Secret Life of Hashes Divulged – Length Extension Attack Explained

Sounds interesting!! Doesn’t it? Well, it sounds to me and so I want it penned down. Let’s see how this goes.

If you feel you’ve nailed it after reading through the entire blog, then I can consider diving deep into the blogging world. It’s my second post within 24 hours and I already feel I was born for it. Let’s not bore you guys with my shit, and learn something about a new form of cryptographic attack called the Hash Length Extension Attack, instead.

It all started when I was at Goa in India (an exotic place to be in for sure) a year ago for the null conference. I know, when I say Goa, the only thought that comes to your mind is the beaches – pristine blue with golden sand and perhaps a bottle of Goa’s favorite chilled beer “Kings”.  The thought of not attending the conference crossed my mind, but then my Boss gave me an intensive look and there I was, (‘Coz my employer paid for the trip). I already knew that I was going to hate it but things changed at the blink of an eye the moment I entered the conference. One of the trainings at this conference was about an attack called a Hash Length Extension Attack. This was the first time I've heard it and it kept me on my toes for the entire session.

Half way down the session, I realized that the attack is not only super awesomely cool, but also conceptually easy to understand and perform. To make your job much easier, there are various modules available over the internet such as HashPump and hash_extender. There’s another module which I like personally, is the one from Stephen Bradshaw called hlextend. This module can be found at GitHub.

As per Wikipedia, the basic definition of this attack goes by:

“In cryptography and computer security, a length extension attack is a type of attack where an attacker can use Hash (message1) and the length of message1 to calculate Hash (message1 ∥ message2). This attack can be used to sign a message when a Merkle–Damgard based hash is misused as a message authentication code, allowing for inclusion of extra information.

This attack can be done on hashes with construction H (secret ∥ message) when message and the length of secret is known. Algorithms like MD5, SHA-1, and SHA-256 that are based on the Merkle–Damgard construction are susceptible to this kind of attack.”

Before we begin, a quick go-through on how Hashing works:

·         Hash functions operate on fixed block sizes

·         Input data is split into fix-sized parts equal to the block size

·         If any of these parts is smaller than block size (mostly the last part), the missing bytes are padded

ü       PKCS7

ü       Bit Padding

·         The hash value represents the internal state of the hash function

ü       You can simply continue adding data + padding and hash again using the internal state

The Attack:

Let’s assume a web application which uses a known hash generated from an unknown secret value tied to a user entered input. The basic purpose of doing so is to check the integrity of the entered value to avoid any form of manipulation. For example, let’s assume the desired SHA1 hash value generated with an unknown secret length for a valid parameter value ‘student’ is ‘204036A1EF6E7360E536300EA78C6AEB4A9333DD’. So, if we try to access the below mentioned URL, we get all the details of a student.

Cool! I guess that’s what the application was supposed to do. It’s a valid request after all. Let’s see what happens if we try to play with the ‘param’ value. Let’s try to access the ‘/etc/passwd/’ file using path traversal. What do you think will happen?

Oops!! File not found.

Of course! And did you think it was that easy? So what do you think happened? 

Well, the requested file did not match the above SHA1 hash value since it belonged to ‘student’. In order to perform this attack successfully, we would need a valid SHA1 hash value for the ‘/../../../../etc/passwd’ file, combined with an unknown length of the secret value.

And how do you think we get that? Well, the first thing we need to do is to guess the length of the secret value. Without which it won’t be possible to generate a valid hash. In such cases, brute forcing the value by trying multiple different lengths can sometimes be possible, depending on the application.

Let’s first see what all data we already have that might come in handy:

Known Data: student

Hash of known Data: 204036A1EF6E7360E536300EA78C6AEB4A9333DD

Extended Data: /../../../../etc/passwd

Hash of Extended Data: <unknown>

Length of secret: <unknown>

Great!!

If I have to explain it in simple words, the application creates a sha1 hash value of '204036A1EF6E7360E536300EA78C6AEB4A9333DD', by concatenating an unknown secret of length ‘X’ and known data of 'student'. You wish to append the text '/../../../../etc/passwd' after 'student' and also provide a valid hash back to the application that it will produce when it concatenates your provided value (which will include the string 'student' followed by '/../../../../etc/passwd') with its secret.

