inBINcible Writeup - Golang Binary Reversing

This file is an 32bits elf binary, compiled from go language (i guess ... coded by @nibble_ds ;)

The binary has some debugging symbols, which is very helpful to locate the functions and api calls.

GO source functions:

-  main.main

-  main.function.001

If the binary is executed with no params, it prints "Nope!", the bad guy message.

~/ncn$ ./inbincible 

Nope!

Decompiling the main.main function I saw two things:

1. The Argument validation: Only one 16 bytes long argument is needed, otherwise the execution is finished.

2. The key IF, the decision to dexor and print byte by byte the "Nope!" string OR dexor and print "Yeah!"

The incoming channel will determine the final message.

Dexor and print each byte of the "Nope!" message.

This IF, checks 16 times if the go channel reception value is 0x01, in this case the app show the "Yeah!" message.

Go channels are a kind of thread-safe queue, a channel_send is like a push, and channel_receive is like a pop.

If we fake this IF the 16 times, we got the "Yeah!" message:

(gdb) b *0x8049118
(gdb) commands
>set {char *}0xf7edeef3 = 0x01
>c
>end

(gdb) r 1234567890123456
tarting program: /home/sha0/ncn/inbincible 1234567890123456
...
Yeah!

Ok, but the problem is not in main.main, is main.function.001 who must sent the 0x01 via channel.

This function xors byte by byte the input "1234567890123456" with a byte array xor key, and is compared with another byte array.

=> 0x8049456:       xor    %ebp,%ecx

This xor,  encode the argument with a key byte by byte

The xor key can be dumped from memory but I prefer to use this macro:

(gdb) b *0x8049456
(gdb) commands
>i r  ecx
>c
>end
(gdb) c

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x45 69

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x33 51

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x87 135

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x65 101

Breakpoint 2, 0x08049456 in main.func ()
ecx            0x12 18

The result of the xor will compared with another array byte,  each byte matched, a 0x01 will be sent.

The cmp of the xored argument byte,
will determine if the channel send 0 or 1

(gdb) b *0x0804946a
(gdb) commands
>i r al
>c
>end

At this point we have the byte array used to xor the argument, and the byte array to be compared with, if we provide an input that xored with the first byte array gets the second byte array, the code will send 0x01 by the channel the 16 times.

Now web have:

xorKey=[0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12,0x45,0x33,0x87,0x65,0x12]

mustGive=[0x55,0x75,0x44,0xb6,0x0b,0x33,0x06,0x03,0xe9,0x02,0x60,0x71,0x47,0xb2,0x44,0x33]

Xor is reversible, then we can get the input needed to dexor to the expected values in order to send 0x1 bytes through the go channel.

>>> x=''
>>> for i in range(len(xorKey)):
...     x+= chr(xorKey[i] ^ mustGive[i])
... 
>>> print x

G0w1n!C0ngr4t5!!


And that's the key :) let's try it:

~/ncn$ ./inbincible 'G0w1n!C0ngr4t5!!'
Yeah!

Got it!! thanx @nibble_ds for this funny crackme, programmed in the great go language. I'm also a golang lover.

Read more

1. Hacker Google
2. Pentest Plus
3. Hacking 3Ds
4. Hacker Computer
5. Pentest Red Team
6. Pentest Usb
7. Hacking Wifi

Nipe - A Script To Make TOR Network Your Default Gateway

Tor enables users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both Licit and Illicit purposes. Tor has, for example, been used by criminals enterprises, Hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously.

Nipe is a Script to make Tor Network your Default Gateway.

This Perl Script enables you to directly route all your traffic from your computer to the Tor Network through which you can surf the Internet Anonymously without having to worry about being tracked or traced back.

Download and install:

    git clone https://github.com/GouveaHeitor/nipe
    cd nipe
    cpan install Switch JSON LWP::UserAgent

Commands:

    COMMAND          FUNCTION
    install          Install dependencies
    start            Start routing
    stop             Stop routing
    restart          Restart the Nipe process
    status           See status

    Examples:

    perl nipe.pl install
    perl nipe.pl start
    perl nipe.pl stop
    perl nipe.pl restart
    perl nipe.pl status

Bugs

• Report bugs in my email: [hi@heitorgouvea.me]

Download Nipe

Continue reading

1. Hacking Tutorials
2. Pentest Tutorial
3. Pentest Gear
4. Hackerrank
5. Pentest Dns Server
6. Hacking Script
7. Pentest Dns
8. Pentest Vs Ceh
9. Hacker Wifi Password
10. Pentest Practice Sites
11. Pentest Guide
12. Hacking Language
13. Hacking With Python
14. Hacking Process
15. Pentest Companies
16. Hacking Gif
17. Pentest Web Application
18. Hacking Jacket

Spaghetti: A Website Applications Security Scanner

About Spaghetti
   Author: m4ll0k

• Github: m4ll0k
• Twitter: m4ll0k

   Spaghetti is an Open Source web application scanner, it is designed to find various default and insecure files, configurations, and misconfigurations. Spaghetti is built on Python 2.7 and can run on any platform which has a Python environment.

