This challenge was a little fun as people trying to wget the file would fail pretty terribly with random connection drops and a 95mb file to try to download. Luckily the answer is simple, just use cURL.

[01:25:15 connection@GLaDOS.local:~]$ curl -r 100000000-100000489 “http://119.70.231.180/secret_memo.txt”
………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….key is : we will destroy the world!

The -r operand lets us specify a range of a file to grab. As the file was 95mb I decided to grab the last ~500 bytes and see what we got. The key to this one is “we will destroy the world!”

Keep your hacks up and your head down

These challenges were stupid simple because I’m sure the developers were ignorant to the fact that .phtml and .pht files existed. Upload your shell as a .phtml or .pht file and it’ll execute properly and let you pwn away. Keys are in /home/dwh/flags and /home/dwh_revenge/flags but you’ll need to use the “cat” command for the revenge challenge. I don’t know why I even made a writeup for this challenge since it was so terribly made.

Keep your hacks up and your head down

Many password crackers have their go-to lists of wordlists which they use time and time again due to the fact that they have the highest success rate for numerous leaks; I am no different but I was surprised to find out that it’s rare for many password crackers to create custom charset files for lists they are cracking and let alone a charset file to try as their go-to charset file. Because of this revelation I’ve decided to share my John the Ripper best.chr file with my readers.

This charset was generated from a rather large sample of 124 million cracked hashes and uses the full 95 character keyspace.

Click the link below to download

http://hacktalk.net/best.chr

I’m giving away this charset file for free but if you would like to donate to support the time and energy it took to create this charset file please consider donating through the following means:

Paypal email address : hacktalk@hacktalk.net

Bitcoin address: 127QMEsVdBzdeiL3ebnhGJec5gVwmJQVWe

Litecoin address: LXhp2LshF3tXxCTkeYZgB48ejge9HHcFJJ

Keep your hacks up and your head down,

~connection

Found this floating around on the internet and thought I would share. Use these at your own risk.

#
# list of safe-ish tor exits
#
# culled from https://www.torservers.net/exits.html and affiliates. 

axigy1	
axigy2	
voxility
nforce1
nforce2
assk
assk2
psilotorlu
bouazizi
raskin
zeller
morales

hala
othala
Cimmeria
orilla

noisetor01

(original source: http://pastie.org/7761306 )

As always, keep your hacks up and your head down.

~connection

I took their “CYBER WAR – ADVANCED PERSISTENT THREAT TACTICS FOR PENETRATION TESTING HIGH SECURITY ENVIRONMENTS” course back in February and just wanted to share my experiences with both the course and the facility.

First and foremost, the tl;dr ratings.

Instructor Knowledgeability : 5 / 5

Friendliness : 5 / 5

Accommodations : 5 / 5

Facility : 5 / 5

Staff Awesome Factor : 5 / 5

Would you recommend TrainACE to others : Hells to the Yes. I only wish I lived in the area so I could bug them every day!

Now down to the knitty gritty.

This course was taught by Joe McCray ( @j0emccray ) and covered a rather large spectrum of information in just 5 days. Mr. McCray takes students through attacking numerous environments and web applications at a pace that helps even those unfamiliar with the skills required to exploit the vulnerabilities get a good grasp on the core concepts. Structured very much like a CTF, Mr. McCray gives students challenge after challenge which build off of previously acquired skills  and often culminated in the student getting a shell on the target application/server. Admittedly, I knew most of the courseware before taking this class so I was a little bored my first day there  but once Mr. McCray recognized my current skill level he actually custom tailored the course for me and provided me with countless hours of enjoyment and challenge which truly helped me solidify skills I had, learn new skills, and think in new ways. I was super appreciative of the fact that Mr. McCray essentially created an all new course for me on the spot as I’ve been in many training courses where if you already knew the material, you were out of luck.

Mr. McCray definitely knew his course inside and out which was also a plus as it allowed him to deviate from the courseware to answer a question, let students go off in a tangent  to ensure they understand a concept, and then tie everything back into the courseware. This was my first in-person training led by Joe McCray and I definitely think I won’t be my last.

