bwall

Active Members
  • Posts

    74
Posts posted by bwall

  1. So if you've seen any of my work, it's a lot of defensive software. Whether it's setting up port traps, making a custom firewall, or taunting your attackers, I try to make sure there are at least some good tools for the job.

    This post is about a new Apache WAF I have been working on for a bit. It uses regular expression rules to match raw URIs to determine if it should block an IP or not. I've been considering whether I want to make this software publicly available or not, or just use it for the fun of taunting people scanning firebwall.com.

    I set it up so it will dump information on attacks to a publicly viewable file so people could use it to add to their own ban lists. You can take a look at http://www.firebwall.com/BallastSecWAFBans.cfg

    The attackers are more than just logged, but also inspected by the WAF and detailed for me to review whenever I feel like looking into who failed to hide their attack.

    I figured I'd open a thread to get comments/ideas and just to see general interest in me making it public. Also, if you follow me on Twitter, I usually post attacks with the tag #AnotherOneBitesTheDust

  2. Thank you both for the advice. As digip knows, I was recently sidetracked from the OpenCL/CUDA integration, as I may have stumbled onto a weakness with SHA-256 when used with the algorithm described in section 4.1 of this Bruce Schneier paper: http://www.schneier.com/paper-low-entropy.pdf

    I'm trying to get in contact with him so I can see if he agrees it's a weakness, and hopefully publish the weakness along with him.

    I did have an idea which would make this useful for a back|track or similar forensic tool. It would search for different password databases on the current system (like for KeePass, Password Safe, Mozilla, Chrome, etc.), then recover passwords for the databases as well as the passwords stored inside them.

  3. So recently my buddy and I started poking holes in some password safe systems (like KeePass). I made a blog post about how most of these could easily be defeated by adding a WndProc listener to the clipboard and watching for passwords as they get copied and pasted. That post is here: http://ballastsec.blogspot.com/2012/07/insecurity-in-password-management.html

    Not all of the password safe systems use this method, or have alternative methods as well. So the best way to attack these safes is to crack the safe.

    Currently, I have only implemented a safe cracker for Password Safe (http://passwordsafe.sourceforge.net/) after doing a light analysis, then spending a lot of fun time making a dictionary cracker for it. Blog post about it here: http://ballastsec.blogspot.com/2012/07/auditing-of-password-safe-continues.html

    You can also find the source code that I've released so far here: https://github.com/bwall/SafeCracker/

    and finally find the tarball of the latest version with a nice little Makefile here: https://github.com/downloads/bwall/SafeCracker/safe-cracker.tar.gz

    safe-cracker has currently only been tested in a Linux environment; if you really wanted to compile it on Windows, you would need the pthread library. If I were you though, I would wait until I finish implementing OpenCL into the cracker, as I will supply a compiled copy for Windows.

    What I would like to know is, what other password safe systems would you want audited? I want to add a few to this project, and hopefully start pushing development towards cracking more state of the art hashes.

  4. When the base64 is decoded, it comes to 20 bytes (same as raw SHA-1), and when converted from binary data to ASCII hex, it comes to 51C796A40692EA2C39E48D5CC2873BE718EC5C39. I would try cracking that SHA-1.

    A hash does not need to be ASCII hex, as the format that comes from the actual algorithms is the binary form, not the ASCII hex form. The ASCII hex form is just the default way to display it, even though base64 is more compressed (but takes more time to compute). Most hashing algorithms end up with just a set of 4-byte integers lined up to make the actual hash. In MD5, it's 4 4-byte integers. In SHA-1 it is actually 5 4-byte integers, hence the 20-byte raw SHA-1.
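The point above (hex and base64 are just two encodings of the same raw digest, and the raw length tells you which algorithms are candidates) is easy to check mechanically. The following is an added example written for this page, not code from bwall's post. It takes a hash in either encoding, reports the raw length, both encodings, the candidate algorithms for that length, and the digest split into 32-bit words as the post describes. The length table and the sample input are constructed for the example; the hex value is the one quoted in the post.

```python
import base64
import hashlib
import struct

# Raw digest length -> algorithms that produce it. Constructed lookup for
# this example; the lengths are the standard output sizes of each algorithm.
DIGEST_LENGTHS = {
    16: ["MD5", "MD4", "NTLM"],
    20: ["SHA-1", "RIPEMD-160"],
    28: ["SHA-224"],
    32: ["SHA-256"],
    48: ["SHA-384"],
    64: ["SHA-512"],
}

# The hex value quoted in the post above.
POSTED_HEX = "51C796A40692EA2C39E48D5CC2873BE718EC5C39"


def decode_hash(text):
    """Accept a hash as hex or base64 and return its raw bytes.

    Hex is tried first: every hex string is also made of base64 alphabet
    characters, so the reverse order would misread hex as base64. A base64
    string that happens to be even-length and all hex digits is ambiguous;
    that case is rare for real digests and is not handled here."""
    stripped = text.strip()
    if len(stripped) % 2 == 0:
        try:
            return bytes.fromhex(stripped)
        except ValueError:
            pass
    # Tolerate stripped '=' padding, which some tools drop.
    padded = stripped + "=" * (-len(stripped) % 4)
    return base64.b64decode(padded, validate=True)


def describe_hash(text):
    """Return the raw length, both encodings, candidate algorithms, and the
    digest as big-endian 32-bit words (MD5 = 4 words, SHA-1 = 5 words)."""
    raw = decode_hash(text)
    words = []
    if len(raw) % 4 == 0:
        words = ["%08x" % w for w in struct.unpack(">%dI" % (len(raw) // 4), raw)]
    return {
        "raw_len": len(raw),
        "hex": raw.hex(),
        "base64": base64.b64encode(raw).decode("ascii"),
        "candidates": DIGEST_LENGTHS.get(len(raw), []),
        "words": words,
    }


def digest_forms(algorithm, data):
    """Hash constructed data with hashlib and show the same digest in its
    raw, hex and base64 forms, to confirm the lengths the post gives."""
    raw = hashlib.new(algorithm, data).digest()
    return describe_hash(raw.hex())


if __name__ == "__main__":
    info = describe_hash(POSTED_HEX)
    print("raw length:", info["raw_len"], "candidates:", info["candidates"])
    print("hex:   ", info["hex"])
    print("base64:", info["base64"])
    print("words: ", info["words"])
    print("sha1 of constructed input:", digest_forms("sha1", b"constructed sample"))
```

Feeding the base64 form back into `describe_hash` yields the same hex, which is the round trip the post describes; 20 raw bytes base64-encode to 28 characters with one `=` of padding.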

  5. Nice to see recommendations of crypto hashes rather than fast ones.

    Did you hear the recent Risky Business where Marcus Ranum talks about hashing?

    http://risky.biz/net...-recon-hd-moore

    It was a pretty interesting talk to listen to, but they didn't really settle on anything other than "the system is borked". As the paper mentions, Ballast Security is working on a new authentication system that can be patched into websites and the like as a method for verifying users/passwords. We are hoping to do a public live demo of this project soon, but we need to find somewhere to host it because it's likely someone will try to just brute force the authentication on the server, D/DoSing the live demo. We plan on implementing throttling methods, but we host on a VPS, and maxing out the CPU would probably get our account dropped.

  6. Bwall setup a lab using the scripts we downloaded from the attackers, simulating an actual botnet using the same scripts the attackers used, only changing all the attack commands in the bot, to return dummy data, or static entries to whatever you want them to be. This video, is merely a demonstration though, of how the bots operate(some of them anyway), what to look for, and hot to take them down.

    Oh yeah, its hot to take them down. :P

    Sorry DigiP, had to play on your typo there. *how

  7. Just going to put this out there. RC4 is probably going to be the simplest to implement. If you do proper key management, it can be quite secure, not to mention fast and easy to add onto (making it so someone would need entirely new attacks against the algorithm).

    If you want anywhere to look for how to implement RC4, the Wikipedia page for it is pretty in-depth.

    I have an implementation that another person and I optimized to death for a class project; let me know if you want that.
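For readers following the Wikipedia description mentioned above, here is an added example (not bwall's optimized class-project implementation) of RC4's two stages, the key-scheduling algorithm and the pseudo-random generation algorithm, together with a check of the "proper key management" condition the post attaches to it: because RC4 is a plain XOR with a keystream, encrypting two messages under the same key lets the keystream cancel out, so a defender should treat key (or key-and-nonce) reuse as a protocol defect to detect, not a theoretical concern. The test strings are the published RC4 test vectors; the reuse demonstration uses constructed messages.

```python
def rc4_keystream(key):
    """Generate RC4 keystream bytes: KSA to permute S, then PRGA forever."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt (the operation is symmetric) by XOR with keystream."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def keystream_reuse_leak(key, msg_a, msg_b):
    """Show what an observer learns when one key encrypts two messages:
    XORing the two ciphertexts cancels the keystream and leaves
    msg_a XOR msg_b, with no knowledge of the key at all. Zero bytes in the
    result mark positions where the plaintexts agree."""
    ct_a, ct_b = rc4(key, msg_a), rc4(key, msg_b)
    n = min(len(ct_a), len(ct_b))
    return bytes(a ^ b for a, b in zip(ct_a[:n], ct_b[:n]))


if __name__ == "__main__":
    # Published test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())           # bbf316e8d940af0ad3
    # Constructed messages sharing a key: leading zeros reveal the common prefix.
    print(keystream_reuse_leak(b"Key", b"attack at dawn", b"attack at dusk").hex())
```

In practice the remedy is never to reuse a key across messages (derive a fresh per-message key, or use a cipher mode with a nonce), and to flag any protocol in review that does.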

  8. Hey,

    A few of us have been working on a project for a while now working on making knowledge about the botnets building themselves up with servers infected via RFI vulnerabilities more public, as well as finding and exposing their vulnerabilities themselves.

    Here is the first paper: http://www.exploit-db.com/wp-content/themes/exploit/docs/19032.pdf

    Here is a blog post with the first paper in non-pdf form: http://ballastsec.blogspot.com/2012/06/insecurity-of-poorly-designed-remote.html

    Here is where you can submit RFI payloads you have found for analysis and automated decoding: https://www.firebwall.com/decoding/index.php

    The second paper is in the works, this time with coauthors. This paper can be more complete with more samples of bots. I can also make the auto-decoder better with more examples of encoding.

    One of the coauthors is the one and only DigiP!

  9. well I would have to make a subroutine to make requests and check whether the flag is set every time a request is made. so yes it would be hard. and you might want to use regex when checking the url to avoid evasions like ././././././passwords.txt?tgvfjhgvjhg=rgtrf444

    Double posting, sorry.

    So I did some work with netcat and Apache.

    Apache seems to automatically remove the "./" but I'll keep that functionality in for other webservers. Also, HEADs do run PHP code, so using a HEAD will not avoid detection.

    Here is my current version.

    http://pastebin.com/h7SPzftp

    I'm going to add more locations to it later.

  10. well I would have to make a subroutine to make requests and check whether the flag is set every time a request is made. so yes it would be hard. and you might want to use regex when checking the url to avoid evasions like ././././././passwords.txt?tgvfjhgvjhg=rgtrf444

    Good idea, I was planning on adding to the methods I use to sanitize URLs for checking. Right now I have it removing an extra / at the beginning, but I think I'm going to loop that, and change how the values are stored. I'll post the next version.

    I also want to change everything over to the startsWith check, so excess stuff like the GET args will be ignored.
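The two replies above (normalising a request URL before the startsWith check so that `./` repetition and trailing GET arguments cannot dodge it) and post 1 (regex rules over raw URIs that decide whether an IP goes on a ban list) describe the same pipeline from two ends. The following is an added example written for this page, not bwall's pastebin script or his Apache WAF: it canonicalises the path, applies a small constructed rule set, and builds a ban list from constructed Apache-style log lines. The HTTP method is deliberately ignored, matching the observation in post 9 that a HEAD still reaches the application.

```python
import re
from urllib.parse import unquote

# Constructed rule set for this example, matched against the normalised path.
RULES = [
    re.compile(r"^/passwords\.txt$"),
    re.compile(r"^/(admin|phpmyadmin)(/|$)"),
    re.compile(r"^/etc/passwd$"),
    re.compile(r"^/\.git/"),
    re.compile(r"^/wp-login\.php$"),
]

# Constructed log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Jul/2012:10:01:03 +0000] "GET /././././passwords.txt?tgvfjhgvjhg=rgtrf444 HTTP/1.1" 404 210
203.0.113.9 - - [10/Jul/2012:10:01:04 +0000] "HEAD //admin/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Jul/2012:10:01:05 +0000] "GET /images/..%2f.git/config HTTP/1.1" 404 210
203.0.113.5 - - [10/Jul/2012:10:01:06 +0000] "GET /about/./team.html HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3})')


def normalize_path(raw_uri):
    """Reduce a raw request URI to a canonical absolute path so that './',
    '//', '..' and percent-encoding cannot disguise the target file."""
    # Split the query/fragment off by hand: urlsplit would read a leading
    # '//' as an authority part and silently drop the path.
    path = raw_uri.split("?", 1)[0].split("#", 1)[0]
    for _ in range(3):                  # unwind nested encodings such as %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):            # collapses '//' and './'
            continue
        if seg == "..":                 # resolve parent references in place
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    result = "/" + "/".join(segments)
    if segments and path.endswith("/"):
        result += "/"
    return result


def matched_rule(path):
    """Return the pattern of the first rule that matches, or None."""
    for rule in RULES:
        if rule.search(path):
            return rule.pattern
    return None


def scan_log(log_text):
    """Return (set of IPs to ban, list of hit records) for the log text."""
    bans, hits = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, raw_uri, status = m.groups()
        path = normalize_path(raw_uri)
        rule = matched_rule(path)
        if rule:
            bans.add(ip)
            hits.append({"ip": ip, "method": method, "raw": raw_uri,
                         "path": path, "rule": rule, "status": status})
    return bans, hits


if __name__ == "__main__":
    bans, hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print("%-12s %-4s %s -> %s (rule %s)" % (h["ip"], h["method"], h["raw"], h["path"], h["rule"]))
    print("ban list:", sorted(bans))
```

Normalising first means the rules can stay simple anchored patterns; the query string is dropped before matching, which is what the startsWith change in the post is after. Canonicalisation here is a detector's view and may differ from what a given web server resolves, so the safest rules are written against the normalised form and tested against the server's own log lines.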

  11. Ok, I figured -R would send HEAD requests, as that's a good way to check if a file exists. I see what you are doing with the Content-Range though, that is pretty neat. That way only bytes 0 through 1 get returned. Although, it does process the whole php page, meaning the 404/403 script will block it. Would it be difficult to add a flag to send HEADs instead of GETs?

    http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html 9.4

  12. Neat idea! If you want a good list of things to block, go to Web-Sorrow_v(version number)/DB/small-tests.db and open it in a text editor. In Web-Sorrow, -ninja does NOT make other scans stealthy; it itself is a scan that uses very few requests. BTW I've just updated web-sorrow to v1.3.7

    Hey,

    I tried using -R, and it's still only sending GETs, not HEADs. I'm not sure if the command line argument is catching or not.

  13. I'm not seeing any proof or confirmation that the US/Israel made it. They just claim it's detailed in some upcoming book. This could be Ars just being Ars again (sensationalistic and over dramatic)...

    telot

    True. Also seems like an interesting piece of info to be released as Anon is ripping itself apart. I've been watching stuff that's been trending on pastebin, and it's getting ugly lol.

    Edit: But on the other hand...

    http://topics.nytimes.com/top/reference/timestopics/subjects/c/computer_malware/stuxnet/index.html

  14. @Bwall - Well if you could do something like in Iron Man, normally Tony has to state Jarvis's name and he quickly replies with a "Yes sir" or similar. Almost like a dialogue version of clicking the bash icon and a command prompt opening up. Then you begin the dialogue and the commands are run. You could then make a universal terminating command. So if you could make a universal verbal initiator like that, problem more or less solved.

    @Bibbyb - Yes, I've seen how voice synthesis works (in a small way, not in depth), so it will be a difficult thing to fine tune beyond personal use.

    The engines I mentioned have their own methods of training. With .Net, you preset training words, and train it at runtime. I guess you could also set the words at runtime. Granted, the cookie cutter engines I'm mentioning are not nearly as accurate as those bobbyb is mentioning. The question is, is it a feature or a bug that the system would only respond properly to your voice/accent? :P
