Chatsubo [(in)Security Dark] Labs

My experience at Ekoparty 2011

2011-10-02T18:03:00.022-05:00

Hi fellows, after a long time, I've decided to create another entry in diz bl0g ... I'll put a few words about my experience in the most important IT security convention in Latinamerica.. Yes, I know what y0u have in mind and that'z what I'll be talking about ! EKOPARTY ! (www.ekoparty.org - @ekoparty) ;)

It all started on Wednesday the September 21st, 2011 in Buenos Aires, Argentina, when I went to KONEX cultural center to get the badge, a cool one by the way. What I really liked of this badge unlike others, is that there's no difference between speaker/attendee badge. Anyway, I went with my friends Federico Bossi (@fedebossi) and Claudio (@claudio_leon) to get the badges. After that, we saw the Bus intented to go around the streets for wardriving purposes jejeje.. It was hilarious 'cauz the bus had very funny music (such as Reggaeton =X) jajaj, and blinking lights around the windows... A picture is worth a thousand words =D. That night, I went with Fede to "Antares" a very nice pub in a city near Buenos Aires, which is called La Plata... 'til 6 am ¬¬' WTF !!

Thursday, September 22nd, I finally met in person to my br0ther Xava Du (@xavadu) !!! after 8 years !! =0 and we just were there walking around, drinking b33rs @ Immunity Sec stand, meeting some people and talking with other security researchers. In the same hall was the lockpicking village, fight with r0b0ts, a ping pong table, vendors, pop corns, old video games, wifi hack3rs, etc. etc. etc...

Also, I found my mexican friend there, Diego Bauche (@dexosexo) !! it was great to see him there 'cause we really needed to talk in 'Mexican spanish' :D jejej which is pretty different than 'Argentinian Spanish' !

At the end of that night, there was a party just right there @ KONEX ;) ... There was a funny (weird) band performing xD. In that party, I met a pretty & intelligent girl who was also involved in IT security, she totally impressed me 'cause she has deep knowledge =0 (Note: She found a security vulnerability in a mainstream SCADA platform) ! It was nice 2 meet her =)

Friday, September 23rd, the EkoFest location was finally published.

Before the Juliano Rizzo (@julianor) talk, suddenly, a üb3r-h4x0r-3l3ctr0-p0st-futur1st r0b0t appeared =D IT WAS AMAZING !! I've never seen something like that before, even in Defcon or BlackHat ! ;)

At the end of Ekoparty, and before the party, we went to Agustin Gianni's (@agustingianni) house to drink some Fernet and after that we moved to another place to have some Beers & Pizza with Xava Du, Claudio, more people and speakers such as Rubén Santamarta (@reversemode), Chema Alonso (@chemaalonso), Agustin Gianni (@agustingianni), Juliano Rizzo (@julianor) and Pedro Varangot. After that we all went to the PARTY !! (no pictures xD)

Saturday, September 24th, we moved to La Plata and prepared our ekoparty-afterasado ! jajaj I had a GREAT time with friends !! Thank you d000d3z !!!

On the other hand, I also had the chance to say hi to antoher Argentinian friends (security researchers) like Nahuel Grisolia (@cintainfinita), Maximiliano Soler (@maxisoler) and Ariel Sánchez (dymitri).

What about the CONFERENCES??!! One single word: AMAZING ;) .. All of them ! what a great level. Som3 pix:

Definitely, I'll be there the next year ! ;)

Ch33rz !!!

My research cited on a scientific technical report

2011-01-18T22:16:00.013-06:00

Well, have past a long time since my fingers wr0te something on this wall... But today, I was just looking for advancements in vulnerability and exploit development on Google and !! something really nice appeared in front of my eyes and behind my screen jeje.

I was reading the following technical report from The Department of Mathematics, Royal Holloway, University of London:

Technical Report
RHUL-MA-2009-06
16th February 2009
Title: Buffer Overflows in Microsoft Windows Environment
Author: Parvez Anwar
Comments: Search Security Award Winning Project

... And suddenly, I read the author refering my name, comments and a c0de of mine. It made my day, obviously, B-)

Here are the paragraphs that made me feel pr0ud of myself..

