Workable Deniability

So you have just finished installing the hidden operating system offered by TrueCrypt. You are however stuck with the following problem…you need frequent access to the hidden operating system…which means that you won’t be using the decoy system that much. According to the guidelines offered by TrueCrypt this means that your plausible deniability is a little bit less plausible. How about fixing this? What if you could “work” at the same time in both operating systems?

So there I was thinking I could write a blog posting with screenshots and a extended howto. Unfortunatly I am not able to perform the idea on my computer and I got no spare computer left. So I’m just going to put it out there and maybe someone feels like implementing it and letting me know how well it works.

The whole thing is rather simple, it actually fits in a sentence:

Run your decoy OS inside your hidden OS with the help of virtualization techniques.

Like stated before the claim is simple. It’s a shame I got no spare computer around atm to test it out. In theorie it should work fine. Only thing that worries me is the possible evidence that a virtualization application might leave on the booted decoy system, I’m thinking there is none…but I haven’t been able to test this.

So just to be clear this is NOT an idea to go against the TrueCrypt Security Precautions, it’s just another method to be able to spend more time in a hidden operating system without having to worry that it could be compromised because of forensics on your decoy os. This way all the timestamps and the temp files will be kept up to date in your decoy os while you are working in your hidden os.

To take it one step further…you could even write a few scripts to startup your email, mark them as read at varieng intervals and surf around on the web. If they ask you why you have script to automate things inside your decoy os, you can just answer with a simple answer: I’m lazy.

If I get a spare computer anytime soon I’ll be sure to let you know how this method works out.

Abuse legitimate code for backdoor purposes

So once in a while you hear about some backdoor which was slipped into some source code. Mostly in C applications…so I was thinking how would this be done in Java? Most of the times the backdoors you hear about are very nasty and difficult to track down “bugs” in the source code like buffer overflows, race conditions and the likes. Since Java doesn’t really have buffer overflows(I’m ignoring faulty VM implementations for the moment) I was wondering what an other *hopefully* good way would be to introduce bugs you can exploit?

Continue reading “Abuse legitimate code for backdoor purposes”

SniffDoor

Some sources from the old KD-Team website. This time it’s a connect back shell which gets activated when a certain keyword is seen in passing traffic. The advantage of this, is that you can activate your shell without raising to much suspicion. One thing though…it’s buggy. I made this back in the day and never bothered to fix some things. AFAIK it works under windows XP SP2 if it doesn’t well…try and fix it. I haven’t tested it since a long while.

here

Bit more efficient brute forcing

Or like most people will call it “just another mod_negotiation script”. Well yeah that’s true. I still think it has it’s added value during a brute force if it’s available. I’m not going to waste any space on explaining what the whole mod_negotiation thing is, because there are a number of excellent resources out there:

For the ones that are just curious how this boils down to source you can of course read the source of the module and some documentation about it, which is available over here:

So why did I write “yet another” script for this? Well first because I wanted to keep learning and practicing python. Also because I wanted my brute force attacks to be a little bit more efficient. So with this script instead of trying to guess the entire name(including the extension) of the file, I just guess the name and mod_negotiation will do the rest for me(read the links I provide, because it only works for mime types that are known to apache). So with a bit of luck you need less requests to find more files. For the ones working with w3af, it already has support for mod_negotiation testing.

The way to use this script would be to combine it with the excellent tool DirBuster. Just have DirBuster do a recursive directory brute force. Then take those results and feed them to my script with a decent file name list. This script is kind of an alpha version, just something I quickly whipped up.

[*] DiabloHorn https://diablohorn.wordpress.com
[*] Mod Negotiate File Brute Force
[*] mfbrute.py -t <target> -d <dir list> -f <file list>
[*] -t target to scan
[*] -d directories which will be scanned
[*] -f files which will be scanned
[*] -v verbose
[*] -h this help

You can get the src from here.

IP id finder

I have been intrigued by nmap’s feature to scan a target using an idle zombie pc which has an incremental ip id. I have also been intrigued by scapy. Finally I have also been intrigued by metasploit. At first I combined nmap and metasploit and the end result was, that I was not able to get the IPIDSEQ module to work. So I turned to scapy and tried porting the metasploit module to python. It was fun and I finally employed python for something besides playing with it to learn.

python src

I’ve also finally learned why it’s nice to prepend your output with “[*]”, since I’ve been lazy with the verbose output I have just used the one from scapy to know if my script should output or shouldn’t output verbose messages. This means that the output gets cluttered. So by prepending “[*]” you can just grep the results to have a clear view of what the script is doing without the scapy stuff in between it.

