Hacking The Everyday

Life Hacks

2011-05-20T15:09:00.000-04:00

While browsing around the Al Gore-created series of tubes, I came across this nice collection of life hacks. While I didn't come up with these hacks (nor do I endorse all of them), I figured they deserved some airtime.
Happy Hacking,
-J

Dynamic Passwords

2010-08-25T13:46:00.001-04:00

There will come times that, like it or not, you will not be able to use passphrases. A service might require you to follow "complexity requirements" in your password, or you might be limited to a certain number of characters. So, if you can't use your a passphrase, what is your next, most secure option?

Traditional security rules state that a password should be least 8 characters long, with at least one capital letter, one lowercase letter, one number, and one special character. It is also recommend practice that each service, website, or application you use have a separate password. Sounds great, but is this really a practical solution? Unless you have exceptional memory, remembering all those unique passwords is going to be extremely difficult, and chances are you will either forget them or write them down. Sure, you could use one complex password for everything (as many people do, unfortunately), but what if one of your services get compromised? The attacker would then be able to log into any other service you use. So, what is the best compromise?

Enter dynamic passwords. Put simply, a dynamic password is simply an algorithm that is used to produce a password that is unique to each site or service you create the password for. All you need to do is remember the algorithm you used; if you forget the password, you can always use the same algorithm to arrive at the same password. This keeps passwords easy to remember, and if the algorithm is sufficiently complex, difficult for attackers to figure out. This is best explained by example:

Let's start with a very basic password, such as "Q". Now, let's throw in some dynamic variables at the end of the password, such as the first and last character of the service or website you're using, represented by X and Y. The password would then look like: "QXY". Applying this to a website is easy. For example, if you're creating a password for Amazon, X would be "a" and Y would be "n". Thus the password for Amazon would "Qan". Using the same algorithm, the password for Walmart would be "Qwt".

But let's not stop there - obviously a three-character password isn't going to last for long. We could add on other variables, such as the length of the first word of the service (represented by LL), as well as static characters, like "3!". Now the password is "QXYLL3!", and if used for Newegg, would be "Qng033!". To top it off, you could add a shift-cipher at the end that capitalizes the first character of the website/service, and moves it forward two letters in the alphabet (thus, 'a' would become 'C', 'b' would be 'D', etc).

Thus, our final algorithm would look like "QXYLL3!(+2)", and would generate the following passwords:
GovernmentSecurity.org:    Qgy103!I
Yahoo.com:                       Qyo053!A
Paypal.com:   Qpl033!R

This is just a sample algorithm, but it has the advantages of being sufficiently complex for most websites, is unique to each site, and is relatively easy to remember. Experiment with your own algorithm, combining various features and other tricks to obscure it. The possible variations are endless. Note, that if an attacker has access to enough passwords, they may be able to deduce the algorithm. However, they would need to compromise several such services that you use and then correlate the results. Even so, a sufficiently complex algorithm should be able to resist casual deduction, short of statistical analysis.

Happy Hacking.
-J

New Tool: Combo Splitter

2010-07-23T12:38:00.001-04:00

For those of you who audit passwords or need to crack hashes, you've probably had the need to create or split combolists at one point or another. For those who are new to the term, combolists are just text files with a list of usernames and passwords on each line, separated with a colon (like admin:password). They are most often used by cracking/brute forcing programs. Until now, I had published a simple Perl script to join two files into a combolist, but not split them. However, this is finally fixed with the release of ComboSplitter, another simple Perl script designed to make life easier for those who need to use combolists.

You can find it in the Tools section, or download it directly here.
Happy Hacking!

-Juno

The Myth of 'Security Questions'

2010-04-07T11:18:00.001-04:00

Security questions are dangerous. For those who aren't quite sure what I'm referencing, security questions are simply those questions that you are asked to set up when creating an online account. They often ask things like "What is your mother's maiden name?" or "What city where you born in?" or any number of other such questions. These are often used to confirm your identity should you need to reset your password, and therein lies the danger.

Unfortunately, answers to simple questions such as "What's your favorite color?" can often be determined from a person's social networking sites, like Facebook, Myspace, etc. Even if they don't, a simple conversation can easily dupe a victim into revealing those answers, without any suspicion from the target. After all, when's the last time you became concerned when someone asked you about your favorite color? Indeed, Sarah Palin's email account was broken into because the attacker was able to reset her password, after using publicly available information to answer the 'security questions'.