I hope by now you already know what our ultimate goal is. Ready for some action!!! Here we go……

The goal is to read the /etc/passwd file, via bypassing the hash integrity check on the param parameter. This is what the script below will automate using the hlextend module to generate the extended hash values.

And the output:

Once we access the above displayed URL:

You may notice that the new value produced above contains a lot of additional data (in this case, a 0x80 followed by a number of 0x00s and a message length, which is the length of the key plus the original message, appended at the end) between the 'student' and the '/../../../../etc/passwd' - this is hex encoded padding data used by the hash algorithm that needs to be integrated into the hashed data in order for the attack to work - So strictly speaking you can't specify the EXACT value to append, only what comes after the padding, but under the right circumstances you can make the application ignore this extra padding.

So in short, if the hash algorithm used is vulnerable, it is possible to achieve this without knowing the secret value as long as you know (or can guess, perhaps by brute force) the length of that secret value. This is called a hash length extension attack.

Happy Hacking my Friends!!!

Kali linux: BareMetal, Virtualized or USB Stick

Few days ago, we had a discussion about what is the best approach for Kali Linux installation.

A lot of guys complain about the performance in virtualized installations - I have one word for that: BULLSHIT!

I have almost 10 years of pentesting/security experience and I have never problems with virtualized installation, except for some years ago with Wi-Fi dongles (We will discuss it later).

Based in my observations to where and when to install, here are few ideas to follow:

- New in Linux:

If you are new, you should not start with Kali, go back and read this article first: http://blog.dclabs.com.br/2016/05/wanna-be-pentester.html and related links.

From this point I will assume that you have Linux and security skills.

As was described in the link above, Kali is not for general purpose or day by day distro, so, here is the first point:

- As Kali is not a day by day distro, some applications like Skype, Flash player and others are not supported by Kali Team, in other words, non-official/external repositories can be added in your Kali in order to install tools/packets.

Also, in Kali there are tools like calendars, agenda and stuff, but these tools are not priority.
In case of problems with this kind of application, for sure you have to wait a long time to get it fixed.

Obliviously, the best approach is to use Kali virtualized in your daily distro or Windows.

But before installing it, please RTFM (Read the Fucking Manual)! Is very common for people to complain about errors during the installation and performance. Of course, they are not following the basic recommendations. http://docs.kali.org/installation/kali-linux-hard-disk-install - Check all requirements before starting!

If you are planning to use Gnome as your default desktop environment, you need more RAM memory.

I recommend XFCE, because you are a Pentester and not a Designer.
If you want something cute, forget Kali and install HannaMontana Linux. http://hannahmontana.sourceforge.net/ -> Just to help you! (:

- Performance:

If you follow the requirements, the likelihood of facing problems is very low. Nowadays, machines have a very powerful processors, very good memory and disk size, so it is easy to allocate some of these resources to a VM. However, if your machine does not have good hardware specifications (maybe it is time to throw it away and buy a new one) I recommend the bare metal installation.

This way kali is able to use the complete machine hardware resources and it will not be shared with another OS.

- System restoring and backup

If you have minimum skills regarding virtualization, you know that making virtual machines backup/restore is easier than a bare metal installation - you only need to copy a couple of files and that´s it.

Also, you can revert to the last snapshot, the system will be up in few minutes or less.

For bare metal breaking, you need to check logs, files, disk healthy and stuff. Or, in the worst case, install the system again. It’s really not a good thing if you are inside a customer for example.

-Mobility

If you have a dedicated hardware to perform pestest for customers, is a good idea to have it bare metal. However, is possible to face some hardware compatibility problems, it will be discussed in the next topic.

Nevertheless, if you don’t have a dedicated hardware and carrying a notebook is not an option, you can use OVF format (https://en.wikipedia.org/wiki/Open_Virtualization_Format).
Just put the file in a pendrive and load it in the Vbox or Vmware for example. 

Another option is to create a bootable pendrive, also,  the mobility in this case is easier than carrying a notebook in the bag all the time.

