
Thursday, 31 December 2009

The Anatomy Of GSM Encryption Hack

Posted on 23:43 by Unknown

After Karsten Nohl cracked the GSM encryption, I thought I would dig into this in a bit more detail, so I have written this whole guide on it. Let's start.

 

Karsten Nohl, a German hacker, has claimed that he has successfully cracked the GSM mobile security algorithm. We all know that, but the question that arises here is what he did to crack the GSM encryption, which has been in use for years, actually since 1987.

 

The 26th Chaos Communication Congress (26C3) is, as we all know, one of the most respected and most watched conferences in Europe.

 


 

It took place from December 27th to December 30th 2009 at the bcc Berliner Congress Center in Berlin, Germany, so it is quite recent, and what was special this time were the details of the GSM encryption crack that were demoed at the conference.

 

The 26C3's slogan is "Here Be Dragons".

 

As a matter of fact I was not at the conference and thus missed all the stuff going on there, but some of my Twitter friends helped me out with this. When people started to tweet with the hashtag #26C3 it all became clear...

 

Basics

 

OK, let's begin with the basics of the attack: what can be done with it, what is needed, what he cracked, etc.

 

Karsten Nohl GSM Crack 26C3

Here is the presentation, or rather the slides, that Nohl presented at 26C3, which give all the details of the whole GSM encryption hack.

 

“… the GSM call has to be identified and recorded from the radio interface. […] we strongly suspect the team developing the intercept approach has underestimated its practical complexity.


A hacker would need a radio receiver system and the signal processing software necessary to process the raw radio data.”

– GSMA, Aug. '09

What a Hacker Needs

As written in the document, a hacker would need a radio receiver system and also signal processing software, which is necessary to process the raw radio data before it can be decrypted.

 


 

A Radio Receiver System

Signal Processing Software

 

 

OK, this might explain a bit about what a hacker needs. Actually it is not the kind of hack you can perform with just a laptop: for the decryption step Nohl used rainbow tables, which did not feature in the earlier attacks between 1995 and 2008, and those attacks were not very successful.

 

There are various settings you would need to make in the radio and in OpenBTS, plus other configuration and mods. It is pretty complicated stuff.

 

Rainbow Tables

The main reason this A5/1 crack was not done in previous years is the rainbow tables that Nohl introduced into the cracking procedure.

 

Previously the crack needed a big system to do the decryption, which was so expensive that no ordinary hacker could afford it, and that is also why the hack was never released on the internet.

 

But then came Nohl with his rainbow tables. They had planned a workshop today where you could bring your GSM data and they would try to decrypt it. However, for legal reasons they had to cancel it.
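To make the time/memory trade-off behind rainbow tables concrete, here is an added toy example. It is my own code, not Nohl's tables or the reflextor table generator: the "keystream" function is a truncated SHA-256 over a 16-bit key, a constructed stand-in chosen so the whole thing runs in about a second, and it is not A5/1. The chain count and chain length are illustrative. What it shows is the point the paragraphs above make: the expensive work (walking the chains) is done once, offline, and only the chain end points are stored; recovering a key from an observed output then costs a few thousand function calls instead of a search of the whole key space, at the price of probabilistic coverage.

```python
import hashlib
import random
from typing import Dict, List, Optional

KEY_BITS = 16
KEY_SPACE = 1 << KEY_BITS


def keystream(key: int) -> int:
    """Toy one-way function standing in for 'secret key -> observable output'.

    Constructed stand-in only: it is NOT A5/1, just a truncated SHA-256, so the
    table logic can be exercised over a 16-bit key space in about a second.
    """
    digest = hashlib.sha256(key.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big")


def reduce_to_key(output: int, column: int) -> int:
    """Column-dependent reduction: maps an output back into the key space.

    Using a different reduction per column is what makes this a *rainbow*
    table (Oechslin) rather than a Hellman table: chains that collide in
    different columns no longer merge, so far fewer entries are wasted.
    """
    return (output + column * 0x9E37) % KEY_SPACE


def build_table(chains: int, length: int, seed: int = 1) -> Dict[int, List[int]]:
    """Precomputation (done once, offline): walk `chains` chains of `length`
    steps and keep only end point -> start points. This is the memory side
    of the trade-off; the intermediate keys are deliberately thrown away."""
    rng = random.Random(seed)
    table: Dict[int, List[int]] = {}
    for _ in range(chains):
        start = rng.randrange(KEY_SPACE)
        key = start
        for column in range(length):
            key = reduce_to_key(keystream(key), column)
        table.setdefault(key, []).append(start)
    return table


def recover_key(table: Dict[int, List[int]], length: int, target: int) -> Optional[int]:
    """Online phase: given an observed output, find a key that produces it.

    For every column the target could sit in, walk the rest of the chain to
    its end point and look that up; on a hit, regenerate the chain from its
    start and pull out the key. Returns None when the table did not cover
    this output (coverage is probabilistic, never guaranteed).
    """
    for column in range(length - 1, -1, -1):
        key = reduce_to_key(target, column)
        for later in range(column + 1, length):
            key = reduce_to_key(keystream(key), later)
        for start in table.get(key, []):
            candidate = start
            for col in range(length):
                if keystream(candidate) == target:
                    return candidate
                candidate = reduce_to_key(keystream(candidate), col)   # false alarm: keep walking
    return None


def coverage(table: Dict[int, List[int]], length: int, samples: int = 200, seed: int = 2) -> float:
    """Fraction of random keys the table recovers: table size and chain length,
    not raw CPU at attack time, decide whether the attack is practical."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        if recover_key(table, length, keystream(rng.randrange(KEY_SPACE))) is not None:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    LENGTH = 64
    table = build_table(chains=2000, length=LENGTH)
    print(f"stored end points: {len(table)}, coverage: {coverage(table, LENGTH):.0%}")
```

Doubling the number of chains roughly doubles the memory and the coverage; doubling the chain length keeps the memory but quadruples the online lookup cost. That is the knob Nohl's team turned: enough precomputation, distributed over many machines, to make the per-call lookup cheap.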

 

http://events.ccc.de/congress/2009/wiki/The_demonstration_is

 

The next step would be for someone to package the attack in the form of a script-kiddie-usable utility that would perform interception/decryption using an off-the-shelf GSM USB modem.

 

That seems to be how these things go; they'll drag their feet as long as possible, until the public pressure becomes unbearable.

 

So I guess most of you will have to wait for the script-kiddie bundle to be released so you can use it.

 

Get a working copy of the rainbow table generator by either:

A) Downloading binaries (revision 58 from October 25 2009):

1. Linux 32bit
2. Linux 64bit
3. Windows 32bit
4. Windows 64bit

Or

B) Compiling the program

Then, running the program

 

 

Stuff We Got For You

For more information I have made a list of papers, slides, links and videos of the 26C3 presentation for you.

 

Slides - Karsten Nohl GSM Crack 26C3

 

Videos - There are different sources for the videos, so I have listed all the sources along with the torrents.

 

1. 26c3-3654-en-gsm_srsly.mp4

2. 26c3-3654-en-gsm_srsly.mp4.md5

3. 26c3-3654-en-gsm_srsly.mp4.torrent

 

GSM: SRSLY? Part 1 - Part 2 - Part 3

 

Links -

1. http://rnmshot.dvrdns.org/

2. ftp://ftp.ccc.de/congress/26C3/mp4/

3. http://85.214.20.203/26C3/GSM/

4. http://reflextor.com/torrents/

5. http://reflextor.com/trac/a51

 

 

Happy Hacking @hackerthedude

Posted in Guides, News, Pro Hacks, Torrent | No comments

Wednesday, 30 December 2009

Your Mobile Is In Danger : Karsten Nohl Cracks GSM Mobiles Security Algorithm

Posted on 06:27 by Unknown

Karsten Nohl, a German hacker, has claimed that he has successfully cracked the GSM mobile security algorithm, which can affect the whole world, even your mobile.

I know what you might be thinking by now, and it is all true. Nohl was not alone in finding this vulnerability in GSM phones: he teamed up with another 24 friends to crack the world's most used mobile security algorithm.

 

The GSM security algorithm is based on such a frequency scheme that it changes its signals from one tower to another within seconds and then transfers the signals to the other frequency station. Yeah, I know, it is pretty complicated stuff.

 

Nohl claims that armed with the code, which has been published online, and a laptop with two network cards, an eavesdropper could be recording phone calls within 15 minutes...

We also have live numbers of victims!

 

Nohl : "This shows that existing GSM security is inadequate"

 

Nohl insisted that he had deciphered the code to force the global telecommunications industry to upgrade its security. Well, this is a big security issue affecting many people, actually the whole world.

 

The thing to think about in this whole chapter of security is that the vulnerability is open, and if any mad hacker like me tried to hack this GSM network, would I get caught? With a total of about 4.3 billion potential victims, what do you think you would do with it?

Posted in Mobie's, News | No comments

Tuesday, 29 December 2009

WinScanX : A Simple, Fast and Portable Windows Auditing Tool

Posted on 03:08 by Unknown

WinScanX is a state-of-the-art Windows auditing tool designed to help you get your Windows audit done quickly. It's easy to use and no installation is required.

 

WinScanX was released recently and is one of the best resources released in 2009. It is a fast, simple, portable and efficient tool for every security professional out there. It really is a state-of-the-art tool.

 

WinScanX is released in two versions: a free one, which you can download and use and which includes the GUI front-end, command-line interface, easy-to-use reporting, online documentation, etc., and a PRO version, which includes all of these plus Quick Domain Audit and Multi-Host Scanning.

 

Download WinScanX here | WinScanX screenshot here

 

Windows Audit was created by Reed Arvin in order to provide the audit and security community with tools that are efficient and easy-to-use. These tools are designed to help minimize the time it takes to gather data in a security assessment so that more time can be spent doing what the computer cannot; analyzing the data to provide solid recommendations for identified security issues...

 

Screen Shot :

 


 

Command Line Usage :

WinScanX [-abcdefgpklijmnostqurxwyzSWv123] <hostname> <username> <password>

 

[-abcdefgpklijmnostqurxwyzSWv123]  -- required argument

<hostname>  -- required argument

<username>  -- optional argument

<password>  -- optional argument

 

If the <username> and <password> arguments are omitted, this utility will attempt to establish a NetBIOS null session and gather information via the null session.

 

If the <username> and <password> arguments are both plus signs (+), the existing credentials of the user running this utility will be used.

 

Examples:

WinScanX -1 10.10.10.10

WinScanX -2 10.10.10.10 + +

WinScanX -3 10.10.10.10 administrator password

WinScanX -3 10.10.10.10 domain\admin password

WinScanX -1 WINSERVER01

WinScanX -2 WINSERVER01 + +

WinScanX -3 WINSERVER01 administrator password

WinScanX -3 WINSERVER01 domain\admin password

WinScanX -1 192.168.1-254

WinScanX -2 192.168.1-254 + +

WinScanX -3 192.168.1-254 administrator password

WinScanX -3 192.168.1-254 domain\admin password

WinScanX -1 IPInputFile.txt

WinScanX -2 IPInputFile.txt + +

WinScanX -3 IPInputFile.txt administrator password

WinScanX -3 IPInputFile.txt domain\admin password

 

The passwords that are attempted for each user account are included in the Dictionary.input file.

 

The following can also be used in the Dictionary.input file:

 

<username>   -- The name of the current user

<lcusername> -- The name of the current user in lower case

<ucusername> -- The name of the current user in upper case

<blank>      -- A blank or null password
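The usage text above is terse, so here is an added Python example, my own code and not part of WinScanX, that decomposes a WinScanX command line the way the examples and the two credential rules describe it: the flag letters are validated against the set in the usage line, the target argument is expanded into individual hosts (single address, hostname, or an input file whose lines may themselves be ranges), and the credential mode is derived from whether the username/password pair is absent (NetBIOS null session), both "+" (the running user's credentials), or explicit. One assumption: the page's abbreviated range `192.168.1-254` is not defined anywhere on it, so this code accepts the written-out last-octet form `192.168.1.1-254` and rejects anything address-like that it cannot parse rather than guessing. The flag digits 1/2/3 are passed through unchanged because the page does not say what they select.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Flag letters taken from the usage line quoted above.
VALID_FLAGS = set("abcdefgpklijmnostqurxwyzSWv123")

# Assumed range syntax: a.b.c.d-e, a range over the last octet (e.g. 192.168.1.1-254).
RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){2})\.(\d{1,3})-(\d{1,3})$")
NUMERIC_LIKE = re.compile(r"^[\d.\-]+$")     # digits, dots, dashes only: never a real hostname

ReadFile = Optional[Callable[[str], str]]


def expand_targets(spec: str, read_file: ReadFile = None) -> List[str]:
    """Turn one <hostname> argument into the concrete list of hosts it denotes."""
    match = RANGE_RE.match(spec)
    if match:
        prefix, low, high = match.group(1), int(match.group(2)), int(match.group(3))
        if not 0 <= low <= high <= 255:
            raise ValueError(f"bad last-octet range: {spec}")
        return [f"{prefix}.{n}" for n in range(low, high + 1)]
    try:
        ipaddress.ip_address(spec)            # a single address
        return [spec]
    except ValueError:
        pass
    if NUMERIC_LIKE.match(spec):              # looked like an address but parsed as neither
        raise ValueError(f"unrecognised address or range: {spec}")
    if spec.lower().endswith(".txt"):         # input file: one target per line, '#' comments
        if read_file is None:
            read_file = lambda path: open(path, encoding="utf-8").read()
        hosts: List[str] = []
        for line in read_file(spec).splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                hosts.extend(expand_targets(line, read_file))   # a line may itself be a range
        return hosts
    return [spec]                              # plain NetBIOS or DNS hostname


def credential_mode(username: Optional[str], password: Optional[str]) -> str:
    """Which of the three documented credential modes a command line uses."""
    if username is None and password is None:
        return "null-session"      # anonymous NetBIOS null session
    if username == "+" and password == "+":
        return "current-user"      # credentials of the user running the tool
    if username is not None and password is not None:
        return "explicit"          # user/pass (or domain\\user) given on the command line
    raise ValueError("<username> and <password> must be given together")


def parse_command(argv: List[str], read_file: ReadFile = None) -> Dict[str, object]:
    """Parse `-<flags> <hostname> [<username> <password>]` (argv without the program name)."""
    if len(argv) not in (2, 4) or not argv[0].startswith("-"):
        raise ValueError("usage: WinScanX [-flags] <hostname> [<username> <password>]")
    flags = argv[0][1:]
    unknown = sorted(set(flags) - VALID_FLAGS)
    if not flags or unknown:
        raise ValueError(f"unknown flag letters: {unknown}")
    username, password = (argv[2], argv[3]) if len(argv) == 4 else (None, None)
    return {
        "flags": flags,
        "targets": expand_targets(argv[1], read_file),
        "credentials": credential_mode(username, password),
    }


if __name__ == "__main__":
    # Constructed input file contents, injected instead of touching the filesystem.
    fake_files = {"IPInputFile.txt": "# constructed sample\n10.10.10.10\n192.168.1.1-3\nWINSERVER01\n"}
    print(parse_command(["-1", "IPInputFile.txt"], read_file=fake_files.__getitem__))
    print(parse_command(["-2", "WINSERVER01", "+", "+"]))
```

The null-session case is the one an auditor should keep in mind: when a scan of your own estate succeeds with no credentials at all, anonymous enumeration over NetBIOS is enabled on that host, which is itself a finding.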

Download

 

 

 

Happy Hacking @hackerthedude

Posted in Hacking Software, Tools | No comments

Total Round Up For "Top 10 Sexy Hackers of 2009"

Posted on 02:16 by Unknown

Well, many of the guys have already guessed and made their lists of the sexiest hackers in the world, and I also know I am pretty late with this news, but what makes it more special is that many people were satisfied and many infosec geeks were not. So I just thought I would make a whole roundup of the lists.

 

1. Violet Blue’s list of the Top 10 Sexy Geeks.

2. Michael Dahn's list of Top 10 Sexy Infosec Geeks of 2009.

 

The hour-long discussion nearly took down Twitter for about an hour. Surely I wasn't on the list :( and you see, I always respect my seniors' decisions, and that's what I am doing.

 

People Who Made The Hackers' Choice:

20.  Tammer Saleh

19.  Crystal Williams

18.  Brady Forrest

17.  Amanda Coolong

16.  Sirus...

15.  Jack Daniel

14.  Angela Natividad

13.  Jacob Appelbaum

12.  Paul Carr

11.  Christopher Hoff

10.  Jeff Moss (Dark Tangent)

9.   Giannii Calvert

8.   Justine Aitel

7.   Amber Case

6.  Chris Wysopal (Weld Pond)

5.  Whit Scott

4.  Erin Jacobs

3.  Jiz Lee

2.  Dino Dai Zovi

1.  Katie Moussouris

 

Hope you all get the roundup of who made to the list and who didn't.

Note: This is for the sexiest hackers.

Posted in Misc, Stylize | No comments

Saturday, 26 December 2009

Christmas Present For Hackers [Pic]

Posted on 09:27 by Unknown

This is just a nice Christmas present that my friend ophelia wants this Christmas. May she get this gift. I was just thinking, what if Santa Claus was a hacker? OK, get the Santa here!! :D

Happy Christmas @hackerthedude

Image Credit : ophelia

Posted in Pics | No comments

Net Wars : New Challenge For Hackers [Video]

Posted on 08:57 by Unknown

NetWars is a new talent hunt for hackers who are good in the hacking field; if they win they are offered a job in ethical hacking, and if not they can still get a handful of contacts and goodies.

 

Some days ago CNN covered the story of this challenge, which is currently taking place in the U.S. These challenges are run by SANS, "the most trusted source for computer security"... Yeah, we all know the big SANS. If you don't know who SANS are, it is an organization of high-end ethical hacking teachers, and they provide qualifications in the US for ethical hacking...

The United States Cyber Challenge

A national competition and talent search to find and develop 10,000 cyber security specialists to help the United States regain the lead in cyberspace [ 5/8/09 ].


The web pages for the US Cyber Challenge will be posted on May 29 at www.sans.org/uscc and at other sites. To learn more about the program prior to May 29, email USCC@sans.org


1. The Need
2. The Competition and Skills Programs
3. The Sponsorship...

 

 

Here is what they said about why they need hackers, a.k.a. great security guys, in their force, and why now.

“The cyber threat to the United States affects all aspects of society, business, and government, but there is neither a broad cadre of cyber experts nor an established cyber career field to build upon, particularly within the Federal Government. [Using an] airplane analogy, we have a shortage of ‘pilots’ (and ‘ground crews’ to support them) for cyberspace.” (Center for Strategic and International Studies, Report of the Commission on Cybersecurity for the 44th Presidency, December 2008)


“The provisioning of adequate cyber forces to execute our assigned missions remains our greatest need.” (Gen. Kevin P. Chilton, Commander, U.S. Strategic Command, March 17, 2009, in testimony before the House Armed Services Committee)


“I cannot get the technical security people I need.” (Gen. Charles Croome, Commander, Joint Task Force ‐ Global Network Operations, in response to a question from a CSIS Commissioner asking what is the most critical problem he faces in meeting the growing cyber challenge. May 28, 2008)

“There are about 1,000 security people in the US who have the specialized security skills to operate effectively in cyberspace. We need 10,000 to 30,000.” (Jim Gosler, Sandia Fellow, NSA Visiting Scientist, and the founding Director of the CIA’s Clandestine Information Technology Office, October 3, 2008.)

Happy Hacking @hackerthedude

Posted in cyberwar, Video's | No comments

Wednesday, 23 December 2009

FBI Is Watching You : Now On Facebook, Twitter, Youtube and More

Posted on 22:12 by Unknown

OK, did anybody tell the FBI about the privacy we need to live on this planet Earth, full of officers who just want to piss off hackers?

Yeah, it's the FBI; they are taking a new strategy focusing on social media for spreading information, or whatever is on their mind. Here is what they say:

"Over the past few years we’ve rolled out a number of new web initiatives—including an e-mail alert service, syndicated news feeds, and a series of podcasts and widgets—that make it easier for you to help us track down wanted fugitives and missing kids, to submit tips on terrorism and crime, and to get our latest news and information."

We are moving forward on other social media fronts as well.

Where the FBI Is So Far:

  • Facebook, where you can follow our news, check out our photos and videos, and become a “fan” of the FBI;
  • YouTube, where you can watch our videos and connect back to our main website for job postings and other content; and
  • Twitter, where you can receive our tweets on breaking news and other useful information....


More from the FBI:

More widgets:

The new high-end widget was built using Flash, XML, and ActionScript and can be shared virally through social media websites such as Facebook, MySpace, and Blogger, says Michael Litchfield, the web developer who built it for the FBI. “I was excited to work on it and thought it was a great way to market the Bureau to a new generation.”
Visit their widgets page.

 

Fugitives at your fingertips :

A company called NIC—founded by an ex-law enforcement officer—has built a free “Most Wanted” iPhone and iPod Touch application based on our newest widget and fueled by our RSS feeds.

 

Virtual billboards and kiosks :

They are doing pilot tests in Second Life, a free 3-D world inhabited by millions of people worldwide, for virtual billboards and kiosks that show the mugs of their Ten Most Wanted fugitives and connect people to FBI jobs, their Internet Crime Complaint Center, and the wanted posters of cyber criminals.

 

 


 

Happy Hacking, Be Safe @hackerthedude

Posted in Misc, News | No comments

Process Hacker V1.9 Released

Posted on 21:32 by Unknown

Process Hacker is a great tool, or you could say a piece of software, that acts as a more advanced and more reliable replacement for the default Task Manager. It provides a more detailed and more understandable version of Task Manager.

 

You may remember we featured it earlier in Process Hacker : Power Packed Task Manager; OK, I know the spelling is wrong, but don't worry about that, we are all humans here except the Google bot :D.

 

Let's move on with Process Hacker: recently the people behind this software released the new version, Process Hacker v1.9...

 

New Stuff :

  • Ability to set I/O priority for processes and threads
  • No more separate Assistant.exe executable required
  • Signature verification now works on x64
  • Now shows signer names (plus a Verified Signer column)
  • Added proper x64 support to structs reader
  • Added basic preprocessor to structs reader
  • WOW64 modules now appear in Handle/DLL searches
  • Small performance improvements
  • Editing object SACLs is now possible with KProcessHacker

Process Hacker runs on both 32-bit and 64-bit Windows, but certain functionality is only available on 32-bit systems, including the following (and many others):

  • Bypassing rootkits and security software when accessing processes, threads, and other objects
  • Viewing kernel pool limits
  • Viewing hidden processes
  • Changing handle attributes
  • Viewing kernel-mode stack traces

 

Screen Shots :

(screenshots of the process list and of the graphs view)

Statistics

Process Hacker
Main Language: C#
Total Lines of Code: 130,419
Active Contributors: 6

Download

 

 

 

Happy Hacking @hackerthedude

Posted in Hacking Software, Tools | No comments

Tuesday, 22 December 2009

AWeber Hacked : Recent Data Compromise

Posted on 10:25 by Unknown

We just got the news: AWeber, the great and most popular email subscription and RSS manager for WordPress, has been hacked. The recent reports say that they were hacked through some kind of third-party software that they use.

 

The general meaning of this would be that malicious code was hidden in an app they were using on their systems, which then perhaps took ownership of their API. We are not sure yet.

 

It could be a local buffer overflow in that third-party software. The apparent effect of this hack was that many spam email messages were sent to subscribers. Here is the list of things that were NOT compromised, as stated by the team:

  • AWeber customers’ personal information was not compromised.
  • No credit card data was compromised.
  • No customers’ names, “from” or contact email addresses, postal addresses, website URLs or any other profile information were compromised.
  • No affiliates’ names, contact email addresses, tax ID numbers, website URLs or postal addresses were compromised.

We are looking into the details and will provide further updates soon.

You can read more about this here.

Posted in News | No comments

RSnake's 2nd Take On DNS Rebinding

Posted on 10:01 by Unknown

Robert Hansen, a.k.a. RSnake, the father of XSS, is back with a bang, with his latest research on DNS rebinding, which he also explained in a video; he is all set to rid the world of DNS rebinding.

 

RSnake has released a new podcast on DNS rebinding after his earlier video on it. It is good news that somebody cares about DNS hacking techniques, as we saw a couple of days ago when Twitter was hacked, with some DNS resolution problems.

 


 

Dennis Fisher talks with security researcher Robert “Rsnake” Hansen about his recent work on DNS rebinding attacks, the poor state of browser security and his new book “Detecting Malice.”..

 

*Podcast audio courtesy of sykboy65

Subscribe to the Digital Underground podcast on

 

How DNS Rebinding Works

The attacker registers a domain which is delegated to a DNS server he controls. The server is configured to respond with a very short TTL parameter, which prevents the response from being cached.

 

The first response contains the IP address of the server hosting the malicious code. Subsequent responses contain spoofed private-network IP addresses (RFC 1918), presumably behind a firewall, which are the attacker's real targets.

 

Because both are fully valid DNS responses, they authorize the sandboxed script to access hosts inside the private network. By returning multiple short-lived IP addresses, the DNS server enables the script to scan the local network or perform other malicious activities.

*source Wikipedia
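The three paragraphs above describe the attacker's side of DNS rebinding. As an added example (my own code, not RSnake's work or anything from the podcast), here is a small offline simulation of why the trick works against a client that honours the short TTL, together with the two client-side mitigations browsers adopted, DNS pinning (resolve once per origin and ignore the TTL) and refusing to let a public name resolve to an internal address, plus a resolver-log check that flags names that have answered with both an external and an RFC 1918 address. Names, addresses and log records are all constructed; no network traffic is sent.

```python
import ipaddress
from itertools import cycle
from typing import Dict, Iterable, List, Set, Tuple

# Ranges a script served from a public hostname has no business reaching.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class RebindingResolver:
    """Constructed stand-in for the attacker's authoritative DNS server: TTL 0
    on every answer, alternating between the attacker's public host and an
    RFC 1918 address inside the victim's network."""

    def __init__(self, answers: Iterable[str], ttl: int = 0):
        self._answers = cycle(list(answers))
        self.ttl = ttl

    def resolve(self, name: str) -> Tuple[str, int]:
        return next(self._answers), self.ttl


def naive_request_ips(resolver: RebindingResolver, name: str, requests: int) -> List[str]:
    """A client that honours the TTL and re-resolves on every request: the second
    request already lands on the internal address, and the script's same-origin
    check still passes because the *hostname* never changed."""
    return [resolver.resolve(name)[0] for _ in range(requests)]


class PinningClient:
    """Mitigations: (1) DNS pinning, resolve once per origin and keep that address
    for the page's lifetime regardless of TTL; (2) refuse to let a public hostname
    resolve to an internal address at all."""

    def __init__(self, resolver: RebindingResolver):
        self.resolver = resolver
        self._pins: Dict[str, str] = {}

    def connect_ip(self, name: str) -> str:
        if name in self._pins:
            return self._pins[name]
        ip, _ttl = self.resolver.resolve(name)   # TTL deliberately ignored
        if is_internal(ip):
            raise PermissionError(f"{name} resolved to internal address {ip}; blocked")
        self._pins[name] = ip
        return ip


def flag_rebinding(records: Iterable[Tuple[str, str]]) -> List[str]:
    """Resolver-side detection over (queried name, answered address) records:
    a name that has answered with both external and internal addresses is the
    signature of a rebinding server, since a legitimate public host has no
    reason to point into someone else's private range."""
    seen: Dict[str, Set[bool]] = {}
    for name, ip in records:
        seen.setdefault(name, set()).add(is_internal(ip))
    return sorted(name for name, kinds in seen.items() if kinds == {True, False})


if __name__ == "__main__":
    evil = RebindingResolver(["203.0.113.10", "192.168.1.1"])
    print("TTL-honouring client sees:", naive_request_ips(evil, "attacker.example", 3))
    client = PinningClient(RebindingResolver(["203.0.113.10", "192.168.1.1"]))
    print("pinning client sees:", [client.connect_ip("attacker.example") for _ in range(3)])
    log = [("attacker.example", "203.0.113.10"), ("attacker.example", "192.168.1.1"),
           ("intranet.corp", "10.1.2.3"), ("cdn.example", "198.51.100.7")]
    print("flagged:", flag_rebinding(log))
```

The detection half is the useful bit for the network side: a resolver or DNS firewall that drops public-name answers falling into RFC 1918 space (some resolvers expose this as a "rebind protection" option) removes the attack for every client behind it, whatever their browser does.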

 

Posted in Hacking, News | No comments

Monday, 21 December 2009

Finding IP address in Gmail From Email Header's

Posted on 20:22 by Unknown

Email headers determine where a message is sent and record the specific path the message follows as it passes through each mail server.

 

When you send an email to any of your friends, or others, maybe your girlfriend, never mind. When you send the email through any email client like Gmail, Yahoo Mail, Hotmail, AOL, Outlook Express, etc., it also sends the email header, which contains some important information for us, i.e. hackers.

 

Basically it is a feature of the mail protocol.

Now, when the victim sends you an email through Gmail, Yahoo Mail, etc., it doesn't matter which, the mail arrives in your inbox with its email header, but your email client hides it and shows only the readable part.

 

Well, this article is about how to view email headers in Gmail. We will talk about the others in the future too. Yeah, it is an easy kind of tutorial...

 

Finding IP address in Gmail

  1. Log in to your Gmail account with your username and password.
  2. Open the mail.
  3. To display the email headers, click on the inverted triangle beside Reply and select Show Original.
  4. Look for "Received: from" followed by the IP address between square brackets [ ], for example:

    Received: from [69.138.30.1] by web31804.mail.mud.yahoo.com

  5. If you find more than one "Received: from" pattern, select the last one.

OK, most users use Gmail, I think, and it is the most popular of the email clients, which is why I wanted to write this one first.

 

Example

Here's an example of a message header for an email sent from MrJones@emailprovider.com to MrSmith@gmail.com:

Delivered-To: MrSmith@gmail.com
Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Return-Path: <MrJones@emailprovider.com>
Received: from mail.emailprovider.com (mail.emailprovider.com [111.111.11.111]) by mx.gmail.com with SMTP id h19si826631rnb.2005.03.29.15.11.46; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Message-ID: <20050329231145.62086.mail@mail.emailprovider.com>
Received: from [11.11.111.111] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:45 PST
Date: Tue, 29 Mar 2005 15:11:45 -0800 (PST)
From: Mr Jones <MrJones@emailprovider.com>
Subject: Hello
To: Mr Smith <MrSmith@gmail.com>

Notice that the Received line is what we need here to get the IP address of the victim.

Received: from [11.11.111.111] by mail.emailprovider.com via HTTP; Tue, 29

OK, hope you all got the idea of email headers in Gmail. More will be posted later.
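Reading "Received:" lines by eye is error-prone once a message has crossed half a dozen hops, so here is an added Python example, my own code and not from the post, that applies the post's rule (take the last "Received: from [ip]") with the standard library's email parser. The sample header is a constructed copy of the example above, with the addresses filled in. It also shows the caveat every incident responder learns the hard way: each server prepends its own Received line, so only the line added by a server you control is trustworthy; everything below it arrived inside the message and could have been written by the sender. `first_trusted_ip` therefore returns the address seen by the first hop you name, which is what to rely on when a header is used as evidence.

```python
import email
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample, a copy of the header example in the post above.
SAMPLE_HEADERS = """\
Delivered-To: MrSmith@gmail.com
Received: by 10.36.81.3 with SMTP id e3cs239nzb; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Return-Path: <MrJones@emailprovider.com>
Received: from mail.emailprovider.com (mail.emailprovider.com [111.111.11.111]) by mx.gmail.com with SMTP id h19si826631rnb.2005.03.29.15.11.46; Tue, 29 Mar 2005 15:11:47 -0800 (PST)
Message-ID: <20050329231145.62086.mail@mail.emailprovider.com>
Received: from [11.11.111.111] by mail.emailprovider.com via HTTP; Tue, 29 Mar 2005 15:11:45 PST
Date: Tue, 29 Mar 2005 15:11:45 -0800 (PST)
From: Mr Jones <MrJones@emailprovider.com>
Subject: Hello
To: Mr Smith <MrSmith@gmail.com>

"""

# "from <something> by <host> ..." ; the from-part may hold a name, a comment and a [ip]
FROM_BY_RE = re.compile(r"^from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.IGNORECASE | re.DOTALL)
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


@dataclass
class Hop:
    from_part: str          # everything between "from" and "by", as written
    ip: Optional[str]       # the bracketed IPv4 address in that part, if any
    by: str                 # the server that wrote this Received line


def received_chain(raw: str) -> List[Hop]:
    """Received headers in header order: the top one was added last (closest to
    you), the bottom one first (closest to the sender). Lines without "from",
    such as "Received: by 10.36.81.3 ...", are internal hops and are skipped."""
    msg = email.message_from_string(raw)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())   # unfold continuation lines
        match = FROM_BY_RE.match(value)
        if not match:
            continue
        ip_match = BRACKET_IP_RE.search(match.group("from"))
        hops.append(Hop(match.group("from"), ip_match.group(1) if ip_match else None, match.group("by")))
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """The post's rule: the last "Received: from [ip]" in the header."""
    for hop in reversed(received_chain(raw)):
        if hop.ip:
            return hop.ip
    return None


def first_trusted_ip(raw: str, my_servers: Set[str]) -> Optional[str]:
    """The address seen by the first Received line written by one of *your*
    servers. Lines below it travelled inside the message and may be forged."""
    for hop in received_chain(raw):
        if hop.by in my_servers:
            return hop.ip
    return None


if __name__ == "__main__":
    for hop in received_chain(SAMPLE_HEADERS):
        print(f"{hop.by:28s} received from {hop.ip}")
    print("post's rule:", originating_ip(SAMPLE_HEADERS))
    print("first trusted hop (mx.gmail.com):", first_trusted_ip(SAMPLE_HEADERS, {"mx.gmail.com"}))
```

In the sample both rules agree on the story the post tells (the webmail user came from 11.11.111.111, the provider's MX from 111.111.11.111); they diverge exactly when a sender has planted fake Received lines, which is why the trusted-hop answer is the one to cite.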

 

 

Happy Hacking @hackerthedude

Posted in email, Small Hacks, Tricks | No comments

The Top Targeted Brands Of 2009 [Pic]

Posted on 05:23 by Unknown

The year 2009 is almost over, and as we noted in 2009 Is The Year Of Biggest Data Breach's Ever Says Forbes and The Years Biggest Security Breach, the question that arises now is which were the most targeted brands of 2009.

 

The Avira Tech Blog has released a new report on attacks by cybercriminals, which lists the most targeted websites of 2009 and those likely to be targeted in 2010.

 

(Avira chart of the top targeted brands)

Well, at the dawn of 2009 the websites most targeted by hackers were Paypal, Chase Bank, Ebay, American Bank... and three places further down there is Facebook.
Yeah, you are right...

 

In December, the situation was changed: Now PayPal is the most phished brand (32205 unique URLs) followed from far away by the Chase Bank (25901 unique URLs) and Ebay (18738 unique URLs).

 

The top targeted brands are none other than banks, with some social media services trailing behind them. Now, what is going to happen in 2010? Well, we will cover all the news and hacks just for you guys, so stick with Hacker The Dude.

 

Be safe during the winter holidays and always write the address of PayPal and other online banks in the browser by yourself and never click on links in emails.

 

Happy Hacking Be Safe @hackerthedude

Posted in News, Pics | No comments

Sunday, 20 December 2009

Bootkit : One Deadly Weapon In The Attacker Arsenal

Posted on 10:47 by Unknown

There was a great presentation at Black Hat about bootkits, which are simply rootkits loaded from the MBR before the system starts.

 

Stoned Bootkit

 

This could be used to defeat full drive encryption, as the system would be infected after it boots. Below is a copy of the main page of the http://www.stoned-vienna.com/ web site, with tons of great information on the subject:


Stoned Bootkit


Stoned Bootkit is a new Windows bootkit which attacks all Windows versions from XP up to 7. It is loaded before Windows starts and is memory resident up to the Windows kernel. Thus Stoned gains access to the entire system.

 

It has exciting features like integrated file system drivers, automatic Windows pwning, plugins, boot applications and much much more. The project is partly published as open source under the European Union Public License. Like in 1987, 'Your PC is now Stoned! ..again'….


Peter Kleissner, Software Dev. Guru in Vienna

Your PC is now Stoned! ..again; Some links:

http://www.stoned-vienna.com/ - Main site (this site, redirects here)
http://stoned-bootkit.blogspot.com/ - Blog
http://vimeo.com/5114740 - Short video introduction to the project
http://www.pauldotcom.com Episode 155 - Interview and very good write up
www.blackhat.com speakers & topics - Stoned Bootkit at Black Hat USA 2009

Black Hat déjà vu - Stoned again
TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited..

Download the Stoned Bootkit Paper

  • Paper
  • Black Hat USA 2009 Presentation
  • Open Source Framework
  • Infector file that was used in the Black Hat USA 2009 presentation

'A bootkit is a rootkit that is able to load from a master boot record and persist in memory all the way through the transition to protected mode and the startup of the OS. It's a very interesting type of rootkit.' - Robert Hensing about bootkits


Please take also a look on my upcoming Hacking at Random presentation "The Rise of MBR Rootkits & Bootkits in the Wild".


Frequently Asked Questions


What is Stoned Bootkit and why should you be concerned?

A bootkit is a boot virus that is able to hook and patch Windows to get loaded into the Windows kernel, and thus gets unrestricted access to the entire computer. It is even able to bypass full volume encryption, because the master boot record (where Stoned is stored) is not encrypted. The master boot record contains the decryption software which asks for a password and decrypts the drive. This is the weak point, the master boot record, which will be used to pwn your whole system. No one's secure!

For whom is Stoned Bootkit interesting?

1. Black Hats
2. Law enforcement agencies
3. Microsoft


Why is Stoned something new?
Because it is the first bootkit that..
- attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
- attacks TrueCrypt full volume encryption
- has integrated FAT and NTFS drivers
- has an integrated structure for plugins and boot applications (for future development)

With Stoned Bootkit you can install any software (for example a trojan) on any computer running Windows without knowing any password, even when the hard disk is fully encrypted. Related questions from the Black Hat presentation:

1. Can the BIOS MBR protection prevent the attack?

No, because the BIOS is not called to write the MBR to disk. Windows has its own native hard disk drivers that are directly accessing the hard disk. The MBR protection in the BIOS works only with DOS and Windows 95/98.

2. Can hardware encryption prevent the attack?

Only for physical access. The attack is still possible under a running Windows because the hardware encryption is a layer below. The Stoned software will be stored encrypted by the hardware encryption and decrypted on startup, so it will still become active when starting.

TrueCrypt Attack


Stoned is able to bypass the full volume encryption of TrueCrypt. It allows installing a Trojan on a computer whose hard disk is fully encrypted. Let's take a look at the technical part. For TrueCrypt encryption there are two scenarios:


  1. Only the system partition is encrypted; the master boot record, unpartitioned space and the host protected area stay unencrypted.
  2. Full volume encryption, only the master boot record stays unencrypted.

The trick is that the master boot record is never encrypted - and thus can be safely overwritten and used for our own boot 'software'. For the first case additional data such as plugins, the original master boot record backup or further code can be stored to unpartitioned space. For the second case the whole Windows attacking code must fit into the master boot record, into the 63 sectors minus the decryption software. TrueCrypt has free 7 sectors where Stoned Bootkit still fits, so even full volume encryption is no problem.


My personal notebook has the system partition encrypted with TrueCrypt. I showed at Black Hat USA 2009 live that Stoned Bootkit was able to bypass that and could pwn my own system.


cmd.exe Privilege Escalation


Thanks to Vipin & Nitin Kumar for providing me their cmd.exe privilege escalation attack (source code together with some more detailed information). I rewrote a driver in C that does that job - overwriting the security token of cmd.exe with the one of services.exe. It waits until the image "whoami.exe" is loaded and escalates the rights of the cmd.exe process. An attacker can use this in the real world for example as root shell on a target system (with physical access). Take a look at the kernel debug output generated from the driver:


Image Load: \Device\HarddiskVolume1\Programme\Support Tools\whoami.exe
Found Process: System
Found Process: smss.exe
Found Process: csrss.exe
Found Process: winlogon.exe
Found Process: services.exe
System Service Security Token: e17c04ea
Overwriting old Security Token: e1445036
cmd.exe privilege escalated successfully!

(Left to right): Windows XP SP2, Windows Vista, Windows 7 RC pwned (take a look at whoami.exe, which changes from Peter Kleissner to NT-AUTHORITY\SYSTEM, and cmd.exe runs under SYSTEM rights, as can be seen in the task manager)

(screenshots: Windows XP cmd.exe privilege escalation, Windows Vista cmd.exe privilege escalation)



You may download the Windows 7 RC + TrueCrypt attack demonstration high quality video (11,7 MB) at http://www.stoned-vienna.com/downloads/TrueCrypt Windows 7 RC.avi.

 

Please download and read TrueCrypt Foundation's mail about the attack at http://www.stoned-vienna.com/downloads/TrueCrypt Foundation Mail 18. Juli 2009.tif. The whole mailings with the TrueCrypt Foundation can be found in the Stoned framework in the directory 'TrueCrypt'.


Local Infector


An automated infector Live CD will be published soon. It allows infection of a local machine (requires physical access and the ability to boot from CD or USB stick; this is the second installation method, the first being the Windows infector executable). Windows PE 2.0 from the Windows Automated Installation Kit is used as the boot base for automatic deployment. Instructions on how to create your own Stoned Windows PE CD and a download for a pre-configured ISO will follow. For more information read the blog entry at http://stoned-bootkit.blogspot.com/2009/08/vipin-kumar-windows-pe-and-eminem.html.


Stoned..

  • is software in the Master Boot Record, with the goal of staying memory resident up to the Windows kernel
  • attacks Windows XP, Server 2003, Vista, Server 2008, 7
  • supported architecture: IA32, AT architecture (IBM-compatible)
  • is full featured, including its own file system drivers for FAT and NTFS!
  • supports different boot media: hard disk, removable media, CD, DVD, flash drives, network..
  • there will be new versions, plugins and updates!

It has been successfully tested and verified on the following systems:


  1. Windows 2000 SP4
  2. Windows XP SP2
  3. Windows XP SP3
  4. Windows Server 2003
  5. Windows Server 2003 R2 SP2
  6. Windows Vista
  7. Windows Vista SP1
  8. Windows Server 2008
  9. Windows 7 Build 6801
  10. Windows 7 Beta
  11. Windows 7 RC
  12. DiskCryptor 0.8
  13. TrueCrypt 6.1a
  14. TrueCrypt 6.2
  15. TrueCrypt 6.2a
  16. Bochs 2.4.1
  17. VMware Workstation 6.5.0


Stoned v2


The next version of Stoned is currently under development, and it is going to be more evil than ever.

Features:

- 64-bit support based on the implementation of vbootkit 2.0
- infecting all local drives (including USB autorun spread)
- Linux support - experimental
- BIOS persistent infection - experimental

The first beta will be released at Hacking at Random 2009. Another change will be the removal of the (much criticized) selling notice. In the future Stoned will be published by my startup company Insecurity Systems.

Future ideas:

- burning CDs with Stoned when they are inserted
- using a shared driver for both the infector and the kernel driver
- infection on access
- TPMkit
- using more open source to get things done

 

Happy Hacking @itsmeafterall


Saturday, 19 December 2009

Is Google Public DNS Safe ?

Posted on 12:51 by Unknown

Is Google's new Public DNS server safe?

Google opened their new DNS service to the public. Google's strategy appears to be an attempt to compete with the popular free service called OpenDNS.

 

In light of the ongoing onslaught of DDoS attacks on sites such as Facebook and, under 48 hours ago, Twitter, the infosec industry is (and should be) concerned about how vulnerable Google's DNS is.



So far, as the link below documents, the relatively small amount of research that has been done suggests that Google's source port usage is sufficiently randomized to reduce the risk of a cache poisoning attack….

My opinion on this, though? It most definitely will be some hacker's gold star target due to the fact that Google is getting a lot of press right now. However, you would have to be totally and completely brain dead/flatlining to attempt to crack this honeypot right now. But, hey, that's why we all love dumb criminals - they have high entertainment value and are a great source of humor.


New Html 5 XSS Vector’s By Gareth Heyes

Posted on 09:25 by Unknown

Gareth Heyes is a well-known security researcher; you can also visit his blog, The Spanner. The newly released HTML 5 is now under the eyes of hackers, and it did not take long for Gareth Heyes to publish new XSS vectors for it.

 


 

According to Gareth, these new XSS vectors fire automatically, and the major web browsers, from Safari and Chrome to Opera, all support them. Gareth also posted them on Twitter.

 

The injection looks something like:-

<input type="text" USER_INPUT>

 

HTML 5 brings other new vectors and uses as well, but the notable thing here is that you no longer need to bind your XSS to a CSS style: HTML 5 lets us get expression-like execution without any CSS styles….

 

For example:-

 

<input type="text" AUTOFOCUS onfocus=alert(1)>

 

We use the “autofocus” feature to focus our element and then the onfocus event to execute our XSS. This works with a plethora (I like that word) of tags. It seems you can use this method with any form-based element:-

 

<input autofocus onfocus=alert(1)>
<select autofocus onfocus=alert(1)>
<textarea autofocus onfocus=alert(1)>
<keygen autofocus onfocus=alert(1)>
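As an added example (not code from Gareth Heyes' post or The Spanner), the Python below renders the injection point `<input type="text" USER_INPUT>` both the unsafe way and a safe way, and includes a small check that flags form elements carrying the autofocus plus on* handler combination listed above. All inputs are constructed.

```python
"""Added example (not from Gareth Heyes' post): the injection point
<input type="text" USER_INPUT> rendered unsafely and safely, plus a check
that flags the autofocus + on* pattern the post shows. Inputs are constructed."""
import html
import re

# The four form elements the post lists as working with autofocus/onfocus.
FORM_TAGS = {"input", "select", "textarea", "keygen"}


def render_vulnerable(user_input):
    """The post's injection point: user text lands in attribute position, so
    'autofocus onfocus=alert(1)' becomes two live attributes."""
    return f'<input type="text" {user_input}>'


def render_safe(user_input):
    """User text only ever becomes the quoted value of one fixed attribute;
    html.escape(quote=True) encodes " ' < > & so the value cannot break out
    of the quotes and add an attribute of its own."""
    return f'<input type="text" value="{html.escape(user_input, quote=True)}">'


_TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)\s([^>]*)>")
# attribute name, optionally followed by =value (quoted or bare)
_ATTR_RE = re.compile(r"""([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?""")


def find_autofocus_handlers(markup):
    """Return (tag, handler) pairs for form elements carrying both autofocus
    and an on* handler: the combination that fires with no user interaction.
    Useful over stored user content or rendered pages in tests."""
    hits = []
    for m in _TAG_RE.finditer(markup):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag not in FORM_TAGS:
            continue
        names = [a.group(1).lower() for a in _ATTR_RE.finditer(attrs)]
        if "autofocus" in names:
            hits.extend((tag, n) for n in names if n.startswith("on"))
    return hits


if __name__ == "__main__":
    payload = "autofocus onfocus=alert(1)"  # the post's vector, as constructed input
    print(render_vulnerable(payload), find_autofocus_handlers(render_vulnerable(payload)))
    print(render_safe(payload), find_autofocus_handlers(render_safe(payload)))
```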


Conclusion

These new XSS vectors mainly combine HTML 5's autofocus attribute with the onfocus event to trigger XSS in the major browsers that support HTML 5 right now, such as Safari, Chrome and Opera, and perhaps Firefox too.


Keep Your Encrypted Notes Safe With Fsekrit

Posted on 07:08 by Unknown

fSekrit is a small application for keeping encrypted notes.


 

This software is a good tool for keeping your codes or other data encrypted and safe from outside access.

 

A great thing about this tool is that it is a really small, portable utility: you can keep it on your pen drive and take it with you anywhere.

 

Another advantage of using fSekrit is that your un-encrypted data is never stored on your hard disk.

 

With a traditional encryption utility you would have to decrypt your file to disk, view or edit it, and then re-encrypt it, and unless you use secure file wiping tools, it would be a trivial matter for someone to retrieve your un-encrypted data, even though you have deleted it…

 

This can't be done with fSekrit, though, since it never stores your un-encrypted data on disk. fSekrit uses very strong encryption (256-bit AES/Rijndael in CBC mode) to ensure that your data is never at risk. Self-contained fSekrit note files are tiny! Only 60k plus the size of your text.

 


Happy Hacking @hackerthedude


Friday, 18 December 2009

The Anatomy of the Twitter Hack - Twitter's DNS Servers Hacked Yet Again Last Night

Posted on 11:42 by Unknown

 ~ via Tech Crunch

During and after Twittergate, when a hacker broke into a few hosted email accounts and obtained a number of internal documents, I had an opportunity to spend hours speaking to the actual attacker and document how he carried out the attack.

The article was called The Anatomy of The Twitter Attack, and today we unfortunately find ourselves with a sequel to that post as the Twitter DNS servers were compromised last night and the site was redirected to a defacement page.

Unlike last time, on this occasion I have not had the benefit of speaking directly to the attackers, but have spoken to a number of people within the underground security scene familiar with matters and have constructed other parts of the story from public sources. 

The incident last night was perpetrated by a group called the Iranian Cyber Army – and we have been told that this group is working with the Iranian government...

The attack occurred at the same time as a number of other diplomatic incidents, including the escalation of diplomatic hostilities between Iran and the US/EU as well as an incursion by Iranian troops into a disputed border area containing an oil field....


The defacement was carried out by hijacking the servers hosting the DNS records for the twitter.com domain (this is the server that maps the domain name to an IP address). The attackers modified the DNS records to point to an IP address with a web server hosting the defacement page. The twitter.com domain (registered with NetworkSolutions) was not hijacked, nor were its records altered.

The DNS records for Twitter are hosted at Dyn, a company that provides DNS hosting for over 100,000 domain names and provides other services for companies. We have been told, but have yet to confirm, that the account password recovery feature was used to reset the password for the Twitter account at Dyn. When we checked the password recovery page, it contains a request to contact Dyn directly – there is no form of any type. We have not been able to confirm if there was an automated process at this page which has since been taken down.






To reset the password to gain access to the account hosting DNS records, the attacker had access to the email address associated with the account. Twitter hosts all email on Google Apps for Domain, which played a central role in the previous attack on Twitter not because of any vulnerability within the application itself, but because of a lapse in password policies which led to a minor account being compromised, which led to other accounts being compromised.

The attackers gained access to the Twitter account at Dyn, and changed the DNS records for Twitter.com to point to an IP address that was on the anonymous Tor network. The attackers seemed to have changed all the records at Twitter.com, including sub-domains used for the API, the status page, etc. but because of varying caching levels and the fact that some clients were using a direct IP address not all services were affected immediately.

For most users the main Twitter web application was displaying the defacement page for just under an hour.

This type of attack is not very sophisticated, but it is extremely effective. It was not a direct vulnerability with the DNS server but rather with the accounts system and email addresses. While the Twitter application was not compromised, desktop applications and websites that directly send a user's username and password back to Twitter over plain HTTP would have sent this information to the attacker's IP address, from where it could easily have been harvested.

The solution to similar problems revolves around the management of account passwords, especially with critical services such as DNS hosting. Further, since the status page for Twitter was hosted on the same domain as the main site, it was also inactive during the period of time that the defacement was up on the site and for a short time afterwards while Twitter responded to the attack.

Wireshark v1.2.5 Released

Posted on 09:13 by Unknown

Wireshark is the world's foremost network protocol analyzer, and is the de facto standard across many industries and educational institutions for security work.

 

It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly.

 

It is freely available as open source, and is released under the GNU General Public License version 2.

Wireshark uses pcap to capture packets on supported network types.

  • Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.
  • Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loop-back.
  • Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
  • Captured files can be programmatically edited or converted via command-line switches to the "editcap" program.
  • Data display can be refined using a display filter.
  • Plug-ins can be created for dissecting new protocols.


30 Million Facebook, MySpace, and Orkut ID’s Hacked

Posted on 07:29 by Unknown

Hackers have breached RockYou.com, a widget and social-networking application company that hosts many users from famous social networking websites such as MySpace, Facebook and Orkut.

With this hack, over 30 million users have been affected.

 

The most troubling aspect of this incident is that RockYou apparently stored the information in plain text, rather than following industry standards by encrypting it.
The hackers have also claimed that they obtained the whole database of usernames and passwords, along with some private information as well.

 

The hacker appears to be forcing RockYou to admit to certain vulnerabilities in its data security.

"Don't lie to your customers, or I will publish everything"

the hacker wrote, as an obvious reprimand to RockYou.


These are strong words from the hacker in reply to company officials on the matter of encryption. RockYou is quite upset about it and has written that they are working on the security measures they use. You can read more about it Here.


Hackers Slays Microsoft’s Forensics Toolkit

Posted on 06:56 by Unknown

OK, this is kind of good news for all of us. The well-known, if not widely used, Microsoft-packaged forensic toolkit for law enforcement is now attackable.

 

DECAF

The tool is used by law enforcement agencies to track what has been done on a hacker's computer. But the twist here is that a hacker, or maybe a group of hackers, worked hard on this tool to crack it.

 

They succeeded with a crack they built, named DECAF. What is good to see in this whole matter is how the government relies on such a piece of crap that got cracked.

 

They should have made their own tool for forensic use rather than relying on software that combines a suite of 150 bundled scripts piled into one single script.

 

The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded…

 

Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice to the site. The tool was also being distributed through the BitTorrent file sharing network.

 

What DECAF actually does to COFEE is: first, it deletes temporary files or processes associated with COFEE; second, it erases all COFEE logs; third, it disables USB drives; and it contaminates or spoofs a variety of MAC addresses to throw off forensic tracking.

 

In an email, the unknown hackers added:

“We’re just two developers who support the free flow of information and privacy”

“You could say we’re just average joes.”


 

OK, we have also got a screenshot of COFEE for you guys. Enjoy!

 


 

UPDATE : Your copy of DECAF no longer works. Hackers have disabled it.
GAME OVER


Monday, 14 December 2009

Torpig Domain Generator : Hackers Using Twitter Trending Topics

Posted on 07:14 by Unknown

The Torpig botnet uses the Twitter API (trends) to generate new pseudo-random domain names for attack sites, to which infected websites silently redirect visitors. Active domain names change at least twice a day.

This real-time tool generates the domain name of the currently active attack site and two domain names that the hackers should activate in the upcoming 24 hours.


This tool is an initiative by a hacker, Denis, or you could say a security guy. The tool uses JavaScript and the Twitter API to find the attack domain from Twitter's trending topics.

Well, it's a big hole in the whole Twitter API, and the domain names this tool has predicted have been right so far. It is now all in the hands of the Twitter API developers…

 

What is Torpig Botnet

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet.

 

A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims.


At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.

 

Torpig relies on domain flux not only for its main C&C servers, but also to generate the names of the drive-by-download servers that it uses to spread. In traditional drive-by-download attacks, the iframe or script tags reference a hard-coded domain to redirect the victim browser to a malicious webpage to start the attack.

 

However, Torpig redirects victims to a malicious webpage by computing a pseudo-random domain name on-the-fly (seeded by the current date) using JavaScript code.

 

Two Twitter API Calls Used by the Botnet

 

However, this time they use two consecutive calls to Twitter (previously it was one).

The first request goes to

 

http://search.twitter.com/trends/daily.json?callback=callback

 

The response contains a timestamp (current time) and hackers use it to calculate a date (2 or 3 days before the current date) for the next API request.

 

http://search.twitter.com/trends/daily.json?date=yyyy-mm-dd&callback=callback2

where yyyy-mm-dd is the calculated date. This request returns the top 20 trending topics for each hour in a given day,

according to the author.

 

Conclusion

Well, you can also view the hacker's blog post Here. Overall it's good news for some malicious hackers who work on Twitter-related stuff and try to get victims, but this botnet has some holes in it too..

 


 

Happy Hacking @hackerthedude