If you are considering taking the OSCP I feel that this is the perfect course to teach you the skills you’ll need as well as help fill in the gaps that the OSCP seems to have, especially around web applications.

As for the TrainACE staff: these guys are AWESOME ! Everyone is super nice and really approachable and everyone there definitely knows their stuff. I actually still keep in touch with some of their staff and definitely look forward to seeing them again (hint, hint, I’ll be at blackhat, defcon, and derbycon so if any of you TrainACE folks make it out I owe ya a drink or two).

All in all, I had a blast during my time taking TrainACE’s Cyberwar APT course and would recommend it to anyone who is looking to get started in security, or just want to learn a new skillset; this course has a little something for everyone.

As always, keep your hacks up and your head down.

~connection

This is a super simple vulnerability to validate and can be done with nothing more than telnet. The following commands will illustrate how to validate the finding:

telnet host 80

PROPFIND / HTTP/1.0

Host:

Content-Length:0

<press enter a few times>

This will cause the server to output some stuff and the IP address will be after one of the <a:href> tags.

To automate this process and make things look a bit more pretty for screenshotting you can run the following ruby script (make sure to install the ‘minhttp’ and ‘colorize’ gems)

require 'minhttp'
require 'colorize'

data = <<-HTTP
PROPFIND / HTTP/1.0\r
Host:\r
Content-Length: 0\r


HTTP

target = ARGV[0]
puts """\n#######################################
# PROPFIND IP Address Leakage Checker #
# Coded By : Luis \"connection\" Santana#
# HackTalk Security #
#######################################\n\n"""

puts "[+] Connecting to #{target}"
EventMachine::run do
Http::Min.connect(target, data) do |raw_response, parsed_response|
response = raw_response[0..9001]
if response =~ /https?:\/\/([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})/
puts "[!] Host Vulnerable To PROPFIND IP Leakage!\n IP Address: #{$1}".red
else
puts "[+] Host Is Not Vulnerable To PROPFIND IP Leakage!\n".green
end
EM::stop
end
end

To run this simply type “ruby propfindIpLeak.rb [ip/hostname/url]”

It’s that simple

Keep your hacks up and your head down – connection

By far the easiest method I’ve found for validating this finding is by using the telnet command to interact with the FTP server in question. By telnetting to the FTP server and typing : “AUTH GSSAPI” we can see whether we get a 500 error (FTP Syntax error, command not recognized) or not. A 500 error is proof that the AUTH command is not supported and as such we can screenshot the 500 error for inclusion into reports.

One thing I’ve personally noticed though is that simply showing an error message isn’t enough for some clients and often they want to see a definitive yes/no and as such I’ve crafted up the following script which will automate the testing and output a “yes this is vuln” or “not this isn’t vuln” styled output complete with red text (red means bad right?) if the server does not support AUTH and green text (green means go, it’s gotta be good) if AUTH is supported.

#!/bin/bash
#######################################################
# FTP Server Does Not Support AUTH Validator #
# Coded By Luis "Connection" Santana #
# HackTalk Security - Security From The Underground #
#######################################################
if [ $# -ne 1 ]
then
echo "Usage: $0 IPAddress"
echo "Example: $0 127.0.0.1"
exit
fi

if { echo "AUTH GSSAPI"; sleep 1; }|telnet $1 ftp |grep "500 Syntax error"
then
echo "\033[1;31m[!] FTP AUTH Not Supported\033[0;38m"
else
echo "\033[1;32m[+] FTP AUTH Supported\033[0;38m"
fi


I hope this helps out anyone trying to validate this finding

Keep your hacks up and your head down – connection

The current mitigations for CSRF often include referer checking (easily bypassed), nonce tokens (bypassable through XSS. Look at my Joomla 1.6.3 XSS->CSRF exploit at : http://www.exploit-db.com/exploits/17496/ ), and sending all your data in POST requests (bypassed simply by a social engineering attack causing users to visit a server you control which sends the POST request). All of these are terrible solutions — sans the nonce tokens — but I’m here to let you know that it is much simpler to prevent CSRF including in those times where an XSS bug has been discovered which will render your nonce tokens useless. Are you ready to have your mind blown and yell at your developers for being utter idiots? Wait for it……. wait for it……

Captchas.