Following the links related to USB install:

http://docs.kali.org/downloading/kali-linux-live-usb-install
http://docs.kali.org/downloading/kali-linux-live-usb-persistence

One more, but not powerful option is to install Kali in your mobile device, there is a especial Kali edition called NetHunter (https://www.kali.org/kali-linux-nethunter/) for this purpose.
Also, you can proceed with a chroot installation (https://www.kali.org/tutorials/kali-linux-android-linux-deploy/)

This last two cases are very useful when you are performing a pentest with very restrict devices access. I mean, when the customer does not allow you to go inside the company with your notebook. Normally mobiles devices are allowed and pendrives are very easy to hide.

-Hardware compatibility

If you dont wanna face hardware problems, the best way is to use virtual system. 

Only one problem in my point of view (and it not is that problem):
You are not able to use your GPU to crack passwords. 

You still able to use virtualized to crack, but for sure not the same speed.
However, the passwords can be cracked in your normal Linux/windows installation, don’t try to use this "problem" as excuse to have Kali bare metal installed and look cool for your friends.

For Wi-Fi penetration tests, some years ago I had some problems because VMware and Vbox didn’t have a nice USB management, nowadays, it already fixed.
Basically 99% of the problems with Wi-Fi pentesting are because the Wi-Fi card does not support packet injection, so, check it before buying the Wi-Fi adapter.

Conclusion:

A virtualized Kali will work pretty nice for you, covering almost all the cases.
If it is not working with satisfactory performance, maybe you did something wrong.

Probably I didn’t cover all possibilities ins the article, but I hope it helps you to choose the best way to install your Kali.

Compromising Security using Online Products

A big Hi to the online world out there! Since I don’t write much, let me first introduce myself. My name is Bikramaditya Guha aka PhoenixX and I'm an Indian Computer Enthusiast. These days I mostly work with information security, with a special interest in Web Applications. If you let me, I'll find my ways into your site or application, hopefully before the bad guys do. You can find a little more about me by visiting my LinkedIn profile.

It's very common these days to find and exploit zero days. Some of them are really intriguing based on the popularity of the products and their usage.

It has been observed that a lot of costly products (and by that I mean really costly) sold to the general public/corporations are not tested for security or to say the least, tested with negligence. It's 2016 and security still serves only as a mean to fulfill compliance requirements. Everybody seems to be in a hurry to release the product to the end users. It seems like the value of money is still more important than an individual's personal data.

Today I want to share a tale about how I started pawning shells across multiple demo products (mostly PHP based). Like all good tales, this one also begins long time ago (actually about a year).

Given that every organization or individual are becoming increasingly dependent on a one-click solution for all their problems, multiple (small and big) vendors are spawning up with online solutions/products to ease the pressure out of big MNCs. Though it saves you a lot of money, it raises a troubling question.

Are the products really secure? Do they really care about the reputation you carry? Or is it just a sprint for money?

These questions really raise an eyebrow (being paranoid helps when it comes to personal data) and then I decided to explore these products from a security perspective. And guess what!!! I felt like I can train junior pentesters to be hackers by using these online demos, the vendors offer, as a training ground. Or in short, nobody gives a 'Fish' about security. There's an open vulnerable world out in the wild ready to be PWNED.

In my recent researches, I have observed that a lot of popular products (CMS, LMS, WMS, etc.) wildly used in the market are prone to some serious vulnerabilities. 6 out of 10 major organizations which use these products are vulnerable to flaws which include but are not limited to SQL Injection, Remote Code Execution, LFI, XXE, XSS, etc. This is just a small example considering the enormousness of the online world.

The web's architecture, having become so important that many confuse it with the internet itself, is also problematic from a security standpoint. The web uses client-server architecture on a peer to peer network. The web and the internet pass messages asynchronously, essentially a file transfer system.

Each time you visit a website you open the door to your computer through which the site can send files. All of these separate files have been used by criminals and other evil doers to harm computer users.

• Your identity can be stolen for financial fraud.
• You can be redirected to phony sites and sold fake products.
• Your computer can be controlled for nefarious schemes using vulnerabilities in Flash and Java.

Worse, the peer to peer nature of the internet means that a network is only as vulnerable as its weakest link. Too often, network administrators and users are complacent about a computer or website because it is by itself insignificant. Why add SSL to a test website on a minor project? Why add a firewall to a computer that does not have significant data on it?

