One short of 1337
Friday, December 09, 2011 | Author: Deep Flash
A funny moment in Metasploit recently while exploiting the Mozilla Firefox ReduceRight() Method Integer Overflow vulnerability :)

Migrating to process with PID: 1336

TDL-4 Rootkit Functions
Monday, October 10, 2011 | Author: Deep Flash
The latest, most nefarious and sophisticated rootkit out there. A little insight into the functions of this rootkit and how it bypasses Windows Driver Signing Policy.

Bootkit Technique - It makes use of this technique to infect the Master Boot Record (first sector of your hard disk). The result being, it can load even before your Operating System loads.

How do you check your MBR contents? There's a wide variety of tools. You can use HD Hacker 1.4 if you prefer to go for the GUI.

However, if you have a Linux Copy, then you can, use the following command to view the contents of your MBR:

First Run: fdisk -l and not down the name of your hard disk device.

dd if=/dev/sda count=1 | hexdump -C | more

It will display the MBR contents in hexdump.

Encrypted File System - This rootkit has it's own encrypted file system. It is encrypted using RC4 encryption algorithm. The latest variant has it's own encryption algorithm, using XOR swaps. The rootkit writes it's files to the last sectors of the hard disk.

Driver Signing Policy Bypass - This rootkit infects the x64 version of Windows OS as well. These OS have a Driver Signature Enforcement Policy turned on. This will prevent any unsigned driver to be loaded during the boot process.

Developers actually need to pay Microsoft so that they can verify their drivers and sign them before these softwares/hardwares can be used with Windows x64 Systems.

To check whether your driver is signed or not. Run the Verifier command in CLI.

How it works?

Winload.exe is the windows executable which loads the Windows Kernel along with other dependencies like hal.dll and kdcom.dll. It also reads the Boot Configuration Data to determine whether or not the digital signature of the drivers have to be verified.

This rootkit infects the kdcom.dll and replaces the original one. However, the infected kdcom.dll is not signed. To be able to load this unsigned file successfully, the rootkit swaps 2 flags in BCD. The BCDLibraryBoolean_EMSEnabled is swapped with BCDOSLoaderBoolean_WinPE.

EMS - Emergency Management Services, a feature added by Microsoft in Windows 2003 which allows remote management and remote system recovery of the server in the event of it becoming unresponsive and inaccessible using standard network connections.

WinPE - Windows Pre Installation Mode.

Windows does not verify the digital signature of the drivers in Pre Installation Mode. This fact is exploited by the rootkit.

This will allow the infected kdcom.dll file to be loaded.

When does winload.exe load kdcom.dll?

The infection must start when kdcom.dll is being loaded by winload.exe. The rootkit will try to load it's infected version instead of the original kdcom.dll file. To be able to detect this point in the loading process, it makes use of a Signature Scan.

The rootkit uses the kdcom.dll's PE export directory data size as the signature to detect when kdcom.dll is being loaded. Once detected, the infection process starts.

What Microsoft has done so far?

In order to patch the above loopholes, Microsoft released a patch in April which patches the winload.exe and kdcom.dll. Winload.exe now verifies the digital signature of the drivers irrespective of whether it is being loaded in the WinPE mode or not.

kdcom.dll's PE export directory data size is modified and now changed to a different value to evade TDL-4's signature scan. This workaround is not impressive. Since, the rootkit authors can merely update the signature scan in their code to look for the new value.

Prevent the OS to load in WinPE mode

The rootkit changes the Boot Configuration Data to load OS in WinPE mode only for the purpose of bypassing Windows Driver Signing Policy to load infected modules like kdcom.dll. However, it must prevent the OS itself from loading in WinPE mode. To do this, we need to see what exactly happens when the OS loads in WinPE mode.

Windows passes a /MININT flag to the kernel while loading in the WinPE mode. This process is intercepted by the rootkit and the flag is replaced by IN/MINT. As Windows Kernel doesn't recognize this string, Windows is loaded normally with driver signing functionality enabled again.

/MININT is the switch passed to kernel in Windows Preinstallation Mode so that Registry System Hive is loaded in volatile mode and changes made to it in memory are not saved back to the hive image.

TDL-4 Rootkit updated

To bypass the latest patch developed by Microsoft, rootkit authors have made several modifications to rootkit.