... and the c0de that made me scream like crazy :@ a few years ago ajaja.. but it was worth ;)

Full report:
http://www.ma.rhul.ac.uk/static/techrep/2009/RHUL-MA-2009-06.pdf

ch33rz !!! /o/

DotDotPwn v2.1 - The Traversal Directory Fuzzer

2010-10-26T15:23:00.011-05:00

Dewds!! we've set up the official Website:
http://dotdotpwn.sectester.net/

These are the new features included in v2.1 (transcription of CHANGELOG.txt):
----------------
DotDotPwn v2.1
Release date: 29/Oct/2010 (PUBLIC Release at BugCon Security Conferences 2010)
Release date: 14/Oct/2010 (NON-PUBLIC Version)

Changes / Enhancements / Features:

* STDOUT module implemented to be used as you wish (Read the EXAMPLES.txt to
see some examples)
* TFTP Module implemented
* -k switch for false positive avoidance making another verification once the
HTTP Status 200 is received. This option looks for the specified parameter
in the server's response.
(e.g. -k "root:" if trying with /etc/passwd file
or -k "localhost" in windows/system32/drivers/etc/hosts)
With this option enabled, the HTTP module will print the total of false
positives detected during the scan as long as there is more than one.
* -p switch for payload specification.
This option simply takes the text file passed as a parameter, replaces the
'TRAVERSAL' tokens and sends it to the target (-h switch) in the specified
port (-x switch)
(e.g. a file called request.txt that contains an HTTP request including
cookies, session ids, variables, etc. and the 'TRAVERSAL' tokens within the
request that would be fuzzed)
* For the impatient, when it's working in quiet mode (-q switch), it prints
dots each certain number of attempts to inform that it's still working ;).
* Prints the number of vulnerabilities found before exiting when an error
ocurrs (e.g. the Web server doesn't respond anymore because it has reached
the maximum number of clients/sockets/threads)
* Prints the time taken at the end of the testing
* A cleaner usage message (help message)

Supported modules:
- HTTP
- HTTP URL
- FTP
- TFTP
- Payload (Protocol independent)
- STDOUT
-------------

And again, I include some screensh0tz ... Enjoy them and stay tuned for the public release !!..

[ STDOUT Module + scripting ;) ] against Webmin 1.280

TFTP Module against TFTPDWin

Without False Positive detection

With False Positive detection

PAYLOAD Module against Webmin 1.280

Ch33333rz ! B-) c yaaa @ BugCon 2k10 !

DotDotPwn - The Directory Traversal Fuzzer

2010-09-09T23:48:00.011-05:00

"Welly, welly, welly, well." -- A Clockwork Orange (movie).

Hell Yes !!!! B-), a few weeks ago, my brother chr1x from CubilFelino Security Labs (published a tool to detect directory traversal vulnerabilities in FTP/HTTP servers. It only relied upon 2 .txt files (databases) with the payloads to be lauched to the target. Then, some cool ideas came into my mind, so, I wrote the c0de from the skratch and in a modular basis, as well as, I included a lot of features/enhacements, but the main change was the pass from being a Checker to a Fuzzer (I c0ded a Traversal Engine for it).

Well, Stay tuned for the public release ;) s00n !! (DotDotPwn v2.0)
Official Website: http://chr1x.sectester.net/toolz/ddpwn/

----------
Release date: 2/Sept/2010 (NON-PUBLIC Version)
Author: nitrØus (nitrousenador@gmail.com)