These questions are often answered the hard way. When hackers gain access to one computer on a network they can work their way onto other computers on the network. Drop a sniffer on one computer and you can eventually identify the login credentials to access other computers. With patience and persistence, hackers can move from a low priority computer with minimal access rights to more important computers with higher levels of access. Get root privileges, own the system/server. There's a hell lot of other things a hacker is equipped with to throw at your personally owned beloved system.

The main purpose of this article is to instill among the individuals the necessity and importance of security in whatever they do or try to do online. Be it using an online product, surfing on the internet, or playing online games, whatever. Being cautious doesn't harm. It definitely helps against such sophisticated and cleverly planned attacks.

In my work experience, I just don’t see organizations/individuals paying much of a heed to security. So in case you find this article interesting, I would recommend few things that might help you to improve security (only if you care enough).

1. Protect your network with a robust hardware-based firewall, at the same time keep personal firewalls on all computers. A layered approach to network security is essential.
2. Use remote management tools to ensure that all computers on your network have an up to date firewall and antivirus program correctly configured.
3. Restrict user’s rights to install software. I hate this myself, but it is important. When you give everyone installation rights you are giving it to the malware they download!
4. Use Firefox instead of Internet Explorer. It may not be practical to migrate away from Windows, but you can do a lot of good by using the much more secure Firefox.
5. Identify and secure all access points, no matter how seemingly insignificant. Every web site, every ftp server that can be accessed via the public internet needs to be secured and monitored for compromises.
6. Require strong passwords for your computers and applications. This is another one I hate, but weak passwords are the best friend of every hacker.
7. Last but not the least! Watch over your shoulder.

Given the nature of the internet, network security is a never ending battle that requires constant vigilance. Best of luck….

Wanna be pentester

Hi guys!

So, if you are reading this, I'm dead! Lol kidding.

Seriously now, if you are reading this, you are trying to become a pentester and not a stupid teenager who just wants to run a tool and tell his friends that he is a hacker.

Also, if you are concerned/complaining about the icon size on your desktop, your sound card is not working in Kali Linux, or you are too lazy to read it, go back to your everyday life. You don't have the pentester/hacker soul.

If you are still reading at this point, I already suppose that you have at least the basic knowledge of:

- Linux operation and management

- Windows operation and management

- Some programming language skills (Perl, python, ruby, javascript) also, for web pentest event HTML is required, even if it isn't a programming language

- Basic Network knowledge (TCP/IP, ICMP) /Network services (Proxy, VPN, Samba, AD)

- Protocols like HTTP, FTP, DNS, SSH

- SQL (DDL, DML, and so on), MySQL, SQL Server, Postgres, Oracle.

- NoSQL - MongoDB, and others.

If you don't have these skills, don't try to get into the security world at this moment, or you will get frustrated. You will need a lot of reading before you can start it.

Don't think just installing Kali Linux on your machine magically makes you a pentester. It takes time, and to be honest, a lot of time!

If you want to learn Linux, don't start with Kali for the following reasons: http://docs.kali.org/introduction/should-i-use-kali-linux. Basically, these lines: "The fact of the matter is, however, that Kali is a Linux distribution specifically geared towards professional penetration testers and security specialists, and given its unique nature, it is NOT a recommended distribution if you're unfamiliar with Linux or are looking for a general-purpose Linux desktop distribution for development, web design, gaming, etc."

The most important thing is: Know how things work.

I will not discuss the guys who use SET to grab Facebook credentials. I know a lot of "hackers" who can dump entire databases, but they don't even know how a SELECT or CREATE TABLE statement works, or guys who can take down a server, but they don't even know what an ICMP type 8 is. I felt sick writing this last sentence…

So, don't be big-headed. Just executing tools does not make you a hacker/pentester. Correctly start your studies.

Don't be a simple stupid script, kiddie. These guys are jokes in the security world. Do you wanna be like these guys? I don't think so.

And another tip: Don't think that everything is for free. You'll need to save money to buy books, training, or certifications.

