I’m working now in software branch for construction industry. After years of working together with my customers, I have found out that the IT security at the construction area is not getting enough attention. The world is moving on mobility and automation, people are trying to remotely control all equipment, to make everything working automatically or just to control the work progress. Same things happen to construction field too. We’re planning, developing many products so that we could optimize the workflow, centralize data, minimize risk… at best to save time and money for our customers.
Last week I’ve read small news on c’t magazine saying that the default password of EasyBox router used for Vodafone, Telecom, Arcor in Germany … was hacked by Sebastian Petters. That means if someone is using default settings of EasyBox, you can get his WLAN password easily and then access his network. This default password was generated by a algorithm and this algorithm was patented. Therefore like other patents, the complete description of algorithm was simply exposed on internet (http://www.patent-de.com/20081120/DE102007047320A1.html if you can read German). As you can see the algorithm is pretty simple, it just takes the MAC address of router, makes some computations with base changing, xor,plus… Therefore all we have to do is get the MAC address of victim, make a copy of the algorithm ourselves and then generate the default WLAN password.
Last year I have seen a lot of DDOS attacks aimed to website of news or independent communities. These websites were attacked by a botnet built from unknown virus (which wasn’t detected by any antivirus at that time). Some professionals found some variants of this virus but the websites were still heavily attacked.
Some of professional users are willing to help to find more variants of this virus. They would like to check if computers of their families are members of this botnet. However using a sniffer then running through forest of packet to identify which processes are flooding the websites, is too complicated for them.
On Saturday 06.08 I received an email of Twitter saying that my account was maybe hacked by someone. The content of email starts as below
Twitter believes that your account may have been compromised by a website or service
not associated with Twitter. We’ve reset your password to prevent others from
accessing your account….
I think that is again a spam trying to get my Twitter password. As usual I’ll delete it immediately but fortunately I look at the sender of the email and I’m pretty nervous because it’s real Twitter
From: "Twitter" <email@example.com>;
Some days ago, I heard about a Root CA was attacked and some CAs was faked up which leads to a serious security vulnerabilities that internet users lose their sensible data although they used https:// for communicating to web server. This issue made me think about a case study that “What would happen if a Root CA was controlled by a government ? Will I be attacked by Man-In-The-Middle in https:// ? Can I protect myself from being attacked like that ? Is SSL really secure at all ?”. So I try myself to find the answers for these questions and think that it can be interesting for you.
A normal user may be does not know anything about https:// or HTTP Secure, for example my wife says simply there is one more “s” in compare to http:// and that’s all. My friend says it’s address of website. We must enter correctly with the “s” at the end otherwise we’ll be prompted for wrong URL. They are perfect, innocent answers, aren’t they? As advanced users, we all know that there is a term of “Man-In-The-Middle” attack in which an attacker acts as a repeater and sniffs all transferred data between user and web server. So if we send and receive data in clear text, he can read our sensible data (username, password) and what he would do with this data, only God knows. Therefore a requirement as well as a solution for encrypting data before sending out of internet world was born, that is HTTP Secure.
Hacking WEP Password is not a new topic anymore since aircrack was first released in 2006. This software suite consists of many tools for detecting, analyzing, monitoring network, sniffing packing and hacking WEP / WPA (Dictionary attack) password. It only supports protocol 802.11x Wireless and network adapter with allows raw monitoring mode (a example list of this type of adapter you can find at following link http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#list_of_compatible_adapters).
Monitor mode is one of 6 modes which a 802.11 wireless card can operate in: Ad-hoc, Master (acting as access point) , Mesh, Monitor, Repeater. Unlike promiscuous mode, which is also used for packet sniffing and can be used on both wired and wireless networks, monitor mode allows packets to be captured without having to associate with an access point or ad-hoc network first and only applies to wireless networks. Therefore be careful when choosing network adapter, you must choose the correct one which stands on the support list otherwise you can not sniff packet from victim network. When I mean “correct”, I mean that it must be exactly same as stated in list. In my demo, I’ll use the USB Wireless Network Adapter “Netgear Wg111v2” which costs about 6 Euro on Ebay. You can find the version of this series on the side of USB stick like the image below.
