tries to establish a remote connection to a user-defined port, and sometimes it can achieve that, often revealing sensitive, useful information that will help you better profile your target�s vulnerabilities. Alternatively, you can use a splendid free tool called Nessus, which does just that, without getting you into manual trouble at all. Nessus is a general purpose scanner, which runs off a constantly updated vulnerability database. If you run Nessus against your target, it will inform you of any specific holes it has found, and will propose remedial action. If you like it manual, though, you can now browse to a public vulnerability database (hint: www.securityfocus.com), and see which (if any) exploits are applicable in your situation.

Step 3: Exploitation: There you are, you have found at least one machine that�s running a service vulnerable to some exploit you are now aware of. You can try to exploit the hole reported, using publicly available exploit code, or when you have become a competent hacker, perhaps write your own exploit. Not all exploits will provide you with System privileges in your target system; many of the security problems are of a different nature, some can cause Denial of Service Attacks (another big topic), others are related with more subtle issues, such as ineffective logging. Give it a try, though. See if the problem you have spotted is likely to cause �remote arbitrary code execution�. If the problem is a buffer overflow, your chances are good. Check out the MetaSploit framework, an experimental website dedicated to exploit development and research. With some luck, you might end up having System privileges in your target network. This effectively means you can do whatever you want. Even if you have not achieved to break in with Systems privileges, you might try to escalate your privileges while inside. For that, you can use local exploits, a different family of exploits. Use your imagination and creativity. There is no strict rule as to what you can do. You can attempt to go even further, perhaps by obtaining a copy of the local password file. In modern OSs, the password file is encrypted so you �d better transfer a copy of the password file to your local machine and try to crack it later using one of the many, free password crackers. You might now be thinking �Hey what�s all that crap you said before that strong cryptography is extremely difficult to crack�? There is one condition under which cryptography is effective: that the user chooses a good password. See, most of the times the cryptographic algorithm generates a hash of the password provided. A hash is a mathematical one-way function that�s meant to be extremely difficult to reverse. What password crackers do, effectively, is to try to match weak passwords (taken from password lists) with the equivalent entries in a hash file. A different approach (more lengthy indeed) is to try all possible combinations to match a password and its hash. These approaches are tagged Dictionary and Brute Force attack, respectively.

Step Null: Web Application Hacking: A category of devices that deserves special treatment is that of Web Servers. To you, the newbie, this probably can be interpreted as website hacking. Websites sit on machines called Web Servers, which run special software to achieve their goal (serve web content to you). We classify this as �application hacking� because most of the stuff runs at the application (the highest) layer of the OSI seven-layered model. There�s a bunch of nasty things you can do to web applications, including, but not limited to SQL injection, path traversal, and cross site scripting. The list goes on. For a very good interactive tutorial on application testing, I refer you to the WebGoat (www.owasp.org). As far as automated Web app scanning, there�s a fine tool called Nikto which launches specialised attacks to test security and/or patching level. Manually speaking, there�s a suite of tools called proxies which you will find very useful if you are interested in application testing. Proxies basically sit between you and the web server, acting as a man-in-the-middle. All requests that you send to the web server can be intercepted and modified by the proxy before they leave your machine. In this way, you can craft customised requests, mess around with HTTP, manipulate cookies, change fields as you see fit, and see what happens. Some nice, free proxies for Windows are Odysseus, Achilles and WebScarab.

