March 21, 2008

New Blogger resources for pictures

If you're a blogger like me and looking for pictures to brighten up your posts, there are a couple of new resources I've found in the last week that look really promising.

First there is compfight. Its a search tool that will take your keywords and dig through all the tags, file names and relevant information on Flickr and return the results to you. There are several things that are cool about this search compared to others I've seen that mine the Flickr repository.

compfight does a good, fast job at searching. It returns results in the form of a set of thumbnails - which makes selecting the right result to view much easier. This is along the lines of some search tools like Exalead that return thumbnails in a results set. In addition you have the option of searching through images that are under a Creative Commons license, thus reducing your exposure to unwanted usage of images.

The other tool is picapp which lets you search their own repository. You can use any image returned through picapp's search in your blogs freely. They have a lot of high quality stock images and also a number of more popular pictures as well. For example, if you did a search on Aishwarya (Rai), you'd get a number of images that you can plug into your posts without worrying about copyright violation.

March 08, 2008

A command based program launcher

If you have a Start Menu that is full of programs, you're probably just as frustrated as I am when it comes to starting them. You have to click on the button, then scroll up and down trying to find the group folder you want.

This need to hunt programs down from weeds of stuff results in all kinds of program launchers being devised for quick starts. However, if you want to launch something which you use only occasionally and isn't in the launcher (because they are constrained by real-estate), then you are stuck with the old problem.

Recently I started using Enso Launcher from Humanized. This utility in essence indexes the program names in your Start folder and makes them available for recall via typing instead of clicking.

The way you use it is pretty simple: you keep the Caps Lock key pressed down and start typing the name of a program you want to launch. Say I want to launch Adobe Illustrator, I hold the Caps Lock key down and type in Adobe. At this point the Enso Launcher will start suggesting names based on keyword matches with the programs in your Start folder.

You can either type out the full name or type in enough characters to narrow down your choice to a few and then scroll and pick the right one. The only awkward thing about this is that you have to keep the Caps Lock key depressed all the time you are doing this. This can lead to some funny accidents. But the only other option would be to launch the Enso Launcher first (or give it focus - thus requiring it to run somewhere on the desktop).

With a key recall, it can run invisibly and pop up only when called on. The choice of the Caps Lock key is a good one once you get past the idea that you have to keep a key down during its operation. For those of us who know have learned to type via instruction - this works very well although I would think hunt and peckers might have a rougher time with it.

In any case, I'm glad I found the utility and I'm only too happy to use it.

March 02, 2008

A brief glossary from Hacking: The Art of Exploitation

In his introduction to spelunking for system hacks, Hacking: The Art of Exploitation, author Jon Erikson outlines a number of techniques for the readers. While his treatment is thorough and essential reading to understand how the hack works, I've outlined the majority of techniques listed in his book in glossary form.


Buffer Overflows
Inject a piece of code in a program buffer, causing it to overflow and transfer control to the injected code. When the corrupted piece of memory is a variable on the stack, this is called a Stack-based Overflow. Buffers allocated on the heap can also be subjected to the same corruption. So can the BSS segment by overflowing function pointers.

Format String Vulnerability
This particular exploit is related to using a function like printf in an unprescribed way such as printf(text) instead of printf ("%s", text). When text contains a format parameter, printf will add to the frame pointer to reference memory in the preceding stack frame. Thus, %s can be used to read from arbitrary memory addresses and %n can be used to write to the same. Code injection is now possible.

In addition two techniques: Direct Parameter Access using the $d feature of printfs and Short Writes using the %h feature can be used to simplify reading and writing memory addresses with this exploit.

Overwriting .dtors
This technique involves overwriting memory reserved for destructor functions (the .dtors section which is writeable) to spawn a root shell.

Overwriting the Global Offset Table
The GOT contains a jump entry for the exit() function. Overwriting this function in memory can be used to spawn a shell.


Network Sniffing

A network device can be set in promiscious mode to sniff packets sent to other computers on an unswitched network. Useful information (say a username and password from someone logging on) can be obtained in this way.

Raw Socket Sniffing
A programmatic technique to sniff packets at layers below 5 (session) in the OSI model. Somewhat unreliable in terms of capturing packets and requires logging in as root, but useful if session layer sniffing is not possible.

libpcap Sniffing
Using the cross-platform libpcap make life easier when sniffing raw sockets.