When I was wandering on HVA, I found a thread introducing a guessing game which I discussed on this blog Rx and permutation. If you want to play, you can try it here http://jotto.ciphertechs.com/ . From my side, after 14 times trying to brute force the characters of password, I found out they are “a”, “j”, “m”, “o”, “r” as image below
After calculating all permutations, I found the meaningful permutation is “major” and was greeted with message “Congratulations – you guessed major in 15 attempts” . I look accidentally on the URL of this page http://jotto.ciphertechs.com/cgi-bin/jotto2.pl and saw that the game was written in Perl and a bad thought passed through my head to hack this game to get a better result.
Authentication is an important process of a internet service for authenticating users. For example, when you register an account for Yahoo mail, you will be asked for an ID and password so that only you can access to your email account. That means Yahoo will save your ID and your password in their servers so that they can compare with your input later. Your ID can be saved in clear text but the password will not be never saved under clear text. Yahoo uses its own algorithmus to make a hash of your password. For example your password is “123456789”, then Yahoo may save it as format “25f9e794323b453885f5181f1b624d0b”. In this way only you know the password and if the server is attacked, your password will be still safe. Furthermore password hash protects you from losing password through snipping on network connection.
Yesterday, I visited forum of RETEAM and found a thread asking which obfuscator is applied on the target. So curious, I downloaded the target and try to identify with my tool .Net Id and he could not identify which packer was used. The packer used for the target is .Net Reactor. My tool does not work because of my programming fault. I fixed it and it works again. I already added a new signature for PE Compact. During analyzing the assembly, I found that it is not difficult to write a tool to deobfuscate the target. Therefore I started to write DeReactor to deobfuscate .Net Reactor.
As you know, the obfuscator obfuscate all of functions, variable’s name, encrypt string and flow control. DeReactor will help you to achieve an assembly with easy-to-read source code.
.Net Reactor uses a simple tip to anti-decompile with .Net Reflector. He just added 3 instructions before each method so that Reflector confuses. They are ‘branch’, ‘pop’ and ‘load int 0’ instructions as you can see in the figure below:
This trick is also used in many other obfuscators. They just add some useless instructions in the header of each method and then put jump command to entry point at the top. With this way, they did not destroy or obfuscate any flow control but this trick can prevent Reflector from decompiling. This trick is pretty weak against an expert reverser but it is a good candidate to fight against script kiddie. It is also pretty simple to implement.
The second feature of .Net Reactor is that it will encrypt all of string into a unreadable form so that the reverser has no clue to find which he really wants. The way.Net Reactor works to decrypt the string during executing is pretty simple. He just encrypt the clear text and replace the clear text with encrypted one. Then inserted the decrypt function below this ‘ldstr’ instruction and this function will decrypt the string to original form and gives it back to the program as the figure below.
There are still a lot of things to do with this tool. But I hope in this beta version it will help you a little so that you can analyze your assembly easier.
Yesterday I made an article about unpacking .Net Reactor 184.108.40.206. You can can find it in my portal at post How to unpack .Net Reactor. In this article I introduce new way to unpack .Net Reactor. It is not the same as the ways which are used around the world now. I think it’ll help the others to find the other methods to unpack .Net assembly.
During writing this article and export it to PDF I found that there is a problem with my PDF converter. I write my article in Word and use an open source program PDF Creator to convert it to PDF. In my article I use hyperlinks to the website of tools. Instead of showing direct hyperlinks I hide the hyperlinks under the description. And PDF Creator can not render it. They just ignore the hyperlinks and therefore after converting into PDF, I can not click on the description to open the hyperlinks anymore. I do not know if there is another open source PDF converter. I thing PDF Creator is the best one but he did not support indirect hyperlinks until now. That is a big disadvantages. I have such problem in another open source software, that is FileZilla. FileZilla is a popular open source FTP Client but it does not support to get link after uploading. That is a big advantage that man must do it manually by copying the path and paste the file name behind. Sometimes I see that some popular open source software is not good enough as I expect. They try to implement something which I do need and pass all basic functions.
And last thing of yesterday is that with help of my cousin I found one of my beloved flash which I forgot its name after a long time. You can see it here, it is very meaningful. The interview with god.
The first news of today is that my soap comes back. Someone who stole it, gave it back. The way that my soap came back is exactly same as the way it went. Just after a night, it is here. :)).