Lessons from Mexico

Posted by Eric | General | Tuesday 22 January 2008 9:51 pm

<p>Recently returned from Mexico with a few valuable lessons.</p>
<p>First off, with copious amounts of time and the lack of an Internet connection or English-speaking television channels, you can pretty much learn a language given the proper material. I blew through an entire Python book this past weekend and started hacking on code to better myself! I brought down a hard-copy book and a bunch of e-books with me. All in all, it was a good weekend without the Internet.</p>
<p>I also learned that 2wire is the dominant source of Internet down there. Beyond that, which really is not a discovery worth mentioning, is the fact that I think Mexico has better education on securing wireless networks than America. Out of all the wireless networks I came across, especially in the area I was staying, all of them had security on! Yet throw on a scanner in my neighborhood and you hit 20+ access points with no security at all.</p>
<p>Los Sanitarios are far from sanitary. While we were at El Mercado to grab some candy for the party I had to go to the bathroom really bad! When I walked in, there was shit on the walls, dirty paper all over the place. It was horrible; I felt as though I was going to contract a disease just pissing there. So, if you find yourself in Mexico and you need to use the bathroom… beware of places that charge 1 peso!</p>
<p>While I was down there I also found some old docs on rootkits, anti-forensics and my architecture manuals for ARM and MIPS.
W00t, now I just need to get one of <a href="http://www.revogear.com/ProductDetails.asp?ProductCode=KURO-BOX%2FPRO">these</a></p>
<p>and I’ll be good to go! I know it’s muy temprano, but I’ve been up since 3 a.m. and doing too much travel for the day. Plus I got a speeding ticket again, so I’m not happy! Back to PPC later this week!</p>
</div>
<div class="feedback"> <a href="http://hamsterswheel.com/techblog/?p=36#respond" title="Comment on Lessons from Mexico">Comments (0)</a> </div>
</div>
<div class="post">
<h2 id="post-35"><a href="http://hamsterswheel.com/techblog/?p=35" rel="bookmark">LSo Crackme Numero uno</a></h2>
<div class="meta">Posted by Eric | <a href="http://hamsterswheel.com/techblog/?cat=14" title="View all posts in Crackme" rel="category">Crackme</a>, <a href="http://hamsterswheel.com/techblog/?cat=13" title="View all posts in Reversing" rel="category">Reversing</a> | Monday 14 January 2008 12:08 am </div>
<div class="storycontent">
<p>Not to stray off topic, but Learnsecurityonline.com had their first ever crackme, which was released Friday night. Apparently I didn’t get the memo about it until sometime late Saturday.
I ran into some trouble with it because the file wasn’t loading; I was stuck in “DLL Hell.” The crackme was written in VB.NET using Visual Studio 2005, and I didn’t have what it needed apparently. However, once I updated to .NET 2.0 everything worked like a charm.</p>
<p>The first thing to do, since this was supposed to be a n00b challenge, was dump strings. Nothing for hard-coded passwords came up, but I did notice a lot of crap. First, I was able to identify that I would be working with VB code, and then I was able to determine that the file was a debug build, which coincidentally (not that it mattered) still had debug symbols in it (as it should in a debug version). Anyhow, I was also able to obtain the names of functions to start poking around in.</p>
<p><img src="http://www.hamsterswheel.com/blogpics/Screenshot.png" /></p>
<p>After we found our functions and whatnot I decided to load her up in IDA Pro. Now, you could have used a debugger such as OllyDbg, which is now in version 2.0; it’s really a matter of preference.
But since I figured I’d go the static analysis route first, I used IDA.</p>
<p>Scrolling through, we were able to locate the function titled “Submit_Click” which we saw in our strings dump.</p>
<p><a href="http://www.hamsterswheel.com/blogpics/LSO-Crackme.jpeg"> </a></p>
<p>We also see that within that function there is what appears to be a hard-coded password, and a string comparison call. I think we got it! Let’s have a look-see!</p>
<p><img src="http://www.hamsterswheel.com/blogpics/Forthewin.jpeg" /></p>
<p>And such is the reason we don’t hard-code passwords!</p>
<p>Another route you could have taken would have been to open up the executable in a hex editor.
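Scripting that pass over the raw bytes, as an added example that is not part of the original post: the scanner below looks for both ASCII runs and UTF-16LE runs, because a .NET assembly keeps identifiers such as Submit_Click as ASCII in its #Strings heap but stores string literals (the kind a hard-coded password compare uses) as UTF-16LE in its #US heap, so an ASCII-only strings dump lists the method names and never the literal. The sample bytes are constructed for the demonstration, not taken from the crackme.

```python
import re

# ASCII-only strings dumps list the identifiers of a .NET assembly (the #Strings
# metadata heap holds them as ASCII/UTF-8) but miss its string literals, because
# the #US heap that holds literals stores every one as UTF-16LE. Scanning both
# encodings surfaces a hard-coded password from raw bytes without a disassembler.

MIN_LEN = 6  # shortest run worth reporting; lower it to catch shorter passwords


def extract_strings(blob, min_len=MIN_LEN):
    """Return sorted (offset, encoding, text) for every printable run of >= min_len chars."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_run.finditer(blob)]
    return sorted(found)


def literals_only(blob, min_len=MIN_LEN):
    """Only the UTF-16LE hits: in a .NET binary these are the literals the code compares against."""
    return [text for _, enc, text in extract_strings(blob, min_len) if enc == "utf-16le"]


# Constructed stand-in for a few bytes of a VB.NET assembly (hypothetical; not the real crackme).
SAMPLE = (
    b"\x00\x00Submit_Click\x00btnSubmit\x00Form1\x00"  # #Strings heap: identifiers, ASCII
    + b"\x15"                                          # #US heap entry: blob length prefix (20 + 1 bytes)
    + "s3cr3tpass".encode("utf-16-le") + b"\x00"       # the literal in UTF-16LE, then the trailing flag byte
    + b"\x7f\x01\x02"                                  # unrelated bytes
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8} {text}")  # the ASCII pass alone never shows s3cr3tpass
```

Run it against a real assembly with `extract_strings(open(path, "rb").read())`; the same two-encoding pass is a cheap pre-release audit for literals that should not be in your own binaries.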
Of course, there was a chance you would have blown right past the password, but if you were looking carefully you would have found it!</p>
<p><img src="http://www.hamsterswheel.com/blogpics/lso-crackme-hex.jpeg" /></p>
</div>
<div class="feedback"> <a href="http://hamsterswheel.com/techblog/?p=35#comments" title="Comment on LSo Crackme Numero uno">Comments (1)</a> </div>
</div>
<div class="post">
<h2 id="post-34"><a href="http://hamsterswheel.com/techblog/?p=34" rel="bookmark">Power Pc Intro</a></h2>
<div class="meta">Posted by Eric | <a href="http://hamsterswheel.com/techblog/?cat=12" title="View all posts in Architecture" rel="category">Architecture</a>, <a href="http://hamsterswheel.com/techblog/?cat=11" title="View all posts in Research" rel="category">Research</a> | Sunday 13 January 2008 12:17 am </div>
<div class="storycontent">
<p>PowerPC runs on a reduced instruction set (RISC) and Intel runs on a complex instruction set (CISC). RISC is a CPU design strategy that focuses on simplified instructions which do less, but may still provide higher performance if the simplicity lets instructions execute very fast. SPARC, ARM and MIPS also use a reduced instruction set.
Intel, on the other hand, utilizes a complex instruction set in which a single instruction can execute several low-level operations, such as a load from memory, a math operation and a memory store, all in one instruction.</p>
<p>The PowerPC architecture has some of the following features.</p>
<p>Separate 32-bit register files for integer and floating-point instructions.</p>
<ul>
<li><p>The general-purpose registers hold source data for integer arithmetic instructions.</p></li>
<li><p>The floating-point registers hold source and target data for floating-point arithmetic instructions.</p></li>
</ul>
<p>Instructions for loading and storing data between memory and the FPRs and GPRs.</p>
<p>The ability to perform both single- and double-precision floating-point operations.</p>
<p>User-level instructions for storing, flushing and invalidating data in the on-chip caches.</p>
<p>Support for both big- and little-endian addressing modes.</p>
<p>The PowerPC architecture is defined in three levels. This layering of the architecture provides flexibility, allowing degrees of software compatibility across a wide range of implementations.
The three levels of architecture are:</p>
<ul>
<li><p>User instruction set architecture: defines the base user-level instruction set, user-level registers, data types, floating-point memory and interrupt model as seen by user programs.</p></li>
<li><p>Virtual environment architecture: defines additional user-level functionality that falls outside typical user-level software requirements.</p></li>
<li><p>Operating environment architecture: defines supervisor-level resources, which are typically required by an operating system.</p></li>
</ul>
<p>For further information on RISC and CISC:</p>
<p>http://en.wikipedia.org/wiki/RISC</p>
<p>http://en.wikipedia.org/wiki/Complex_instruction_set_computer</p>
<p>http://cse.stanford.edu/class/sophomore-college/projects-00/risc/risccisc/</p>
</div>
<div class="feedback"> <a href="http://hamsterswheel.com/techblog/?p=34#respond" title="Comment on Power Pc Intro">Comments (0)</a> </div>
</div>
<div class="post">
<h2 id="post-33"><a href="http://hamsterswheel.com/techblog/?p=33" rel="bookmark">Damn its Jan already!</a></h2>
<div class="meta">Posted by Eric | <a href="http://hamsterswheel.com/techblog/?cat=1" title="View all posts in General" rel="category">General</a> | Monday 7 January 2008 11:35 pm </div>
<div class="storycontent">
<p>A new year has come, and it’s been almost two months since my last post. I’ve been so busy lately, especially last month.
I recently endured the holidays, purchased a house, had 3 major car repairs, and changed jobs all in one month. I recently took on a position doing reverse engineering. The company allowed me to break into the field through some people I knew. As it stands, I’ve been there a month and I already love the place. The atmosphere is great, the group is small and we seem to have fun on Friday afternoons. At any rate, I’m still paying attention to the penetration-testing side of the house, but I don’t do it full time anymore. This year I have set out a few goals that I would not only like to learn more about, but also enhance my skills with and perhaps make some entries about. I intend to write at least 1 post per week. Let’s see if we can do it.</p>
<p>So this year, we have some new goals I would like to accomplish.</p>
<p>Exploitation Development</p>
<ul>
<li><p>With post exploitation I’d like to get a firm grip on Linux-based and Win32 exploitation. I have the concepts down, but I really need to practice the application. I’ve been running into some vulns lately that have been road blocks for me due to some type of filtering or advanced vulnerability.</p></li>
</ul>
<p>Post Exploitation</p>
<ul>
<li><p>I really need to get up to par with my post exploitation, which includes rootkits, IDS evasion, and anti-forensics. When I say rootkits, I don’t mean using them; I want to know how they work, well enough to create my own. IDS evasion is self-explanatory; I should add HIPS evasion as well. Anti-forensics is another that is self-explanatory, but it’s something I want to learn more about.</p></li>
</ul>
<p>Architectures</p>
<ul>
<li><p>Although not many are lying around, I need to learn SPARC and PowerPC.
My friend Rick gave me his Mac mini, which runs on the PowerPC architecture. I already have 3 pizza boxes also. But I need to learn both of them!</p></li>
</ul>
<p>OS</p>
<ul>
<li><p>I need to learn more on OpenBSD and FreeBSD, as well as Mac OS X. I’ve been seeing quite a few of the wargames going towards Mac OS. This was evident in last year’s pre-qualifications for the Defcon CTF.</p></li>
</ul>
</div>
<div class="feedback"> <a href="http://hamsterswheel.com/techblog/?p=33#respond" title="Comment on Damn its Jan already!">Comments (0)</a> </div>
</div>
</div>
<div id="footer"> © Copyright 2009 | <a href="http://hamsterswheel.com/techblog">Phn1x – Hamsterswheel</a> | Theme by <a href="http://clubparexcellancetech.com/">Club Par Excellance</a> | All Rights Reserved | Sponsored by <a href="http://www.voipkit.ca/">VoIP</a> </div>
</body>
</html>