Trip to Neumarkt in der Oberpfalz

During the Easter holidays I made a short trip to “Neumarkt in der Oberpfalz” to visit my friends there. We play an online game together, and I wanted to meet them to chat about our lives and about the game. They work in a small Asian restaurant there. Neumarkt in der Oberpfalz is the capital of the Neumarkt district in the administrative region of the Upper Palatinate, in Bavaria, Germany. With a population of about 40,000, Neumarkt is the seat of various projects, and acts as the economic and cultural center of the western Upper Palatinate, along with Nürnberg, Ingolstadt, and Regensburg (Wikipedia).

My friends warned me that Neumarkt is pretty small, but I didn’t believe them. There must be something to see. So I took an early train to have more time to visit the town. They picked me up at the train station, we made some small talk and took some photos, and I started my tour around Neumarkt. It is indeed a pretty small town; it took me only a little more than an hour to look at all of its sights. Nothing special there: some churches, a museum… On the day I came, the museum was not open, so I could not go in and see what is in it. Below is the map of Neumarkt with some important locations; you can see there is a “spine” street that goes through Neumarkt. Go along this street, then turn left or right, and you can visit all of the sights.
Neumarkt in der Oberpfalz

It was a beautiful sunny day, so I decided to buy a Döner Kebap (a kind of Turkish bread with lamb meat) and a beer, and enjoyed my lunch in a garden. Going green and relaxing. After lunch I finished my round trip, saw my friends again, chatted for a little while, and left Neumarkt with a hot fried Peking duck as a gift from them. ^_^ It’s delicious.

It’s a pity that Neumarkt is not big enough to stay longer. However, at least I got out of Munich, went green and relaxed. There are some photos I would like to share in the slide show below. Hope you’ll like them.

Hacking – Is SSL really secure with Root CA ?

Some days ago, I heard that a Root CA had been attacked and some CAs had been faked, which led to a serious security vulnerability: internet users lose their sensitive data although they use https:// to communicate with the web server. This issue made me think about a case study: “What would happen if a Root CA was controlled by a government? Will I be attacked by Man-In-The-Middle in https://? Can I protect myself from being attacked like that? Is SSL really secure at all?” So I tried to find the answers to these questions myself, and I think they may be interesting for you.

A normal user may not know anything about https:// or HTTP Secure; for example, my wife says simply that there is one more “s” compared to http:// and that’s all. My friend says it’s the address of the website: we must enter it correctly with the “s” at the end, otherwise we’ll be told the URL is wrong. They are perfect, innocent answers, aren’t they? As advanced users, we all know the term “Man-In-The-Middle” attack, in which an attacker acts as a repeater and sniffs all data transferred between the user and the web server. So if we send and receive data in clear text, he can read our sensitive data (username, password), and what he would do with this data, only God knows. Therefore the requirement, as well as the solution, for encrypting data before sending it out to the internet was born: HTTP Secure.


C# – Send data to other application – Menu and MenuItem

After I posted the blog “C# – Send data to other application”, Lion_King asked me whether I had free time to try sending the same messages to a menu item in iTunes, because he found that it’s really difficult to send a message to a menu item. So yesterday I spent half a day trying to send a mouse click to the menu Store -> Sign In of iTunes, and luckily I was successful. So I decided to write the next part, on sending data to another application’s menu and menu items, in this small blog. The image below shows the menu item that I would like to click on automatically.

Menu Sign In of iTunes

In the first part, I mostly used three main APIs: FindWindow, FindWindowEx and SendMessage. In this second part, I again use these three APIs to locate the components of the form and send the appropriate messages to pop up the menu and click on the “Sign In” menu item. I will describe it step by step to make it easier to understand. The steps that were introduced in the previous part will be explained only briefly.

If you want to learn more about Win32 API Programming you can read this book
Win32 Programming (Addison-Wesley Advanced Windows Series)(2 Vol set)

1. As usual, before we send anything anywhere in an application, we must first get the handle of that application. Using Spy++ I found out that the class name and caption of iTunes are “iTunes” and “iTunes”.

IntPtr hwndMainWindowItunes = WinAPI.FindWindow("iTunes", "iTunes");

2. Now it’s time to get the handle of the menu. Maybe you’ll think of the GetMenu API to get the menu handle of a dialog. That’s right in most cases, but with iTunes everything is different. If you look at the component tree of iTunes in Spy++, you will see that the sub menu “Store” is not a real sub menu at all. Its class name is “Static”, which means it is a label, and we can drag the “Finder Tool” over it to get its handle. That is really strange for a menu, because normally we cannot drag the “Finder Tool” over any menu. You can open Notepad and test whether you can drag the “Finder Tool” over its menu.

Component tree of iTunes

So it turns out to be really difficult now: because the menu “Store” is a fake one, GetMenu is useless, and we cannot get the handle of the popup menu when we click on the “label” Store. Every time we switch to the Spy++ window to drag the “Finder Tool” over the popup menu, the popup menu disappears because it loses focus. Either we have the popup open or we have the “Finder Tool” active; we cannot have both at the same time, so we are in a difficult situation. To solve this problem, I decided to run a while loop which continuously clicks on the menu Store to keep the popup menu open, so that I can use Spy++ to get its handle. Of course, to click on the Store menu, I must get its handle and send the click message to it.

IntPtr hwndMnStatic1 = WinAPI.FindWindowEx(hwndMainWindowItunes, IntPtr.Zero, "Static", "");
IntPtr hwndMnStatic2 = WinAPI.FindWindowEx(hwndMainWindowItunes, hwndMnStatic1, "Static", "");
IntPtr hwndMnStore = WinAPI.FindWindowEx(hwndMnStatic2, IntPtr.Zero, "Static", "&Store");

int x = 5, y = 5;
int lParam = ((y << 16) | (x & 0xffff)); // x in the low word, y in the high word (MAKELPARAM layout)
while (true)
{
	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONDOWN, IntPtr.Zero, new IntPtr(lParam));
	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONUP, IntPtr.Zero, new IntPtr(lParam));
}

With the code block above, I can keep the popup menu open all the time by clicking at position (5,5) of the menu “Store”. Then I can drag the Spy++ “Finder Tool” over it to get its class name and caption, which are “#32768” and “”. The position for the mouse click is stored in the lParam variable, which contains the packed x and y coordinates. Now that we have the class name of the popup menu, we can, of course, improve our while loop to break as soon as we have the handle of the popup.

IntPtr hwndMnPopupMenuWnd = IntPtr.Zero;
while (hwndMnPopupMenuWnd == IntPtr.Zero)
{
	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONDOWN, IntPtr.Zero, new IntPtr(lParam));
	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONUP, IntPtr.Zero, new IntPtr(lParam));
	hwndMnPopupMenuWnd = WinAPI.FindWindow("#32768", "");
}

However, the big disadvantage of sending a mouse click with WM_LBUTTONDOWN and WM_LBUTTONUP is that the component receiving the click must be in front all the time. We cannot click on a component which lies behind other forms. That means we must bring it to the front and keep it there whenever we would like to send the mouse click message. This is a really big disadvantage, because I cannot let a program click on a component in the background while I do something else at the same time, since I could carelessly hide the component. So if you know how to send a mouse click without requiring the component to be in front, please share it with me; I would appreciate it. The source code to bring iTunes to the foreground and get the handle of the popup menu looks like this:

IntPtr hwndMainWindowItunes = WinAPI.FindWindow("iTunes", "iTunes");
IntPtr hwndMnStatic1 = WinAPI.FindWindowEx(hwndMainWindowItunes, IntPtr.Zero, "Static", "");
IntPtr hwndMnStatic2 = WinAPI.FindWindowEx(hwndMainWindowItunes, hwndMnStatic1, "Static", "");
IntPtr hwndMnStore = WinAPI.FindWindowEx(hwndMnStatic2, IntPtr.Zero, "Static", "&Store");

WinAPI.WINDOWPLACEMENT wp = new WinAPI.WINDOWPLACEMENT();
wp.length = Marshal.SizeOf(wp);
WinAPI.GetWindowPlacement(hwndMainWindowItunes, ref wp);

int proposedPlacement = wp.showCmd;

if (wp.showCmd == WinAPI.SW_SHOWMINIMIZED)
	proposedPlacement = WinAPI.SW_SHOWMAXIMIZED;

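// 0x2001 = SPI_SETFOREGROUNDLOCKTIMEOUT; 0x0002 | 0x0001 = SPIF_SENDCHANGE | SPIF_UPDATEINIFILE.
// Set the timeout to 0 so that SetForegroundWindow is allowed to take the focus.
WinAPI.SystemParametersInfo((uint)0x2001, 0, 0, 0x0002 | 0x0001);
WinAPI.ShowWindowAsync(hwndMainWindowItunes, proposedPlacement);
WinAPI.SetForegroundWindow(hwndMainWindowItunes);
// Put the timeout back to 200000 ms. SPIF_UPDATEINIFILE persists the value in the user
// profile, so if this line is not reached the 0 setting stays in effect.
WinAPI.SystemParametersInfo((uint)0x2001, 200000, 200000, 0x0002 | 0x0001);

int x = 5, y = 5;
int lParam = ((y << 16) | (x & 0xffff)); // x in the low word, y in the high word (MAKELPARAM layout)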
IntPtr hwndMnPopupMenuWnd = IntPtr.Zero;
while (hwndMnPopupMenuWnd == IntPtr.Zero)
{

	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONDOWN, IntPtr.Zero, new IntPtr(lParam));
	WinAPI.SendMessage(hwndMnStore, WinAPI.WM_LBUTTONUP, IntPtr.Zero, new IntPtr(lParam));
	hwndMnPopupMenuWnd = WinAPI.FindWindow("#32768", "");
}

3. OK, one of the hard sections is now finished, and we go on to the next part: getting the menu item. Let’s see what we have now. We have the handle of a popup menu window. I emphasize the word “window” because it’s the handle of a window that contains the real menu; it’s not the handle of the menu itself. However, please do not think of the GetMenu API for getting the handle of the menu: because it’s a popup menu, it does not behave like a normal menu. We cannot get its handle through that API; instead we must use SendMessage with the MN_GETHMENU message to get its handle.

IntPtr hwndMnPopupMenu = WinAPI.SendMessage(hwndMnPopupMenuWnd, WinAPI.MN_GETHMENU, IntPtr.Zero, IntPtr.Zero);
int count = WinAPI.GetMenuItemCount(hwndMnPopupMenu);
int menuItemIndex;
System.Text.StringBuilder menuItem = new System.Text.StringBuilder(0x20);

menuItemIndex = -1;
for (int i = 0; i < count; i++)
{
	// loop through the items of the popup menu and compare their captions
	WinAPI.GetMenuString(hwndMnPopupMenu, (uint)i, menuItem, 0x20, WinAPI.MF_BYPOSITION);
	if (menuItem.ToString().Equals("Sign &In…"))
	{
		menuItemIndex = i;
		break;
	}
}

You can see code like the block above everywhere someone wants to access a menu item to get its index. You may ask why I need this index. The answer is really simple: I do not know any API function which allows me to click directly on a menu item. Therefore I get the menu index to locate its position on the form and then send the mouse click to it. If you know one, then tell me. By the way, I tried WM_COMMAND with GetMenuItemID, but this combination does not work because this is a popup menu.

WinAPI.RECT helpRECT = new WinAPI.RECT();
WinAPI.GetMenuItemRect(hwndMnPopupMenuWnd, hwndMnPopupMenu, (uint)menuItemIndex, out helpRECT);

x = (helpRECT.Left + helpRECT.Right) / 2;
y = (helpRECT.Top + helpRECT.Bottom) / 2;

Cursor.Position = new System.Drawing.Point(x, y);
WinAPI.mouse_event((int)(WinAPI.MouseEventFlags.LEFTDOWN), 0, 0, 0, 0);
WinAPI.mouse_event((int)(WinAPI.MouseEventFlags.LEFTUP), 0, 0, 0, 0);

Thread.Sleep(2000);
IntPtr hwndMnSignIn = IntPtr.Zero;
int index = 0;
while (hwndMnSignIn == IntPtr.Zero && index < 100)
{
	index++;
	hwndMnSignIn = WinAPI.FindWindow("iTunesCustomModalDialog", "iTunes");
	Thread.Sleep(100);
}

After getting the position to click on, I could not manage to click on this menu item the same way, with WM_LBUTTONDOWN and WM_LBUTTONUP. I tried many times to send these messages to the menu item, hard-coding the coordinates or replacing the hWnd of the window, but none of that worked. So I had to use another API, mouse_event, to click on the menu item and open the Sign-In window, which has the class name “iTunesCustomModalDialog” and the caption “iTunes”. Opening this dialog takes some seconds, so the program just sleeps for 2 seconds to wait for the new dialog and then tries to get its handle up to 100 times, once every 100 ms.
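
A bounded variant of the step 2 polling loop, added here as an example and not part of the post's own source code: it gives up after a timeout and accepts a “#32768” window only if it belongs to the same process as the clicked control, because that class name is shared by the popup menus of every application. The names PopupFinder, MakeLParam and ClickUntilPopup are hypothetical, and the P/Invoke declarations stand in for the post's WinAPI wrapper class, which is not shown on this page.

```csharp
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Threading;

// Added example; PopupFinder, MakeLParam and ClickUntilPopup are hypothetical names.
static class PopupFinder
{
    const uint WM_LBUTTONDOWN = 0x0201, WM_LBUTTONUP = 0x0202;
    const int MK_LBUTTON = 0x0001; // wParam flag: left button is down

    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern IntPtr FindWindowEx(IntPtr parent, IntPtr after, string cls, string caption);
    [DllImport("user32.dll")]
    static extern IntPtr SendMessage(IntPtr hWnd, uint msg, IntPtr wParam, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);

    // Same layout as the Win32 MAKELPARAM macro: x in the low word, y in the high word.
    public static IntPtr MakeLParam(int x, int y)
    {
        return new IntPtr(((y & 0xFFFF) << 16) | (x & 0xFFFF));
    }

    // Clicks hwndTarget until a "#32768" popup owned by the same process appears
    // or the timeout expires. Returns IntPtr.Zero on timeout.
    public static IntPtr ClickUntilPopup(IntPtr hwndTarget, int x, int y, TimeSpan timeout)
    {
        uint targetPid;
        GetWindowThreadProcessId(hwndTarget, out targetPid);
        IntPtr lParam = MakeLParam(x, y);
        Stopwatch sw = Stopwatch.StartNew();
        while (sw.Elapsed < timeout)
        {
            SendMessage(hwndTarget, WM_LBUTTONDOWN, new IntPtr(MK_LBUTTON), lParam);
            SendMessage(hwndTarget, WM_LBUTTONUP, IntPtr.Zero, lParam);
            // Walk every top-level "#32768" window, not only the first match.
            IntPtr popup = IntPtr.Zero;
            while ((popup = FindWindowEx(IntPtr.Zero, popup, "#32768", null)) != IntPtr.Zero)
            {
                uint pid;
                GetWindowThreadProcessId(popup, out pid);
                if (pid == targetPid) return popup;
            }
            Thread.Sleep(50); // do not spin at full CPU between attempts
        }
        return IntPtr.Zero;
    }
}
```

Call it as `PopupFinder.ClickUntilPopup(hwndMnStore, 5, 5, TimeSpan.FromSeconds(5))` and treat a returned IntPtr.Zero as a failure before sending MN_GETHMENU.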

Now our mission is finished, although there are still some open questions which I cannot answer myself. I hope one of you can help me find the solutions:
– Sending the messages WM_LBUTTONDOWN/WM_LBUTTONUP requires a foreground window. Is there any way to do it without setting the foreground window? I mean, “Can we send a mouse click to a background window?”
– After getting the position of the menu item “Sign In”: “Why can’t I use SendMessage with WM_LBUTTONDOWN/WM_LBUTTONUP to simulate the mouse click any more? What parameters should I give SendMessage to make a mouse click on it without using the mouse_event API?”

And as usual, at the end of the post is the source code: “Send data to other application – Menu and MenuItem”

Hacking – How to hack WEP Password with BackTrack ?

Hacking WEP passwords is not a new topic anymore, since aircrack was first released in 2006. This software suite consists of many tools for detecting, analyzing and monitoring networks, sniffing packets and hacking WEP / WPA (dictionary attack) passwords. It only supports 802.11x wireless protocols and network adapters which allow raw monitoring mode (an example list of this type of adapter can be found at the following link: http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters).

Monitor mode is one of 6 modes which an 802.11 wireless card can operate in: Ad-hoc, Master (acting as access point), Mesh, Monitor, Repeater. Unlike promiscuous mode, which is also used for packet sniffing and can be used on both wired and wireless networks, monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first, and it only applies to wireless networks. Therefore be careful when choosing a network adapter: you must choose one which is on the support list, otherwise you cannot sniff packets from the victim network. By “correct”, I mean that it must be exactly the same as stated in the list. In my demo, I’ll use the USB wireless network adapter “Netgear Wg111v2”, which costs about 6 Euro on eBay. You can find the version of this series on the side of the USB stick, as in the image below.


Hacking – How to hack Jotto Ciphertechs game?

When I was wandering on HVA, I found a thread introducing a guessing game, which I discussed in this blog post: Rx and permutation. If you want to play, you can try it here: http://jotto.ciphertechs.com/. For my part, after 14 attempts at brute-forcing the characters of the password, I found out that they are “a”, “j”, “m”, “o”, “r”, as in the image below.

Brute force Jotto

After calculating all permutations, I found that the meaningful permutation is “major” and was greeted with the message “Congratulations – you guessed major in 15 attempts”. I accidentally looked at the URL of this page, http://jotto.ciphertechs.com/cgi-bin/jotto2.pl, saw that the game was written in Perl, and a bad thought passed through my head: to hack this game to get a better result.