The problem is, far too many services online rely on such pseudo-personal information to "prove" your identity, while the truth remains that most of the answers to these questions can usually be easily determined by a third party. So, what's the defense? Easy: just the questions incorrectly. For example, if you simply use a completely unrelated word, such as "quantify" for the answer to every password question, you greatly decrease the chance a third-party has at compromising your account . A security question may ask, "What is your favorite color?", but it won't matter that an attacker knows or not if you put "quantify" as the actual answer.

This problem exists because many people predictably answer the questions exactly as asked, even when 'security questions' usually weaken your account security. The solution, as you may have guessed, is simple: Don't be predictable.

Happy Hacking.
-Juno

Password Phrases: Time to get with it!

2010-02-05T05:56:00.008-05:00

Anybody who has been in the computer security business long enough has probably encountered plenty of lectures, articles, and snippets discussing complexity requirements for passwords. Even the average user has been forced to meet complexity requirements at some point in time, so one might be inclined to believe we're reached the best practice possible for securing passwords - but this couldn't be further from the truth.

Traditionally "secure" passwords suffer from the fact that most users will choose something easy to remember, versus an entirely random sequence of characters. Hence, you have the creation of 'psuedo-secure' passwords. I'm sure you've all seen them before in some form (or perhaps even used them). I'm referring to passwords like "Acme73!", "Secur4", and "l33t". While technically these kinds of passwords may satisfy a number of complexity requirements, they are still relatively easy to crack.

You may be wondering, "Sure, but who really does brute-forcing anymore?" True, traditional brute forcing every possible combination has seemed to decline in recent years in favor of other, easier methods of intrusion. However, the threat is no less relevant. The older method has given way to a more targeted form of brute forcing that can make quick work of your "secure" passwords. Some of the tools that I've written (and freely downloadable from the Tools section) make use of targeted brute forcing, and have the capability of finding a password like "Acme73!" relatively quickly, simply because they first try the standard gimmicks that people commonly use to add complexity - like capitalizing the first letter, adding numbers at the end, and ending with a exclamation mark. Does that sound like one of your passwords? If so, you might want to rethink your password strategy.

This is where password phrases (also known as passphrases) come into their own. While by no means a new concept, their ability to secure access supersedes that of even the most complicated password. Essentially, password phrases are simply passwords that consist of a simple phrase thought up by the user. It could be a personal quip, a random statement, or a nonsensical sentence. The only requirement is that it have sufficient length - something around 15 or more characters, though there's no hard and fast rule.

While this may seem like a horribly insecure method of creating passwords at first glance, it actually provides a boost to security by reducing the likelihood that users will use traditional gimmicks (like those I've previously mentioned) and vastly increases the effort required to bruteforce a password.

Statistically speaking, this is easy to prove. Let's consider the numerical permutations in a traditionally "secure" password. You have uppercase characters(26), lowercase characters(26), numbers (10), and special characters (33 on most keyboards). This creates 95 possible variations per keyspace. In an normal eight character password, this results in 95^8 possible permutations, or 1,370,114,370,683,136 variations (1.37E+15 in scientific notation).
Now, let's look at a passphrase. Even if we use only lowercase characters(26) and limit ourselves to 15 characters, we wind up with 26^15 possibilities, or 1,677,259,342,285,725,925,376 variations (1.68E+21). That increases the number of possibilities over a million times compared to the traditionally "secure" password. You really want to brute force that? Good luck.

Not to mention, passphrases are also far easier for the brain to remember than strings of random characters, so usability also increases (which incidentally helps reduce the chance that your employees will leave those post-it notes of their passwords under their keyboard!).

Naturally, some will contend that popular quotes may be used, enabling dictionary-type attacks to take place. Thankfully, the English language has about as many popular quotes as it does words, making any such attempt a near futile effort from the beginning.

Currently, the mandate of password complexity requirements is a deeply rooted belief held at many organizations and institutions. However, computer security is subject to constant change and improvement, and those entities that heed policies that are demonstrably more secure will always benefit from their implementation. Those that do not, become more vulnerable, and will eventually reap the consequences.

Backtrack 4 Final Released

2010-01-13T17:21:00.002-05:00

In case you haven't heard, Backtrack 4 Final has been released by the folks over at backtrack-linux.org, the new site for all things Backtrack (remote-exploit.com has since moved on to other things). It's a pretty hefty download - no longer can you burn Backtrack onto a CD. As usual, expect some potential delays as everyone tries to get their own copy.

