Category Archives: Tools

Account Registration phone verification internals

Phone verification is becoming widespread for free account sign-ups on sites like Yahoo, Gmail, Craigslist, Facebook etc. I hate giving out my real info just to test something with a burner account. In the past, the solution was as simple as Googling “receive free sms” and going to one of dozens of sites that will receive the verification code. I knew that it was too easy to last. Sure enough, the numbers from those sites are now blacklisted.

I really didn’t want to give out my primary cell phone to Yahoo, so I went for the next best thing. My VoIP trunk provider has the capability to receive SMS on a VoIP number and forward it to my primary phone, or even as an email. I entered that in, and to my surprise Yahoo still rejected it. That got me thinking. How can they be blacklisting my own private number? No one else registered with it before.

How it works:

With numbers being ported all over the place, how can they know whether a particular number is a VoIP number? The short answer is that they don’t know. They take a guess based on the information that’s publicly available (or available for a small fee) through sources such as these:

Local calling guide is actually quite accurate (and free). Where it messes up is as soon as a number is ported: it will only show the name of the telco that originally registered the number; all subsequent ports are ignored. When I looked up my numbers that failed to verify, sure enough they all came back as belonging to a VoIP company. Same thing when I tried to look up many “receive free sms” service numbers. They all showed up as VoIP.

So now what? I still don’t want to give Yahoo my cell phone.

… There isn’t a foolproof way, but some of these may work:

  • Port a “real” number to VoIP. It costs me about $12/first year to have a secondary VoIP number – which of course doesn’t work that great nowadays. Porting a real number to VoIP will work, but it’s a little bit more time and money. I figure about $50/first year (get a SIM, port it, cancel the original service, keep it running as VoIP). Not that bad, but a little too much trouble for what I’m using it for.
  • Sign up with a service that provides verification codes for burner phone numbers. They do the above steps for you at mass scale as a service. I haven’t tried it though. If they listed their numbers in advance I could look them up to see if they show up as VoIP. For this to work they must have a proper setup using “real” phone numbers. Also it’s hard to believe that they wouldn’t get blacklisted in a hurry. Maybe there is one that works, but chances are that if it works now, it won’t work several months later.
  • Give up for now (until something better comes along)… this is kind of what I ended up doing. I still didn’t give them a real number; I ended up reviving one of my old Yahoo accounts and used it instead.


Undetectable Keylogger in 30 minutes

I noticed that all 60 out of 60 popular Windows anti-virus and anti-malware solutions do not catch the simplest keylogger.

For the test I created a Windows application using the popular UserActivityHook.cs library. It took me about 30 minutes of mostly copying and pasting. I didn’t have to obfuscate the nature of my program, nor did I have to pack its binary contents. The program runs as a plain user – it doesn’t need privilege escalation either. In other words, it is very dangerous. I scanned the executable through VirusTotal as well as a few popular anti-virus and anti-malware programs on various workstations locally, and they all passed the keylogger as 100% ok.

This doesn’t illustrate my hacking abilities (I used none). What this does illustrate is the poor state of anti-malware and anti-virus tools at the moment. No matter what the marketing materials tell you, the only protection these tools offer you is against specific catalogued instances of malware. For any other attack you’re on your own.

[Screenshot: virus-total-pass]

I couldn’t believe my eyes, either, so I decided to dig deeper.

Why was this so easy?

To understand that, let’s dig into the various detection methods antivirus programs have at their disposal (thanks Wikipedia) and why each method fails:

  • Signature-based detection: is the most common method. To identify viruses and other malware, the antivirus engine compares the contents of a file to its database of known malware signatures. Since this malware is new, there is nothing to compare it to. This is also another reason why I’m not posting the keylogger for everyone to download. Days after I release it, it will get picked up by one of the many anti-malware teams and a signature will be made out of it in a hurry. I don’t want to be tagged as distributing malware down the road. This approach is passable, but it’s not good enough – definitely not as good as the various vendors would have you believe. It’s trivial to bypass the anti-malware scan if you spend 30 minutes making your own, even if you copy and paste a bunch of stuff together. On the other hand, if you’re using someone else’s tool it will get picked up as malware sooner or later.
  • Heuristic-based detection: is generally used together with signature-based detection. It detects malware based on characteristics typically used in known malware code. I was kind of rooting for the anti-malware programs to catch it based on heuristics: if they can’t catch my test, how are they catching the keyloggers that others are trying to use against me? Sadly none did. This is most likely due to the fact that the Windows security architecture allows keylogging as a very routine function that is used by many legitimate applications. In particular the keylogger depends on the GetKeyboardState API call, which is used for many other benign reasons by other applications. I still think that if the anti-virus companies tried harder, they could catch this based on heuristics. Currently they obviously don’t.
  • Behavioural-based detection: is similar to heuristic-based detection and is also used in intrusion detection systems. The main difference is that, instead of characteristics hardcoded in the malware code itself, it is based on the behavioural fingerprint of the malware at run-time. Clearly, this technique is able to detect (known or unknown) malware only after it has started doing its malicious actions. Once again anti-malware products didn’t live up to this promise. They could have noticed the writes to disk milliseconds after each key press – they didn’t. Then again, it is tricky. There are a lot of legitimate programs out there that write to disk after key strokes and aren’t key loggers.
  • Data mining techniques: are one of the latest approaches applied in malware detection. Data mining and machine learning algorithms are used to try to classify the behaviour of a file (as either malicious or benign) given a series of file features that are extracted from the file itself. Data mining should have been a no-brainer for an anti-malware tool. I was doing all sorts of suspicious stuff in my code and not hiding it one bit. I guess we have to wait until this matures a bit, but given how miserably the other methods failed, I’m not holding my breath.

So…. this sucks. How do I protect myself then? Right now, you probably can’t. Anti-malware companies have to step up and detect these kinds of things. Be skeptical: just because you see 57 green check marks on VirusTotal doesn’t mean it’s safe. And no, don’t stop using your anti-virus, VirusTotal or whatever else you have. Even if anti-virus is only 90% effective, that’s better than the 0% without it.

ASP.NET dll download vulnerability

Attack:

  1. Guess what the dll of the core application is called. By default it will have the same name as the ASP.NET project created by the programmer. Other than taking a guess based on the name of the web site, it’s often possible to determine the name by browsing the HTML source or by triggering errors.
  2. Download the main dll by requesting the following URL:  http://domain.com/bin/application.dll
  3. Once you’ve got the .dll downloaded you can decompile it using ILSpy or your own favorite reversing tool.   If you’re lucky, you may find hardcoded passwords.  If not, you can now look for SQL and Linq injection opportunities that the source code is likely to reveal.

Defence:

  • Most IIS installations restrict access to the /bin/ folder by default, but I’ve noticed that for some reason some don’t. One way to block this attack is by adding a hidden segment “bin”.

Notes:

  • I found at least one Linux system running Apache with Mono that was vulnerable. Linux is not immune; if anything I’d say it’s more likely to allow this attack.

Asterisk – Seamless dialing of remote extension through DTMF

Problem Description:

There are two offices.  Office A runs Asterisk / FreePBX while office B runs a closed system with auto attendant.

The guys at office A would like to be able to dial office B extensions as if they were local.


Solution Overview:

Program the office A extensions in this way:

  1. Local extension picks up
  2. Remote office number is called
  3. When the remote office picks up
  4. DTMF key presses are sent to select the right extension
  5. Call is connected

Solution Details:

First I attempted to program this into FreePBX through the GUI, but I wasn’t having any luck because the default macros were not letting me craft the Dial command in such a way that it sends the key presses after the call is placed. Although it would have been nice to have everything in the GUI, the FreePBX GUI method seems to be a dead end. I ended up relying on the good old /etc/asterisk/extensions_custom.conf configuration file, and I just created my own extensions there.

[ext-local]
exten => 102,1,Dial(SIP/v-outbound/4031112222,30,rD(ww11))
exten => 103,1,Dial(SIP/v-outbound/4032223333,30,rD(ww12))

[ext-local] sets the right context so that these extensions are picked up as if they were local.  You could also put these into other contexts like [ivr-1] etc.

D tells the Dial command to send DTMF button presses after the remote end picks up.

w tells the Dial command to wait 0.5 seconds.


Improved proxmark3 scanning of ioProx / Kantech fobs

I’ve been playing with my new proxmark3. It works great for HID cards, but the ioProx code is still in its infancy. I made some improvements to it based on analysis by marshmellow:

  • Better accuracy: You no longer have to worry about centering your fob on the antenna or scanning it repeatedly to get a “good” reading. Now you can just hold it in your fingers to scan. Before this update I was averaging 10 – 70% accuracy depending on how I held the fob. This version is pretty much 100% – I haven’t had a bad scan yet.
  • Correct decoding of the human-readable XSF number: The previous version had a bug that displayed the wrong unique code and the wrong facility IDs.

[Image: proxmark3]

Download the binary firmware (including a source code patch if you want to build it yourself).

There is still more work to be done. For example, there appears to be a CRC or checksum near the end – it’s still a mystery.

Quick and easy iptables based proxy

Today was a busy day dealing with a power outage that affected 2100 businesses in downtown Calgary. Of course, a couple of my clients were in the zone that went dark. I offered to run their key infrastructure from my place for a couple of days. Everything went great, except I have only 1 IP address on my connection. That’s not good when both clients want to come in on port 443. What to do?

Call up my ISP and order another IP? Nope: Takes too long, too expensive, I just need this temporarily. Also, ISP might mess it up and take me offline for a while.

Get a VM with an IPv4 address and proxy the traffic over? Yes, but why go with something heavy-handed like nginx?

I prefer this elegant solution brought to you by iptables:


# echo 1 >| /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A PREROUTING -p tcp -d $IP_OF_VM --dport 443 -j DNAT --to $IP_WHERE_IM_FORWARDING_TO:8443
# iptables -t nat -A POSTROUTING -j MASQUERADE

CAPTCHA firewall bypass / port knocking portal

A couple of my clients’ sites were being probed by botnets. It was the usual:

  • Common vulnerabilities probes
  • Password guessing attacks

It didn’t warrant putting them behind a firewall, but I also didn’t like the idea of having them open to relentless automated 24×7 scanning. The sites were extranet-type sites, not really public, but not private either. I scratched my head a bit trying to figure out how I could improve security without inconveniencing users. What I came up with is this method:

  1. Any access to the website is blocked by a “captive portal” like page
  2. When the user provides the portal with what’s being asked for (in this case the correct answer to a CAPTCHA), the firewall opens an exception for their IP and the user is redirected onward to the site they were looking for.

Is this secure against a determined hacker?  Definitely not.  Solving the CAPTCHA takes only 3 seconds and they’re in through the first layer of defense.   That’s why it’s critical that this is treated as an extra (thin) layer of defense and not as the only layer.

Is this secure against 99% of all attacks out there (worm / botnet attacks on autopilot)? Definitely.

How is it implemented?

  • PHP page shows the portal page
  • If the CAPTCHA is correct, the IP is collected from $_SERVER["REMOTE_ADDR"], sanitized and saved in a file that keeps track of allowed IPs
  • The PHP page then triggers a shell script that updates iptables with the following entry:
    iptables -t nat -A PREROUTING -p tcp --dport 80 -s $AllowedIP -d $YourIP -j DNAT --to-destination $TargetIP:80
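The sanitize-and-record step from the list above, written as an added Python example rather than the post’s own PHP page or shell script. The allow-list path and the injectable `run` hook are assumptions; the iptables rule is the one the post shows, passed as an argv list so the visitor’s address can never be interpreted by a shell.

```python
import ipaddress
import subprocess

# Hypothetical location of the allow-list the portal maintains (assumption).
ALLOWED_FILE = "/var/lib/portal/allowed_ips.txt"


def sanitize_ip(raw):
    """Return a normalised IPv4 address or raise ValueError.

    ipaddress.ip_address() rejects anything that is not a literal address,
    so hostnames or shell metacharacters in REMOTE_ADDR never reach iptables.
    """
    addr = ipaddress.ip_address(raw.strip())
    if addr.version != 4:
        raise ValueError("portal only opens IPv4 exceptions: %r" % raw)
    return str(addr)


def dnat_rule(allowed_ip, your_ip, target_ip):
    """argv for the PREROUTING rule from the post, as a list (no shell string)."""
    return ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
            "--dport", "80", "-s", allowed_ip, "-d", your_ip,
            "-j", "DNAT", "--to-destination", target_ip + ":80"]


def grant_access(remote_addr, your_ip, target_ip,
                 allowed_file=ALLOWED_FILE, run=subprocess.run):
    """Record the visitor's IP and open the firewall exception for it.

    `run` is injectable so the logic can be exercised without root or
    iptables present; in production the default subprocess.run is used.
    """
    ip = sanitize_ip(remote_addr)           # invalid input stops here
    your_ip = sanitize_ip(your_ip)
    target_ip = sanitize_ip(target_ip)
    with open(allowed_file, "a") as f:     # append-only record of who was admitted
        f.write(ip + "\n")
    run(dnat_rule(ip, your_ip, target_ip), check=True)
    return ip
```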

How can this be improved?

Nothing says that access has to be given with a simple CAPTCHA; there could be full authentication that takes place before the firewall is opened. Furthermore, it could close shortly after access is given, disallowing any fresh TCP connections. Think of it as authenticated port knocking.

[Screenshot: security proxy portal page]

You’ve probably seen a page like this if you’ve stumbled across a CloudFlare-protected site when using Tor. I don’t know what internal mechanism they use, but I imagine it’s very similar.


API Monitors

When reversing applications it’s useful to see what’s happening under the hood. Up until now I’ve either had to bring out OllyDbg and dive into assembly or rely on a high-level tool like Sysinternals Process Monitor. I’m fond of strace on Linux, but when I searched for “strace for Windows” the results were tools that were not very reliable. That was a couple of years ago.

Today I stumbled on these two API monitors that do exactly what I need on Windows:


Visualizing Complex Files

Inspired by a very interesting TED talk by Chris Domas, I decided to make my own tool that did the same thing.

Download the binary (.NET compatible)

Download the source code

As you can tell from the source code,  the mechanism is very easy:

  1. Split file into bytes
  2. Loop through the bytes (currentByte and previousByte)
  3. X axis is 0 – 255 (currentByte)
  4. Y axis is 0 – 255 (previousbyte)
  5. Plot intersections of X and Y

The technical name for this is a digraph. Doing this in 3D or 4D would require a very similar process.
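The five steps above, as an added Python example that is not the post’s .NET tool. Beyond plotting, it reports the fraction of the 256×256 grid that is occupied and the bounding box of the points, which are the two things that separate the text, exe and random screenshots; the PGM output file name is an assumption.

```python
import math
import sys
from collections import Counter


def digraph(data):
    """Steps 1-2: count each (currentByte, previousByte) pair, keyed (x, y)."""
    return Counter(zip(data[1:], data))


def occupancy(counts):
    """Fraction of the 256x256 grid hit at least once (random data -> near 1.0)."""
    return len(counts) / (256 * 256)


def bounding_box(counts):
    """(min_x, max_x, min_y, max_y); plain ASCII stays within 32..126 on both axes."""
    if not counts:
        return None
    xs = [x for x, _ in counts]
    ys = [y for _, y in counts]
    return min(xs), max(xs), min(ys), max(ys)


def to_pgm(counts):
    """Steps 3-5: render the grid as a binary PGM (P5), log-scaled so frequent
    pairs appear as shades of gray instead of all saturating to white."""
    peak = max(counts.values(), default=1)
    pixels = bytearray(256 * 256)            # black canvas, row y, column x
    for (x, y), hits in counts.items():
        pixels[y * 256 + x] = int(255 * math.log1p(hits) / math.log1p(peak))
    return b"P5\n256 256\n255\n" + bytes(pixels)


if __name__ == "__main__":
    # Usage: python digraph.py <file>   (writes <file>.pgm beside the input)
    with open(sys.argv[1], "rb") as f:
        counts = digraph(f.read())
    with open(sys.argv[1] + ".pgm", "wb") as out:
        out.write(to_pgm(counts))
    print("occupancy %.3f, bounding box %s" % (occupancy(counts), bounding_box(counts)))
```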

Below are screenshots of some of the files that I visualized.

[Screenshot: digraph of a text file]

Note how everything is in the upper left corner. That’s because the bulk of plain text is ASCII bytes 32 (space) to 126 (~).

[Screenshot: digraph of an exe file]

Some similarities to a text file in terms of well-defined patterns, except that a binary file won’t be restricted to bytes below 127.

[Screenshot: digraph of a jpeg file]

Notice the shades of gray.


[Screenshot: digraph of a random file]

This was about a 32 MB file. If I had a bigger file that was even more random I would expect the entire screen to fill white. Any pattern visible here is a telltale sign of a lack of randomness (or a small sample).