There is a lot of training available on the internet. I'm saving some time for you:

Here are some books and links to start (I put them in the order that I think is the best way to learn, feel free to choose the best way for you):

https://en.wikipedia.org/wiki/Modern_Operating_Systems

http://iips.icci.edu.iq/images/exam/Computer-Networks---A-Tanenbaum---5th-edition.pdf

http://www.amazon.com/HTTP-Definitive-Guide-Guides/dp/1565925092

https://www.edx.org/course/introduction-linux-linuxfoundationx-lfs101x-0

https://linuxacademy.com/linux

http://linux-training.be/

http://www.htmlandcssbook.com/

https://en.wikiversity.org/wiki/Programming_Logic

https://www.python.org/about/gettingstarted/

https://www.perl.org/books/beginning-perl/

http://www.sqlcourse.com/

https://go.dev/

Now you have at least 6 months of studying ahead, and you can find more related training. Remember, Google is your friend.

I ALREADY HAVE THE SKILLS (Really? Double check it)

So, if you already have the required skills, there are some excellent references that you can use to get into IT security. Still, first, you should select one area and move to another one after you have mastered it (my recommendation). However, sometimes you have to mix them to get better results. Some security areas (it's not an exhaustive list):

Web Pentesting

Network Pentesting

Mobile Pentesting

SCADA Pentesting

Reverse Engineering

Malware Analysis

Forensics

Security Research

Hardware Security

Exploitation

Hardware Hacking

IoT Pentesting

RedTeaming -> Offensive

BlueTeam -> Defensive

Of course, you can simultaneously share your focus and study more than 1 topic.

If you are still lost, here there some careers you can search for and decide what is more suitable for you:
 

