Everything can be hacked…or can it?

Everything can be hacked!

That’s a quote I love, you hear it all over the net. Most people reversing software/hardware or people penetrating highly secure (or at least claimed) networks, state that most of today’s applications/hardware/networks can be compromised. Normally you see the vicious circle of stuff being released….hackers attempting to pwn it, vendors claiming it can’t be hacked, hackers publishing the hack. I might be exaggerating a little bit, but usually that’s the general consensus. Of course there are exceptions to the rule and there is hardware/software out there that hasn’t be hacked yet and maybe it really is NOT hackable. Today I wanted to write about one of those exceptions: Unidirectional networks. This post will cover the devices and answer the question if I believe their 100% claim, it will also cover some of my midnight thoughts on how to use alternative ways to maybe get data back even when such a device is in place. These ideas DO NOT BYPASS the device, so don’t get your hopes up, it are just possible ideas to use other vectors instead of routing your traffic through the secure device.

Continue reading “Everything can be hacked…or can it?”

Firewall DNS v0.1

Well this is new for me, further developing a working POC. Like you all know, I love new ideas and POC development, but hate the further development of POCs. This time the Firewall DNS POC just didn’t cut it, it did what I wanted it to do, but it lacked some “usability” features. These are the added features:

#Functionality
# – = done
# x = todo
###
# – Queries can either be full domain(www.google.com), or only base domain(google.com)
# – Block queries
# – relays queries
# – reads settings from config
# – reloads config
#   – on/off using -auto
# – drops privileges
# – reload config on key combo (ctrl+c)
###

The config file options are somewhat explained in the config file itself, other stuff you’ll have to read from the src. Here”s how it looks now:

sudo ./fw-dns.py
##############################################
new configuration:
reload time:
43200
dns server:
(‘192.168.2.254’, 53)
if listen:
127.0.0.1
allowed full domains:
[‘ubuntu.com’]
allowed partial domains:
[”]
##############################################
Starting fw-dns
Listening on localhost 127.0.0.1
Connected to remote DNS server (‘192.168.2.254’, 53)
Dropped privileges

You can download using bittorrent here:  fw-dns_v0.1
You can download from megaupload here:  http://www.megaupload.com/?d=D4WBLBQ8

Future Patching Made Easy

Future Patching, got no clue how to call it otherwise, is in my opinion creating a crack/keygen that will patch future versions of the software without having to reverse it again. First time I saw this was on the awarenetwork website. They created a rather interesting crack for winrar. Since then I was intrigued by the concept, it’s just a lot of work imo to keep finding patterns manually and coding them, until I decided to give immunity debugger another go. For some librecognition will be nothing new and they already know the commands by heart, others will be pleased to see something being made easy.

Continue reading “Future Patching Made Easy”

Firewall DNS

So I’m trying to setup a really tight server and one of the things left to secure was DNS. How do I make sure that if the server gets rooted the backdoor will not be able to connect through DNS to it’s C&C? I decided to write a custom “firewall dns”, which would only allow DNS requests if they matched a certain host. You might now be yelling things like “YOU RETARD, never code something if there is an existing and probably working alternative”, true; thing is I’ve never really done anything with DNS on a coding level so it seemed like this was my opportunity.

Continue reading “Firewall DNS”

More wordlists…

Following all the recent hype about wordlists, her are 2 lists. One is a “sort -u” representation of the lists I mentioned in my previous post (excluding the huge 30+gig list) and some additional lists I’ve collected. The other is my list of “8 character minimum” words that I’ve composed from the previous lists. Enjoy the lists and happy cracking. You can download them on the download page. For the really curious ones, below are the names of all the files included in the “sort -u” list.

wordlists-sorted.gz.torrent

8min_brute-20100321.txt.gz.torrent

Continue reading “More wordlists…”

Interesting Local File Inclusion method

So there I was exploiting a LFI, only problem being I hit a brick wall. I did not see any possible way to leverage my LFI so that I could get RCE or even leverage it in such a way that I would be able to view the source of other PHP files. Now WTF should I do I asked myself?

