Hello!
A few days ago some guys from xxx asked my friend to hack the MetaTrader client. This is the story of that hack.
The goal was to make the MetaTrader client work with an unofficial MT server. The first idea was to change the server IP inside the binaries, but that was impossible: the program is packed with the Themida packer.
So what to do?
A run-time patch.
He wrote a loader that starts the MT client and hooks the Win API connect() function. The MT client thinks it is connecting to the official server, but the loader forces it to connect to the client's own server instead.
It is just a little story about how software gets hacked.
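The trick above (hook connect() so the program talks to our server instead of the official one) can be shown in user space without any injection. The Python below is an added example, not my friend's loader: it patches the connect method of Python's own socket class inside the current process and steers a constructed "official" address (192.0.2.10:443, a documentation IP that is never contacted) to a fake server started on localhost. The real loader did the same thing to the native Win32 connect() of a packed process; that injection step is not reproduced here.

```python
"""Added example: the connect() redirect trick in user space.

Instead of injecting into a packed native process and patching the Win32
connect() import (what the loader in the story did), this patches the
connect method of Python's own socket class for the current process. The
'official' address 192.0.2.10:443 and the fake server are constructed for
the demo; 192.0.2.0/24 is a documentation range and is never contacted.
"""
import socket
import threading

# (host, port) the program thinks it is calling -> (host, port) it really gets
REDIRECTS = {}

_original_connect = socket.socket.connect  # keep the real implementation


def _hooked_connect(self, address):
    """Drop-in replacement for socket.connect with the redirect applied."""
    target = REDIRECTS.get(tuple(address), address)
    return _original_connect(self, target)


def install_hook(redirects):
    """Patch socket.socket.connect process-wide with the given mapping."""
    REDIRECTS.clear()
    REDIRECTS.update({tuple(k): tuple(v) for k, v in redirects.items()})
    socket.socket.connect = _hooked_connect


def remove_hook():
    """Restore the genuine connect() and forget the mapping."""
    socket.socket.connect = _original_connect
    REDIRECTS.clear()


class FakeServer:
    """Stand-in for 'our own' server: greets one client with a banner."""
    BANNER = b"fake-server-hello\n"

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # port 0: the OS picks a free one
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(self.BANNER)

    def close(self):
        self.sock.close()


def demo():
    """Connect to the 'official' address while hooked; return what we got.

    Without the hook this would try to reach 192.0.2.10 and fail; with it,
    the client never notices it was steered to 127.0.0.1."""
    server = FakeServer()
    install_hook({("192.0.2.10", 443): ("127.0.0.1", server.port)})
    try:
        client = socket.socket()
        client.settimeout(5)
        client.connect(("192.0.2.10", 443))   # the address the 'client' wants
        with client:
            data = client.recv(64)
    finally:
        remove_hook()
        server.close()
    return data


if __name__ == "__main__":
    print(demo())
```

The mapping is keyed on the exact (host, port) the program asks for, which is also how a native hook would compare the sockaddr handed to connect(); anything not in the table passes through untouched, so the rest of the program keeps working.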
Saturday, November 19, 2011
Tuesday, July 19, 2011
The Uses of Computers in Insurance
- Computers have helped to streamline the insurance industry, making it possible for insurance companies and the agencies that represent them to take on more clients and provide them faster service. Computers serve a variety of key functions within the insurance industry, and will likely continue to do so in the future.
Record-Keeping
- Computers give insurance agents and their staff a convenient way to store customer records. Keeping records in a database with encryption and access controls lets companies keep client data confidential. The days of stacks of filing cabinets have long since passed: computers save space and make data available to agents and underwriters at the touch of a button.
Tuesday, June 28, 2011
How to peep through another laptop's built-in webcam: learn how to use a built-in webcam for your own purposes
Some people genuinely believe their laptop's built-in webcam can spy on them and are wary of it; some are so afraid of being watched that they even tape over the device's watchful eye. As this article shows, the worry is not unfounded. We'll show you how to take control of a built-in laptop webcam and put it to use for civilian purposes, and for some not-so-civilian ones too.
Implementation: first annoying troubles
I was surprised and disappointed to learn that the great and mighty .NET Framework offers no easy way to talk to a web camera. In .NET 4 the situation improved a little (Silverlight projects got some relevant classes), but I didn't have time to test that, because I started writing the code examples for this article before VS2010 and .NET 4 were officially released.
Almost desperate, I buried myself in Google. All I found were MSDN pages and links about DirectDraw. I even tried to knock together a simple application, but with no DirectDraw experience I opened a can of worms: I wrote the application, but never managed to find and fix all the bugs in it.
Getting more desperate still, I started browsing Western resources. After a few dozen links I had dug up a lot of goodies: various sample applications and short articles (Americans don't like to write at length). I even found a working DirectDraw-based sample, but the source code horrified me; it was really hard to follow. So I decided not to bother with that and to look for an easier route. I had barely closed the first DirectDraw sample when my eye caught another one: its author had written a whole library for handling webcams and other video capture devices on top of the VFW (Video for Windows) API.
Sadly, that library was stripped to the bone. All it could do was display the webcam picture; it could neither capture individual frames nor record video, nor do anything else useful.
Nevertheless, my gut told me this project was what I was looking for. Even before I skimmed its code I saw the names of familiar window messages and no less familiar WinAPI functions. Once upon a time I had to write a Delphi application to operate a webcam, and that is where I first met these functions.
Ready!
A single PC or laptop can have several webcams connected at once. An example is not hard to find: at work I often have to set up simple video conferences, usually with two participants, each filmed by a separate camera, and both cameras are plugged into my PC. When I start shooting, I pick the camera to work with in a dedicated program. Since we've decided to take the webcam under our control, we'll have to figure out how to list the video capture devices installed in the system and pick the one to work with.
The Windows API provides the capGetDriverDescription() function for this simple task. It takes five parameters:
- wDriverIndex – index of the capture driver, from 0 to 9;
- lpszName – pointer to the buffer that receives the driver name;
- cbName – size of the lpszName buffer, in bytes;
- lpszVer – pointer to the buffer that receives the driver's version/description;
- cbVer – size of the lpszVer buffer, in bytes.
The function returns TRUE on success. Now that we know its signature, let's see how to declare it in C#:
[DllImport("avicap32.dll")]
protected static extern bool capGetDriverDescriptionA(short wDriverIndex, [MarshalAs(UnmanagedType.VBByRefStr)] ref String lpszName, int cbName, [MarshalAs(UnmanagedType.VBByRefStr)] ref String lpszVer, int cbVer);
Note that before declaring the function you must name the DLL that exports it, in our case avicap32.dll (the A suffix selects the ANSI version of the function). With the function imported, we can write the class that uses it. I won't show the whole class, only its key method:
public static Device[] GetAllDevices()
{
    ArrayList devices = new ArrayList();   // requires using System.Collections;
    // capGetDriverDescription writes into these buffers, so pre-size them
    String dName = "".PadRight(100);
    String dVersion = "".PadRight(100);
    // MSDN: capture driver indices run from 0 to 9
    for (short i = 0; i < 10; i++)
    {
        if (capGetDriverDescriptionA(i, ref dName, 100, ref dVersion, 100))
        {
            Device d = new Device(i);
            d.Name = dName.Trim();
            d.Version = dVersion.Trim();
            devices.Add(d);
        }
    }
    return (Device[])devices.ToArray(typeof(Device));
}
The code is child's play. The interesting part is the loop that calls the capGetDriverDescription function described above. MSDN says its index (the first parameter) can run from 0 to 9, so we deliberately loop over exactly that range. The result is an array of Device objects (a small class I defined myself; see the full source).
Once we have the device list, we need to display the camera's video stream. The capCreateCaptureWindow() function exists precisely to create a capture window for that.
Jumping ahead a little: every further action involving the camera boils down to sending messages to the capture window. Yes, we'll have to use SendMessage(), painfully familiar to every Windows programmer.
Now let's look at capCreateCaptureWindow() more closely. It takes eight arguments:
- lpszWindowName – null-terminated string with the name of the capture window;
- dwStyle – window style;
- x – X coordinate;
- y – Y coordinate;
- nWidth – window width;
- nHeight – window height;
- hWnd – parent window handle;
- nID – window ID.
The function returns the handle of the created window, or NULL on error. It is a WinAPI function too, so it also has to be imported. I won't show the import, as it is almost identical to the one for capGetDriverDescription(). Let's look at the camera initialisation instead:
// lpszWindowName is a string; here it holds the device index converted to text
deviceHandle = capCreateCaptureWindowA(ref deviceIndex, WS_VISIBLE | WS_CHILD, 0, 0, windowWidth, windowHeight, handle, 0);
// Attach the capture window to the driver with the chosen index
if (SendMessage(deviceHandle, WM_CAP_DRIVER_CONNECT, this.index, 0) > 0)
{
    SendMessage(deviceHandle, WM_CAP_SET_SCALE, -1, 0);        // -1 == TRUE: scale frames to the window
    SendMessage(deviceHandle, WM_CAP_SET_PREVIEWRATE, 0x42, 0); // preview every 66 ms (about 15 fps)
    SendMessage(deviceHandle, WM_CAP_SET_PREVIEW, -1, 0);      // preview on
    SetWindowPos(deviceHandle, 1, 0, 0, windowWidth, windowHeight, 6); // 6 = SWP_NOMOVE | SWP_NOZORDER
}
Immediately after the window is created, the code sends a WM_CAP_DRIVER_CONNECT message to attach it to the selected capture driver; a nonzero result means the connection succeeded.
Now let's imagine the gods are on our side today and send several more messages straight away: WM_CAP_SET_SCALE, WM_CAP_SET_PREVIEWRATE and WM_CAP_SET_PREVIEW. Alas, the same story as with the functions: C# knows nothing about these constants, so you have to define them yourself. They are all offsets from WM_USER (0x400). The full list, with comments, follows.
// Base for the capture messages: WM_USER
private const int WM_CAP = 0x400;
// Connect the capture window to a capture driver (WM_CAP + 10)
private const int WM_CAP_DRIVER_CONNECT = 0x40a;
// Disconnect from the capture driver (WM_CAP + 11)
private const int WM_CAP_DRIVER_DISCONNECT = 0x40b;
// Copy the current frame to the clipboard (WM_CAP + 30)
private const int WM_CAP_EDIT_COPY = 0x41e;
// Preview mode on/off (WM_CAP + 50)
private const int WM_CAP_SET_PREVIEW = 0x432;
// Overlay mode on/off (WM_CAP + 51)
private const int WM_CAP_SET_OVERLAY = 0x433;
// Preview rate in milliseconds (WM_CAP + 52)
private const int WM_CAP_SET_PREVIEWRATE = 0x434;
// Scale the preview to the window on/off (WM_CAP + 53)
private const int WM_CAP_SET_SCALE = 0x435;
// Window styles for the capture window
private const int WS_CHILD = 0x40000000;
private const int WS_VISIBLE = 0x10000000;
// Set the frame callback function (WM_CAP + 5)
private const int WM_CAP_SET_CALLBACK_FRAME = 0x405;
// Grab a single frame from the capture driver (WM_CAP + 60)
private const int WM_CAP_GRAB_FRAME = 0x43c;
// Save the current frame to a DIB (.bmp) file (WM_CAP + 25)
private const int WM_CAP_SAVEDIB = 0x419;
I'll skip the rest of the class, since I've covered its basic structure; the remainder is easy to work out from my well-commented source code. The one thing I don't want to leave behind the scenes is an example of using the library.
In all, I implemented a handful of methods: GetAllDevices (already discussed), GetDevice (get a capture device by its index), ShowWindow (display the webcam video stream), GetFrame (save an individual frame to an image file) and GetCapture (record the video stream).
To demonstrate that the library works, I made a small application with one ComboBox (holding the list of available capture devices) and a few buttons: "Refresh", "Start", "Stop" and "Screenshot". Ah yes, there's also an Image component that displays the camera's video stream.
Let's start with the "Refresh" button, which fetches a fresh list of installed capture devices. The event handler:
Device[] devices = DeviceManager.GetAllDevices();
foreach (Device d in devices)
{
cmbDevices.Items.Add(d);
}
Simple, isn't it? That's the joy of object-oriented programming: the library does all the dirty work. The code that displays the camera's video stream is even shorter:
Device selectedDevice = DeviceManager.GetDevice(cmbDevices.SelectedIndex);
selectedDevice.ShowWindow(this.picCapture);
Again, a piece of cake. Now let's look at the "Screenshot" handler:
Device selectedDevice = DeviceManager.GetDevice(cmbDevices.SelectedIndex);
selectedDevice.FrameGrabber();
I won't dwell on FrameGrabber() (the method listed above as GetFrame). In my source it saves the current frame straight to the root of the system drive. Of course that is not how it should be, so make the necessary changes before using the application in the field.
Steady!
Now it's time to talk about building a simple but reliable video-surveillance system. Such systems are typically based on one of two algorithms: two-frame differencing or a simple background model. Implementing them from scratch is a fair amount of work, so at the last moment I took the easy road: the powerful but still little-known AForge.NET framework.
AForge.NET is aimed primarily at developers and researchers. It greatly simplifies work in areas such as neural networks, image processing (filtering, editing, per-pixel operations, resizing and rotation), genetic algorithms, robotics, interaction with video devices, and so on. It ships with good documentation that covers the whole product; take the time to read it thoroughly. I'd especially like to mention the quality of the framework's source code: digging through it is a real pleasure.
Back to our immediate problem. Frankly, the framework solves it as easily as two and two. "Then why did you fry my brain with all those WinAPI functions?" you'll ask, annoyed. Just so you're not limited in any way. There are different kinds of projects: in one case .NET is more convenient, in another plain old WinAPI is the easier way out.
Back to the problem once more. To implement the motion detector we'll use the framework's MotionDetector class. It works with Bitmap objects and quickly computes the percentage of difference between two images. An example:
// using AForge.Vision.Motion;  (AForge.Vision.dll)
MotionDetector detector = new MotionDetector(
    new TwoFramesDifferenceDetector(),   // detection: difference of consecutive frames
    new MotionAreaHighlighting());       // processing: highlight the changed areas

// Next frame processing (runs for every frame received from the camera)
if (detector != null)
{
    // fraction of the frame (0.0 .. 1.0) that changed since the previous frame
    float motionLevel = detector.ProcessFrame(image);
    if (motionLevel > motionAlarmLevel)
    {
        // keep the alarm indicator lit for about two seconds
        flash = (int)(2 * (1000 / alarmTimer.Interval));
    }
    // only taken if the processing algorithm is swapped for BlobCountingObjectsProcessing
    if (detector.MotionProcessingAlgorithm is BlobCountingObjectsProcessing)
    {
        BlobCountingObjectsProcessing countingDetector = (BlobCountingObjectsProcessing)detector.MotionProcessingAlgorithm;
        objectsCountLabel.Text = "Objects: " + countingDetector.ObjectsCount.ToString();
    }
    else
    {
        objectsCountLabel.Text = "";
    }
}
The code above (apart from the MotionDetector initialisation) runs for every frame received from the webcam. ProcessFrame compares the new frame with the previous one and returns the fraction of the frame that changed. If motionLevel exceeds motionAlarmLevel (0.015f, i.e. 1.5 % of the frame) it's time to sound the alarm: motion has been detected. The object-counting branch only fires if you replace MotionAreaHighlighting with BlobCountingObjectsProcessing when constructing the detector. One of the screenshots clearly shows the motion detector at work.
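As an added example (my own code, not the article's and not AForge's), here is the first of those two algorithms, two-frame differencing, written out in Python so you can see what ProcessFrame actually computes. The frames are constructed 8-bit grayscale images stored as lists of rows; the per-pixel threshold of 15 is this example's assumption, and the alarm level of 1.5 % matches the 0.015f used above.

```python
"""Two-frame differencing motion detector (added example in Python).

The article's own code delegates this to AForge.NET's
TwoFramesDifferenceDetector; this is the same idea spelled out. Frames
are 8-bit grayscale images as lists of rows; all sample frames below are
constructed, no camera is touched.
"""

PIXEL_THRESHOLD = 15        # assumed: |difference| above this counts as "changed"
MOTION_ALARM_LEVEL = 0.015  # the article's alarm fraction (1.5 % of the frame)


def motion_level(prev, curr, threshold=PIXEL_THRESHOLD):
    """Fraction of pixels whose intensity changed by more than `threshold`.

    This is the number AForge's ProcessFrame() returns for the two-frames
    detector: 0.0 for identical frames, 1.0 if every pixel changed."""
    if not prev or len(prev) != len(curr) or len(prev[0]) != len(curr[0]):
        raise ValueError("frames must have identical, non-empty dimensions")
    changed = sum(
        1
        for row_a, row_b in zip(prev, curr)
        for a, b in zip(row_a, row_b)
        if abs(a - b) > threshold
    )
    return changed / (len(prev) * len(prev[0]))


def motion_mask(prev, curr, threshold=PIXEL_THRESHOLD):
    """1 where motion was detected, 0 elsewhere (the 'highlighting' step)."""
    return [[1 if abs(a - b) > threshold else 0 for a, b in zip(ra, rb)]
            for ra, rb in zip(prev, curr)]


class TwoFrameMotionDetector:
    """Keeps the previous frame and raises an alarm when the changed
    fraction exceeds alarm_level. The very first frame can never alarm,
    because there is nothing to compare it with."""

    def __init__(self, alarm_level=MOTION_ALARM_LEVEL):
        self.alarm_level = alarm_level
        self.previous = None

    def process_frame(self, frame):
        """Return (motion_level, alarm) for this frame and remember it."""
        if self.previous is None:
            self.previous = frame
            return 0.0, False
        level = motion_level(self.previous, frame)
        self.previous = frame
        return level, level > self.alarm_level


def make_frame(width, height, background=40, box=None, box_value=200):
    """Constructed test frame: flat background plus an optional bright box
    (x0, y0, x1, y1) standing in for an object that entered the scene."""
    frame = [[background] * width for _ in range(height)]
    if box:
        x0, y0, x1, y1 = box
        for y in range(y0, y1):
            for x in range(x0, x1):
                frame[y][x] = box_value
    return frame


def demo():
    """Feed four constructed frames (40x30 = 1200 pixels) through the detector."""
    det = TwoFrameMotionDetector()
    empty = make_frame(40, 30)
    noisy = make_frame(40, 30, background=44)             # sensor noise: +4, under threshold
    intruder = make_frame(40, 30, box=(10, 10, 20, 20))   # 100 pixels jump to 200
    return [det.process_frame(f) for f in (empty, noisy, intruder, intruder)]


if __name__ == "__main__":
    for level, alarm in demo():
        print("motion %.4f  alarm=%s" % (level, alarm))
```

The per-pixel threshold is what keeps sensor noise from tripping the alarm (the second frame changes every pixel by 4 and still scores 0.0); the alarm level then decides how much of the frame has to change. The background-model variant the article mentions differs only in what `previous` holds: a slowly updated average of past frames instead of the last one.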
Go!
Any webcam can be adapted for face recognition and a smarter system logon. If after reading all this you think that's difficult, you're completely wrong! In late March a sample (and later a link to an article) appeared on http://codeplex.com (Microsoft's open-source project hosting) demonstrating face detection with a webcam. The sample is built on the new capabilities of .NET and Silverlight. It can't be covered within a single magazine article, because its author tried to do everything as elegantly as possible: you'll find image-processing algorithms (blur filter, noise reduction, pixel-by-pixel comparison, stretching, etc.), demonstrations of the new Silverlight features, and much more. In other words, it gets the "must use" label without a doubt. See the project and article links below.
Finish
All the sample applications reviewed in this article give you a good starting point. On their basis it's easy to build a professional webcam tool and earn a few hundred bucks a quarter selling it, or to build a nasty, creepy spy Trojan.
Recall the article about backing up Skype conversations. It said that the era of keyloggers had passed; audio and video data are the hot item now. Considering that today a webcam is a mandatory attribute of any laptop, it's easy to imagine how many interesting videos you could shoot by slipping this kind of "useful program" to your victim... But I didn't tell you any of that, did I? :) Good luck with your coding! And remember, if you have any questions, feel free to ask me.
WWW
http://blogs.msdn.com/ – "Silverlight 4 real-time Face Detection" Russian version.
http://facelight.codeplex.com/ – "Facelight" project is hosted up here. It allows real time face recognition. If you’re going to code some serious software for person identification or system logon, then you’re simply obliged to check out this project.
http://www.aforgenet.com/framework/ – AForge .NET - is an excellent and easy to use framework for video and image handling.
Hackers’ playground: hackers’ brain-twisters
Have you ever thought about legal hacking? Is it possible to do what you love and pump up your pentesting skills without breaking the law? Where is it safe to try out some injections and experiment with web exploits without worrying whether your VPN is on? How do you test your hacking skills, starting from a bug in a script and going all the way to root on the system? You know... there is a way!
We're often asked the same question: "How do I learn hacking?" The answer is simple: study it like any other subject. First study the theory deeply and thoughtfully, and only then move on to practice. The only difference is that there are plenty of books for learning mathematics, but not for hacking. Or so it seems. You'll object: "What do you mean? What about all those shareware programs and web resources? There are so many of them; aren't they great hacking playgrounds?" Well, that is an option. But first, experiments started that way can end very quickly. And second, charging at serious web resources with no experience under your belt is like leaping without looking. That kind of "activity" is neither safe nor smart. There is a better option!
Many companies that train information-security professionals prepare them to face various kinds of problem situations. These are like maths exercises, only in a pentest context. Similar exercises are also offered by enthusiasts who use them to show off different hacking techniques. Old versions of well-known products are often taken as the basis, because they are full of unpatched vulnerabilities. Sometimes such quests are written from scratch, but in any case they contain deliberately embedded bugs that can be exploited. Some of these sites are hosted on the public web and offer a unique ][-quest to complete (like our own project at www.ring0cup.ru), others must be installed on your own web server, and still others ship as a virtual machine image that you simply run. So today we'll try to make sense of the variety of such projects.
Damn Vulnerable Web App
Web application vendors usually like to boast about the high reliability of their product and its built-in WAF (a firewall for web applications) at every opportunity, but laugh it off bashfully when yet another bug turns up in their code. By contrast, the developers of Damn Vulnerable Web App (DVWA) state outright that installing it on a live web server is unacceptable, because the application is... "damn vulnerable" :). All the most common mistakes ever made by amateur programmers are gathered in one place, so you can practise carrying out different kinds of attacks.
The most popular platform, PHP/MySQL, was chosen, which is why we begin our review with DVWA. To save time setting up a web server, download a ready-made bundle such as Denwer or XAMPP. Then all you need is to unpack the files into the public HTML directory and type http://127.0.0.1/dvwa/index.php into the browser's address bar. You don't even have to create the database by hand: there's a "Create/Reset Database" button. If you still want to tweak something, edit /config/config.inc.php. One more point concerns the PHP settings: make sure the following are set in php.ini:
magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On
These settings deliberately weaken PHP (allow_url_include is what makes remote file inclusion possible, and magic_quotes_gpc was removed altogether in PHP 5.4), so keep such an installation on localhost or in an isolated VM.
DVWA is also updated regularly. In late 2009 it was even purchased by investors, so we may well see significant improvements soon.
Mutillidae
Originally the creator of this project set out to make a video tutorial on web application pentesting for beginners, explaining the basics. He ran into trouble when it came to choosing a suitable platform for demonstrating the various vulnerabilities: he simply couldn't find one. Most solutions were too hard to use for explaining the basics to beginners just getting acquainted with web application security. That is how Mutillidae was born.
The creator took the OWASP Top 10 list of vulnerability types (SQL injection, XSS, CSRF and so on) and wrote scripts so that anyone interested could try exploiting each of them. The scripts are intentionally written as simply as possible to make the vulnerabilities easy to understand. Mutillidae installs easily on Windows, Linux and XAMPP-based servers. The databases are created with a single click: just choose "Setup/reset the DB" on the project's main page. The author suggests reading about each OWASP Top 10 vulnerability in turn and trying your hand at Mutillidae after working out each exploit. If your attempt succeeds, the second half of the quest is to fix the bug you found.
WebGoat
The creator of Mutillidae said that most hacking quests are not designed for beginners, and WebGoat is among them. The project is notable for being developed within the above-mentioned OWASP (Open Web Application Security Project), under whose auspices a large number of security utilities are produced. Whereas the two previous projects are PHP based, here you'll be dealing with Java. A standard Tomcat server for hosting the J2EE application is bundled with WebGoat and preconfigured so that launching it is as simple as possible:
- Unpack WebGoat-OWASP_Standard-xx.zip into your working directory.
- Start the Tomcat daemon by launching webgoat.bat (the system must have a recent Java installed).
- Open your browser and go to http://localhost/WebGoat/attack.
- Log in as guest/guest.
- Now get cracking on finding vulnerabilities.
Usually each quest is tied to some realistic problem. In one of them, for instance, you're asked to perform an SQL injection to steal a list of fake credit card numbers. Some quests come with a training component that shows the user helpful hints and the vulnerable code in question.
SecuriBench
After working through all the intricate quests of WebGoat you can move on to a more complex project, Stanford SecuriBench. Its developers didn't write it from scratch with deliberately planted vulnerabilities. Instead they went the other way and gathered a selection of eight real-life programs, all written in Java: the jboard forum engine, the blueblog blogging script and so on. Naturally, old, unpolished releases that had not yet shown up on Bugtraq were chosen as samples. Still, these are real applications whose authors had given some thought to protection, so exploiting them will not be that easy. Essentially, SecuriBench is just a collection of vulnerable programs, so you'll have to install and configure each of them by hand, and of course set up the Tomcat server first.
It's worth noting that the project was born while its creators were working on static code analysis tools, so if you need a guinea pig for testing a code analysis tool, SecuriBench is just what you need.
Moth
Another collection of real applications comes in the Moth project, but in a completely different form. It differs from the other projects in its distribution: a virtual machine image with Ubuntu 8.10 installed. To run it you need any VMware product that can launch a virtual machine image file (the free VMware Player included).
Moth is configured to obtain all its network settings from a DHCP server, so make sure the virtual machine's network settings suit it (my router assigns IPs automatically, so I just choose Bridged mode, which puts the virtual machine on the physical network). Next, start the virtual machine, log in (moth/moth), check the IP address the system was assigned with ifconfig, and open the Moth front page at http://<moth-ip_address>. From there you can browse the scripts of some well-known products preinstalled on the web server: the WordPress 2.6.5 blog engine, the Vanilla 1.1.4 forum script and other PHP/MySQL-based scripts, as well as a single Java+Tomcat6+MySQL project.
To make things more realistic, each script can be reached in three ways: directly, through mod_security and through PHP-IDS:
- http://moth/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>
- http://moth/mod_security/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>
- http://moth/php-ids/w3af/audit/xss/simple_xss.php?text=<script>alert('xss');</script>
mod_security and PHP-IDS are WAFs (web application firewalls) that add a layer of protection for web applications (see our "Firewall for Web applications" article in the October issue of "Hacker" for details). Each keeps a detailed log of suspicious requests, so this is a great way to understand how a WAF works and how it can be fooled. The project is updated continually, and its creators promise to add vulnerable applications written in Python and Ruby in the near future.
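Here is a small harness for those three entry points, as an added example (my own Python, not part of Moth or this article): it sends one payload through the direct, mod_security and PHP-IDS paths and reports whether it came back reflected unescaped, was blocked outright, or was flagged. The verdict rules (a 403 means blocked, a page mentioning "IDS" or "detected" means flagged) are this example's assumptions about how those two WAFs answer; the stub fetcher with its constructed responses exists only so the script runs offline, and the host name moth is the one from the URLs above.

```python
"""WAF path comparison harness for the Moth entry points (added example).

Sends the same payload through the direct, mod_security and PHP-IDS
paths and classifies each answer. The classification rules and the stub
responses are assumptions made for this example, not Moth's behaviour.
"""
import urllib.error
import urllib.parse
import urllib.request

PATHS = {
    "direct": "/w3af/audit/xss/simple_xss.php",
    "mod_security": "/mod_security/w3af/audit/xss/simple_xss.php",
    "php-ids": "/php-ids/w3af/audit/xss/simple_xss.php",
}


def build_url(host, path, payload):
    """URL-encode the payload so it survives the trip; the server decodes it."""
    return "http://%s%s?%s" % (host, path, urllib.parse.urlencode({"text": payload}))


def urllib_fetch(url):
    """Real fetcher: returns (status, body); HTTP errors become a status too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def classify(status, body, payload):
    """Verdict for one path (this example's own convention)."""
    if status in (403, 406, 501):          # assumed: codes a WAF uses to deny
        return "blocked"
    if payload in body:
        return "reflected"                 # verbatim in the page: the script would run
    if "IDS" in body or "detected" in body.lower():   # assumed PHP-IDS report page
        return "flagged"
    return "escaped-or-missing"


def compare_paths(host, payload, fetch=urllib_fetch):
    """Return {path_name: verdict} for one payload across all three paths."""
    results = {}
    for name, path in PATHS.items():
        status, body = fetch(build_url(host, path, payload))
        results[name] = classify(status, body, payload)
    return results


# ---- constructed offline stand-in for the Moth VM ----
def stub_fetch(url):
    """Mimics: direct path reflects, mod_security returns 403,
    PHP-IDS lets the request through but shows its detection notice."""
    if "/mod_security/" in url:
        return 403, "<h1>Forbidden</h1>"
    text = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["text"][0]
    if "/php-ids/" in url:
        return 200, "<p>PHPIDS detected an impact of 27</p>"
    return 200, "<html><body>%s</body></html>" % text


def demo():
    """Run the classic payload from the URLs above through the stub."""
    return compare_paths("moth", "<script>alert('xss');</script>", fetch=stub_fetch)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-13s %s" % (name, verdict))
```

Against a real Moth VM, call compare_paths with the default fetcher and a list of payload variants (case changes, encodings, event handlers) and diff the verdict tables: the rows where "direct" says reflected but the WAF column stops saying blocked are exactly the bypasses the WAF logs will not explain for you.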
Information Security products’ test platforms
The Moth distribution was created with a specific purpose. Just as we once set up a virtual-machine system for convenient antivirus testing, the author of Moth collected vulnerable web projects so that automated security scanners could be tested conveniently. The result was a platform he used to test some commercial products and the open-source w3af framework, which was designed specifically to simplify finding and exploiting vulnerabilities in web applications. Commercial scanner vendors are also actively building such test beds. After all, where else would they debug their products and show clients what they can do?
Thus the Acunetix WVS developers offer no fewer than three test sites built on different platforms: testphp.acunetix.com, testasp.acunetix.com and testaspnet.acunetix.com. HP's test resource (in theory meant for HP WebInspect) is at zero.webappsecurity.com. The IBM Rational AppScan hacking platform is at demo.testfire.net. Don't bother trying to find bugs there by hand; instead, try running an automated scanner against them.
Vulnerable OS
The creator of pWnOS decided not to limit himself to web applications but to build an entire vulnerable system as a virtual machine image. Your main task is to "get root". The legend: you are a pentester hired to assess the security of a dedicated server. That's where the game starts. You'll go through finding live hosts with nmap, hunting for vulnerable services, obtaining SSH credentials, finding local exploits and so on. A paradise for beginners, in a word. Tips, walkthrough hints and instructions on getting it running in VirtualBox can be found at forums.heorot.net.
We've written about the Damn Vulnerable Linux project a couple of times already; it is probably the best known of the projects discussed today. Anyone who wants to practise hunting for vulnerabilities will like this distribution: it contains buggy daemons that are easy to exploit, vulnerable scripts that allow the most common kinds of attack (SQL injection, XSS, etc.) and simply under-secured applications deliberately left there by the developers. The system ships as a LiveCD image and runs easily in a virtual machine under VMware or VirtualBox.
Another project, De-ICE PenTest, is no longer a single system but three in one. The legend: the CEO of a company must have his IT infrastructure pentested to report to the board of directors. For the sake of appearances he hires a rookie and tells him to pentest one of the servers, convinced that everything is more than secure. Once you've dealt with that task, you're asked to do a more complex pentest of another system: the second quest. When critical flaws turn up there too, the director hands you a range of IP addresses and says: "Do whatever you want!" Each of the three tasks ships as a LiveCD and can also be run in a virtual machine. Setup instructions and walkthrough tips are at de-ice.hackerdemia.com/doku.php.
Cracking and reversing
Throughout this material we have dealt exclusively with web hacking, leaving out the cracking of programs. What about those who want to get into reversing? Fortunately, reversing has never been short of exercises. Beginner and experienced crackers alike can entertain themselves with small programs written specifically to be cracked: the so-called crackmes, which can be downloaded from sites such as www.crackmes.de or www.tdhack.com. For convenience they are sorted by difficulty, from simple tasks for those just mastering the debugger to complex puzzles stuffed with anti-debugging tricks that rival the serious protection of real products. If you get stuck, you can always ask the huge cracker community for help. By the way, if you're serious about cracking, I'd recommend our old article "Cracking is simple", published in ][ #08/2005, where we covered the main points and the simplest methods by analysing one of the most popular crackmes.
Exploits development
If you look carefully at the descriptions of the latest exploits, you will notice that most of them target older versions of applications that are still in use. The most striking example is IE8: on Vista/Windows 7 it cannot be exploited, yet new public exploits for IE 6/7 on XP keep appearing every month. So we will start with IE. But where do you get the old versions if your system was upgraded to IE8 long ago? Internet Explorer Collection helps here: a single installer sets up every version of Internet Explorer at once and lets you switch between them quickly. It registers the different IE engines so that they do not conflict with one another. Bear in mind, though, that older browser versions may have trouble running on the latest versions of Windows.
Fine, but what about other browsers and other software? Where can their old vulnerable versions be found? Of course, it is better (more correct, I'd say :)) to look for vulnerabilities in new versions. But if you still want to practise with ready-made exploits to get your bearings, services like oldapps.com and oldversion.com, which host old versions of various software, will help. For example, you can easily download a few dozen Winamp versions, starting from release 0.2. Just imagine how much time has passed!
Do you really need this all?
You can read any number of ready-made manuals and follow someone's supposed "hacking" step by step, or download ready-made exploits and run them without really understanding what they do. Do you really need that? Is it interesting? After all, if you work things out and understand every step you take, you will enjoy the process far more. This material is unlikely to be useful to experienced pentesters, but if you are just starting your pentest journey, take note of these resources. There is simply no more effective and safe way to learn the basics of pentesting.
Hackers’ brain-twisters
One of the most entertaining ways to have fun with hacking is to rack your brains over a hacker's brain-teaser, which is what hacking quests are. Some of them are scored by the time taken to solve a problem and the number of wrong answers submitted. If you have ever tried our ][-contests, you know what I mean. Several quests are still available at the ring0cup.ru project, so if you want to try your hand at tracking down a malicious Trojan author and stealing his logs, or at decrypting a traffic dump that carries a company's financial flows, then welcome! Many web resources have such quests in their arsenal; here is a brief look at some of them:
- mod-x.com. In this online game you play an agent of the Mod-X organisation. You are given a task and must complete it. Tasks are grouped by difficulty level, so the further you go, the more fun it gets.
- hax.tor.hu/welcome. This quest warms you up with five simple tasks.
- quest.fsb-my.name/index.php. A very good quest offering a wide variety of tasks, including crackmes.
- vicnum.ciphertechs.com. A kind of "Capture the flag" competition with a large number of ][-tasks. As the project is open source, you can also study the game from the inside.
This list could go on and on. If it is not enough for you (it probably won't be), I recommend the excellent hackergames.net, which links to more than 150 quests and challenges (with players' comments) as well as walkthroughs on how to pass them.
WWW
Projects that, for various reasons, did not make the list above:
- The Butterfly Security Project
- Good old hackme quests from Foundstone
- OWASP InsecureWebApp
- BadStore
- OWASP SiteGenerator
INFO
Talking about legal hacking platforms is not a waste of time. We think this is the best way to try your hand at hacking with no risk of harming anybody or of being punished for it.
Phone pranks: hacker’s approach to IP-telephony
The Clickatell service (which allows sending SMS from any number) seemed a real find not so long ago. Everybody played with it for a while and soon got bored. It's time to take the next step and work out how to make a call and talk to somebody from an arbitrary number, how to intercept voice traffic, how to guess the password of a SIP provider account, and, at the same time, how to make the best use of the remarkable VoIP technology.
Where’s the damn low-cost communications?
There are many implementations of the technology generally known as Voice over IP. Take the well-known Skype. Its creators developed their own data transmission protocol, which relays data between users who cannot establish a direct connection because of their firewalls and routers. By the way, Niklas Zennström and Janus Friis patented their peer-to-peer technology before selling Skype to eBay, and now (after a multi-billion-dollar deal) they are going to get their brainchild back. But that is not the point. The question is: who offers the cheapest VoIP calls? The answer is simple: nobody.
The choice depends on your needs and on where you call. Take Skype again: its prices are generally reasonable, and it now even offers an unlimited-calls package for a pretty small monthly fee (calls to Russia, I should note, are not covered). On the other hand, you immediately become a hostage of the original software client, which means you cannot, for instance, integrate your Skype account into a hardware device. To keep their hands free, many people prefer SIP (Session Initiation Protocol) and IAX (Inter-Asterisk eXchange), which are used by a large number of providers. Because these standards are open, there are many ways to use them, with numerous software and hardware implementations. One of the most successful softphones (which in fact has no serious competitors) is X-Lite (www.counterpath.com).
There are so many operators offering services based on these technologies that reviewing or comparing them would be pointless. Instead, let me tell you about an interesting company: Betamax. It is one of the largest VoIP providers in Europe, but it does not deal with individuals directly; it provides its facilities and technology to many resellers. The trick is that each reseller has a particular target audience and adjusts its tariffs accordingly. If one operator charges for calls to Turkey, there is a fair chance another offers them for free; www.12voip.com is one such. So how do you find the right operator? There is a special site where all the resellers' tariffs are collected and grouped automatically. Keep it secret: backsla.sh/betamax. Browsing it, you will find operators that call almost every European country completely free of charge. Alas, free calls to Russia are available only to St. Petersburg and Moscow.
There is another interesting aspect. Each Betamax service offers a Direct Call feature that lets both parties talk using nothing but an ordinary phone, with no headset at all. Here is how it works: you type your own phone number and your contact's number into the two fields and press "Connect". Within a couple of seconds you receive a call, so the first party is on the line. The service then calls your contact, and as soon as he picks up, a direct connection is established. Simple and effective. On top of that, you can see the contact's current state ("talking", "busy", "no answer") in real time.
Brute forcing a SIP account
Practice shows that the Internet is full of misconfigured PBXs (private branch exchanges) and SIP accounts with weak passwords. To demonstrate this we will set up a software PBX based on the Asterisk project (www.asterisk.org) and test its resistance with SIPVicious (www.sipvicious.org), a special set of utilities written in Python. To avoid installing Linux and configuring the PBX by hand we will use the Trixbox project (www.trixbox.org), which comes with all services sensibly preconfigured; all you have to do is enter a few settings in its user-friendly web interface. Their official site provides a VMware virtual machine image that can be run with the free VMware Player (www.vmware.com/products/player/). After the first start you need to create a few so-called extensions (100, 101 and 123). We recommend setting a simple numeric password for the first one, leaving the password blank for the second and giving the third a simple word that occurs in any brute-force dictionary (e.g. secret). This gives us a platform for experiments. The SIPVicious utilities are used to find vulnerable accounts; each of them runs from the console, under both Windows and Linux.
The first step is to scan a given subnet (e.g. 192.168.1.1/24) to find a PBX:
[you@box sipvicious]$ ./svmap.py 192.168.1.1/24
| SIP Device | User Agent |
---------------------------------------------
| 192.168.1.103:5060 | Asterisk PBX |
[you@box sipvicious]$
So we have found our PBX. The next step is to analyse it and find the extensions:
[you@box sipvicious]$ ./svwar.py 192.168.1.103
| Extension | Authentication |
------------------------------
| 123 | reqauth |
| 100 | reqauth |
| 101 | noauth |
[you@box sipvicious]$
The results are not surprising. Extension 101 requires no authorisation, while 100 and 123 require a password. Let's crack the password for extension 100 by trying numeric values (they are used more often than not):
[you@box sipvicious]$ ./svcrack.py 192.168.1.103 -u 100
| Extension | Password |
------------------------
| 100 | 100 |
The password is found! Now let's try the password for extension 123 using a dictionary:
[you@box sipvicious]$ ./svcrack.py 192.168.1.103 -u 123 -d dictionary.txt
| Extension | Password |
------------------------
| 123 | secret |
Now we have all the passwords. All that is left is to check the login/password pairs in your SIP client.
Of course, the chance of brute-forcing any individual account is low, but among hundreds of extensions there is always at least one with a weak password. Moreover, the three-step approach "detect the PBX, find the extensions, crack the password" is one of the simplest for VoIP. We will return to this topic in more detail in future issues.
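From the PBX owner's side the same three steps leave a trail in Asterisk's log. The following is an added example, not SIPVicious's or Asterisk's own code, that flags svwar.py-style enumeration and svcrack.py-style guessing from the chan_sip registration-failure NOTICE lines; the sample log lines and the thresholds are constructed assumptions.

```python
"""Flag SIPVicious-style activity (svwar.py enumeration, svcrack.py guessing)
in Asterisk's chan_sip registration-failure NOTICE lines."""
import re
from collections import defaultdict

# Asterisk logs one NOTICE per failed REGISTER, e.g. (constructed sample):
#   [Nov 19 10:01:02] NOTICE[1234] chan_sip.c: Registration from
#   '"100" <sip:100@192.168.1.103>' failed for '192.168.1.50' - Wrong password
# Newer releases append ":port" to the source address; the regex allows both.
FAILED_REG = re.compile(
    r"Registration from '[^<]*<sip:(?P<ext>[^@>]+)@[^>]*>' failed for "
    r"'(?P<src>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Thresholds are assumptions; tune them to the size of your own PBX.
ENUM_THRESHOLD = 5    # distinct extensions probed from one source address
GUESS_THRESHOLD = 5   # wrong-password attempts against one extension


def parse_failures(lines):
    """Yield (src_ip, extension, reason) for every failed registration."""
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            yield m.group("src"), m.group("ext"), m.group("reason")


def detect_sip_attacks(lines, enum_threshold=ENUM_THRESHOLD,
                       guess_threshold=GUESS_THRESHOLD):
    """Return {src_ip: [alert, ...]} for sources that cross a threshold."""
    probed = defaultdict(set)                          # src -> extensions
    wrong_pw = defaultdict(lambda: defaultdict(int))   # src -> ext -> count
    for src, ext, reason in parse_failures(lines):
        probed[src].add(ext)          # svwar.py: many exts, mostly unknown
        if reason.startswith("Wrong password"):
            wrong_pw[src][ext] += 1   # svcrack.py: one ext, many passwords
    alerts = defaultdict(list)
    for src, exts in probed.items():
        if len(exts) >= enum_threshold:
            alerts[src].append(f"extension enumeration ({len(exts)} extensions)")
        for ext, n in wrong_pw[src].items():
            if n >= guess_threshold:
                alerts[src].append(
                    f"password guessing on extension {ext} ({n} failures)")
    return dict(alerts)


def _line(ext, src, reason):
    """Build a constructed log line in Asterisk's chan_sip format."""
    return (f"[Nov 19 10:01:02] NOTICE[1234] chan_sip.c: Registration from "
            f"'\"{ext}\" <sip:{ext}@192.168.1.103>' failed for '{src}' - {reason}")


# Constructed sample log: 192.168.1.50 probes five unknown extensions, then
# hammers extension 100; 192.168.1.20 is a user who mistyped a password once.
SAMPLE_LOG = (
    [_line(e, "192.168.1.50", "No matching peer found") for e in range(102, 107)]
    + [_line(100, "192.168.1.50", "Wrong password")] * 5
    + [_line(123, "192.168.1.20", "Wrong password")]
)

if __name__ == "__main__":
    for src, found in detect_sip_attacks(SAMPLE_LOG).items():
        print(src, "->", "; ".join(found))
```

Feed it the real /var/log/asterisk/messages lines instead of SAMPLE_LOG; the user who mistypes once is below both thresholds and stays silent.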
How to fake a number?
Being able to call at affordable prices is good in itself. But there is one thing that does not help: the called party sees a "number withheld" notice or the meaningless number of a VoIP gateway instead of your number, so he cannot call you back. Setting your cell phone number, or any arbitrary number, as the CallerID is much more fun! Not so long ago Caller ID spoofing could be done thanks to lax SIP operator configurations. Obviously, among the huge number of SIP providers it took a long time to find those whose policies did not lock the CallerID field and let you set an arbitrary value. Alas, this trick no longer works, so we looked for other options.
Most operators allow substituting the CallerID field with your own cell phone number, but you have to verify your identity: you are sent an SMS with a verification code that you enter on the operator's web site. We expected something of the kind when ordering the sipnet premium service that shows your number to everyone you call. As expected, once you have the service you log in to their site, register your cell phone number and enable it for outgoing calls: go to "Premium Services -> Caller ID -> Call Booking via SMS" in your personal area and press "register a cell phone". It then turns out that (attention!) all that is needed is to send an SMS (from your cell phone, of course) containing the code shown on the web site. By the way, the SMS is free and goes to an ordinary federal number. See where I am going? Surely everyone has tried sending an SMS with a spoofed sender number? Some services charge nothing for this option but append an advertisement to your message instead, and we need our SMS to contain nothing but the verification code. The Yakoon.com service is ideal for that purpose: download their client application and register.
Your activation code arrives at the e-mail address you gave during registration, and then you get an SMS with a promo code for 3 free SMS. By the way, Latin characters are allowed in the sender's name. So how do we turn this around? Create a new SMS: we already have the number and the text (from the sipnet site), and all that is left is the sender's number. You can specify any phone number, e.g. 123456789. Once the message is delivered, that sender's number appears in the premium Caller ID service, and from then on it can be set as the CallerID when you call someone. It's like taking candy from a baby!
Bear in mind that once the number is registered in sipnet, it is sent an SMS: "Your number is registered in sipnet". Incidentally, for the convenience of registering new numbers you could knock together a small script that fetches the verification code by itself and sends it via SMS to confirm the cell phone number using Yakoon's API.
How to eavesdrop on Skype and SIP calls?
Intercepting VoIP data differs from traditional sniffing in a few nuances, but in general the interception works the same way. The nuance is that eavesdropping on voice traffic requires sniffing both the signalling packets and the associated media stream. Signalling messages use a different transport protocol (UDP or TCP) and a different port from the media. The media stream, meanwhile, is typically carried over UDP using RTP (Real-time Transport Protocol). Fortunately, an advanced sniffer can automatically intercept and decode RTP packets and analyse sessions. Our favourite Wireshark (www.wireshark.org) has a corresponding option, "Statistics -> VoIP Calls". Once you have the list of VoIP calls you can examine a graphical chart of how the exchange proceeded or simply listen to the voice data. Other utilities such as Cain and Abel (www.oxid.it) and UCSniff (ucsniff.sourceforge.net) can record VoIP traffic too; the latter can also intercept video conference traffic. Of course, all this applies only when the traffic is sent unprotected. As a defence against sniffing one can use TLS (Transport Layer Security) to encrypt SIP signalling and SRTP (Secure Real-time Transport Protocol) to protect the voice itself (though in most cases the voice is transmitted unencrypted).
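To check whether a call is actually protected the way the paragraph recommends (TLS on the signalling, SRTP on the media), here is an added example in Python that is not part of the article, Wireshark or any SIP stack; the INVITE messages, addresses and key material in it are constructed.

```python
"""Report what a sniffer on the path would see for one SIP INVITE: cleartext
signalling (no TLS in the Via) and cleartext media (RTP/AVP instead of the
SRTP profile RTP/SAVP with SDES a=crypto or DTLS a=fingerprint keying)."""


def parse_sip(message):
    """Split a SIP message into (start line, {header: [values]}, SDP lines)."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, [ln for ln in body.split("\n") if ln]


def audit_call(message):
    """Return {'transport', 'media', 'exposed'}; 'exposed' names what is in clear."""
    _, headers, sdp = parse_sip(message)
    via = headers.get("via", [""])[0]                 # top Via = this hop
    transport = via.split()[0].rsplit("/", 1)[-1].upper() if via else "NONE"
    media, current = [], None
    for line in sdp:
        if line.startswith("m="):                     # m=<type> <port> <profile> ...
            kind, port, profile = line[2:].split()[:3]
            current = {"type": kind, "port": int(port), "profile": profile,
                       "keyed": False}
            media.append(current)
        elif current is not None and line.startswith(
                ("a=crypto:", "a=fingerprint:")):
            current["keyed"] = True                   # SRTP key material present
    exposed = []
    if transport != "TLS":
        exposed.append("signalling")                  # headers and SDP readable
    for m in media:
        if "SAVP" not in m["profile"] or not m["keyed"]:
            exposed.append(m["type"])                 # payload decodable as audio
    return {"transport": transport, "media": media, "exposed": exposed}


# Constructed INVITE as a default softphone would send it: UDP signalling,
# plain RTP/AVP audio. Addresses, tags and Call-ID are made up.
CLEARTEXT_INVITE = "\r\n".join([
    "INVITE sip:123@192.168.1.103 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:100@192.168.1.103>;tag=1928301774",
    "To: <sip:123@192.168.1.103>",
    "Call-ID: a84b4c76e66710@192.168.1.20",
    "CSeq: 314159 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 2890844526 2890844526 IN IP4 192.168.1.20",
    "s=-",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8 101",
    "a=rtpmap:0 PCMU/8000",
])

# The same call hardened as the article advises: SIP over TLS and SRTP with an
# SDES a=crypto line (the key shown is a constructed placeholder).
SECURE_INVITE = (
    CLEARTEXT_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS")
    .replace("RTP/AVP", "RTP/SAVP")
    + "\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 "
      "inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|2^20|1:32"
)

if __name__ == "__main__":
    for name, msg in (("cleartext", CLEARTEXT_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_call(msg)["exposed"])
```

An empty 'exposed' list means both the SIP headers and the RTP payload are unreadable to a passive sniffer; a Via over TCP or UDP, or an m= line without SAVP, is exactly what the "VoIP Calls" view in Wireshark feeds on.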
In terms of security Skype looks far more advantageous because all transmitted data is encrypted without exception. There is no publicly known solution for intercepting and decrypting its traffic, and many information security experts claim that even the security services have no tools for it. Nevertheless, eavesdropping on Skype calls is still possible, but only with access to the caller's PC. Just a week before this issue went to the printer, the Swiss software developer Ruben Unteregger published the source code of a Trojan that intercepts Skype conversations. The Trojan accepts commands from a special server and sends it audio files. The most striking part of the malware is the Skype-Tap module, which hooks Skype's API calls, finds the PCM audio data, converts it to MP3 files and sends them to the storage server in encrypted form. You can read more about the Trojan and find its sources on the developer's site: www.megapanzer.com.
How to create a free phone number abroad?
One of the most interesting Skype services is SkypeIn, which lets you get a phone number somewhere in the US and receive calls to it in the Skype client. However, it is a paid service. Now you can get your own phone number in another country completely free. Groovy Tel (www.groovytel.com) provides a toll-free number in the US; every call to it is routed through one of the systems that implement voice chat: Google Talk, MSN Messenger, Yahoo Messenger, Free World Dialup or Gizmo. To register, however, you need a Facebook profile with at least 20 friends. :) During registration you are offered a choice of three phone numbers, but you can get a more suitable one with the "Refresh" button. I tested the system with GTalk: everything works fine, and when a call comes in the caller's number is displayed. Another service, JetNumber, is useful if you need a number for only a few days: it has a three-day trial period during which the service is free. For testing you can take a number in Argentina, France, Mexico, the United Kingdom or the United States.
It's great that Groovy Tel forwards calls to an IM client, but it would be even better if any SIP/IAX operator could be specified as the destination. That is exactly what IPKall (www.ipkall.com) provides. And guess what? It's completely free again! :) Support for open protocols allows not only software but also hardware solutions. Forwarding calls to a SIP account (which can be bought at the same sipnet.ru) tied to a VoIP gateway is trivial; such an adapter lets you plug in an ordinary phone and receive all calls to your US toll-free number via IPKall. The bad news is that there is no instant registration, so you will have to wait a while for your application to be approved.
Making PBX from Wi-Fi access point!
You do not need to buy an expensive device to set up a PBX. If you have read our SYN/ACK section attentively, you already have a good idea of how to set up a software PBX based on Asterisk (www.asterisk.org). That still requires a computer running *nix, but if you have a Wi-Fi access point or another hackable network device at home, you can try to run the Asterisk server on it. I did this on my Asus WL-500gP (which I have written about repeatedly). After installing the "Oleg firmware", Asterisk is set up with just two commands (plus a reboot):
ipkg uninstall asterisk
ipkg install asterisk14
reboot
All that is left is to add a few users and assign each an extension number; the beginner's guide at http://www.en.voipforo.com/asterisk/asterisk-first-steps.php will help. After that, install SIP clients on the users' machines and configure the server and the profiles.
WWW
An excellent selection of VoIP software:
http://www.voipsa.org/Resources/tools.php
A list of providers offering direct telephone numbers in different countries:
http://www.voip-info.org/wiki/view/DID+Service+Providers
WARNING
Some hotspot owners deliberately block the SIP protocol so that clients cannot use IP telephony. All information provided is for educational purposes only. The editors are not responsible for the use of this information for illegal purposes.