Yes, the humble captcha, when implemented on all post-authentication pages which would allow any potentially malicious CSRF activity (profile edit pages, file upload pages, user administration pages, EVERYTHING belonging to admins/moderators) will destroy even XSS -> CSRF attack vectors rendering a potential vulnerability utterly useless.

In ‘normal’ CSRF styled attacks the attacker has no way of solving the captcha and thus the attack fails horribly; in XSS -> CSRF attacks where attackers could normally just iframe the form they wanted and have the nonce token pre-populated for them, the attacker could still not solve the captcha and thus, once again, the attack fails.

The beauty in this solution is that Google’s ReCAPTCHA makes implementing a captcha into your application so easy a CISSP could do it.

Hopefully this post will help enlighten some of you out there to the fact that simple solutions often solve “complex” problems (or at least those perceived as complex) and that amazingly, anti-automation solutions stop automation attacks.

Keep your hacks up and your head down — connection

“In battle, there are not more than two methods of attack–the
direct and the indirect; yet these two in combination give rise to
an endless series of maneuvers.” – Sun Tzu

[Note: While reading this article I noticed a lot of the COINTEL concepts which The Grugq was speaking about and applying to Cyberwar made huge parallels to the lessons of Sun Tzu in The Art of War and I will more than likely abuse the hell out of Sun Tzu quotes]

In a cyberwar (such as the ongoing events on the Internet), all actors are motivated to remain silent about incidents that they detect. However, on some occasions, strategic and political considerations will be more powerful motivators. These rare disclosure events don’t negate the primary motivations for remaining silent, they simply demonstrate that sometimes there are better reasons for speaking out.

TL;DR; actors in a cyberwar are motivated not to disclose incidents, but sometimes strategic and/or political realities take precedent.

This is a very obvious idea here which applies not only to Cyberwar but to battle in general; as Sun Tzu would say:

“Appear weak when you are strong, and strong when you are weak.” and “All warfare is based on deception.”

The Grugq seems to subscribe to a similar philosophy as Sun Tzu as he essentially paraphrases both of these quotes in the following paragraphs:

Fear, Uncertainty and Doubt

By not disclosing known intrusions, the adversary is denied knowledge of his success rate (as measured by covert persistence). Without feedback on what boxes and networks he controls vs. those he only believes he controls, his confidence is diminished. He is also significantly more likely to utilize a compromised resource that is under active surveillance or has been otherwise neutralized. Also, the adversary’s military leaders will be less confident that they can utilize a specific capability, perhaps even completely dissuaded.

Additionally, if the opponent learns that their operation was a failure (e.g. their intrusion was discovered and cleaned up), they are likely to attempt it again. Subsequent operations by the adversary might not be successfully detected and thwarted.

I agree very wholeheartedly with The Grugq on this and it exemplifies appearing strong when you are weak by essentially brushing off the intrusion event as highly minimal should you chose to disclose details about the intrusion event. Furthermore, this exemplifies the very basic OPSEC concept of STFU and demonstrates how selectively “blurting out” information can be a powerful de-motivator to adversaries. This same paragraph also should be analyzed by any intrusion agent, hacktivist, freedom fighter, etc. because it is a very good lesson. Not only should you selectively leak (read: don’t deface the page and blast it out to twitter the second you compromise it. STFU, lay low, increase compromised surface area, clean up your logs, and then and only then should you consider disclosing the fact that a compromise has been achieved on systems which you deem the least beneficial to your intelligence campaign) information about a compromise to attempt to garner information from the target, but you should avoid disclosing any information about a compromise which does not benefit your intelligence campaign; doing so would only alert the Incident Response team to begin their forensic analysis and ruin your chances of gaining further foothold into the network; or as The Grugq would say, “As I’ve said in the past… the hacker’s enemy is the SysAdmin, not the forensic analyst.”