Changes / Enhancements / Features:
* From Checker to Fuzzer
* Rewritten from the scratch
* Modular architechture (DotDotPwn packages)
* Traversal Engine to automatically create the fuzzing patterns to be sent.
This engine makes all the permutations between the dots and slashes
encodings, iterates the number of deepness passed as argument and finally,
it concatenates the filenames intelligently according to the Operating System
detected (in case of -O switch enabled), otherwise, the engine includes all
the defined file sets (Windows, UNIX and Generic).
* -O switch for Operating System (nmap) and -s switch for service detection
* -f switch available to define a specific file name to retrive
* -U and -P switches to supply specific usernames/passwords
* -d switch to specify the desired deep of traversals
(e.g. deep 3 equals to ../../../)
* -t switch to specify the time in milliseconds between each attemp
* -x switch to specify a different TCP/UDP port than the defaults
* -b switch to break after the first vulnerability is found
* -q switch for quiet mode (doesn't print each attemp in STDOUT)
* Special treatment of Slash/Backslash in filenames in order to have a
correct semantic within each traversal string.
* Improvement in the FTP module to compare against the server's response code
instead of vendor-dependent response message (in compliance with RFC 959 FTP)
* Improvement in the parameter passing
* A cool banner was included ;)

Supported modules:
- HTTP
- HTTP Parameters (url)
- FTP

And as I said before, a picture is worth a thousand words, I post some screenshots ;) .. Enjoy them !

DotDotPwn (Usage)

Traversal Engine (Description)

Traversal Engine (Resources)

Traversal Engine (Working [internals])

OS and Service detection (taken into account in the Traversal Engine for intelligent fuzzing)

HTTP-Params Module (Description)

HTTP-Params Module (Usage)

HTTP-Params Module (Vulnerabilities found)

FTP Module (Vulnerabilities found, quiet mode and retrieved files)

HTTP Module (Vulnerabilities found)

Well, stay tuned on http://chr1x.sectester.net/toolz/ddpwn/ for the public release ;).

Keep Fuzz1ng !!!!!! B-/
nitrØus

Chatsubo [(in)Security Dark] Labs say Hi !

2010-08-26T23:06:00.014-05:00

Well, before I go to bed, I'd like to present my workplace, the :

Chatsubo [(in)Security Dark] Labs.

Here, cool stuff happens, insanity crossing the wires, sparks emerging from the keyboards and damn g00d music resounding the walls. Nowadays, distributed in 3 different geographic locations in Mexico, The Chatsubo Labs is armed with laptops, servers, desktops, one firewall, one access point, switches and routers. In there, resides research projects, tons and tons of lines of c0de developed by me (nitrØus), a variety of Operating Systems (Solaris, OpenBSD, NetBSD, Minix, Gentoo, Debian, CentOS, n00buntu, RedHat, IOS and probably others) and many virtual machines to have fun as well.

By now, you may be wondering where the hell the name came from? Well, It's inpired in the bar described early in the Cyberpunk novell Neuromancer (William Gibson), The Chat (short of Chatsubo), exists in some particularly dingy corner of Night City, in Chiba, Japan. Then, that's why I liked the name, a concensual hallucination, my meeting place for cyberspace c0wboys and hackers (friends of mine) eager to do interesting stuff.

Now, lexicographically speaking, the [] and the () represents nested options, what I mean is that I can call my labs as any of the following ways (which helps me in different situations depending on the context;)):
- Chatsubo Labs
- Chatsubo inSecurity Dark Labs
- Chatsubo Security Dark Labs

Wanna see?... A picture is worth a thousand words, so, this is it !, a picture of the Chat that I took a few years ago in one of the currently 3 different geographic locations:

The next is a picture of an old laptop where I learned some of Operating Systems Development and learned how to build my 0wn boot loader in ASM in a floppy disk (3.5") jeje. With this toy, I used to have fun with my first OpenBSD 3.4 and Red Hat Linux 7.3

What about decoration???... Well, a jellyfish thank and lavalamp helps to make the Chatsubo Labs a nice place to work:

Video of the Jellyfish Tank:

Finally, if u want 2 add teh labs on ur 0wn website/bl0g, these are the *official* banners (note my highly specialized graphic design sk1lls in MS Paint jaja):

Keep r0cking !!!!! Ch33rz !
- nitrØus

Advanced Persistent Threat

2010-08-24T15:48:00.005-05:00

I was reordering and deleting some old bookmarks, and I found a good article I read the past month about APT.

For those who haven't heard about it, I suggest u to read this good article...

Understanding the advanced persistent threat
by: Richard Bejtlich
Issue: Jul 2010
http://searchsecurity.techtarget.com/magazinePrintFriendly/0,296905,sid14_gci1516312,00.html

l8 chr33z !!

