Tag Archives: security


Post exploitation tools: Lazagne

Often, after compromising a machine, red teams and adversaries search for certificates or credentials to hop to other machines, a step usually referred to as “lateral movement”. When doing so, many use Mimikatz, a tool that extracts credentials, PIN codes and Kerberos tickets from memory. There are countless blog articles about how to detect it, how to hide it from AV, etc.

But another nifty tool that many don’t know about is Lazagne. It searches for credentials in files and the registry: not just your Windows credentials, but the things you save in browsers, mail clients, FTP clients, keyrings, etc.


KeyWalking: pattern based passwords

TL;DR: download the script here.

In security audits, when we get hold of a password file we usually grab it for offline cracking, even though we may already have admin or root access on the target, just to see whether any users re-use passwords, which would give us more access to other systems.

Doing so, we sometimes find passwords such as “cft6&YGVbhu8”, which by the looks of it seem secure: they have uppercase characters, special characters and numbers. When typing them, however, you’ll notice that they are keyboard patterns.

For this, I was wondering whether it was possible to generate a list of all (or at least many) keyboard-pattern based passwords, a technique referred to as “key walking”. Some tools exist already, but they are often based on predefined patterns (“qwe”, “asdf”, “1qaz”, …). I wanted to make something based on a keyboard layout, so it could be extended. This is KeyWalker: a Ruby script that generates keyboard-pattern based passwords.
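As an added example (not the KeyWalker script from the post, nor any other code by its author), here is a small Ruby check that goes the other way: instead of generating keyboard walks it detects them, so a password policy can reject passwords like “cft6&YGVbhu8” that look complex but are just a path across the keys. Like the post’s approach it works from a layout rather than a list of known patterns, so it catches walks that no pattern list contains. It assumes a US QWERTY layout with the row stagger approximated as fractional key offsets, and the threshold of four adjacent keys is an arbitrary choice made here.

```ruby
# Added example: detect keyboard-walk passwords on a US QWERTY layout.
# Each row is given as [unshifted keys, shifted keys]; both map to the same
# physical key position, so "6" and "^", or "y" and "Y", count as one key.
ROWS = [
  ["`1234567890-=", "~!@#$%^&*()_+"],
  ["qwertyuiop[]\\", "QWERTYUIOP{}|"],
  ["asdfghjkl;'",    "ASDFGHJKL:\""],
  ["zxcvbnm,./",     "ZXCVBNM<>?"],
].freeze

# Horizontal stagger of each row in key widths (an approximation of a physical
# keyboard: "q" sits between "1" and "2", "a" a bit further right, and so on).
ROW_OFFSET = [0.0, 1.5, 1.75, 2.25].freeze

# Character -> [row, x-position] lookup built from the layout above.
KEY_POS = {}
ROWS.each_with_index do |(plain, shifted), row|
  [plain, shifted].each do |keys|
    keys.each_char.with_index { |ch, col| KEY_POS[ch] = [row, col + ROW_OFFSET[row]] }
  end
end
KEY_POS.freeze

# Two characters are "adjacent" when their keys touch on the keyboard
# (including the same key pressed twice, which is just as weak a pattern).
# Characters that are not on the layout are never adjacent.
def adjacent_keys?(a, b)
  pa, pb = KEY_POS[a], KEY_POS[b]
  return false unless pa && pb
  (pa[0] - pb[0]).abs <= 1 && (pa[1] - pb[1]).abs <= 1.0
end

# Length of the longest run of consecutive characters that are all adjacent
# keys: 0 for an empty password, 1 when no two neighbours are adjacent.
def longest_keyboard_walk(password)
  return 0 if password.empty?
  best = run = 1
  password.each_char.each_cons(2) do |a, b|
    run = adjacent_keys?(a, b) ? run + 1 : 1
    best = run if run > best
  end
  best
end

# Policy check: reject when a walk of min_run keys or more appears anywhere.
def keyboard_walk?(password, min_run = 4)
  longest_keyboard_walk(password) >= min_run
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passwords: the one from the post, a classic walk, and
  # a non-walk for comparison.
  ["cft6&YGVbhu8", "1qaz2wsx", "Tr0ub4dor&3"].each do |pw|
    puts "#{pw}: longest walk #{longest_keyboard_walk(pw)}, rejected=#{keyboard_walk?(pw)}"
  end
end
```

The tolerance of one key width horizontally and one row vertically is what makes the diagonal zigzag in “cft6&YGVbhu8” score as a single twelve-key walk; tighten `ROW_OFFSET` or the distance check if a different physical layout is in use.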


But the camera rocks

On my way home from a merely thought-inspiring movie, I passed by a few girls sharing a cigarette on your typical San Francisco cafe’s terrace. One of them was showing her (?) phone to the other, who told her friend “…but the camera rocks”.

It made me realize, still in the movie’s aftermath, how we have given up openness and privacy on our mobile devices, the modern equivalents of our dearest friends (who else do you check at night, first thing in the morning, and take with you to the restroom?), for gimmicks such as cameras and polyphonic ringtones (ok, not anymore, but you get the idea).

Earlier I checked the website of Openmoko, whose goal was to “Free the phone”. Now it seems they have abolished these projects in favor of making a mobile wikipedia device, but I wish they or a similar body would take up the movement again.

We live in an ecosystem that has many “services” and closed systems; and we happily accept it. It’s ok to give up the freedom of tinkering with a mobile phone you just paid 500$ for, because it has cool apps the other platform doesn’t have, oh and of course, because “the camera rocks”.

I hope we start swaying towards openness again, and take back the rights over our digital devices and lives, the same as we have with other, everyday, things. You buy a car, you’re allowed to open the hood and change pretty much everything about it, as long as it doesn’t affect its safety or the environment. You spend money on clothes but want to rip off the sleeves, nobody stops you. Let’s keep that in mind, and hold on to that. A device that is so dear to us should be transparent. And I’m sure its camera would not be so bad either.


Phone numbers as default eLife WiFi keys

The UAE’s internet is pretty much provided by two ISPs, Etisalat and Du, who provide broadband services to their customers.

Focusing on the larger of the two, Etisalat: they provide an eLife program that delivers triple-play services into the homes of their customer base, which includes a WiFi network. The problem is that many of these wireless access points are set up by Etisalat’s technicians themselves, following a certain convention for the encryption key: the client’s mobile phone number.

This mobile number convention gives a limited keyspace, just a few numbers short of 36 million possibilities (8999999 * 4 prefixes). Knowing the shape of a possible key helps tremendously in brute forcing the keys of a wireless network. To generate all these numbers as a list, one could write that in Perl:

# generates 05[0256][1-9][0-9]{6} numbers
$| = 1;   # unbuffered output, so the list streams out as it is generated
foreach my $a (0, 2, 5, 6) {
  foreach my $b (1000000..9999999) { print "05".$a.$b."\n"; }
}

*Note: this script can of course be optimized, since it is unlikely that you’ll have networks with several repetitive numbers having a default eLife installation.

Another handy fact is that “default” eLife setups have their SSID configured as etisalat-XXXXX where XXXXX is a “random” number.

Aside from “having free Internet access” to load balance your torrent web surfing traffic, there’s a much greater risk here.

eLife is delivered with an Aztech HW550 3G wireless router. These devices run an embedded version of Linux, and Aztech was so kind to make the source code available. Alternatively, you can resort to OpenWRT’s efforts, but the latter might raise some suspicion if the original owners decide to change something about their WiFi network.

Now, the danger lies in the following scenario:

  • Attacker adds a backdoor into the HW550’s firmware.
  • Attacker cracks your wireless keys and accesses your network
  • Attacker accesses your wireless router (assuming you didn’t change the admin password)
  • Attacker uploads the new firmware
  • Attacker has access to your connection at all times, can use it to launch attacks and tunnel connections

Since the HW550 has a MIPS CPU of “only” 384 MHz and only 32 megabytes of RAM, it can’t be used for heavy-load network traffic, but you get the basic idea. Aside from creating “AP zombies”, one could redirect your traffic to do a MITM attack, etc …

So, to prevent this scenario from happening, choose a strong wireless encryption key and change it regularly. Or install OpenWRT yourself, or just get another (better) access point.
That, and living inside a Faraday cage, so nobody picks up your wireless signals.


keyspace limitations

I can’t really say which website this is, but it’s a middle eastern telecommunication company.

Maximum 8 character password, in 2012, really?

But then again, in a confirmation email, I noticed that these guys store the password in cleartext. Is diskspace really that expensive that we have to make it a VARCHAR(8)? I know these guys have an internal IT security department; I wonder why.
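As an added example (not from the post or the company in question), this Ruby snippet shows what a password store looks like when the password itself is never written to the column: the record holds a salted PBKDF2-HMAC-SHA256 hash computed with Ruby’s OpenSSL binding, so it has the same length for an 8-character and a 64-character password, and the column width never becomes a reason to cap password length. The iteration count, salt size and record layout are choices made for this example, not anything the page describes.

```ruby
require "openssl"
require "securerandom"

# Added example: store a salted PBKDF2-HMAC-SHA256 hash instead of the
# cleartext password. The parameters below are choices made for this example.
PBKDF2_ITERATIONS = 100_000
PBKDF2_KEY_BYTES  = 32
SALT_BYTES        = 16

# Returns a self-describing record "pbkdf2-sha256$<iterations>$<salt>$<hash>"
# with salt and hash base64-encoded. Its length is fixed (90 characters with
# the parameters above) whatever the password length, so the column never
# limits the password.
def hash_password(password, salt = SecureRandom.random_bytes(SALT_BYTES))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS,
                                      PBKDF2_KEY_BYTES, OpenSSL::Digest.new("SHA256"))
  ["pbkdf2-sha256", PBKDF2_ITERATIONS, [salt].pack("m0"), [digest].pack("m0")].join("$")
end

# Byte-by-byte comparison whose running time does not depend on where the
# first mismatch is, so a wrong guess cannot be narrowed down by timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
end

# Recomputes the hash from the stored salt and parameters and compares it
# to the stored hash; anything that is not a well-formed record fails closed.
def verify_password(password, record)
  algorithm, iterations, salt_b64, hash_b64 = record.split("$", 4)
  return false unless algorithm == "pbkdf2-sha256" && hash_b64
  salt     = salt_b64.unpack1("m0")
  expected = hash_b64.unpack1("m0")
  actual   = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i,
                                        expected.bytesize, OpenSSL::Digest.new("SHA256"))
  constant_time_equal?(actual, expected)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an 8-character and a 64-character password produce
  # records of identical length, and only the right password verifies.
  short_rec = hash_password("a" * 8)
  long_rec  = hash_password("a" * 64)
  puts "record lengths: #{short_rec.length} and #{long_rec.length}"
  puts "verify correct: #{verify_password("a" * 64, long_rec)}"
  puts "verify wrong:   #{verify_password("a" * 63, long_rec)}"
end
```

Storing the algorithm name and iteration count inside the record lets the verifier recompute old hashes after the parameters are raised, and a successful login is the natural moment to re-hash the password with the new settings.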


JQlog: JQuery Keylogger, or why not to trust your proxy admin.

Note that this post is for awareness and educational purposes only. I do not encourage, and cannot be held responsible for malicious actions using these tools.

The Internet, as it is today, is a mash-up of JavaScript-enabled services, often included from external websites. Internet companies offer so-called widgets, which are JavaScript tools that can be used in your own page. Popular examples of this are site analytics (Omniture, Google Analytics, etc.) or share-abilities (AddThis, AddToAny, …). It is by overwriting JavaScript libraries on a page that we can do other things, such as recording keystrokes.

“Overwriting” JavaScript libraries, or rather “inserting JavaScript”, can be done in several ways. Cross-site scripting is one of them, but for the sake of this blog post I will act as a malicious proxy administrator, overwrite the Google Analytics DNS entry (www.google-analytics.com) and “fake” the ga.js JavaScript file.

For this, you’d need only 2 files:

This JavaScript file, found here, holds 3 parts: jQuery, a base64 encoder and the keylogger code itself:


Dubai Credit Card Fraudsters arrested

Dubai Police arrested a gang of Arab men who stole over 200 million dirhams using credit cards for online shopping, Gulf News said.

They were tipped off about the guys in August, and have now caught most of them (one out of four is out of the country).


Holiday in Indonesia

Dear all,

This blog is a bit quiet, since I am on a short trip in Jakarta, Indonesia. I’m visiting a friend of mine and it is a nice break from the busy Dubai life.

Plus, I met some cool people at the Bellua Cyber Security Asia 2008 conference.



MS08-067 released out of the patch cycle, new Blaster coming up?

A newly discovered vulnerability made Microsoft release a security patch outside its usual cycle, the notorious Patch Tuesday, which normally falls on the second Tuesday of the month.

MS08-067 fixes a bug in the RPC handling of the Windows Server service.

The bug was rated “critical” on pre-Vista machines, which are still the majority of Windows clients.


UAE Banks hit by ATM fraudsters

Multiple banks issued SMS messages and emails asking UAE customers to change their PIN codes. Some banks even disabled international ATM cash withdrawals (which would suck if you’re on holiday and need cash).

So, if you are living in the UAE, it never hurts to change your PIN, which is something you should do on a regular basis anyway.