Winload.exe verifies the digital signature of the drivers irrespective of whether the OS is being loaded in the WinPE mode or not. If the driver's integrity check fails, an NTSTATUS error code is returned to the Kernel. The security routine which checks the Digital Signature is intercepted by the rootkit and it modifies this error code to a non existent error code.

The winload function patched by rootkit is: I_CheckImageHashInCatalog.

Listening now: 009 Sound System - Born To Be Wasted
Botnet Bitcoin Mining - Just Another Devious Way to use Botnets
Sunday, October 09, 2011 | Author: Deep Flash
Botnets are an army of compromised machines over the net which can be controlled by a Hacker using a command and control server. There are many ways of utilizing the Botnets.

Hackers have been using Botnets to provide services such as an Anonymous Proxy Service for quite some time. For a reasonable fee per month, they allow you to use the Botnets to surf the internet anonymously. While the end user is not aware of what exactly is the proxy served to them, it could be a compromised machine on the network which is acting as a proxy.

Recently, the TDSS rootkit has widespread to millions of computers and is considered as one of the most sophisticated rootkit ever developed. One of the primary reasons of it's invincible persistence is the way it manifests itself on your machine.

It makes a place for itself in your Master Boot Record. By doing this, it's able to load itself from the first boot sector of your hard drive even before your Operating System loads. This is also a reason for the TDL-4 rootkit to be known as a bootkit.

Kaspersky Labs have developed a small utility which allows you to remove the TDSS rootkit. It's called the TDSS Killer. The most recent variant of the TDSS rootkit (TDL v4.2) still remains persistent though.

Speaking of the ways Botnets have been used by Hackers for commercial purposes. Besides providing Anonymous Proxy Service to naive internet users, they are also used to commit Click Fraud.

Here, huge campaigning lists are download to the victim's machine by the rootkit and it visits these advertisement sites in the background. This way, they can generate a lot of revenue within a short duration.

Apart from all the above devious ways in which Hackers have used Botnets till date. The most recent and innovative way is to use these Botnets for Bitcoin Mining.

Trojans such as Trojan.CoinBitMiner were used to mine for Bitcoins on victim's machine using their CPU Computing Power. But as we know, the performance of GPUs is better than CPUs by a factor of almost 100 for Mining, the latest Trojans use the GPU Computing Power of the victim's machine instead.

Trojan.BadMiner is one among these latest category of Trojans which detects your Hardware and looks for any Graphics Cards installed. If it finds a GPU running on the victim's machine, an appropriate miner such as Phoenix Miner is downloaded and setup for mining.

If no GPU is found on the machine, then an RPC Miner is downloaded which uses the CPU Computing Power.

By doing so, hackers are now able to utilize the distributed computing power of Botnets to mine Bitcoins at a rate unimaginable for a single machine owner.
Time to Revisit, Relisten!
Sunday, October 09, 2011 | Author: Deep Flash
One must never lose touch with their roots.

Been so long, since I took a listen to my favorite artists. Revisiting to see if they came up with some new tunes lately.

Asphyxia - No new music in the past 6 months. One of the most talented solo Dark Electro artists I have ever come across.

http://www.myspace.com/asphyxiaa

A7ie - Sick is what they are and hell yeah, I like them! Another French Dark Electro act. Harsh as ever and I am glad they didn't change their style.

http://www.myspace.com/a7ie

Velvet Acid Christ
- What more must I say, Bryan Erickson was the reason I got into Industrial Music. One of the most complex compositions out there and interesting stuff. Those rolling synth sounds, tickling the neurons, ah that feeling!

http://www.myspace.com/velvetacidchrist93

Besides these, there are a whole lot of artists I need to revisit. What's been happening in the underground scene?

Wintersoul, Winterstahl, Force.Is.Machine, Acid Trauma, Sadiztik:Injektion, Yersinia Pestis, Rabia Sorda. Going to be a busy week.

Oh god, did you eat all this Acid?
.... That's right. Music!


Listening Now: Velvet Acid Christ - Fun With Drugs
Network Steganography
Friday, October 07, 2011 | Author: Deep Flash
Steganography is the art of concealing the existence of hidden data inside cover mediums without effecting their functionality. It's been around ever since there was a need to protect the private information.

As the way people exchanged information evolved, so did the ways of information hiding changed with time.

There's been a lot of research work done on hiding information inside cover mediums like images, audio files and videos. These are all static storage mediums and the amount of data which can be hidden remains limited depending on the cover medium.

