bwall
Everything posted by bwall

  1. So if you've seen any of my work, it's a lot of defensive software. Whether it's setting up port traps, making a custom firewall, or taunting your attackers, I try to make sure there are at least some good tools for the job. This post is about a new Apache WAF I have been working on for a bit. It uses regular expression rules to match raw URIs to determine if it should block an IP or not. I've been considering whether I want to make this software publicly available or not, or just use it for the fun of taunting people scanning firebwall.com. I set it up so it will dump information on attacks to a publicly viewable file so people could use it to add to their own ban lists. You can take a look at http://www.firebwall.com/BallastSecWAFBans.cfg . The attackers are more than just logged, but also inspected by the WAF and detailed for me to review whenever I feel like looking into who failed to hide their attack. I figured I'd open a thread to get comments/ideas and just to see general interest in me making it public. Also, if you follow me on Twitter, I usually post attacks with the tag #AnotherOneBitesTheDust.
  2. By the way, if you have any ideas for new features, bugs, and/or holes please don't hesitate to contact either digip or me. :)
  3. The source code for anyone still looking into this project: https://github.com/bwall/PHP-RFI-Payload-Decoder . Probably should have an area for people to post where they have theirs up so people know where to decode payloads.
  4. I recently released an attack on the iterative use of hashing functions. Here is a link to my blog post about it: http://ballastsec.blogspot.com/2012/07/transferable-state-attack-on-iterated.html . This attack has proved to be faster than jtr at cracking Password Safe hashes, taking only 90% of the time it takes.
  5. Thank you both for the advice. As digip knows, I was recently sidetracked from the OpenCL/CUDA integration as I may have stumbled onto a weakness with SHA-256 when used with the algorithm described in section 4.1 of this Bruce Schneier paper: http://www.schneier.com/paper-low-entropy.pdf . I'm trying to get in contact with him so I can see if he agrees it's a weakness, and hopefully publish the weakness along with him. I did have an idea which would make this useful for a BackTrack or similar forensic tool. It would search for different password databases on the current system (like for KeePass, Password Safe, Mozilla, Chrome, etc.), then recover passwords for the databases as well as the passwords stored inside them.
  6. I'm planning on open sourcing every part of the project, but I want to see how many people actually want that. So retweet this https://twitter.com/bwallHatesTwits/status/226490924686000128 if you want it open sourced. You can always mention it here, but retweeting does also show it to more people who may want it open sourced.
  7. So recently my buddy and I started poking holes in some password safe systems (like KeePass). I made a blog post about how most of these could easily be defeated by adding a WndProc listener to the clipboard and watching for passwords as they get copied and pasted. That post is here: http://ballastsec.blogspot.com/2012/07/insecurity-in-password-management.html . Not all of the password safe systems use this method, or they have alternative methods as well. So the best way to attack these safes is to crack the safe. Currently, I have only implemented a safe cracker for Password Safe (http://passwordsafe.sourceforge.net/) after doing a light analysis, then spending a lot of fun time making a dictionary cracker for it. Blog post about it here: http://ballastsec.blogspot.com/2012/07/auditing-of-password-safe-continues.html . You can also find the source code that I've released so far here: https://github.com/bwall/SafeCracker/ and finally the tarball of the latest version with a nice little Makefile here: https://github.com/downloads/bwall/SafeCracker/safe-cracker.tar.gz . safe-cracker has currently only been tested in a Linux environment; if you really wanted to compile it on Windows, you would need the pthread library. If I were you though, I would wait until I finish implementing OpenCL into the cracker, as I will supply a compiled copy for Windows. What I would like to know is, what other password safe systems would you want audited? I want to add a few to this project, and hopefully start pushing development towards cracking more state-of-the-art hashes.
  8. This could help on Linux. I have a simple implementation of it (private) for fireBwall, but I don't know of any other firewall for Windows that handles that. http://ballastsec.blogspot.com/2012/07/using-iptables-to-setup-port-traps.html
  9. When the base64 is decoded, it comes to 20 bytes (same as raw SHA-1), and when converted from binary data to ASCII hex, it comes to 51C796A40692EA2C39E48D5CC2873BE718EC5C39. I would try cracking that SHA-1. A hash does not need to be ASCII hex, as the format that comes from the actual algorithms is the binary form, not the ASCII hex form. The ASCII hex form is just the default way to display it, even though base64 is more compressed (but takes more time to compute). Most hashing algorithms end up with just a set of 4-byte integers lined up to make the actual hash. In MD5, it's four 4-byte integers. In SHA-1 it is actually five 4-byte integers, hence the 20-byte raw SHA-1.
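The point of post 9 is that hex and base64 are just two encodings of the same raw digest, and that the raw length (and the word layout) tells you which algorithm you are probably looking at. The following is an added example, not code from the thread or from bwall: it normalizes a digest given in either encoding, guesses the algorithm from the raw length, splits the bytes back into the 32-bit state words the post describes (MD5 little-endian, SHA-1 big-endian), and runs a tiny dictionary check. The length table and the sample digests (SHA-1 and MD5 of "abc", plus the hex value from the post) are constructed for the example; length alone cannot distinguish, say, SHA-256 from BLAKE2s, so the guess is only a starting point.

```python
import base64
import binascii
import hashlib
import re
import struct

# Assumption: only the common unkeyed digests are listed. Length is a hint,
# not proof (32 bytes could equally be BLAKE2s; 16 bytes could be a truncation).
DIGEST_LENGTHS = {16: "MD5", 20: "SHA-1", 28: "SHA-224", 32: "SHA-256", 48: "SHA-384", 64: "SHA-512"}
HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def normalize_hash(text):
    """Accept a digest as ASCII hex or base64; return (raw_bytes, upper_hex, guessed_algo).

    The raw bytes are what the algorithm actually outputs. Hex is the usual display
    form, base64 is shorter, but a base64 value is not a different hash type.
    """
    text = text.strip()
    if HEX_RE.match(text) and len(text) // 2 in DIGEST_LENGTHS:
        raw = binascii.unhexlify(text)
    else:
        raw = base64.b64decode(text, validate=True)  # raises on non-base64 input
    hex_digest = binascii.hexlify(raw).decode("ascii").upper()
    algo = DIGEST_LENGTHS.get(len(raw), "unknown (%d bytes)" % len(raw))
    return raw, hex_digest, algo


def digest_words(raw, word_size=4, little_endian=False):
    """Split a raw digest into the fixed-size integers its internal state is made of.

    MD5 serializes its four 32-bit words little-endian; SHA-1 (five words) and
    SHA-256 (eight) are big-endian; SHA-384/512 use 64-bit words (word_size=8).
    """
    if len(raw) % word_size:
        raise ValueError("digest length %d is not a multiple of %d" % (len(raw), word_size))
    count = len(raw) // word_size
    fmt = ("<" if little_endian else ">") + ("I" if word_size == 4 else "Q") * count
    return list(struct.unpack(fmt, raw))


def try_candidates(raw, candidates, algo):
    """Minimal dictionary check: return the candidate whose digest equals raw, else None."""
    name = algo.lower().replace("-", "")  # "SHA-1" -> "sha1" for hashlib.new
    for cand in candidates:
        if hashlib.new(name, cand).digest() == raw:
            return cand
    return None


if __name__ == "__main__":
    # Constructed inputs: base64 of SHA-1("abc"), hex of MD5("abc"), and the hex
    # value quoted in the post above.
    for sample in ("qZk+NkcGgWq6PiVxeFDCbJzQ2J0=",
                   "900150983cd24fb0d6963f7d28e17f72",
                   "51C796A40692EA2C39E48D5CC2873BE718EC5C39"):
        raw, hx, algo = normalize_hash(sample)
        words = digest_words(raw, little_endian=(algo == "MD5"))
        print("%-44s %s %2d bytes  %s" % (sample, algo, len(raw), hx))
        print("   words:", ["%08x" % w for w in words])
        hit = try_candidates(raw, [b"password", b"abc", b"123456"], algo)
        print("   dictionary hit:", hit)
```

Running it shows the three digests side by side with their word splits; only the two "abc" samples get a dictionary hit, the post's SHA-1 stays uncracked with this toy wordlist.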
  10. Here are the hash cracking competition details. http://forum.intern0t.org/web-hacking-war-games/4365-ballast-security-hash-cracking-competition.html Happy Cracking :D
  11. It was a pretty interesting talk to listen to, but they didn't really settle on anything other than "the system is borked". As the paper mentions, Ballast Security is working on a new authentication system, that can be patched into websites and the like as a method for verifying user/passwords. We are hoping to do a public live demo of this project soon, but we need to find somewhere to host it because its likely someone will try to just brute force the authentication on the server, D/DoSing the live demo. We plan on implementing throttling methods, but we host on a VPS, and maxing out the CPU would probably get our account dropped.
  12. Hey, Planning on publishing this paper soon about how to properly hash a password as well as including a new idea for dynamic entropy. Let me know what you think. http://ballastsec.blogspot.com/2012/06/proper-password-hashing.html
  13. Here's a video related to the paper. Enjoy :)
  14. Oh yeah, its hot to take them down. :P Sorry DigiP, had to play on your typo there. *how
  15. Just going to put this out there. RC4 is probably going to be the simplest to implement. If you do proper key management, it can be quite secure, not to mention fast, and easy to add onto (making it so someone would need entirely new attacks against the algorithm). If you want anywhere to look for how to implement RC4, the Wikipedia page for it is pretty in depth. I have an implementation that another person and I optimized to death for a class project; let me know if you want that.
  16. Hey, a few of us have been working on a project for a while now, working on making knowledge about the botnets building themselves up with servers infected via RFI vulnerabilities more public, as well as finding and exposing the vulnerabilities in the botnets themselves. Here is the first paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19032.pdf . Here is a blog post with the first paper in non-PDF form: http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote.html . Here is where you can submit RFI payloads you have found for analysis and automated decoding: https://www.firebwall.com/decoding/index.php . The second paper is in the works, this time with coauthors. This paper can be more complete with more samples of bots. I can also make the auto-decoder better with more examples of encoding. One of the coauthors is the one and only DigiP!
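Post 15 points readers to the RC4 description rather than showing it, so here is an added example (mine, not the class-project implementation the post offers, and not code from the thread): the key-scheduling algorithm and the pseudo-random generation algorithm as Wikipedia describes them, checked against two of the published test vectors. The second half shows the failure mode the post's "proper key management" clause is really about: the cipher is keystream XOR plaintext, so encrypting two messages under one key leaks their XOR and lets anyone holding one plaintext read the other. Two caveats a practitioner would add today: RC4's keystream has well-documented statistical biases, and it has been prohibited in TLS (RFC 7465), so this is for understanding the construction, not for new designs. The keys and messages are the test vectors plus a constructed second message.

```python
def rc4_ksa(key):
    """Key-scheduling algorithm: derive the 256-byte permutation S from the key."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S):
    """Pseudo-random generation algorithm: yield keystream bytes from a KSA state."""
    S = S[:]          # work on a copy so the caller's state is untouched
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (the same operation): data XOR keystream."""
    ks = rc4_prga(rc4_ksa(key))
    return bytes(b ^ next(ks) for b in data)


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(key, known_plaintext, other_plaintext):
    """Attacker's view when one key encrypts two messages.

    c1 XOR c2 == p1 XOR p2 because the keystream cancels, so knowing p1 recovers p2
    (up to the shorter length) without ever learning the key.
    """
    c1 = rc4(key, known_plaintext)
    c2 = rc4(key, other_plaintext)
    return xor_bytes(xor_bytes(c1, c2), known_plaintext)


if __name__ == "__main__":
    # Published RC4 test vectors (key, plaintext, expected ciphertext hex).
    for key, pt, expect in ((b"Key", b"Plaintext", "bbf316e8d940af0ad3"),
                            (b"Secret", b"Attack at dawn", "45a01f645fc35b383552544b9bf5")):
        ct = rc4(key, pt)
        print(key, pt, ct.hex(), "OK" if ct.hex() == expect else "MISMATCH")
        assert rc4(key, ct) == pt
    # Constructed second message under a reused key: recovered without the key.
    print(keystream_reuse_leak(b"Key", b"Plaintext", b"Secret!!!"))
```

The leak function is the reason stream ciphers need a per-message key or nonce: in RC4 that means a fresh key from a KDF per message, since the algorithm has no nonce input of its own.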
  17. That's what my current 404 is.
  18. Double posting, sorry. So I did some work with netcat and Apache. Apache seems to automatically remove the "./", but I'll keep that functionality in for other web servers. Also, HEADs do run PHP code, so using a HEAD will not avoid detection. Here is my current version: http://pastebin.com/h7SPzftp . I'm going to add more locations to it later.
  19. Good idea. I was planning on adding to the methods I use to sanitize URLs for checking. Right now I have it removing an extra / at the beginning, but I think I'm going to loop that, and change how the values are stored. I'll post the next version. I also want to change everything over to the startsWith check, so excess stuff like the GET args will be ignored.
  20. OK, I figured -R would send HEAD requests, as that's a good way to check if a file exists. I see what you are doing with the Content-Range though; that is pretty neat. That way only bytes 0 through 1 get returned. Although it does process the whole PHP page, meaning the 404/403 script will block it. Would it be difficult to add a flag to send HEADs instead of GETs? http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html (section 9.4)
  21. Hey, I tried using -R, and it's still only sending GETs, not HEADs. I'm not sure if the command line argument is catching or not.
  22. True. Also seems like an interesting piece of info to be released as Anon is ripping itself apart. I've been watching stuff that's been trending on pastebin, and it's getting ugly lol. Edit: But on the other hand... http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_malware/stuxnet/index.html
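Posts 1, 18 and 19 between them describe the matching logic of the WAF: regex rules run against the raw request URI, a normalization pass that strips "./" segments and repeated leading slashes, a startsWith (prefix) check so query-string noise is ignored, and no exemption for HEAD because the server executes the handler for it anyway. The block below is an added example of that pipeline, written for this page and not taken from the WAF or the pastebin script; the rule list, the log lines (Apache combined format, constructed with documentation-range addresses) and the function names are all assumptions. It goes slightly beyond the posts by percent-decoding the path before the prefix check, since /%70ma/ would otherwise slip past a /pma/ rule.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed rule set. Prefix rules apply to the normalized path; regex rules
# apply to the raw target so that traversal and RFI attempts are seen before
# any server-side cleanup.
BLOCK_PREFIXES = ("/phpmyadmin", "/pma/", "/w00tw00t", "/cgi-bin/php")
BLOCK_PATTERNS = [
    (re.compile(r"\.\./"), "traversal"),                          # raw "../"
    (re.compile(r"[?&][^&=]+=(?:https?|ftp)://", re.I), "rfi"),   # ?page=http://...
]
# Apache combined log: ip ident user [time] "method target proto" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def normalize_path(target):
    """Reduce a raw request target to a canonical path for prefix matching."""
    path = target.split("?", 1)[0].split("#", 1)[0]  # drop query string / fragment
    path = unquote(path)                             # /%70ma -> /pma
    if not path.startswith("/"):
        path = "/" + path
    while "/./" in path:                             # strip "./" segments (looped, as post 19 plans)
        path = path.replace("/./", "/")
    path = re.sub(r"/{2,}", "/", path)               # //phpMyAdmin -> /phpMyAdmin
    return path.lower()


def classify(target):
    """Return the name of the rule a raw request target trips, or None."""
    for pattern, name in BLOCK_PATTERNS:
        if pattern.search(target):
            return name
    path = normalize_path(target)
    for prefix in BLOCK_PREFIXES:
        if path.startswith(prefix):
            return "prefix:" + prefix
    return None


def scan_log(lines, threshold=1):
    """Map client IP -> list of (method, target, rule) for IPs at or above threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        # HEAD is deliberately not exempt: the handler still runs for it (post 18).
        rule = classify(target)
        if rule:
            hits[ip].append((method, target, rule))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


# Constructed log lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2012:10:11:12 +0000] "GET //phpMyAdmin/./scripts/setup.php HTTP/1.1" 404 220 "-" "ZmEu"',
    '203.0.113.7 - - [12/Jul/2012:10:11:13 +0000] "HEAD /%70ma/index.php HTTP/1.1" 404 0 "-" "ZmEu"',
    '198.51.100.9 - - [12/Jul/2012:10:12:01 +0000] "GET /index.php?page=http://example.net/c99.txt? HTTP/1.1" 200 1532 "-" "libwww-perl/5.8"',
    '192.0.2.44 - - [12/Jul/2012:10:13:30 +0000] "GET /about.html HTTP/1.1" 200 4011 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Jul/2012:10:13:31 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in sorted(scan_log(SAMPLE_LOG).items()):
        print(ip)
        for method, target, rule in hits:
            print("   %-4s %-50s %s" % (method, target, rule))
```

On the sample log the two scanner addresses are flagged (the HEAD request included) and the ordinary browser traffic is not; raising threshold lets one stray match pass while a scan that walks several known paths still gets banned.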
  23. http://arstechnica.com/tech-policy/2012/06/confirmed-us-israel-created-stuxnet-lost-control-of-it/ To be honest, I'm happy. I thought it was the Russians trying to push the Iranians to increase tension with Israel so the Cold War could restart/continue.
  24. The engines I mentioned have their own methods of training. With .Net, you preset training words, and train it at runtime. I guess you could also set the words at runtime. Granted, the cookie cutter engines I'm mentioning are not nearly as accurate as those bobbyb is mentioning. The question is, is it a feature or a bug that the system would only respond properly to your voice/accent? :P