Step Nullx02: Firewall Hacking / IDS evasion: Due to the increase in electronic attacks, the high availability of information and tools, and human stupidity, today�s IT landscape is very tight. One can envisage a company�s network as a castle, without an easy way in. Devices called Firewalls can be thought of as the walls protecting the castle; Intrusion Detection Systems can be viewed as dog guards. What a firewall effectively does is take the responsibility to define which services and protocols will be allowed in and out of the caste. It�s a passive, but effective, means of defence if configured correctly. IDS systems usually work with attack signatures. Their role is to be more energetic, logging and preventing potential attacks. They also attempt to stop so-called 0-day hacks by applying intelligent hostile activity recognition methods to incoming traffic, even when there is no actual match to one of the attack signatures in the database. Firewall hacking is difficult and requires skill and creativity. One simple approach is to try and tunnel hostile traffic through a port/service that is being permitted by the firewall �officially�. Port 80, the one used to allow internal users to browse the web, is a good candidate for experimentation. IDS systems evasion can also be a difficult task, because these systems are getting more and more intelligent as we speak. One straightforward approach to attempt to cause confusion is packet fragmentation. Using tools such as the fragrouter by Dug Song, the IDS systems cannot tell with certainty whether the incoming packets constitute an attack or not, because the structure of the packets differs from the signatures in the IDS� database. To be honest with you, this last step is a bit advanced, but I thought I�d mention it here since I had some free space, and it�s an important section in the IT infrastructure.

Considerations & Conclusions: As I said before, hacking in our era can be dangerous. Needless to say here, I do not have responsibility if you do anything stupid with the knowledge and tools that you became aware of in this document. Handle with caution. Other than that, may I wish to you, reader, good luck in you journey to knowledge through hacking. It is a difficult and certainly long journey, and you will often feel disappointed and might consider quitting. I strongly suggest that you stay, though, for it is a fascinating field and many interesting people are involved in this. I wish to stress one more time, here, that if you feel like staying with us, please do it right, and don�t be one of these lusers who go out there and Change HTML (the equivalent of Spray painting) in some old, forgotten, unprotected and unpatched web servers operated, perhaps, by the catholic church of Stoke-on-Trent. These people give a bad reputation to hacking, and are certainly not hackers themselves.

Contact: That�s it reader. I hope you have gained some useful information from this document I composed. Even more, I hope that you might be inclined to research these issues for yourself, hopefully under the right ethics and mentality, as a true hacker should. Obviously, this is just an A4 you�re holding so you probably didn�t expect me to fit in here even more information than I already did. Feel free to contact me with your opinion/feedback on this paper. If you intend to ask me any questions, though, be very careful. If you manage to convince me that you have spent considerable time on research, tried different approaches, used your brain but still have not managed to reach a sound conclusion, I will be more than happy to help you. (If I know the answer, which I seriously doubt for I am a novice as well). If, on the contrary, you send me an email with a very lame question that clearly demonstrates you fall into the dreadful category of hotmail password seekers/lazy lusers that want everything served to them without moving their little finger, then I am afraid that I will not reply to you, hell I might even try to spam your mailbox (joke). I�m sorry if my communication approach does not satisfy you, but these are the rules of the game. Take care.

The Semantic Web

EK — Thu, 12 Oct 2006 10:34:20 +0000

Guest Post (by Nick Lagos)

“The bane of my existence is doing things that I know the computer could do for me.” — Dan Connolly, The XML Revolution

In 1989, Tim Berners-Lee, a British researcher working at CERN (Conseil European pour la Recherche Nucleaire), envisioned the birth of a linked information system that would offer efficient access to data, regardless of the program or terminal in use. That led to the creation of the World Wide Web. Nowadays, the essential property of the World Wide Web is its universality. This constitutes both power and weakness, as anything can be found but the amount of information included is enormous and thus unmanageable. In order to confront the problem of information proliferation, changes have to be made to the current structure of the Web. Along these lines, Tim Berners-Lee proposed the reformation of the Web, as it exists, to the “Semantic Web”. As Berners-Lee argues “the Semantic Web is not a separate Web but an extension of the current one, in which information is given well-defined meaning, better enabling computers and people to work in co-operation�the challenge of the Semantic Web, therefore, is to provide a language that expresses both data and rules for reasoning about the data and that allows rules from any existing knowledge-representation system to be exported onto the Web” (Berners-Lee et al. 2001).