The latest vector in the field of Steganography is Network Protocols. Instead of using the cover medium to propagate the hidden message, the communication protocols which govern the path of cover mediums on the network are used to send the hidden message.

This has 2 major advantages. One being, the capacity of information hiding depends on the duration for which the communication in the network lasts. Also, unlike cover mediums like images and audio files, where a forensic investigator can perform steg analysis on the data to detect the presence of any hidden message. In case of Network Steganography, there must be a complete network capture of the activity between the sender and receiver to be able to conclude any covert communication channel. This is very unlikely.

The most significant research done in this field till date is by Polish Network Security researchers from the Warsaw University of Technology.

An in-depth understanding of the Network Protocols is required to implement Network Steganography.

Recently, one of the implementations which caught my attention was StegSuggest. Here, hidden data is transmitted by modifying the Google Search Suggestions returned by GoogleSuggest Server. Words are inserted at the end of Google Search Suggestions. These words carry the bits of steganogram.

Google Suggest was a feature developed based on AJAX to help an end user in choosing the right search phrase based on what they input.

The attacker can modify the search suggestions returned by Google Suggest Server to the Google Suggest Client by adding frequently used words at the end of these search suggestions.

To prevent any disclosure of steganography words embedded in the google search, a codebook is utilized to insert words. This codebook comprises of the 5000 most frequently used American English words as they appear on www.wordfrequency.info

In order to avoid any suspicion, this codebook is further refined by filtering out pronouns, prepositions and homograms. Reason being, the steg suggest words are added to the end of google search suggestions.

The 2 key protocols which are involved in this setup are HTTP and TCP. The Window Scale and Timestamp options of the TCP header message are altered to establish the covert communication channel.

HTTP protocol is involved in GoogleSuggest. Everytime, an end user types in a letter in the Google Search Bar, an HTTP GET Request is sent to the Google Suggest Server. It returns an HTTP 200Ok Response with 10 most popular suggestions according to the Google Query.

A video demonstration of this method can be found here:

http://www.youtube.com/watch?v=TanWj2fh2co

Listening Now: Adele - Rolling In The Deep
Rest In Peace Father
Wednesday, September 21, 2011 | Author: Deep Flash
I miss you.
Javascript Deobfuscation Contest
Tuesday, September 20, 2011 | Author: Deep Flash
There was a nice contest related to JavaScript Deobfuscation organized by BreakingPoint Systems. I would like to thank Ricky for putting up this interesting challenge.

They made use of some special obfuscation techniques in this challenge. XOR Encoding with a Random PreGenerated Passphrase depending on your Browser's UserAgent was an innovative concept.

You can find the contest here and in case you plan to try solving it:

http://www.breakingpointsystems.com/community/blog/javascript-obfuscations-contest/

Here are the results. I am glad to be one of the successful entrants of the contest and for solving this challenge.

48 people solved this challenge successfully. You can find my name in that list :)

http://www.breakingpointsystems.com/community/blog/javascript-obfuscations-contest-winner/

Waiting for the BreakingPoint Systems T-Shirt to arrive!

Listening Now: Alphaverb - The Otherside
Bitcoin Mining
Tuesday, September 20, 2011 | Author: Deep Flash
We come across innovative concepts everyday. Bitcoin is one of them which has gained a lot of popularity over the last few months.

It's a crypto currency and a new virtual monetary unit for exchanging goods and services with others in the P2P network.

How do you earn Bitcoins?

This is the interesting part for the tech savvy people. You earn Bitcoins by investing your CPU/GPU clock cycles to use. The more work your hardware does to create a Block of Data, the more you earn! This is indeed good and you have a complete control over it.

How much can you earn?

If you have a latest CPU or a GPU, then you stand a good chance to earn Bitcoins. You can either work on a Block of Data from Bitcoin Network in a Solo mode or be a part of the many pools out there and work along with other miners to build up a block of data.

In the early phase of 2011, when not many were aware of Bitcoin and how to mine them. We did not have many participants who were putting their GPU cycles to use this way. As a result, the difficulty was less and you stood a better chance to earn more Bitcoins.

As the word spread around, more and more users started building up GPU Clusters just to mine Bitcoins.

What are the factors to be considered?

When the Bitcoin Mining Concept started, a new single GPU Core would be sufficient to earn a good amount of Bitcoins.