Spaghetti Installation:

Spaghetti's Features:
   Fingerprints:

• Server:
• Web Frameworks (CakePHP,CherryPy,...)
• Web Application Firewall (Waf)
• Content Management System (CMS)
• Operating System (Linux,Unix,..)
• Language (PHP,Ruby,...)
• Cookie Security

   Discovery:

• Bruteforce:Admin Interface
  Common Backdoors
  Common Backup Directory
  Common Backup File
  Common Directory
  Common FileLog File
• Disclosure: Emails, Private IP, Credit Cards

   Attacks:

• HTML Injection
• SQL Injection
• LDAP Injection
• XPath Injection
• Cross Site Scripting (XSS)
• Remote File Inclusion (RFI)
• PHP Code Injection

   Other:

• HTTP Allow Methods
• HTML Object
• Multiple Index
• Robots Paths
• Web Dav
• Cross Site Tracing (XST)
• PHPINFO
• .Listing

   Vulns:

• ShellShock
• Anonymous Cipher (CVE-2007-1858)
• Crime (SPDY) (CVE-2012-4929)
• Struts-Shock

Spaghetti Example:
python spaghetti --url example.com --scan 0 --random-agent --verbose

Download Spaghetti

Related word

1. Hacking Meaning
2. Hacking Tutorials
3. Pentesting And Ethical Hacking
4. Hacking Tutorials
5. Hacking Jailbreak
6. Pentest Cheat Sheet
7. Hacking Vpn
8. Pentest Jobs
9. Hacking Device
10. Hacking Attack
11. Pentestmonkey Cheat Sheet
12. Pentest Online Course
13. Pentesting
14. Hacking Wifi
15. Pentest Questions

BurpSuite Introduction & Installation

What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from   https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.

You need to install compatible version of java , So that you can run BurpSuite.

Read more

1. Pentest Report Generator
2. Pentestlab
3. Pentest With Metasploit
4. Pentest Environment
5. Pentest +
6. Pentest Reporting Tool
7. Pentest Meaning
8. Hacker Keyboard
9. Hacker Box
10. Hacking With Linux
11. Hacking To The Gate
12. Hacking Jacket
13. Pentest Online Course
14. Hacker Computer
15. Pentestgeek
16. Pentest Book
17. Pentest Smtp

Samurai: Web Testing Framework

"The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test." read more...

Website: http://samurai.inguardians.com

More information

• Hacker Software
• Pentest Aws
• Hacking Bluetooth
• Pentestgeek
• Hacking Process
• Pentest Active Directory
• Hacking Vpn
• Pentester Academy
• Pentest Checklist
• Hacking Box
• Pentest Reporting Tool
• Pentest Practice Sites
• Pentesting Tools
• Pentest Hardware
• Pentest News
• Pentest Ios
• Hacker Website
• Pentest Standard
• Hacking Process

Trendnet Cameras - I Always Feel Like Somebody'S Watching Me.

Firstly this post requires the following song to be playing.

http://www.youtube.com/watch?v=wVfjwIyc-CU

Now that we got that out of the way... I have been seeing posts on sites with people having fun with embedded systems/devices and I was feeling left out. I didn't really want to go out and buy a device so I looked at what was laying around. 