So, the Semantic Web should provide enhanced information access based on the exploitation of machine-processable metadata. Facilities to put machine-understandable data on the Web are becoming a high priority for many communities. The Web can reach its full potential only if it becomes a place where data can be shared and processed by automated tools as well as by people. For the Web to scale, tomorrow’s programs must be able to share and process data even when these programs have been designed totally independently. The Semantic Web is a vision: the idea of having data on the Web defined and linked in a way that it can be used by machines not just for display purposes, but for automation, integration and reuse of data across various applications (W3C 2002).

But in order for the Semantic Web to become successful, it has to be based on the principles that made the current World Wide Web successful. According to Goble (2003) these are its scalability, by challenging assumptions on link consistency and completeness, and its simplicity. So the challenges that emerge for the semantic technologies to be brought in the Web are (Goble 2003):

� The Web is vast, so solutions have to scale. Reasoning engines must perform quickly and robustly.
The Web is here–we have a legacy so we will have a mixed environment where some resources are “semantic” and some are just “Web”. We must have a clear and achievable migration path from non-semantic to semantic.
The Web is democratic–all are knowledge acquisition experts and all are knowledge modellers. The barriers of admission must be low enough for most users to participate to the degree that is appropriate for them.
The Web grows from the bottom. Most people wrote their first HTML by editing a third parties. The Semantic Web will arise from fragments of metadata copied in a similar way.
The Web is volatile and changeable–resources appear and disappear, resources change.
The Web is dirty–there is no way to ensure consistency or whether information is trustworthy, and provenance is unknown. However, tolerance of error does not necessarily mean one should be oblivious to it.
The Web is heterogeneous–no one solution or one technology will be adopted; no one set of metadata will apply to a resource. Agreements are difficult, and mappings and translations will be common place.

Towards achieving the attainment of the Semantic Web, the development of three major technologies is needed. These are: a language that allows users to add structure into their documents easily and in a uniform way, a framework that would add meaning to the evolved structure and an entity that would solve the problem of communication. Each of these technologies will be presented and discussed in future sections.

Useful links:
http://www.w3.org/2001/sw/ (W3C’s page, the power behind the Semantic Web)
http://www.semanticweb.org/ (Community for the Semantic Web)
http://rdfweb.org/ (Example of a Semantic Web application)
http://www.w3.org/DesignIssues/Semantic (Roadmap to the future for the Semantic Web)
http://ftrain.com/google_takes_all.html (Why Google marketplace became so successful?)
http://www.netcrucible.com/semantic.html (How can you make a semantic web site?)

References

W3C Semantic Web Homepage, http://www.w3.org/2001/sw/ (21 November 2002).
Goble, C. 2003. The Semantic Web: an evolution for a revolution. In: Computer Networks, Volume 42, Issue 5, pp. 551-556.
Berners-Lee, T.; Hendler, J. and Lasilla, O. 2001. The Semantic Web. Ed. Scientific American, Vol. 284, Issue 5, New York.

Applied Honeypots

EK — Mon, 12 Dec 2005 17:40:15 +0000

Track Big Brother using HoneypotsAlthough honeypot�s main application is to create attractive traps for hackers, there is a good opportunity for hackers to track governmental or other information gathering agents using the same method. A scenario like that would be a really big breakthrough into the world of secrecy, since top secret tools and techniques will be revealed to the public. Can you imagine how difficult will be to make an investigation if the agent who is doing it is not sure if the system he is �logged� is a honeypot or not? It is almost sure that someone who will be able to track a government agent searching into his data will be able to go to the court and have evidence of this intrusion into his system. The legal issues of something like that will be rough to solve. The main steps of achieving an entrapment of an agent into a honeypot are two and commonly used by governments and organisations to catch hackers. A hacker can use the same plan the �enemy� uses.

Reputation
Content

Both of these steps are not difficult to achieve. Reputation: make some public noise about a particular illegal service you provide through your system so an agent will notice it (public noise is not difficult these days, especially via the web).