But today, you don't stand a chance to mine Bitcoins with a single GPU Core. There are people building up Bitcoin Mining Rigs with many GPUs working in parallel.

The way I see it, the probability of you making Bitcoins is directly proportional to how superior your GPU hardware is compared to others.

You get a share of Bitcoins proportional to the amount of work done by your GPU hardware.

Let's look at some stats now. There are various Bitcoin Mining Calculators setup online that give you a projected estimate of how many Bitcoins you can earn depending on your Hash Speed.

With a fairly new GPU like ATI Radeon 6770M, you will get a hash speed of 100M Hashes/sec approx.

Let's look at the projected results for this speed:

Your hash-rate: 100000000 hashes/second
Difficulty: 1755425.3203287 times difficult than difficulty 1
Block time: 2 years, 4 months, 2 weeks, 6 days, 9 hours, 47 minutes, 49 seconds/block
Network total: 10,943 Thash/second

per Second - 0,00000066 BTC
per Hour - 0,00238739 BTC
per Day - 0,05729740 BTC
per Week - 0,4011 BTC
per Month - 1,742 BTC
per Year - 20,928 BTC

Look at the value of Difficulty - 1755425.3203287

This is quite high. The reason being, the number of peers participating in the Bitcoin Network is growing day by day.

It's a race to setup the fastest hardware, the more number of GPUs you can rack in parallel, the more Bitcoins you earn.

How do I earn cash with these Bitcoins?

It's important to understand that this is a Virtual Financial Infrastructure. So, there's an exchange as well. You can actually get money in your preferred currency in exchange for the Bitcoins you have earned.

Some famous ones - MtGox and Trademill.

Where can I view the current value of Bitcoin Exchange?

http://bitcoincharts.com/markets/

This site has a nice interface and it also allows you to put a filter depending on the currency in which you prefer to trade.

Let's extend the calculations based on the stats gathered above.

With an ATI Radeon 6770M GPU, you can earn 20.928 BTC/year at a difficulty rate of 1755425.32.

The current value of BTC in exchange against USD is:

1 BTC = 5,851 USD

In one year, you can earn: 122.44 USD.

The price of an ATI Radeon HD 6770M chipset from a decent brand like XFX in the market today is: 120 USD.

That would mean to say, in about 1 Year's time of running your GPU you can recover the price for which you purchased it? But hold on, you are not running your GPU to perform any other activity which you would have at the time of purchase.

This could have been any of the following:

Playing the Latest Computer 3D Games demanding latest GPUs to run at a good resolution.
Some GPGPU tasks like MATLAB, Digital Image Processing, Audio Signal Processing, Computational Finance, Bioinformatics, Neural Networks.
For Bruteforcing Hashes using the parallel processing power of GPUs with tools like oclhashcat, cryptohaze, EGB and others.

Now, are you doing any of these tasks?

Interesting fact is that, Bitcoin is listed as one of the GPGPU tasks on the wiki as well.

Besides the price of the purchase of your GPU. You also have to incur the price of electricity which will vary depending on your location.

Is it really worth to do Bitcoin Mining?

You decide it. You invest in the best GPUs out there, run them to their maximum capacity throughout for as long as an year and end up recovering the price for which you bought your hardware.

Is it safe?

This question needs some thought. You are connecting to a pool, accepting shares, your GPUs are working on data blocks, there's indeed a high possibility for some malicious code to be downloaded to your PC.

Malwares have already been developed and are out there in the wild which are phishing for Bitcoin Wallets and this is what is being termed as Virtual Pickpocketing.

Bitcoin does provide you a feature to encrypt your wallet.dat file. Be sure to do that, since if you lose that file, you lose all your bitcoins and there's no way you can claim them. Bitcoin clearly states that they are not responsible for your wallet.dat file and it's the user's responsibility to ensure it's safe.

Bitcoin as a concept of Virtual Crypto Currency is good but how exactly it works is even more interesting.
JTR with MPI Patch
Friday, August 12, 2011 | Author: Deep Flash
Finally got the JTR with MPI patch working on Ubuntu 11.04

System Specs:

Intel Core i7 Q2630M (2 Ghz, Turbo upto 2.9 Ghz)
4 GB RAM

Host OS: Windows 7 Home Premium
Guest OS: Ubuntu 11.04, 32 bit

JTR version, 1.7.3 with a precompiled MPI patch. JTR was built using:

make clean linux-x86-sse2

MPICH2 was installed for MPI support.