1.  Application Security Administrator – Keep software/apps safe and secure.

2. Artificial Intelligence Security Specialist – Use AI to combat cybercrime.

3. Automotive Security Engineer – Protect cars from cyber intrusions.

4. Blockchain Developer / Engineer – Code the future of secure transactions.

5. Blue Team Member – Design defensive measures / harden operating systems.

6. Bug Bounty Hunter – Freelance hackers find defects and exploits in code.

7. Cybersecurity Scrum Master – Watch over and protect all data.

8. Chief Information Security Officer (CISO) – Head honcho of cybersecurity.

9. Chief Security Officer (CSO) – Head up all physical/info/cyber security.

10. Cloud Security Architect – Secure apps and data in the cloud.

11. Counterespionage analyst – Thwart cyber spies from hostile nation states.

12. Cryptanalyst – Decipher coded messages without a cryptographic key.

13. Cryptographer – Develop systems to encrypt sensitive information.

14. Cyber Insurance Policy Specialist – Consult on cyber risk and liability protection.

15. Cyber Intelligence Specialist – Analyze cyber threats and defend against them.

16. Cyber Operations Specialist – Conduct offensive cyberspace operations.

17. Cybercrime Investigator – Solve crimes conducted in cyberspace.

18. Cybersecurity Hardware Engineer – Develop security for computer hardware.

19. Cybersecurity Lawyer – Attorney focused on info/cyber security and cybercrime.

20. Cybersecurity Software Developer / Engineer – Bake security into applications.

21. Data Privacy Officer – Ensure legal compliance related to data protection.

22. Data Recovery Specialist – Recover hacked data from digital devices.

23. Data Security Analyst – Protect information on computers and networks.

24. Digital Forensics Analyst – Examine data containing evidence of cybercrimes.

25. Disaster Recovery Specialist – Plan for and respond to data and system catastrophes.

26. Ethical / White Hat Hacker – Perform lawful security testing and evaluation.

27. Governance Compliance & Risk (GRC) Manager – Oversee risk management.

28. IIoT (Industrial Internet of Things) Security Specialist – Protect industrial control systems.

29. Incident Responder – First response to cyber intrusions and data breaches.

30. Information Assurance Analyst – Identify risks to information systems.

31. Information Security Analyst – Plan and carry out infosecurity measures.

32. Information Security Manager / Director – Oversee an IT security team(s).

33. Intrusion Detection Analyst – Use security tools to find targeted attacks.

34. IoT (Internet of Things) Security Specialist – Protect network connected devices.

35. IT Security Architect – Implement network and computer security.

36. Malware Analyst – Detect and remediate malicious software.

37. Mobile Security Engineer – Implement security for mobile phones and devices.

38. Network Security Administrator – Secure networks from internal and external threats.

39. Penetration Tester (Pen-Tester) – Perform authorized and simulated cyberattacks.

40. PKI (Public Key Infrastructure) Analyst – Manage the secure transfer of digital information.

41. Red Team Member – Participate in real-world cyberattack simulations.

42. SCADA (Supervisory control and data acquisition) Security Analyst – Secure critical infrastructures.

43. Security Auditor – Conduct audits on an organization’s information systems.

44. Security Awareness Training Specialist – Train employees on cyber threats.

45. Security Operations Center (SOC) Analyst – Coordinate and report on cyber incidents.

46. Security Operations Center (SOC) Manager – Oversee all SOC personnel.

47. Source Code Auditor – Analyze software code to find bugs, defects, and breaches.

48. Threat Hunter – Search networks to detect and isolate advanced threats.

49. Virus Technician – Detect and remediate computer viruses and malware.

50. Vulnerability Assessor – Find exploits in systems and applications.

In these links, you can find more detailed information regarding each carrier: 

https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt6b6beaf55a366a55/Poster_Coolest-Careers_v0322.pdf

https://www.sans.org/cybersecurity-careers/20-coolest-cyber-security-careers/

If you are considering using Kali to start your studies, you should visit the link http://docs.kali.org.

This link has a lot of Kali documentation that can help you before you go to the #kali-Linux channel on Freenode and ask an obvious question. Also, you can use forums.kali.org. Additionally, as Kali is Debian-based, it is good to check the Debian Linux documentation if you are unfamiliar with this distro.

Some helpful links to start your pentest journey:

Books:

http://www.hackingexposed.com/ - Very nice book series that covers a lot of different topics.

This is another very nice book series that covers many topics, like Mobile, Android, Cars, and others, not only Web Applications, search for it.

http://www.amazon.com/Web-Application-Hackers-Handbook-Exploiting/dp/1118026470

http://www.amazon.com/s/ref=nb_sb_noss_1?url=search-alias%3Dstripbooks&field-keywords=hacker%27s+handbook&rh=n%3A283155%2Ck%3Ahacker%27s+handbook

http://www.amazon.com/SQL-Injection-Attacks-Defense-Second/dp/1597499633/

Red Teaming: 

https://www.amazon.de/Red-Team-Succeed-Thinking-Enemy/dp/0465048943

https://www.amazon.de/-/en/Joe-Vest/dp/B083XVG633/ref=pd_lpo_4?pd_rd_i=B083XVG633&psc=1

Also, you can google "Pentest Kali Linux" on google. There are a lot of related books, just choose one and try.

Links:

One more link in the same style as this post:

https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/

http://www.vulnhub.com - > A lots of vulnerable machines to play with.

http://www.securitytube.com -> A lots of security videos and tutorials.

https://www.cybrary.it -> More security videos

https://pentesterlab.com -> Various pentest exercises

http://hackthebox.eu -> Various pentest exercises

https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation -> Low Level exploitation

http://www.owasp.org

https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

https://github.com/enaqx/awesome-pentest

http://worldwideprogramers.blogspot.com.br/2016/07/22-hacking-sites-ctfs-and-wargames-to.html?m=1

Certifications/Training:

https://www.offsec.com

https://kali.training/ --> FREE TRANING! 

https://portswigger.net/web-security --> FREE TRAINING! 

http://www.elearn.com -> Moved to https://ine.com/learning/paths -> CyberSecurity

https://www.sans.org

https://www.eccouncil.org/Certification/certified-ethical-hacker

https://courses.zeropointsecurity.co.uk/courses/red-team-ops
https://www.webhacking.com.br/ -> Portuguese language

Here, there is a list of the most expressive certifications in CyberSecurity according to each area:

https://pauljerimy.com/security-certification-roadmap/
Click on the image to enlarge it.

Building a pentest lab:

https://pen-testing.sans.org/blog/2014/02/27/building-a-pen-test-infrastructure-hacking-at-home-on-the-cheap

https://community.rapid7.com/docs/DOC-2196

https://www.cybrary.it/0p3n/tutorial-for-setting-up-a-virtual-penetration-testing-lab-at-your-home/

Also, you can find an excellent pentest LAB for FREE on

www.hackthebox.eu

I recommend you take VIP access. It's about U$10/month, and it's totally worth it!

How To Ask Questions The Smart Way:

http://www.catb.org/esr/faqs/smart-questions.html

Thanks to <Illusional> for the help! \o/