Content: create some fake �illegality� in your system so it can convince an observer.At this point government knows about the service you provide but since there is not any evidence about you they need to make some analysis of your system/data using forensic techniques, which most likely will be launched remotely. Note that they (government) want to see your system work in real-time so they won�t stop it. Now that the hacker expects to be under investigation the only thing that he has to do is, shit back and watch. The honeypot is been used against government so we can expect it to give us some really interesting feedback. Most likely we would see exploits that haven�t yet published, tools that are in total secrecy, and we might see some techniques to detect the existence of a honeypot.

As we can see, honeypots are tools which can provide good analysis of a particular attack, but we must remember that every publicly available tool can be used by all the people, so the question created is, honeypots help investigators or hackers? The power that a hacker can gain using the previous technique can make him/her almost untouchable; no one would want to hack into his/her system to do investigation since the only thing that they will achieve is to give more knowledge �out�.

Honeypots & Worms

Worms are small entities, which spread �around� using well-known vulnerabilities, with a main purpose to intrude inside a system and be able to attack from that host others and spread [http://www.securityfocus.com/infocus/1740]. Worms can �Damage� or do �Good�, depended the way you use them. Mostly written by computer hackers and researchers, although many times antivirus companies create them for the obvious reason to make money. In order to find out how a honeypot will be useful against a worm, we need to know the most known characteristic of a network reaction during an attack. When a worm is lunched we can observe aggressive flow of traffic and bandwidth reduction. The first hint that a worm is �around� is observed, now we can watch for a specific steps usually a known worm does, for example, if we have an attempt on port 135 of our system and the particular packet is giving known signatures of MSBlast we can be sure what is going on and send the worm to a controlled honeypot or honeynet to observe how this worm works and at the same time secure our network from the attack.

The previous example is known as a defender honeypot and is based on gateway, which is acting once as a firewall and then as IDS. We have content analysis, traffic analysis, and source code analysis and port alarms. It is obvious from what we saw above that a system like that can work in case a worm is known and predictable, which in most cases will work, but during the attack of a new and unknown worm a honeypot might do damage instead, and send the worm inside our secure network. This confusion can be caused also from worms which are using encryption and/or polymorphism so it is really difficult for a honeypot to be sure if there is a worm attack or just e.g. a network problem. In a situation like that it is better to use a scheme called Sacrificial Lamb. We have to sacrifice a system in our network and leave the worm infect it. In this system we had previously created virtual hosts (using honeyd for example) in a very simple �topology � and big in number, so we could simulate 10.000 hosts, and see how the worm is moving inside that virtual network. 10.000 hosts is probably a good number to identify all the possible signatures of the worm and be able to update our honeypot-gateway/anti virus/firewall or IDS.

Catch information thieves using honeytokens

Some times the concept of honeypot needs to be applied to a specific information or collection of information instead of a system. In order to make this statement more clearly we can use a real life example [http://lwn.net/Articles/40925]. Lets say that you want to check if a service you are using in the internet is selling your personal information to a third party or spammers. The only way to do that is to give them some fault information and be able to confirm them.

An easy way to do that is, by having a different email address for every registering you are doing to different services. First you need to have your own domain name in order to do it easier, then enable email forwarding, so every email address you create under you domain name will send the emails to your main email address.

Let say that we want to open a user account with Amazon.com, during the registration process amazon will ask for a valid email address, this is where we will put our honeytoken , instead of using our main email address we put in this field : amazon.com@mydomain.com.

Now every time we receive an email, which is having as recipient amazon.com@mydomain.com we know that the information came out of amazon.

Another example is the Management�s emails. In this scenario we need to know if someone is trying to have access to a company�s high confidential information, which for example can be transferred via email. In order to achieve that we do the following: We create an email, which is having fake information about a server we are having online and this server is full of top-secret data.