Download links:
Backtrack 4 Final .ISO image (Also available as a torrent)
Name: bt4-final.iso
Size: 1570 MB
MD5: af139d2a085978618dc53cabc67b9269

Backtrack 4 Final VMWare image (Also available as a torrent)
Name: bt4-final-vm.zip
Size: 2000 MB
MD5: 733b47fad1d56d31bc63c16b3706a11c

Updates to the Tools section

2009-12-17T10:35:00.004-05:00

Finally got around to posting some new material; this time, I've updated the Tools section with some other utilities that I wrote a while back but never released.
The first one is HybridMaker, a Perl script that creates a wordlist based on commonly used derivations of a user-supplied wordlist, resulting in a much more targeted and efficient approach to brute forcing.
The second tool is E107Bruter, a Perl based bruteforcer that I originally wrote for websites that used an E107 CMS login page, but it can easily be modified for most any other form-based login (just edit lines 71 and 72). It utilizes WWW:Mechanize, so it's not incredibly fast, but it's also a lot more flexible (ie, uses Java to 'click' on a button and properly handles cookies, etc).
The last item is simply a wordlist that contains approximately 250 of the most commonly used passwords. I don't claim any credit for creating it. It works especially well with the two tools listed above.

Remember, use of these programs is permitted for legal purposes only - ie, educational purposes or targets you have permission to test. Hope you find them useful - if you have success/failure with them or have any ideas for improvement, just leave a comment below.

Happy Hacking,
-Juno

BackTrack 4 Pre Release Now Available

2009-06-23T11:21:00.004-04:00

The folks over at Remote Exploit have released the latest version of the extremely popular penetration testing ~~LiveCD~~ LiveDVD, Backtrack. With over 300 updated tools included in this release, auditors, investigators and security researchers should all find something to like. The DVD ISO is about 1.4 Gigabytes in size, and with reports of missing bandwidth, it may take awhile to finish the download. Download information below:

Main link for download: bt4-pre-final.iso
MD5 Cheksum: b0485da6194d75b30cda282ceb629654
Size: 1390 Megabytes
Image for Disk label: bt4-label.png

You can find the official announcement at: http://remote-exploit.org/backtrack_download.html

Slowloris: A New Way To DoS

2009-06-18T13:22:00.004-04:00

Two days ago, a new exploit was released (via milw0rm) that highlights a new way of performing a DoS (Denial of Service) attack with a relatively low bandwidth requirement. Oftentimes, DoS attacks are simply a matter of which side has the fastest connection.
It is relatively simple to set up a SYN flood, for example, and if you have the faster connection, there's a pretty good chance you'll keep your victim offline until your victim adjusts their connection or yours is forcibly adjusted (e.g., by your ISP once it detects your DoS). There have been variations of this attack, such as Smurf, which uses broadcast addresses to amplify the traffic, but this recent exploit plays on the "kindness" of the webserver so to speak.

Essentially, it sends a connection request to the victim's webserver, much like any other normal request that a browser would send. However, it doesn't quite finish the request, but rather leaves off the last carriage return, and instead sends another header. The webserver will wait to receive the rest of the header, which never comes. Instead, new headers are sent, keeping the connection open and preventing other users from using that thread to connect with.

As might be expected, not a lot of bandwidth is needed to accomplish this attack, just enough to keep the webserver 'expectant' of more data, so to speak. As most webservers have a preset limit for the amount of incoming requests that it will accept at a time, send the traffic as described above will fill up the connection queue, preventing legitimate users from sending their own connection requests, and effectively taking the webserver offline with much less effort than is normally required. Interestingly, this attack is effective on Apache and others, but not on Microsoft IIS 6 & 7. You can find the exploit here: http://www.milw0rm.com/exploits/8976.

Right now, this isn't much of a patch to defend against this. It will almost certainly involve patching the way Apache and similar webservers process incoming connections, likely by limiting the amount of time a connection has to transmit its header information before dropping the connection entirely. Hopefully, this will get patched soon - with 47% of webservers being Apache, it has a lot to lose if this isn't fixed quickly.