I am running Ubuntu inside a Virtual Machine using VMWare Workstation. Now, the tricky part is, by default only 1 processor, 1 core is assigned to the VM Image.

with this, if I run the benchmarks, following are the results:

cat /proc/cpuinfo | grep processor

processor: 0

cat /proc/cpuinfo | grep processor | wc -l

1

./john --format=DES --test

Benchmarking Traditional DES [128/128 BS SSE2]... DONE

Many salts: 2512K c/s real, 2537 c/s virtual
Only one salt: 2101K c/s real, 2118 c/s virtual

mpirun -np 4 ./john --format=DES --test

Benchmarking Traditional DES [128/128 BS SSE2]... DONE

Many salts: 2512K c/s real, 10245K c/s virtual
Only one salt: 2108K c/s real, 8448K c/s virtual

There's no change in the real c/s stats, however, what we expect to see, shows up under virtual c/s stats.

It took some time to figure out, that I had to manually assign more cores to the Virtual Machine using VMWare Workstation settings option.

Below screenshot shows how to:



After this was configured, everything was in place :)

cat /proc/cpuinfo | grep processor

processor: 0
processor: 1
processor: 2
processor: 3

cat /proc/cpuinfo | grep processor | wc -l

4

Now, there's a significant increase in the value of real c/s while benchmarking.

mpirun -np 4 ./john --format=DES --test

Many salts: 8935K c/s real, 8940K c/s virtual
Only one salt: 7594K c/s real, 7602K c/s virtual

Now this looks good :)

I need to check the latest openmpi des patch for JTR 1.7.8 which is supposed to speed up DES by 12% to 14%. New s-box expressions were designed which reduces the number of gates used.

Will I get better speed if I use a 64-bit Ubuntu 11.04 and build JTR using linux-x86-64? This will be tested.

Listening Now: Andraculoid - Lifecycle
DEFCON 2011, Crack Me If You Can
Thursday, August 11, 2011 | Author: Deep Flash
We came like a storm and blew away all the hashes leaving behind only the plain text passes.

It was fun, exciting, challenging, eye opening and nerve wracking! :) There was a close competition between us and Hashcat. We emerged as the winners and it was great how we kept up with the challenge till the end.

Check out the stats here:

http://contest.korelogic.com/stats.html

Waiting for the winning goodies to arrive!

Some new projects which I am going to work on going forward:

FPGA based Bruteforcers.
John the Ripper with OpenMPI patch.

Here are some stats specific to our team, InsidePro 2011

Cracked by length



Cracked by charset



Cracked vs Uncracked



The slowest and the most precious hashes on the contest were, MS Domain Cached Credentials and OpenBSD Blowfish.

I'll look for ways to speed up these algorithms for cracking.

It was a great experience and the fact that we won, makes this more memorable.

Regards,
c0d3inj3cT

Listening Now: Groove Cutter - My Shooter
Chasing the Spyware
Sunday, July 31, 2011 | Author: Deep Flash
Today I was hit by the Spyware, "XP Antispyware 2012". It looks very genuine and quite advanced to trick any naive user. It kick starts an intuitive interface. It pretends to Scan your PC for Trojans/Viruses/Rootkits/Malwares/Spywares and provides you various options to remove them and clean your PC though it's doing the exact opposite.

So, this is dangerous and had to be removed as soon as possible. I wanted to find this one manually and take it down. After around, 1 hour of research, I fixed it myself without the use of any Spyware Removal Kits.

Below are the details about this Spyware:

It copies itself into the Application Data directory. It updates some really important Windows Registry Keys. To summarize, it binds itself to the Operating System Subroutine which is used to open and run any Executable File.

The name of the Spyware was: kts.exe

If you remove it from the Application Data folder and place it somewhere else or even delete it. The result would be, you won't be able to run any executable on your PC.

It was time to check the registry for all the occurrences of this Spyware.

A comprehensive listing below which can be used as a reference by anyone here:

Key Path: HKEY_CLASSES_ROOT\.exe\shell\open\command:

{Default} - "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*

Key Path: HKEY_CLASSES_ROOT\exefile\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3793153621: C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe kts

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command

As you can see, it prefixes the Key values with the path to the kts.exe spyware. Now, if you delete the spyware manually, you should be able to make out from the above Key Values, why no executable runs.