Continue reading “Interesting Local File Inclusion method”

Port scanning from different source ports

This is just some quick script I hacked up to scan TCP ports using different source ports. The aim of the script is to find badly configured firewalls that allow traffic from certain source ports. This is for instance explained in the NMAP book. I’ve done it in scapy (yeah I know python ones again) and still admire scapy, it’s a wonderful piece of software. Here are some nice references if you decide to write your own networking stuff in scapy:

#   – http://www.secdev.org/projects/scapy/doc/usage.html
#   – http://www.secdev.org/conf/scapy_pacsec05.pdf
#   – https://cs.uwindsor.ca/~rfortier/CRIPT/uploads/slides/Python_Scapy.pdf

You can find the source here.

I chose manual output analysis, this means that the script doesn’t have any logic whatsoever and you will have to decide, if it allows or doesn’t allow traffic from different source ports yourself. Example output:

Received 34 packets, got 8 answers, remaining 28 packets
srcport, dstport, flags, humanflags
20,80,18,[‘SYN’, ‘ACK’]
20,443,18,[‘SYN’, ‘ACK’]
53,80,18,[‘SYN’, ‘ACK’]
53,443,18,[‘SYN’, ‘ACK’]
67,80,18,[‘SYN’, ‘ACK’]
67,443,18,[‘SYN’, ‘ACK’]
88,80,18,[‘SYN’, ‘ACK’]
88,443,18,[‘SYN’, ‘ACK’]

Hope it’s also useful for someone out there.

Bootloader Development Environment

So I took on a new challenge, understanding how to develop your own Master Boot Record (MBR). So how do you start to develop your own bootloader? The first answer that came into mind was the setup of a development environment. No development environment , no bootloader. Actually that’s my thought on every new coding project I undertake. In this blog post I’m going to explain the steps I went through and why I finally choose for a somewhat rather basic development environment. Anyways let’s get started.

p.s. Happy New Year

p.s.2. HACK THE PLANET!!!

Continue reading “Bootloader Development Environment”

and another google password dork

Just when you think that all possible google password dorks have been found and documented. For the ones still not familiar with the google hacking database (just click it) :)

I just stumbled upon this new dork to find passwords(and all other kind of interesting network related data(just enter the following into google):

ext:pcap password

example stuff you can find(I have censored the sensitive information using ***):

+OK Hello there.

AUTH

-ERR Invalid command.

USER ***

+OK Password required.

PASS ***

+OK logged in.

STAT

+OK 0 0

QUIT

+OK Bye-bye.

This was just a quick post…cause I honestly didn’t think people would STILL let google index their sensitive stuff.

Stealing stuff from vmdk files

Well that’s been a while. I almost forgot my WordPress password. My last post wasn’t really informative so I thought let me just post one of the projects I’m currently working on. It’s far from finished and I doubt if I’ll release it once it’s finished. So for the moment being I’ll only share my alpha POC which should be enough to build upon.

Have you ever had the need to get stuff of vmdk files without using any of the visual VMWARE products? Well I have!! Now luckily VMWARE also has detected that there are a lot of people with that need and they have released an excellent API the Virtual Disk Development Kit 1.1. Now that stuff is sexy, quote from it’s website:

The Virtual Disk Development Kit (VDDK) is a collection of C libraries, code samples, utilities, and documentation to help you create or access VMware virtual disk storage. The kit includes:

  • The Virtual Disk and Disk Mount libraries, a set of C function calls to manipulate virtual disk files.
  • C++ code samples that you can build with either Visual Studio or the GNU C compiler.
  • The Disk Mount utility to access files and file systems in offline virtual disks on Windows or Linux guest virtual machines.
  • Documentation about the VDDK libraries and the command-line utilities.
  • The Virtual Disk Manager utility to manipulate offline virtual disk on Windows or Linux (clone, create, relocate, rename, grow, shrink, or defragment).

