Reverseme: Easy Windows

To get back into the groove, I decided to try a crackme. After searching far and wide, I can't seem to find where I got this from, other than crackmes.de, one of my favorite sites.

Crackme.zip <-- here it is in case it's deleted.

And the solution is, with no analysis:

#include <iostream>
#include <string>
using namespace std;

// Sum of the byte values of every character in the name.
int add_name_chars(const string &name) {
  int total = 0;
  for (size_t i = 0; i < name.length(); i++) {
    total += name[i];
  }
  return total;
}

int main() {
  string name;
  cout << "Name: ";
  cin >> name;

  // Serial 1: scale the character sum, then divide by 10 until it fits
  // below 0x3b9ac9ff (999999999), i.e. at most nine decimal digits.
  unsigned int ser1 = 31 * add_name_chars(name) / 629u + 44431400;
  while (ser1 > 0x3b9ac9ff) {
    ser1 /= 10;
  }
  cout << "Serial 1: " << ser1 << endl;

  // Serial 2 is derived from serial 1 (32-bit wraparound is intended)
  // and shrunk the same way below 0x1869f (99999).
  unsigned int ser2 = 82 * ser1 - 3;
  while (ser2 > 0x1869f) {
    ser2 /= 10;
  }

  cout << "Serial 2: " << ser2 << endl;
  return 0;
}

Ok, one hint. All the logic is at 004013BC. This was rated as 1, for newbies, but it still took me a while to figure out. I thought it was fun.

nmap script to try and detect login pages

The title sort of explains it.

description = [[
Attempts to check if a login page exists on the port.
]]

---
-- @output
-- 80/tcp open  http
-- |_ http-login-form: HTTP login detected

-- HTTP authentication information gathering script
-- rev 1.0 (2010-02-06)

author = "Rich Lundeen <mopey@webstersprodigy.net>"

license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

categories = {"ioactive"}

require("shortport")
require("http")
require("pcre")

portrule = shortport.port_or_service({80, 443, 8080}, {"http","https"})

-- Split an absolute URL into host, port (as a number) and path.
-- A relative URL (no scheme) returns nil host/port and the URL as the path.
parse_url = function(url)
  local re = pcre.new("^([^:]*):[/]*([^/]*)", 0, "C")
  local s, e, t = re:exec(url, 0, 0)
  if t == nil then
    return nil, nil, url
  end
  local proto = string.sub(url, t[1], t[2])
  local host = string.sub(url, t[3], t[4])
  local path = string.sub(url, t[4] + 1)
  if path == "" then
    path = "/"
  end
  local port = string.find(host, ":")
  if port ~= nil then
    -- host:port form; the port must be a number so it compares with port.number
    local thost = string.sub(host, 1, port-1)
    port = tonumber(string.sub(host, port+1))
    host = thost
  else
    if proto == "http" then
      port = 80
    elseif proto == "https" then
      port = 443
    end
  end
  return host, port, path
end

--attempting to be compatible with nessus function in http.inc
--in this case, host is a url - it should use get_http_page
--get_http_page = function(port, host, redirect)

--port and host are the objects passed to the action function
--redirect is an integer bound on followed redirects, to prohibit loops
get_http_page_nmap = function(port, host, redirect, path)
  if path == nil then
    path = "/"
  end
  if redirect == nil then
    redirect = 2
  end
  local answer = http.get(host, port, path)
  if answer == nil or answer.header == nil then
    return answer, path
  end
  if ((answer.header.location ~= nil) and (redirect > 0) and
      (answer.status >= 300) and (answer.status < 400)) then
    local nhost, nport, npath = parse_url(answer.header.location)
    if nhost ~= nil and (((nhost ~= host.targetname) and (nhost ~= host.ip) and
        (nhost ~= host.name)) or nport ~= port.number) then
      --cannot redirect more, different service
      return answer, path
    else
      --same service (or relative Location): follow it
      return get_http_page_nmap(port, host, redirect-1, npath)
    end
  end
  return answer, path
end

action = function(host, port)
  local result, path = get_http_page_nmap(port, host, 3)
  if result == nil or result.body == nil then
    return
  end
  --seems to be a bug in the matching
  local loginflags = pcre.flags().CASELESS + pcre.flags().MULTILINE
  local loginre = {
     pcre.new("<script>[^>]*login"    , loginflags, "C"),
     pcre.new("<[^>]*login"           , loginflags, "C"),
     pcre.new("<script>[^>]*password" , loginflags, "C"),
     pcre.new("<script>[^>]*user"     , loginflags, "C"),
     pcre.new("<input[^>)]*user"      , loginflags, "C"),
     pcre.new("<input[^>)]*pass"      , loginflags, "C"),
     pcre.new("<input[^>)]*pwd"       , loginflags, "C") }

  local loginform = false
  for i,v in ipairs(loginre) do
    local ismatch, j = v:match(result.body, 0)
    if ismatch then
      loginform = true
      break
    end
  end
  if loginform then
    return "Login Form Detected at " .. path
  end
end
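To see what the script's patterns actually flag, here is an added Python check (not part of the original script) that runs the same seven expressions over constructed HTML snippets. It shows that the second pattern fires on any tag mentioning "login", a plain link included, which is where noisy hits come from, and that the `<script>` patterns only match a bare `<script>` tag with no attributes.

```python
import re

# The seven patterns from the NSE script above, unchanged; the script's
# CASELESS + MULTILINE flags become re.I | re.M in Python.
LOGIN_PATTERNS = [
    r"<script>[^>]*login",
    r"<[^>]*login",
    r"<script>[^>]*password",
    r"<script>[^>]*user",
    r"<input[^>)]*user",
    r"<input[^>)]*pass",
    r"<input[^>)]*pwd",
]
COMPILED = [re.compile(p, re.I | re.M) for p in LOGIN_PATTERNS]


def matching_patterns(body):
    """Return the patterns (as written above) that fire on an HTML body."""
    return [p.pattern for p in COMPILED if p.search(body)]


def has_login_form(body):
    """Same verdict the NSE action would give: any pattern matching."""
    return bool(matching_patterns(body))


# Constructed sample pages, not captured from any real host.
FORM_PAGE = ('<html><body><form action="/auth" method="post">'
             '<input type="text" name="username">'
             '<input type="password" name="passwd">'
             '</form></body></html>')
LINK_ONLY_PAGE = '<html><body><a href="/login">Sign in</a></body></html>'
SCRIPT_PAGE = '<html><script src="/js/login.js"></script><p>Welcome</p></html>'
PLAIN_PAGE = '<html><body><h1>Status</h1><p>All systems nominal.</p></body></html>'

if __name__ == "__main__":
    for label, page in [("form", FORM_PAGE), ("link only", LINK_ONLY_PAGE),
                        ("script src", SCRIPT_PAGE), ("plain", PLAIN_PAGE)]:
        print(label, "->", has_login_form(page), matching_patterns(page))
```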

Nessus with Nikto – Running out of memory

Kind of an annoying problem, but sometimes nikto runs out of control. This is made worse by nessus, which can have a lot of nikto instances running at once.

Dec 29 13:03:10 mopey-macky kernel: [72355.838027] Free swap = 0kB
Dec 29 13:03:10 mopey-macky kernel: [72355.838031] Total swap = 5855684kB
Dec 29 13:03:10 mopey-macky kernel: [72355.866431] 1048576 pages RAM
Dec 29 13:03:10 mopey-macky kernel: [72355.866436] 38328 pages reserved
Dec 29 13:03:10 mopey-macky kernel: [72355.866440] 9361 pages shared
Dec 29 13:03:10 mopey-macky kernel: [72355.866444] 1000493 pages non-shared
Dec 29 13:03:10 mopey-macky kernel: [72355.866451] Out of memory: kill process 6730 (run-mozilla.sh) score 665297 or a child
Dec 29 13:03:10 mopey-macky kernel: [72355.866556] Killed process 6734 (thunderbird-bin)

Yes, that was fun: randomly killed processes because I'm out of memory. Some instances of nikto were taking 2 GB of memory and spidering infinitely over these dynamic pages.

To fix, I added a stupid watchdog script.

#!/usr/bin/env python3

import subprocess
import time

# percent of memory a nikto instance may take before it is killed
MAXMEMPERCENT = 13
# maximum time (ps TIME column) in hours
MAXTIME = 1
# time in seconds between checks
SLEEPYTIME = 60
lfile = open("./nikto_wd.log", "a")


def ps_time_to_hours(field):
    """Convert a ps TIME field ([DD-][HH:]MM:SS) to hours."""
    days = 0
    if "-" in field:
        d, field = field.split("-", 1)
        days = int(d)
    parts = [int(x) for x in field.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return days * 24 + hours + minutes / 60.0 + seconds / 3600.0


while True:
    # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    ps = subprocess.run(["ps", "aux"], stdout=subprocess.PIPE,
                        universal_newlines=True)
    for line in ps.stdout.split("\n"):
        if "nikto" not in line:
            continue
        thisline = line.split()
        try:
            if "/usr/bin/perl" in thisline[10]:
                memusage = float(thisline[3])
                hours = ps_time_to_hours(thisline[9])
                # process needs to be killed
                if hours > MAXTIME or memusage > MAXMEMPERCENT:
                    print("die, zombie scum", thisline)
                    lfile.write("die, zombie scum " + str(thisline) + "\n")
                    subprocess.call(["kill", thisline[1]])
        except (IndexError, ValueError):
            pass
    lfile.flush()
    time.sleep(SLEEPYTIME)

GPG Cheat Sheet

The GNU Privacy Handbook has a ton of useful information, but I thought I'd make a quick reference for the gpg usage I use most. Especially because I was just an idiot and lost my gpg private key (though I do remember the passphrase). This time there will be a backup!

List all keys

gpg --list-keys

Export a public key to a file (mypublickey.key); <keyid> is listed when you do --list-keys

gpg -ao mypublickey.key --export <keyid>

Show secret keys

gpg --list-secret-keys

Back up a secret key (symmetrically encrypted with a passphrase)

gpg -a --export-secret-keys <keyid> | gpg -aco myprivatekeyfile.key.gpg

Restore a key

gpg --import {keyfile}

Restore an encrypted key

gpg --decrypt {privatekeyfile} | gpg --import

Sign a file

gpg --output doc.sig --sign doc

Verify a signature (and recover the signed document)

gpg --output mydoc --decrypt doc.sig

browsing with firefox, tor, refcontrol, and noscript on ubuntu

This is a topic that’s been covered a lot. However, it took a bit of research to find a solution that worked for me, so I thought I’d write about it here.

I am doing some research that involves a *lot* of google searches. Because this research involves a significant number of directed queries, it seems logical to hide this information as much as practical. If there is a web host who notices sequential names in a Google referer URL repeatedly, this might raise suspicion or alter behavior which could skew results. Similarly, it is desirable to hide IP information from both the web host (for similar reasons) and possibly even search engines.

First, to avoid any changes to usual browsing, a new firefox profile was created using:

firefox -ProfileManager

Additionally, to run both firefox profiles at once, the first is run as normal, while the second has the additional options:

firefox -P <new-profile> -no-remote

I add this to my taskbar alongside the regular old firefox %u so I can choose a profile with a click.

To hide the HTTP referer, a firefox extension called RefControl was selected: https://addons.mozilla.org/en-US/firefox/addon/953. This simply replaces the referer for every query with one that is configurable. Although this is certainly possible with a more traditional proxy (like paros), RefControl's ease of use is essential with the sheer number of queries that were performed for this research. For this research, I changed the referer passed several times, to names like "yahoo.com", "cnn.com", etc. Although the traffic patterns may still seem suspicious to an administrator who carefully monitors his logs, it reveals virtually no information about what it is that is being searched for.

To obfuscate the IP address, tor and privoxy were used. Tor bounces the HTTP requests around a distributed network of relays all around the world. An in-depth discussion of Tor is out of scope here, but in a nutshell "it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location" (http://www.torproject.org/). Privoxy is additionally used to prevent applications like flash or dns from leaking information. Since both privoxy and tor are required, you need to install these:

apt-get install tor privoxy

and to get privoxy to work with tor, I uncommented the following line (if it’s not there just add it):

forward-socks4a / localhost:9050 .

Despite the advantages, this did make browsing for names quite slow. I really like torbutton. In the not so distant past I remember having to modify proxy settings every time I wanted to go back and forth using tor. With tor

Lastly, the noscript firefox plugin was used to mitigate all javascript based attacks that might be used to obtain IP information http://noscript.net/.

Security in an Insecure Environment