John the Ripper benchmark

2010-08-08T15:49:00.004-05:00

These are the results of a little benchmark that I performed a couple of months ago.

Versions that I compiled and tested:
- ANY
- SSE2
- MMX
- NTLM (source code patched to crack NTLM hashes)

BENCHMARKING
ANY
Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts: 278297 c/s real, 347004 c/s virtual
Only one salt: 268979 c/s real, 334551 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 9484 c/s real, 11738 c/s virtual
Only one salt: 9288 c/s real, 11552 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6795 c/s real, 8472 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 409 c/s real, 496 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 266547 c/s real, 331526 c/s virtual
Long: 772505 c/s real, 960827 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 4773K c/s real, 5951K c/s virtual

MMX
Benchmarking: Traditional DES [64/64 BS MMX]... DONE
Many salts: 1041K c/s real, 1301K c/s virtual
Only one salt: 936512 c/s real, 1150K c/s virtual

Benchmarking: BSDI DES (x725) [64/64 BS MMX]... DONE
Many salts: 34188 c/s real, 42417 c/s virtual
Only one salt: 33753 c/s real, 41982 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6794 c/s real, 8425 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short: 339046 c/s real, 422751 c/s virtual
Long: 1031K c/s real, 1276K c/s virtual

Benchmarking: NT LM DES [64/64 BS MMX]... DONE
Raw: 8434K c/s real, 10516K c/s virtual

SSE2
Benchmarking: Traditional DES [128/128 BS SSE2]... DONE
Many salts: 2050K c/s real, 2543K c/s virtual
Only one salt: 1760K c/s real, 2194K c/s virtual

Benchmarking: BSDI DES (x725) [128/128 BS SSE2]... DONE
Many salts: 68352 c/s real, 85014 c/s virtual
Only one salt: 66560 c/s real, 82376 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6819 c/s real, 8465 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [48/64 4K MMX]... DONE
Short: 339814 c/s real, 420562 c/s virtual
Long: 1025K c/s real, 1279K c/s virtual

Benchmarking: NT LM DES [128/128 BS SSE2]... DONE
Raw: 9648K c/s real, 11912K c/s virtual

NTLM Patch
Benchmarking: Traditional DES [24/32 4K]... DONE
Many salts: 280217 c/s real, 348529 c/s virtual
Only one salt: 269644 c/s real, 333718 c/s virtual

Benchmarking: BSDI DES (x725) [24/32 4K]... DONE
Many salts: 9659 c/s real, 12013 c/s virtual
Only one salt: 8982 c/s real, 10980 c/s virtual

Benchmarking: FreeBSD MD5 [32/32]... DONE
Raw: 6806 c/s real, 8402 c/s virtual

Benchmarking: OpenBSD Blowfish (x32) [32/32]... DONE
Raw: 417 c/s real, 520 c/s virtual

Benchmarking: Kerberos AFS DES [24/32 4K]... DONE
Short: 265574 c/s real, 331140 c/s virtual
Long: 741427 c/s real, 901979 c/s virtual

Benchmarking: NT LM DES [32/32 BS]... DONE
Raw: 4750K c/s real, 5836K c/s virtual

Benchmarking: NT MD4 [Generic 1x]... DONE
Raw: 9549K c/s real, 11906K c/s virtual

CRACKING
[nitr0us@nectar run]$ ./unshadow ~/passwd ~/shadow > ~/passshad

ANY
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:01 100% (2) c/s: 5654 trying: virginia

real 0m1.016s
user 0m0.730s
sys 0m0.022s

MMX
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:00 100% (2) c/s: 5768 trying: virginia

real 0m1.008s
user 0m0.695s
sys 0m0.025s

SSE2
[nitr0us@nectar run]$ time ./john ~/passshad
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
eilrahc (charlie)
newpass (ted)
Bond007 (jim)
virginia (monk)
guesses: 4 time: 0:00:00:00 100% (2) c/s: 5827 trying: virginia