I assume that after reading the above you’ll also agree that the possibilities are endless. Now let’s get cooking.

Continue reading “Stealing stuff from vmdk files”

Bit more efficient brute forcing

Or like most people will call it “just another mod_negotiation script”. Well yeah that’s true. I still think it has it’s added value during a brute force if it’s available. I’m not going to waste any space on explaining what the whole mod_negotiation thing is, because there are a number of excellent resources out there:

For the ones that are just curious how this boils down to source you can of course read the source of the module and some documentation about it, which is available over here:

So why did I write “yet another” script for this? Well first because I wanted to keep learning and practicing python. Also because I wanted my brute force attacks to be a little bit more efficient. So with this script instead of trying to guess the entire name(including the extension) of the file, I just guess the name and mod_negotiation will do the rest for me(read the links I provide, because it only works for mime types that are known to apache). So with a bit of luck you need less requests to find more files. For the ones working with w3af, it already has support for mod_negotiation testing.

The way to use this script would be to combine it with the excellent tool DirBuster. Just have DirBuster do a recursive directory brute force. Then take those results and feed them to my script with a decent file name list. This script is kind of an alpha version, just something I quickly whipped up.

[*] DiabloHorn https://diablohorn.wordpress.com
[*] Mod Negotiate File Brute Force
[*] mfbrute.py -t <target> -d <dir list> -f <file list>
[*] -t target to scan
[*] -d directories which will be scanned
[*] -f files which will be scanned
[*] -v verbose
[*] -h this help

You can get the src from here.

IP id finder

I have been intrigued by nmap’s feature to scan a target using an idle zombie pc which has an incremental ip id. I have also been intrigued by scapy. Finally I have also been intrigued by metasploit. At first I combined nmap and metasploit and the end result was, that I was not able to get the IPIDSEQ module to work. So I turned to scapy and tried porting the metasploit module to python. It was fun and I finally employed python for something besides playing with it to learn.

python src

I’ve also finally learned why it’s nice to prepend your output with “[*]”, since I’ve been lazy with the verbose output I have just used the one from scapy to know if my script should output or shouldn’t output verbose messages. This means that the output gets cluttered. So by prepending “[*]” you can just grep the results to have a clear view of what the script is doing without the scapy stuff in between it.

Finally scapy is a real nice toy. I had to implement 0.0 code to support cidr notation. So when you for example want to scan a /24 range you can just go like: “microsoft.com/24”. isn’t that neat? Hope you enjoy it and find a way to use it. For me it was more fun to write it and learn a lot along the way, then the actual goal I wrote it for. oh btw the non-verbose output looks like:

[*] 74.125.45.100 = Randomized

oh a second btw I recommend putting the timeout/waittime on 5 or something like that.

Google Dork

Well I suspect that people already know about this. I didn’t, so I felt like blogging about it. Often when searching for specific directories on google it can be a pain in the ass, I mean you can combine “inurl” and “intitle” but still… so the other day I stumblod upon this nice feature of the “site” command. you can actually append a directory name to it!!

site:<[sitename].tld>/directortyname/

That actually seems to yield better results. For example I used it to search for a specific directory on some TLD and it worked fine. I particularly like it because it makes searching for a specific directory with specific characteristics a lot easier. A nice example to try for example could be, it results in (almost) only include directories which allow directory listing:

site:org/include/ intitle:”index of”

If you stretch it even further you *COULD* argue that you can do a directory search withouth actually hitting the target, of course it would be limited to the directories indexed by google.

If you already knew it then oh well…if not enjoy.

Burn Notice toy…is really THAT easy to build!

ok :| WOW sometimes the gadgets and toys you see in a Hollywood show REALLY are THAT easy to build. I’m talking about the home made taser gun, made out of a disposable camera and I first saw it on Burn Notice.

Continue reading “Burn Notice toy…is really THAT easy to build!”