After editing all the above Registry keys, the executables were running as expected.

However, the interesting part would be to do some reverse engineering on this spyware and see what it really does.

Ofcourse, it wasn't designed to scan your PC for Spywares/Malwares and protect it, right? Lulz!

Is there any sort of Network Activity exhibited by it. What are the DLLs it loads into the Process Memory and a bunch of other stuff needs to be checked.

I need to copy over this spyware from my Host Machine to the Virtual Machine and attach it to a debugger like Immunity Debugger. Then we can start with the analysis.

Listening Now: Adema - Giving In
Decryption heats up my baby!
Wednesday, July 27, 2011 | Author: Deep Flash
Yep, that's right! I am running an old generation, Intel P4 Processor clocked at 3 Ghz. It's a single core processor and in this modern age when we have real fast processors like Quad Core, I am still on an old single core processor. But hey, that's my baby and he's going to turn 7 years old this October :)

But being a Security Enthusiast, I gotta invest more on technology. One of the main reasons I haven't been able to do that is, due to instability in my life. I am relocating to a new place so this is not the right time for me to invest. But I already have a long list of stuff to buy. Among the processors, it's going to be an Intel Core i7 2600k. And an Extreme GPU for which I have the budget.

But before I decide the vendor of GPU, I have to decide, whether I want CUDA or OpenCL. Based on that it's going to be either, Nvidia GTX 590 or an ATI Radeon 6970.

Anyway, this topic is about, Decryption Processes heating up my Baby! yep! I have accidentally caused my machine to shutdown several times by running the Decryption Process for a long duration at a stretch. It's max operating temperature according to Intel is somewhere around 75 degrees. Which means, it can operate safely at that temperature. Also, the new processors are designed in such a way, that they can slow themselves down to bring down the temperature.

In any case, making my machine shutdown as a result of heating up beyond operating limits is not good. It reduces the lifeline of it. So, I need something to monitor my CPU/Motherboard/HDD temperature. I got Everest Home Edition for this purpose. It's a freeware and really good to quickly monitor some essential performance parameters of your PC.

Grab it from here: hxxp://www.softpedia.com/get/System/System-Info/Everest-Home-Edition.shtml

If you have an Intel Core Based Processor, then you can go for Realtemp. Pentium 4 Processors are not supported by it.

Grab it from here: hxxp://www.techpowerup.com/realtemp/

There are sensors on the Core Processors called DTS (Digital Thermal Sensors) which are probed by this software to gather statistics of several parameters. Of the key significance to us are:

- Motherboard temperature
- CPU
- HDD
- Cooling Fan Speed

I have observed on my Intel P4, 3 Ghz processor, that anything below 70 degrees is safe. So, I usually run the decryption process at a stretch till the temperature doesn't hit that mark. If it does, I stop the process for a while.

The Cabinet which houses all these components doesn't have a proper cooling mechanism. Who cared much about the cooling mechanism anyway, 7 years back? :D

Now, you have cabinets with support for upto 6 fans. Yes, it makes sense, when you have power hungry components like Nvidia GTX GPUs and Intel Core i5 and i7 processors, you indeed need a proper cooling mechanism.

For now, I use external cooling, Bringing down the room temperature does have some effect on the processor temperature. So, I have to turn on the fan in my room at max speed while the decryption process runs.

This is one of the key reasons, I have caught the cold *sneezes*

But I have done a considerable amount of research on using JTR to crack MD5 and SHA-1 hashes, both raw and salted.

I have come up with some effective and quick ways to crack many hashes using JTR!

Cracked: 70994 hashes which includes a mixture of DES, raw-MD5, raw-sha1, SHA-1 Salted (SMF and VBulletin), MD5 (Unix) hashes.

That's a good result considering I am running my JTR on a P4 processor.

Listening Now: Tycho - Sunrise Projector
DES (Unix) Hashes cracking using GPU
Tuesday, June 14, 2011 | Author: Deep Flash
I had to make this blog post, about the Included Support for DES (Unix) hashes in Oclhashcat-plus new version 0.04

type: improvement
file: kernels
desc: added -m 1500 = descrypt, DES(Unix), Traditional DES
refe: http://hashcat.net/forum/thread-299.html

Though we are aware that DES hashes are old and not used in top notch security systems anymore. There are harder and better encryption algorithms out there.