Finally scapy is a real nice toy. I had to implement 0.0 code to support cidr notation. So when you for example want to scan a /24 range you can just go like: “microsoft.com/24”. isn’t that neat? Hope you enjoy it and find a way to use it. For me it was more fun to write it and learn a lot along the way, then the actual goal I wrote it for. oh btw the non-verbose output looks like:

[*] 74.125.45.100 = Randomized

oh a second btw I recommend putting the timeout/waittime on 5 or something like that.

Art Exposition

Well like you probably don’t remember a while back I wrote about art I enjoyed. Well to my surprise the artist has a exposition right at the airport of Madrid. It seems like the information is only available in Spanish for the moment being. Although the most important bit of information can be translated quite easily:

La exposición, situada en el pasillo que da acceso al Terminal T-2 del Aeropuerto desde el Metro y el Parking P-2

translates to:

The exposition which is stationed in the hallway that gives access to the T-2 terminal of the airport coming from the metro and parking P-2

So if anyone is going to Madrid I recommend having a look. It is available until the end of July.
For people interested in art events in Madrid I recommend the following blog:

which at the time beeing happens to also inform about the exposition at the airport of Madrid.

Google Dork

Well I suspect that people already know about this. I didn’t, so I felt like blogging about it. Often when searching for specific directories on google it can be a pain in the ass, I mean you can combine “inurl” and “intitle” but still… so the other day I stumblod upon this nice feature of the “site” command. you can actually append a directory name to it!!

site:<[sitename].tld>/directortyname/

That actually seems to yield better results. For example I used it to search for a specific directory on some TLD and it worked fine. I particularly like it because it makes searching for a specific directory with specific characteristics a lot easier. A nice example to try for example could be, it results in (almost) only include directories which allow directory listing:

site:org/include/ intitle:”index of”

If you stretch it even further you *COULD* argue that you can do a directory search withouth actually hitting the target, of course it would be limited to the directories indexed by google.

If you already knew it then oh well…if not enjoy.

Scriptable Anti Live Forensics – POC

In short this + python support. I’ve finally decided to build alpha POC code for the idea I already blogged about. Some of you might wonder why I choose to support python, seeing that I previously wrote about it and I hate/loved it. Well because afaik it’s the easiest language to embed inside C. Oh and the reason why I added support for a scripting language is because some things are just so much easier when done in a scripting language. So let’s see the actual code(make sure u read my previous blog post else the next stuff might sound like total gibberish).

Continue reading “Scriptable Anti Live Forensics – POC”

Burn Notice toy…is really THAT easy to build!

ok :| WOW sometimes the gadgets and toys you see in a Hollywood show REALLY are THAT easy to build. I’m talking about the home made taser gun, made out of a disposable camera and I first saw it on Burn Notice.

Continue reading “Burn Notice toy…is really THAT easy to build!”

The power of suggestion

You make an ass out of u and me! In other words never assume because it’s bad. That’s exactly what my midnight idea is all about. Let’s assume…you write stuff down on a piece of paper but there is no shredder nearby and you are to lazy to eat it/burn it etc. How do you make sure the stuff you wrote down, doesn’t get into someone else his hands and if it does that it’s totally useless to them? Well for that I had the following midnight idea…just suggest them some wrong information!

Continue reading “The power of suggestion”

Laser Alarm…fun stuff

So one day you wake up and you think…why should I buy an alarm installation if I can just make my own. The normal answer is because you usually don’t have the skills nor the time for it. In my case I preferred the answer, because you can learn new skills and do cool stuff. Well that motivated me so here I am writing about how I build my first amateur laser alarm(which is far from finished). Keep on reading if you are curious about my first steps into the hardware world.

Continue reading “Laser Alarm…fun stuff”

The process of a successful stack based BOF-Part 2

The previous post explained how to setup the environment so that we would be able to actually debug the crashing process. In this post I will try to explain the process of analyzing it and building a working exploit. So the first step is to identify why it crashed in the first place.

Continue reading “The process of a successful stack based BOF-Part 2”

The process of a successful stack based BOF-Part 1

n0limit his legend preceeded him but the real deal is way better then the legend! No, really this dude really helped me out in the process to making it work. When doing BOF bugs there is a HUGE difference between reading about it and putting it to practice. Another big thanks go out to KD he got me interested in this stuff again. I mean with all the web exploiting going on these days…you’d almost forget about the giant of all times. The infamous Buffer Overflow!

Continue reading “The process of a successful stack based BOF-Part 1”