For example: 

Dear manager ,

These are the informations about the company�s
private server :
Server : TopSecret.company.com
Username : Manager1
Password : Password1

Regards ISDepartment

This email is a real trap, we are sure that if someone will login into the system TopSecret.company.com will be an attacker. Then we can track him/her down easily. As we can see from the previous examples, honeytokens can be really helpful, although this technique is not new, especially in information intelligence world.

Track Spammers with honeypots

One of the biggest problems created using the fundamental tools of web is spamming. It is difficult to catch a spammer since the mailing system itself is not secure enough. Spammers usually use �open� (open relay) mail servers in order to do their attack. Although it is well known problem, many companies and ISPs don�t take any countermeasures to avoid a usage of their servers as a spam tool because they mostly don�t know that is happening, until it is very late and they get blacklisted.

We mentioned earlier Open Relay, this is an option in mail servers, which lets anyone in the Internet use your mail server and deliver emails. Although this service at the beginning of the Internet revolution had a reason of existence, now it seems like the good tool for spammers to deliver their �goods� [http://www.honeypots.net]. The main technique of spammers is to do an IP scanning combined with Service scanners in order to identify any mail servers for a given IP range. The next step is to check the found servers for an Open relay service; the usual way of doing the check is by sending an email to your self, using the server under �analysis�. The formal name for these tests is known as Relay Test message [http://www.tracking-hackers.com/solutions/sendmail.html].

Since we know the way that spammers work, we can place a honeypot and make it work as a Relay mail server, when the attacker will find that server, he will send the Relay Test message, now the honeypot knows that there is something wrong, but it will keep work as relay server and will return the relay test message. Now the spammer is sure that the server is open and he will try to lunch spamming attack. Our honeypot will be programmed to pretend that it sends all the emails the spammer delivers, in the meantime we will be able to do a research in the spammers Identity, for example find his IP, Location and ISP. Even if the attacker uses a proxy to do the work, we can track the proxy servers and inform the administrators about the misuse of their system.

This is a general idea on how we can use honeypots against spammers, more practical details on how to do that visit: http://fightrelayspam.homestead.com/files/antispam06132002.htm

Cipher challenge

EK — Mon, 02 May 2005 18:12:07 +0000

This is an experimental area in which I’ll post some Cipher Challenges for you to solve , at the moment it will not be anything fancy , retrieve the plaintext from the following ciphertext and email it to me :

Challenge .1
: FUKPGCZHZCI MVZKOC, QBH ZW DTS KR QGBW GM TCIDZTN MVXCWLGAZ QHDSK YP RMKDL RYUTSPQ KDPC NSAGDKHZO PX CYRQDCK AQ AG IBZ P GRIU VBMQ CAK PVOHLBZS WDM RWSDIFAYVX VCKL ABM RHOZGIS ! ST FRDP WQUG. PK UTH STBA INCS PK PT RPRQU UCT CL Z WEBW AYPW XBAOREM JGGUH PS RUO WNM ZRTWDMC BZWDPVRCG PA ZSI PGPV. HSPX SFVI W RFA TTYG NFICKQYKH
Hint 1 : here

Phising Techniques

EK — Thu, 22 Jul 2004 12:44:30 +0000

Many Techniques exist on how to scam people using email or websites. This is a list of these kind of scams so you can see them and recognise them.

(have your eyes open)
URL Obscurity

Using Password fields:
http://username:password@www.example.com/ 

Ex.
http://www:microsoft.com/download/@www.cipher.org.uk
This link will lead to cipher.org.uk and not Microsoft

Using different Base:
Dword Format
http://dword format
Generalised formula to convert to dword format
Let say that we have a url http://a.b.c.d
DwordURL=((((a*256)+b)*255+c)*256+d)
so now we have http://((((a*256)+b)*255+c)*256+d)

Octal Format
http://octal
Generalised formula to convert to Octal
Let say that we have a url http://a.b.c.d
OctalURL= 0Base8(a).0Base8(b).0Base8(c).0Base8(d)
You need at least one leading zero.