But due to the ignorance of many Webmasters who think that implementing Strongbox or OCR Security at their login pages is the last step of security, they forget that the hashes need to be hard-to-decrypt as well.

"You close the Doors and we'll find the Windows to Get In "

Hola amigos!! ever thought of cracking DES hashes using the parallel processing power of GPUs?

oclhashcat-plus v0.04 has support for DES Unix Hashes.

You need to pass the -m 1500 argument at the command line while running oclhashcat

Hardware Support!

Now this is the most important part. You need to install ATI Catalyst 11.04 and ATI Stream SDK verison 2.4 installed.

However, I believe, it means that it has support for the latest drivers and SDK as well. But it can still run on older versions of SDK as long as you have the OpenCL support. I need to confirm this by running some tests.

In my case, I don't have a strong GPU. I am using an ATI Radeon HD Mobility 4570. ATI Radeon HD 4xxx series are supposed to be slow with oclhashcat due to bad OpenCL Support, so that's not good news for me. But it gives me a reason to go for better GPU now.

I want to decompile the m1500 kernels and read the code :) For my GPU the Kernel used will be: m1500.ATI RV710.64.kernel

The first biggest contribution of oclhashcat to me was the support for ATI Radeon HD Graphic Cards using OpenCL. And now they have DES Support, just pure awesomeness!!

Most of the passfiles retrieved from the servers by expoiting them; still have many DES hashes in them. Makes our life easier. Though down the line, we can expect stronger security mechanisms in Websites making it harder to intrude them.

After revisiting the bugs in some websites I already noticed that in the past 1 year they have advanced from DES to MD5 already.

"Who buys GPUs for gaming any more?!" :D

Listening Now: Kim Wilde - Words Fell Down
Flash Intros
Tuesday, June 07, 2011 | Author: Deep Flash
It's early in the morning, 4 AM and I am half asleep. But I thought of updating my blog with the new stuff that I am planning to work on.

Will be creating some Flash Intros for my videos to be uploaded in Youtube.

I'm going to need a Flash Intro and this will be decompiled and converted to FLA format, then edited with Adobe Flash CS5.

Sequence: Flash Intro -> FLA -> AVI

What is required?

Adobe Flash CS5 Professional
SWF Decompiler

Once again, my machine doesn't have enough of RAM to make this work. So, I'll have to give it some time before I can purchase a new faster machine.

Listening Now: Apoptygma Berzerk - Love To Blame
Busy Setting up Lab
Sunday, June 05, 2011 | Author: Deep Flash
This week, I was busy preparing for something to come up soon on my Youtube and Vimeo channels.

Pondering lately over how to make my videos more professional and catchy. How to make them a cut above the rest?

Alright, I got a nice theme as usual. Network Security Videos showing Latest Advanced Vulnerabilities in the Operating Systems with some cool Electro Music playing in the background.

But, for people who prefer a visual writeup instead of going through huge documents, I need to spice things up a bit!

So, I am using Camtasia Studio 7 for the videos I create. One conclusion I have come to is that I need more RAM for my PC. Since it doesn't have support for DDR3 Memory Modules and the latest processors, I need to purchase a new one.

For the time being, been setting up Lab for the experiments to be performed:

Lab Set up Accomplishments:

Ubuntu 11.04 Virtual Machine installed and configured OpenSSH on it.
Backtrack 4 VM installed.
Created a video to demonstrate the SSH Downgrade Attack using ARP Cache Poisoning.

Lab Set up for the coming videos:

Windows Server 2003 Enterprise Edition, SP2 VM
Windows XP Professional SP2 VM
Windows 7 Ultimate SP1 VM

Set up the Terminal Server on Windows Server 2003
Configure the Windows Server 2003 as a Domain Controller
Add other Windows VMs as a client to this domain
Perform Tests on RDP and test the vulnerabilities using Tsgrinder, TSCrack, Ncrack, rdesktop

Things to do:

Read the source code of rdesktop on Linux
Experiment with it in the Lab
Read about the patches made to rdesktop to include support for RDP version 5
Test the Heap Overflow Vulnerability in RDP version 5.1 and 5.2
Test rdpproxy and rdpprobe
The Soul is In The Software
Saturday, May 28, 2011 | Author: Deep Flash
It feels great to listen to some of my old favorites after such a long time. I have a lot of respect for Andy LaPlegua, his music was the reason I got into Industrial music from a country where this Music Genre has 0% awareness! But that doesn't matter to me! Since I am proud to listen to this music, which is real and makes so much sense!

