Archive for March, 2010
Extremely Simple Steganography
by zitstif on Mar.25, 2010, under Posts
Dabbling about with the command line one day, I thought to myself, “Can’t I append text to a picture and be able, at a later time, to read the text back out of the image?”.
By simply using ‘>>’, under Windows and Linux, you can append text to a picture file (a jpeg, for example). Bear in mind that this does change the hash sum of the file. Lastly, I’ve only tested this with jpeg images.
Here’s an example:
We have a file called ‘linux.jpg’ from http://www.bose.res.in/~kapil/linux.jpg
By simply invoking:
echo "Secret Message: toor" >> linux.jpg
To find our “Secret Message”, simply invoke the following:
egrep -a 'Secret' linux.jpg
If you’re using ‘xterm’, your output may look like this:
However, if you’re using something else and your output ‘borks’ your terminal and the output looks completely alien, use the reset command.
You can do this in Windows as well, but the command looks like this:
type linux.jpg | findstr "Secret"
Netgear RP614v4 exploit
by zitstif on Mar.24, 2010, under Code, Exploits, Posts
Website/Company: http://zitstif.no-ip.org
E-mail: zitstif[at]gmail.com
Name: Kyle Young
Device: Netgear RP614v4
Firmware version: v1.1.2_09.01
Firmware release date: November 2009
HTTP service: Boa HTTPd 0.93.15
Exploit release date: Wednesday March 24, 2010
Default router credentials:
username: admin
password: password
Scope: Local/Remote
Vulnerability:
The Netgear RP614v4 is susceptible to an end user making a request for the netgear.cfg file which is located at:
http://[RouterIP]/vgn/jsp/netgear.cfg
This file is a plain text ASCII file that contains the router’s password at line 216, which looks similar to this:
http_passwd=myvulnerablepassword
You don’t have to authenticate to obtain this file at all.
The qualm with this exploit is that it works on the LAN the router is on, or even remotely over the WAN if the remote administration option is enabled (the default port for this is 8080).
PoC: http://zitstif.no-ip.org/rp614v4/rp614v4exploit.txt
Additional notes:
After discovering this vulnerability, I’ve noticed with other routers that have HTTP-based administration that you can make requests for config files without authenticating. However, this does not always work, and at times the config file is obfuscated.
From my experience, most of the config files for routers are in a binary format and can be viewed with a program like ‘bvi‘. At times, you can view credentials to the device and also PPPoE credentials.
I’m reporting this vulnerability to securityfocus.com, due to the lack of support on Netgear’s end.
Stripping SSL & Sniffing HTTPS (SSLStrip) (by g0tmi1k)
by zitstif on Mar.18, 2010, under Code, Videos
Testing for existence of programs via bash
by zitstif on Mar.15, 2010, under Code, Posts
For those of you who are into shell scripting and want to know what, in my opinion, is the best way to test whether programs exist or not, pay close attention.
In my humble opinion, the best way to test for the existence of a program is to test the exit code of the previous command in an if statement.
Firstly, if you run a command that doesn’t exist, the exit code will always be ‘127’. If you don’t want to see the output of the command while testing for it, then simply redirect all the output to /dev/null.
idontexist &> /dev/null
echo $?
127
Now, a friend suggested using this method for testing for programs in bash:
idontexist &> /dev/null || echo "You don't have 'idontexist'"; exit 1;
There are a few qualms with this. Firstly, depending on the program, if it does not exit with exit code ‘0’, your shell script will state ‘You don’t have ‘idontexist’’ and then exit. However, you might actually have the program! Some programs exit with non-zero exit codes if you pass no arguments to them, or even if you pass ‘-h’ as a help argument. Also, since the echo statement is terminated by the semicolon, ‘exit’ will then be executed regardless. Ergo, this method looks great as a one-liner, but if I want to test for the existence of a program and, if it doesn’t exist, exit with an error message displayed to the user, I highly suggest the following method:
idontexist &> /dev/null;
if [[ "$?" == "127" ]];
then
echo "'idontexist' appears to not be installed, check your PATH variable"; exit 1;
fi
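As an added example (not the post’s own code), here is the ‘127’ check wrapped in a function next to the one-liner logic it argues against, so the difference can be seen on a program that exists but exits non-zero. The function names have_cmd, have_cmd_naive and require_cmd are my own, and the redirections use the POSIX spelling so it also runs under plain sh.

```sh
#!/bin/sh
# Added example (not the post's code): test for a program by checking for
# exit code 127, and compare with treating any non-zero exit as "missing".
# `>/dev/null 2>&1` is the POSIX spelling of bash's `&> /dev/null`.

# have_cmd NAME [ARGS...]: runs the program with all output discarded, as in
# the post, and returns 0 unless the shell reported "command not found" (127).
# Note that this executes the program; `command -v NAME >/dev/null 2>&1`
# checks for it on the PATH without running it.
have_cmd() {
    _hc_status=0
    "$@" >/dev/null 2>&1 || _hc_status=$?
    [ "$_hc_status" -ne 127 ]
}

# have_cmd_naive NAME [ARGS...]: the one-liner's logic, where any non-zero
# exit code is taken to mean the program is not installed.
have_cmd_naive() {
    "$@" >/dev/null 2>&1
}

# require_cmd NAME: the post's if-block as a reusable function. Prints the
# message to stderr and returns 127 (instead of exiting) so the caller decides.
require_cmd() {
    if ! have_cmd "$1"; then
        echo "'$1' appears to not be installed, check your PATH variable" >&2
        return 127
    fi
    return 0
}

# Worked comparison using `false`, a program that exists but always exits 1
# (grep with no arguments behaves the same way, exiting 2):
#   have_cmd false        -> 0  (installed: the exit code was 1, not 127)
#   have_cmd_naive false  -> 1  (wrongly reported as missing)
#   have_cmd idontexist   -> 1  (exit code 127, really missing)
```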
More to come…
Why wireless networks can be an anathema to security.
by zitstif on Mar.10, 2010, under Posts, Videos
Xplico Part 1:
Xplico Part 2:
http://www.securitytube.net/Xplico-Network-Forensic-Analysis-Tool-Demo-video.aspx
If you’re curious about a good live Linux forensics distro that even includes this tool, check out:
http://www.deftlinux.net/