Happy Hacking!
-Juno

Tools

2009-05-22T11:53:00.011-04:00

This posting is a catalog all of the tools I've released publicly, as well as some other tools that may be of particular interest to readers. This post will be continually updated as new tools are added, and can be accessed at any time by clicking the "Tools" link on the upper-right hands portion of the site. Enjoy!

-Juno

Custom Tools
(Created and released by Juno // Copyright 2010 Juno)

ComboCreator: A utility written in Perl to easily create combolists from two seperate username and password lists. Specify your input, and CC will zip the files together, ready for use. If you're not familiar with combolists, you can find out more here.
ComboSplitter: Another utility written in Perl that is designed to quickly split apart combolists into two files, one for usernames and one for passwords. The names/location of the output files is configurable.
HybridMaker: A utility written to facilitate the creation of custom wordlists. Oftentimes, passwords used by members of an organization are often related to the name of the organization or some derivative thereof; therefore, making a custom wordlist related to the target is oftentimes much more efficient and effective than a truly random brute force method. To use this tool, specify a wordlist (ideally one that has the name of your subject included), and this tool will create a new wordlist complete with commonly used password variations. Full instructions included in the tool itself.
E107Bruter: This Perl-based brute forcer accepts accepts usernames, passwords, and proxy inputs. Utilizes WWW:Mechanize, so while it's not the quickest bruter, it handles form actions pretty well (uses Java to 'click' on buttons and handle cookie management). Originally written to brute force login pages of E107 CMS webpages, it can be easily modified to handle many other login pages - just edit lines 71 and 72 as appropriate. Instructions included in tool. Note, this is still beta code, and has a couple rough edges - if you have any ideas for improvement, just let me know.

Third Party Tools
(Tools from other authors/companies)

250 Most Commonly Used Passwords: This is just a wordlist that I have found to be pretty useful. It is compromised primarily of passwords that have been statistically proven to be the most popular. Note, that many passwords listed are downright vulgar, but statistics are statistics. Blame the users. (This wordlist is very handy with the two above utilities).
ActivePerl: Produced by ActiveState, ActivePerl is a Perl interpreter for the Perl programming language on Windows systems. Currently available for 32/64 bit versions of Windows, including Vista.

Please note, these tools are released for public use only for systems you own or have legal permission to use them on. Any and all liabilty is disclaimed; use at your own risk, though I'm not aware of anything on this page that has the capacity to cause any serious damage. Feel free to distrubute, just remember to give credit to whom credit is due. "As freely ye have recieved, freely give."

BackTrack 4 Beta Released

2009-02-10T18:55:00.003-05:00

The next beta version of BackTrack, the popular LiveCD security tool suite for penetration testers, security researchers and computer professionals is now available. The beta version is said to be "very stable and usable" by the developers.

Official annoucement here, download page here.

You can download the ISO here: http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
MD5: 7d1eb7f4748759e9735fee1b8a17c1d8

You can also get the VMWare Image here: http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm
MD5: 38acdcbaf6c73d7c55180dfea8641e5d

There is also an install guide, as there is currently no GUI installer.

Grab it now!

Happy Hacking.

HOW TO: 9V Battery Safe

2009-01-31T14:26:00.037-05:00

I originally wrote this post on my other blog (now retired), but thought it was worth bringing over. In today's How To, we'll be teaching you how to create a small, little safe out of something you probably never thought of: a standard 9v battery. The finished product is only slightly lighter than the original, and unless someone is looking very closely, you cannot tell the difference visually. For safeguarding your valuables, this is last place a person would think to look.

It's easier to make than you think, and since you probably have most of the required materials hanging around the house, you can't beat the price. While I don't claim to have come up with the idea, I've added a couple features that I feel make this the best 9v battery safe that your average hobbyist can make.

Cheesy Legal Warning: If you get hurt attempting to make this, use it, or get busted for doing something illegal with it, it's your responsibility. While I can't foresee any real danger to this project, I know someone will "accidentally" swallow the battery and want to sue for stomach upset. Also, all text, photos, and material are copyrighted by me, so no stealing (though linking to this blog is highly appreciated).

All right, let's get to it!

Required Materials: 1 9v Battery
Epoxy, Gorilla Glue, or JB Weld
Q-Tips (to mix/apply epoxy or glue)
Metal File
Sharpie (for marking)
Wire Cutters
Needle-nose pliers
Small flathead screwdriver
Stock metal (any kind, approx. 1/8 or 1/16 thick)
Measuring tape or Calipers

Your materials should look something like this:

Now that you've assembled everything, we'll start by flipping the battery upside down and prying open the two tabs (it's on the side of the battery that has the crease running down it.)