He's got multiple Music Projects like Icon Of Coil, Combichrist, Scandy and Panzer AG. Without a single doubt, it would be right to say, this guy is a Musical Genius! :)

In my humble opinion, Icon of Coil needs more recognition than Combichrist. Combi hits it harder with their aggression and in-the-face lyrics. But Icon of Coil, does the thing for me! Intelligent lyrics, danceable music and Andy LaPlegua's voice :)

Dancing like a Rivet head to the following Lyrics:

Punishment for intolerance, so
Entertain us when you’re still able to perform
I’m sorry to admit that I won’t be around
When the world you created will collapse and drown

Back to the crypt, nothing will last
We’ll all fade away, in one single blast
Out from the dust, machines arise
One second left to live and we’ll open our eyes.

I can’t find shelter in this world
I’m searching for another world
Where I’ll feel safe


Listening Now: Icon Of Coil - Shelter (Analogue Brain Edit)
5 Years on Last.fm
Wednesday, May 25, 2011 | Author: Deep Flash
I'll take this time to make a note of the fact that I have completed 5 years on Last.fm today!

When I look back and see, my music taste has evolved into something more versatile over time. But every time I think; I have listened to every music-genre out there, Last.fm reminds me, "The journey must go on!".

Justice needs to be done to this date, I'll take a listen to all the favorite songs today. A good way to swim out of the pool of Stress and Trouble, life keeps throwing you in :)

Listening now to: Ebeneezer Goode by The Shamen.
On Vimeo and Youtube now!
Saturday, May 21, 2011 | Author: Deep Flash
Alright, long time, no blogging! So time to pen down a few things. They say it feels better to do so, so will give it a shot! Been occupied and confused about my life off late. It shouldn't be this way, I know, so trying to channelize my energy in the right direction. Drifted again from the main topic.

So, here it is. I am on Youtube and Vimeo now. Of course not under my real name but an alias, c0d3inj3cT. Down the line, if the need may arise, this blog might give you hints to trace down c0d3inj3cT to his real identity. And most probably it will, since that's how it's going to be. I don't really like to use my real name on the net.

Vimeo Link: http://vimeo.com/user5628057
Youtube Link: http://www.youtube.com/user/c0d3inj3cT

Why am I on Vimeo as well if I already am on Youtube? What's the reason to open up an account on these streaming websites?

To answer this. First of all, Vimeo has some advantages it offers over Youtube. Not many folks are aware of Vimeo, but Youtube is as well known as Google now, as we know it :)

Soon, people would be saying it "Youtube It" and not just "Google It"

But if you try and upload a screen recording of your activities on Youtube, let's say an educational video, a video that showcases your skills. You need the viewers to be able to see the video in high resolution and make sense out of it! No matter how catchy is the title of your video, you sure will get a lot of hits with a catchy title, since everyone's curious. But no good comments or thumbs up, if it isn't visible clearly.

This was the reason, I decided to re upload some of my videos on Vimeo.

I have done screen recording on Windows OS, since a long time using softwares like HyperCam. It just struck me after seeing some creative videos on Youtube, with people using fancy transition effects in their videos, that plain and simple videos aren't really that impressive. So, decided to use a more professional Screen Recording and Video Editing Software called Camtasia Studio 7. It's for professionals but it's easy to use at the same time for end users too.

Check out my videos on Vimeo and Youtube. My recent videos will of course be on Vimeo and not Youtube for reasons mentioned above.

It feels great to capture the screen recording of yourself doing some cool stuff on your PC. I decided to make some tutorial videos where I demonstrate some advanced Network Security techniques like Buffer Overflow Exploits.

Videos available at present:

- DNS Cache Poisoning against my ISP :) Just the flaw is shown and not exploited.
- Router Hacks
- SIP Extensions hack using Asterix PBX along with Backtrack
- Buffer Overflow exploit demo for Winamp

The videos are cool with some nice background music. So click and view! :)

It just struck me, been a long time since I made any video. I have been doing a lot of research work lately on topics like GSM Networks and Security Loopholes in it, SS7 Networks and ways of exploiting it, SIM Card Forensics, Cryptography and Mathematics :)