Enter the Trendnet TV-IP110w - http://www.trendnet.com/products/proddetail.asp?prod=145_TV-IP110W

To start off the latest firmware for this device can be found at the following location :

http://downloads.trendnet.com/tv-ip110w/firmware/FW_TV-IP110W_A1.x(1.1.0.104).zip

First order of business was to update the camera with the most recent firmware:

Device info page confirming firmware version

Now that the device was using the same version of firmware as I was going to dive into, lets get to work. I will be using binwalk to fingerprint file headers that exist inside the firmware file. Binwalk can be downloaded from the following url: http://code.google.com/p/binwalk/

Running binwalk against the firmware file 

binwalk FW_TV-IP110W_1.1.0-104_20110325_r1006.pck 
DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------------------------------------
32320     0x7E40     gzip compressed data, from Unix, last modified: Thu Mar 24 22:59:08 2011, max compression
679136     0xA5CE0   gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression

Looks like there are two gzip files in the "pck" file. Lets carve them out using 'dd'. First cut the head off the file and save it off as '1_unk'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=1_unk bs=1 count=32320
32320+0 records in
32320+0 records out
32320 bytes (32 kB) copied, 0.167867 s, 193 kB/s

Next cut out the first gzip file that was identified, we will call this file '2'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=2 bs=1 skip=32320 count=646816
646816+0 records in
646816+0 records out
646816 bytes (647 kB) copied, 2.87656 s, 225 kB/s

Finally cut the last part of the file out that was identified as being a gzip file, call this file '3'

#dd if=FW_TV-IP110W_1.1.0-104_20110325_r1006.pck of=3 bs=1 skip=679136
2008256+0 records in
2008256+0 records out
2008256 bytes (2.0 MB) copied, 8.84203 s, 227 kB/s

For this post I am going to ignore files '1_unk' and '2' and just concentrate on file '3' as it contains an interesting bug :) Make a copy of the file '3' and extract it using gunzip

#file 3
3: gzip compressed data, was "rootfs", from Unix, last modified: Thu Mar 24 22:59:09 2011, max compression
#cp 3 3z.gz
#gunzip 3z.gz
gzip: 3z.gz: decompression OK, trailing garbage ignored
#file 3z
3z: Minix filesystem, 30 char names

As we can see the file '3' was a compressed Minix file system. Lets mount it and take a look around.

#mkdir cameraFS
#sudo mount -o loop -t minix 3z cameraFS/
#cd cameraFS/
#ls
bin  dev  etc  lib  linuxrc  mnt  proc  sbin  server  tmp  usr  var

There is all sorts of interesting stuff in the "/server" directory but we are going to zero in on a specific directory "/server/cgi-bin/anony/"

#cd server/cgi-bin/anony/
#ls
jpgview.htm  mjpeg.cgi  mjpg.cgi  view2.cgi

The "cgi-bin" directory is mapped to the root directory of http server of the camera, knowing this we can make a request to http://192.168.1.17/anony/mjpg.cgi and surprisingly we get a live stream from the camera. 

video stream. giving no fucks.

Now at first I am thinking, well the directory is named "anony" that means anonymous so this must be something that is enabled in the settings that we can disable.... Looking at the configuration screen you can see where users can be configured to access the camera. The following screen shows the users I have configured (user, guest)

Users configured with passwords.

Still after setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request. There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer. Lets see who is out there :)

Because the web server requires authentication to access it (normally) we can use this information to fingerprint the camera easily. We can use the realm of 'netcam' to conduct our searches 

HTTP Auth with 'netcam' realm

Hopping on over to Shodan (http://www.shodanhq.com) we can search for 'netcam' and see if there is anyone out there for us to watch

9,500 results

If we check a few we can see this is limited to only those results with the realm of 'netcam' and not 'Netcam'

creepy hole in the wall

front doors to some business

Doing this manually is boring and tedious, wouldn't it be great if we could automagically walk through all 9,500 results and log the 'good' hosts.... http://consolecowboys.org/scripts/camscan.py

This python script requires the shodan api libs http://docs.shodanhq.com/ and an API key. It will crawl the shodan results and check if the device is vulnerable and log it. The only caveat here is that the shodan api.py file needs to be edited to allow for including result page offsets. I have highlighted the required changes below.

    def search(self, query,page=1):
        """Search the SHODAN database.
     
        Arguments:
        query    -- search query; identical syntax to the website
        page     -- page number of results      

        Returns:
        A dictionary with 3 main items: matches, countries and total.
        Visit the website for more detailed information.
     
        """
        return self._request('search', {'q': query,'page':page})

Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy.

Update: We are in no way associated with the @TRENDnetExposed twitter account.

Related articles

1. Hacker Box
2. Hacking Health
3. Pentest Guide
4. Pentestgeek
5. Pentest Practice Sites
6. Hacking Box
7. Hacker Wifi Password
8. Pentest Process
9. Hacker Tools
10. Hacking The System
11. Pentest Cheat Sheet
12. Pentest Keys
13. Rapid7 Pentest
14. Pentest With Kali Linux
15. Hacking Network
16. Hacker
17. Pentest Process