As you get the tabs open, you'll want to cut a slit on the corners to allow you the bend the tabs down without bending the rest of the metal.

You'll now want to fully bend both tabs down just enough so that you can see the layer of plastic that makes up the bottom of the battery. With your needle-nose pliers, grasp the end of the plastic and pull it straight out.

Cut the plastic shell that wraps around the internal unit to create access to the layer beneath. Don't worry, this kind of battery won't leak just by cutting this shell.

Now just remove the internal paper liner with your needle-nose pliers like you removed the plastic bottom earlier.

You'll now need to pry one of the metal ridges on the side up so that you can pull out the individual cells later.

Now you can finally remove the individual cells from inside the battery.

Remove everything from inside the battery. You should wind up with 6 cells, the plastic shell, another paper liner, and the contact points.

We'll need to clean up the edges of bottom of the battery and reshape the side metal ridges that we bent earlier. Cut off the metal tabs that you bent down in the beginning and bend down the side ridges until it looks something like this:

Now comes the trickiest part: creating the spacers. These will be glued on the interior sides of the battery so that we can create a sliding door that opens and closes the hidden compartment. The exact sizing of the spacers is CRITICAL! If they are not tooled correctly, they will either not support the plastic battery contacts piece or they will let the bottom compartment cover slide out by itself. Use careful measurements and a metal file to obtain the perfect fit.

The most critical part of the spacers is that they are relatively flat, are spaced relatively close towards the bottom (but not touching, as the compartment cover needs space to slide), and have enough surface area with which to be glued. Another important feature is that they must be about as long as the battery is, so that it will support the battery contacts when you go to reassemble it.

Now we need to apply the bonding agent. You can use gorilla glue, JB Weld, or others products, but I decided to go with an epoxy. With epoxies, make sure you mix both agents thoroughly before use or you'll end up with weakened adhesion. You'll notice I didn't cover the whole side with the bonding agent; it's so that it won't spread into the sliding compartment and jam up the cover.

I recommend using Q-tips to apply the bonding agent, as this deposits cotton fiber into the mixture. This actually helps the agent to cling more securely to the two surfaces. To prep the battery, make sure the battery contacts (the piece of plastic that contains the battery terminals) are properly situated. The spacers will be inserted, and if they are sized correctly, they will support the battery cover piece. After the agent is applied, insert the spacers into the interior sides of the battery.

At this point (before the bonding agent sets), we want to check for three things:

1) That the spacers properly support the battery contacts.

2) That the spacers sit flush against the interior walls.

3) That there is enough room for the plastic bottom piece to be re-inserted, but not so much room that it falls out by itself.

If any of these conditions are not met, the spacers must be retooled. (Just wipe off the glue and try again. You didn't let it dry, right?) If everything looks good, then we can proceed. Stuff a paper towel wad inside the battery to provide pressure between the spacers and walls of the battery. Then, insert the compartment cover piece halfway so that the spacers don't shift and block the spacer from being inserted later. Allow to dry for whatever your bonding agent has recommended.

After it has dried, remove the paper wad and cycle the compartment cover piece a couple times to make sure it works correctly. If you did it right, the cover will securely hold your valuables in place, but can still be easily opened by using your thumb to slide it back. After you create a couple, making these safes becomes relatively easy.Finished product! I certainly hope you've enjoyed our first how to. It won't be the last.

Happy Hacking.

Juno

So it begins... again

2009-01-30T18:00:00.003-05:00

Welcome to the second iteration of HTE. For those who know me, my blog at Blogiversity will not be updated any longer. For those who don't know me, the opening post from my previous blog would seem to best sum up what you can expect:

Hacking The Everyday is really exactly what it sounds like: I'll be posting about different events, techniques, or social paradoxes that all are an effort to change the way you think. Not to create a bunch of mindless blog readers, but active participants that can take what discussion is brought to the table to enrich their own lives and the lives around them. Hacking at its roots is simply finding unique ways to solve interesting or complex problems. Sometimes the problems are given to us, and sometimes we create our own problems without realizing it. Either way, this blog will attempt to expand your mind, to think out of the box past the linear realm of 1+1=2.

Let's see what we can discover.

-Juno