real 0m0.984s
user 0m0.734s
sys 0m0.016s

NTLM-Patch
ANY
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [32/32 BS])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1560K trying: 4OUH - POOR

real 0m1.252s
user 0m0.843s
sys 0m0.043s

[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [Generic 1x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1309K trying: cbc7 - pamc

real 0m1.474s
user 0m0.952s
sys 0m0.040s

MMX
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [64/64 BS MMX])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1727K trying: 4OUH - PAVS

real 0m1.127s
user 0m0.804s
sys 0m0.039s

[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [Generic 1x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1426K trying: cbc7 - pamc

real 0m1.348s
user 0m1.009s
sys 0m0.040s

SSE2
[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt
Loaded 7 password hashes with no different salts (NT LM DES [128/128 BS SSE2])
PASSWOR (susan:1)
JOSHUA (falken)
A (monk:2)
MASTER1 (george)
VIRGINI (monk:1)
8 (susan:2)
POOR (mike)
guesses: 7 time: 0:00:00:01 (3) c/s: 1915K trying: 4OUH - PRN3

real 0m1.019s
user 0m0.732s
sys 0m0.030s

[nitr0us@nectar run]$ time ./john ~/PWDUMP_OUT.txt --format=nt
Loaded 5 password hashes with no different salts (NT MD4 [X86 SSE2 5x])
joshua (falken)
master1 (george)
virginia (monk)
passwor8 (susan)
poor (mike)
guesses: 5 time: 0:00:00:01 (3) c/s: 1459K trying: cbjk - pov0

real 0m1.315s
user 0m0.935s
sys 0m0.046s

Interesting results ;) ... HAPPY CRACKING !!

Having fun with RISK management equations

2010-07-29T10:01:00.010-05:00

Have past a few weeks without any post, so, I think it's the time... Today, I'm havin' fun with MS Excel (yes, I'm a f**ck1ng n00b in Excel) calculating and automating some equations for the risk assessment methodology I've created for a company.

Example of threat evaluation (taken from the Internet):

The methodology that we created as a team, includes the basic principles of risk management. I've used some references such as NIST-800-30 special publication (Risk Management Guide for Information Technology Systems), ISO/IEC 27005:2008 Information technology - Security techniques - Information security risk management and many others documents widespread on the Internet !

Finally, a few moments ago I optimized an excel formula to automate the process of THREATS valuation using their impacts and likelihoods. First, I tried this one:

=IF(AND(C4=1,D4=1),1,
IF(AND(C4=2,D4=1),1,
IF(AND(C4=3,D4=1),2,
IF(AND(C4=1,D4=2),1,
IF(AND(C4=2,D4=2),2,
IF(AND(C4=3,D4=2),3,
IF(AND(C4=1,D4=3),2,
IF(AND(C4=2,D4=3),3,
IF(AND(C4=3,D4=3),3,0)))))))))

But... It's too long, and excel sends u a syntax error. So, I exercised my mind and I could make it easier taking leverage of the boolean operators OR() and AND() as well as nested IF() statements.

=IF(OR(
AND(C4=1,D4=1),
AND(C4=2,D4=1),
AND(C4=1,D4=2)),1,
IF(OR(
AND(C4=3,D4=1),
AND(C4=2,D4=2),
AND(C4=1,D4=3)),2,
IF(OR(
AND(C4=3,D4=2),
AND(C4=2,D4=3),
AND(C4=3,D4=3)),3,0)))

Works fine !, not a big deal though. As you can see, this is something VERY VERY simple, but I'm pr0ud of my newbie Excel Skillz jajaj :D...

Have fun ! ;)

NY Times - Bombing Suspect's Long Path to Times Square

2010-07-11T14:05:00.003-05:00

This is a picture that I took the past month to a New York Times newspaper ... I was there a week after the failed attemp..

Fuck t3rr0r1st5 !!.. Fuck 'em all !!

2600 m33ting @ Toronto, Canada

2010-06-19T21:55:00.006-05:00

me (nitr0us) holding a Lineman's Handset (the *LEGAL* beige b0x :D)

I spent a great time with some Canadian friends in the monthly Toronto's 2600 m33ting. It started at 6pm when I arrived to the venue (Free Times Coffee), met Nicholaus and at the same time we asked for organic beer. We talked for about half an hour when another girl & boy arrived to the place =).