Hex Format
http://hex
Generalised formula to convert to Hex
Let say that we have a url http://a.b.c.d
HexURL = Base16(a).Base16(b).Base16(c).Base16(d)
or
HexURL = Base16(a.b.c.d)

Using Redirection
Lets say that IBM use a script which can load another
webpage inside their main website :
e.g. :http://www.IBM.com/url?p=http://www.google.com.
You can use that to exploit trust.

Using Cross Site Scripting
Reported vulns on different web applications provide
crossscripting gateway for the Phiserman.

-Via Search engine
 Be sure that the search engine in your organisation
 doesnt accepts JavaScript,VBScript,HTML,JSP or
 any active content injection.
 Type that
 alert(’css’)
 if this doesnt work , go to a Hex converter and
 convert that into Hex. Then paste it in the
 search engine field and press search.
(If it is vuln attacker can use popup window
to gain trust)

Typographical domain Mistakes
Instead of paypal.com,paypai.com,paypa1.com
Gain trust exploiting human vision.

Visual spoofing
Is possble if :
You create a popup window which you set it not
to have scroll bars,status bar etc. You reporgram
the interface with javascript and you add SSL lock. 

Browser Bugs
Using different browser bugs you can fake
url or a Certificate :

-Extensive amount of characters can disable
 status bar view of a link
-Using this You can gain trust using someone else’s
Certificate and URL.(new bugs come every day)

Proxying
Fake direct session using proxy. Provide a link
to a legitimate website,using any of the previous
bugs, load the legal website via you proxy. SSL
certificate,forms,webpages …everything will be
real but everything will be passed to the victim
via your proxy , so you can sniff the communication.

Historical Phising Example
http://www.math.org.il/pic.gif

NetBSD on Cobalt RAQ1

EK — Thu, 18 Mar 2004 14:54:50 +0000

Install NetBSD on Cobalt RAQ1 Why install netbsd on a Cobalt RAQ ? cause the restore OS they provide is so old and unsupported it can be considered Dead, plus NetBSD is cool.

After I got my own small and pretty RAQ1

I had a big problem on which OS to install. Although the obvious route was Cobalt OS restore CD (a very old debian) it had many problems, it supports only a very limited number of ethernet cards both in desktops and laptops and it has many outdated or unpatched services. The best choice to my opinion(and not only) is NetBSD which has a port for Cobalt (MIPS) and almost for any other machine with hard drive and memory on the planet.

So what do you need to do that ?

Download an iso from here and download this file :image_raq1.iso.gz . Create an ISO cd and we are almost done.
Have another working machine ready to act as the host for the net-installation.
X-over cable or a hub with only these 2 machines connected on.

Put the cd inside your destkop/laptop and boot it up from the cdrom (set your bios). Wait until the instructions screen come up. After that press ‘q’ and login as ‘root’ . There is no password so don’t worry. As soon you are “shelled” type ‘ifconfig -a’ and if your nic card is recognised you can start preparing the space on your desk for you RAQ (Otherwise find another computer and do the same).

Now connect your RAQ with the desktop/laptop with an X-over cable or via a hub. Since we want to install the OS via ethernet we need to inform the RAQ that we need it to start in Net Boot mode.

Power UP
Press both Left and Right cursor buttons on the front Panel

You will now see the Net Boot on the LCD Screen , after that you just see different operations that the installer is doing. After the machine reboots, thats it, ready to go.

Advices as soon as you login into the server :

passwd root
passwd toor
useradd -m username
passwd username
add your self in the wheel user group so you can use 'su'.
vi /etc/ifconfig.tlp0 (set your IP address and the subnet)
vi /etc/rc.conf (disable/enable services)
	+ configure /etc/rc.conf to something like
			hostname="servername"
			dhclient=NO
			nfs_client=NO
			paneld=YES
			inetd=NO
			sshd=YES
reboot