Stop Adaptive Denial

The adversary is an intelligent dynamic opponent who will alter his tools, techniques and methodologies to remain effective. By denying the adversary information about which of his operations have been discovered, and how, you are reducing his ability to detect and address vulnerabilities within his tradecraft. Keeping the knowledge of this vulnerability to yourself (and possibly your allies) provides you with an advantage against the adversary. Maintaining this advantage is, obviously, in your best interest. Therefore, practicing basic denial and not disclosing which of the subset of successful intrusions you have detected, and particularly how they where detected, is an important COINTEL practice.

The motivation here can be summed up as: “keep the adversary’s knowledge about our knowledge of his activities, capabilities and techniques in the ‘known unknowns’ quadrant”.

This is a very important concept and has been employed since the dawn of time in battles and is obviously still a highly viable strategy considering the large number of recon missions which armies partake in during real war. With the current security products available to us and their ability to detect more sophisticated attacks as well as be taught of new attacks, any information gained about an attacker will be nothing but beneficial for an entity.  If the numerous blog posts about finding 0day exploits in the wild which lead eventually to a publicly released, fully working exploit teach us something it’s that it’s not very difficult to go from intrusion event to attack signature, and more importantly, a better understanding of an adversary’s toolchain. This concept segways perfectly to another topic brought up by The Grugq:

Back Hack

First, a brief history lesson. In the 1990s hackers used to put systems online with the latest rumored vulnerabilities. They would monitor to see when they were hacked, and from where. Then the hacker would hack each bounce box back up the chain (hence “back hack”) until he was in a position to collect the adversary’s toolchain. This was one way that 0days and private tools were stolen. This technique predates honeypots.

As has been noted in numerous research reports, the quality of the adversary’s toolchain varies considerably, and generally tends towards shoddy. Exploitable bugs in the C&C software used in intrusions are common, and indeed are typically easy to find and exploit. Laurent Oudot published a large number of such bugs at SyScan Singapore 2010 (unfortunately the archive isn’t online, so here’s the [http://seclists.org/fulldisclosure/2010/Jun/432]).

One possible COINTEL operation would be to replace the opponent’s software with a malicious version that attacks the C&C infrastructure. This would enable any number of follow-up operations to exploit the intelligence opportunities. A recent public example of this was the “Georgia Hacker”, well summarized in this [article].

“To know your Enemy, you must become your Enemy.”

While the topic of “Back Hacking” has been discussed lately and focused mostly on the legality of businesses back hacking attackers, in cyber war these possible legal issues are highly insignificant; just as the crime of murder is rarely regarded in traditional war.  By determining not only the contents of an adversary’s toolchain but also its effectiveness it becomes trivial to detect, mitigate, and possibly reverse an intrusion event. Knowing which exploits are being used by an adversary also allows for the potential to create patches for private vulnerabilities to increase the effectiveness of your own security, but it also allows an opportunity to use the same exploits against the adversary.

In conclusion, I think that the idea of selectively deciding to loosen up your STFU policy in order to gain a more strategic advantage over an adversary is not only a great idea, it has also been employed for long enough to vet it as a very effective strategy.

Until next time,

Keep Your Hacks Up And Your Head Down ~connection

These passwords are ordered from most frequent to least.

123456
111111
123456789
password
123
12345678
000000
123123
welcome
12345
654321
ninja
abc123
1234
1234567
1
123321
qwerty
666666
iloveyou
sunshine
princess
abcd1234
5201314
888888
monkey
michael
aaaaaa
112358
freedom
123456jcow
record_created
password1
writer
record_modified
baseball
0
jcow
shadow
881022
tigger
dragon
computer
alonelypuma
success
jordan
123654
football
whatever
superman
michelle
08416263aaaaaa
159753
06092684
purple
ashley
112233
ginger
1234567890
maggie
daniel
love
justin
jasmine
rainbow
1q2w3e4r
samantha
pepper
121212
jennifer
charlie
333333
family
cookie
acm
babygirl
1a1a1a1b
115599
thomas
joshua
associated
5025578
31415926
william
the
nicole
buster
blessed
314159
money
lovely
destiny
butterfly
brandon
anthony
angels
1qaz2wsx
hunter
crystal