After that, we asked for more beer and fries !.. Meanwhile, we were talking about some interesting topics such as Toronto's airport physical insecurity, urban exploration, plants growth, comics, phreaking, electricity, comedy, etc..

1 hour later, another guy and hi's girlfriend joined us. He was a very interesting guy who brought a Lineman's Handset (the *LEGAL* beige b0x :D) and knew a looooot of things about phreaking and electricity.

2 hours later, 2 radical guys, dressed all in black (I mean, ALL), I can't remember where they came from, if from Chicago or San Francisco, but anyway... They were there, in Toronto, 'cause of their work: CAR HACKING =)... Yes, those guys were aliens or something like that, they weren't humans jejeje, they knew a lot of things to hack new and old Cars!!! and also, they carried a lot of cool stuff and devices in their bags ;).. Aw3some shit !!!...

As you can see, THAT'S HACKING ... As I said before, hacking is not about 31337 üb3r 0-day exploits and l33tz0r pwnz0r st3alth b4ckd00rz ...

I had a great and interesting time there !...

The venue, Free Times Coffe @ Toronto, Canada

Keep rocking !

Trend Micro Data Loss Prevention 5.2 (formerly LeakProof) Data Leakage

2010-06-01T20:24:00.003-05:00

I just published a security advisory regarding a vulnerability that I found the last year.

CLICK HERE TO READ IT

Keep rocking !!!

I'm a GPEN now ! ;)

2010-05-26T22:55:00.007-05:00

Today I presented the 4-hour GPEN Certification exam (by SANS Institute), and finished it in 1 1/4 hours, yes, Childs play (hehe just kidding).

I like this certification, 'cause is one of the most advanced in the market and also, demand very realistics hardc0re n1nj4 h4cking skillz that MUST be presented in all the (supposedly) EXPERT PENETRATION TESTERS xDDD !...

But anyway =) ... keep pwning

SANS Toronto - I got the Flag in the CTF ! ;)

2010-05-11T19:22:00.006-05:00

Well, I'd like to post my experience at SANS 560 CTF (Captuer The Flag), which was held on May 10th at the Intercontinental Toroton Centre in Toronto, Canada.

Everything started at 9 am and 4 specially configured & hardened servers and 2 routers were setup in order to break into them. Anyway, it was one of the most challenging CTF's I ever had, 'cause I showed up my COMPLETE NINJA SKILL-SET B-D !!.. yeahh baby !!

Well, the challenge was about to get a 4-times GPG encrypted file, by different people, and then, decrypt it in the inverse order it was encrypted. So, the challenge was to obtain the public and private keys from the 4 different users from the Windows and Linux b0xes.

Ready, set, go !!... Then, I started my ninjutsu h4ck1ng, and also, I had no time to eat, nor time to go to the restroom, I had only time to go for phree c0ffee while my GBs of RAM-resident rainbow tables were destroying some NTLM hashes and my source-c0de patch3d John the ripp3r was cracking others *UNIX accounts.

So, teh hard work was based on some of the f0llowing n1nj4 skillz:

MOSTLY TACTICAL EXPLOITATION (yes, use of the BRAIN)
netcat hardc0re ninj4 hacking, using *NIX backpipes ($man mknod with the 'p' parameter for n00bz) in order to chain different b0xes/ports to bypass FW rules..
Hardc0re packet analysis, specifically capturing traffic with tcpdump with very specific pcap filters and sending the output somewhere you can reach it through a wind0wz machine in order to analyze all the traffic so as to detect a specific pattern to continue the attack against other servers (LOT OF PEOPLE DIED HERE xDDD, n000bz)
Very Rude ! UNIX commands !!! (not for newbies B-D !! like j00 !!!) and STDIN, STDOUT, STDERR deeeeeeeeeeeep knowledge
Rem0te and privilege scalation Exploits' source code modification and compilation...
iptables knowledge in order to append some SPECIFIC rule sets (no iptables -F allowed for kiddies xDDD)
Using l33t techn1quez like passing-the-hash to SMB services to PWN other win b0xez !! ;) (yes n00b, I know it's the first time you read about it xDDD)
d3crypting files using stolen public and private GPG keys (yes, I know, it was the easy part =D)

At the end, after of 6:30 hours of non-stopin' PWNAGE, I got teh madafakin' Flag ! ;) !!

Keep r0cking !! B-) !

c155p... my next challenge ! 4 phun & pr0fit

2010-04-30T20:03:00.006-05:00

Hi all, a couple of days ago, I bought the "CISSP All-in-one Exam Guide, 5th Edition (Hardcover)" by Shon Harris , yes, the *NEW* edition (2010). So, i'll have a lot of fun reading 1216 pages about "5ecur1ty" in the next months, and then, I'll try to obtain the certificate jeje ... For fun.. and for FUCKING pr0fit !! yeahh !!! xDD

XOR Swap Algorithm

2010-04-22T11:52:00.007-05:00

20 minutes before I got to work, I was tackling against a couple of Mexico City's traffic jams !! and then, I recalled a simple but pretty cool algorithm I used like 5 years ago to swap 2 different variables without using a temporary one. If you're new at programming, there exist a variety of such algorithms, more commonly referred as Sorting Algorithms, and most of them use a temporary variable in order to swap the values they have, so, if u want to optimize your c0de and n1nj4 skillz ;) take a look at this !..

This is the XOR Swap Algorithm, and instead I explain it... A picture is worth a thousand words ;) ...

As you can see, it's mathematically simple, and below you can see the c0de & screensh0t I took a few minutes before ...

Keep h4cking !!

31337 order at Cinépolis

2010-04-17T18:35:00.007-05:00

Yes! that'z right, more than a year ago, I received the order number 31337 !!! just imagine the number of posibilities, thousands of people buyin' shit at the cinema, hundres of malls within a movie theater, thousands of orders !!! pfff, and yes, teh fate, my fate, did the work !! B-D !...

Who one else better than me would receive "teh number" jajaj none !! that's right xDDD.. just kidding !!! ... someday, u'll have one too ... just fucking kidding again jajajajajja !!!! xDDDDD ..

Afterall, I still have the voucher in my wallet =D !

Exploiting apps replacing _init through shared libraries

2010-04-12T09:04:00.004-05:00

Yes, an old topic, but this time, with a different and interesting approach. This time, Rh0 found a new attack vector, taking advantage of Glibc's shared library.

It reminds me the old LD_PRELOAD technique ;). Anyway, this time, everything is on dlopen(3), so, let's take a look into the man-page:

"The four functions dlopen(), dlsym(), dlclose(), dlerror() implement the interface to the dynamic linking loader... The function dlopen() loads the dynamic library file named by the null-terminated string filename and returns an opaque "handle" for the dynamic library."

Independently the binary was compiled with RTLD_LAZY (Lazy Binding) or RTLD_NOW, the dynamic linker always execute the content of _init, which in a C programm it's defined by the function with the attribute __attribute__((constructor)) assigned.

So, I tested this in my leasure time and the results are displayed in the next screensh0t.

ch33rz!

From Hacker to C-Level

2010-04-11T21:42:00.003-05:00

This is the latest speech I gave. It was given in the Master of Business Administration at Universidad Anáhuac, a couple of months ago.

CLICK HERE TO DOWNLOAD THE PRESENTATION

Any comments, suggestions, or anything ... send them 2 me !

Welcome

2010-04-08T14:36:00.005-05:00

Hi all,

Welcome 2 my bl0g, yes, I'll retake it 'cause I removed the last I had (~4 years ago).. Anyway, I'll write in english 'cause I've to improve it ...

In this little internet corner, you'll find some things I've found interesting, voodoo, hilarious, complex, weird, cool, etc etc, and all about hacking, research, c0ding, security, inse-fucking-curity, voodoo coding shits, presentations, projectz, blah blah !!..

Hope u enj0y it !!

Kind regards madafakaz !!