Active Sniffing
This technique - used on switched networks where packets are only sent to specific MAC addresses - involves inserting a proxy system between two MAC addresses and intercepting packets that go between them. The proxy system sends spoofed ARP replies to each MAC address (ARP cache poisoning).

Denial of Service
This form exploits put the system under attack in a state where it is unable to respond to requests from legitimate users. This can be done in two ways: by crashing a service via program exploits or by flooding a service with so many requests that it runs out of resource to handle them all.

Denial of Service - SYN Flooding
This technique exhausts the "reliable" connection states maintained by TCP/IP by flooding the system with SYN packets from a spoofed nonexistent source address.

Denial of Service - The Ping of Death
An ICMP echo message is sent with a payload that exceeds the permitted 65k of data. Although this is an old vulnerability that has been fixed it tends to show up in newer protocol implementations such as Bluetooth.

Denial of Service - Teardrop
This attack sends fragmented IP packets with no overlap, which is expected by all systems. However some systems do not check for this error condition and can crash.

Denial of Service - Ping Flooding
A deluge of pings is sent to a system, thus making it too busy to respond to any other requests.

Denial of Service - Amplification Attacks
Ping Flooding can take a lot of resources to maintain. Instead using spoofing and broadcast addressing a single stream of packets can be sent to a number of hosts with a spoofed address of the system under attack.

Denial of Service - Distributed DoS Flooding
A basic ping flood but launched from a large number of compromised systems in order to increase the deluge to the system under attack.

TCP/IP Hijacking
Carried out from the same network as the system under attack, the TCP packet sequence number from the header is spoofed (after discovery via sniffing by the attacker) and sent to gain trust with the system under attack.

TCP/IP Hijacking - RST Hijacking
This form of hijacking involves injecting a Reset packet in the header.

TCP/IP Hijacking - Continued Hijacking
The attacker sends a spoofed data packet to the host with a bogus sequence number. This causes the entire sequence incrementing and acknowledgment to get out of sync, causing a hung connection at the system under attack.

Port Scanning
This technique involves figuring out which ports are open, listening and accepting connections on the system under attack. This is usually a non-destructive way of getting information about where system vulnerabilities can be exploited by determining which network services are available on the system under attack.

Port Scanning - Stealth SYN (or Half Open) Scans
A SYN packet is sent by the attacker and the response (a SYN/ACK packet) from the system under attack is examined for validity. When validated it indicates a port that is open for business. A RST packet is sent to the port for a graceful shutdown of the sequence - thus leaving the system under attack none the wiser.

Port Scanning - FIN, X-mas and Null Scans
Three ways to find out if a port is open for business. A nonsensical packet is sent to every port on the system under attack. If the port is listening, the packet will be ignored and lost. If the port is not listening, the attacker will get back a RST packet.

Port Scanning - Spoofing Decoys
This is a actually a countermeasure to avoid detection. The attacker simply hides attempts at port detection between connections from decoy IP addresses, thus making it harder to pin point the attacking IP.

Port Scanning - Idle Scanning
This involved port scanning technique is also a countermeasure that makes the attacker's IP undetectable. In this technique the attacker uses an idle host machine to perform proxy port scanning on the system under attack.

Port Scanning - Proactive Defense (shroud)
The author presents a number of defensive techniques to prevent accurate port scanning by an attacker.


Shell-Spawning Shellcode
Various techniques to transfer execution to shellcode in a program that spawns a shell.

Port-Binding Shellcode
Once spawned, the shell needs to bind itself to a port and listen for incoming connections.

Connect-back Shellcode
Port-binding shellcode is easily foiled by firewalls. In that case, shellcode that initiates the outbound connection (not filtered by firewalls) and spawns a shell can succeed.


In order to avoid detection after an exploit, a number of different things need to be considered. For example, your IP address can be logged in a file and traces of this must be erased or obfuscated. In addition, the loss of service itself might alert the system administrator of an intrusion - in which case the author shows an example of how to perform an exploit and keep the service running so no one is wiser.


Man-in-the-middle Attacks
The attacker sits between two systems both of whom believe they are communicating with the other. The attacker maintains two separate encrypted communication channels with two encyrption keys with each system under attack. This form an attack starts by redirecting traffic with a known technique like ARP cache poisoning.

Password Cracking
User passwords are hashed one-way, it is mathematically impossible to reverse the hash. When a user enters their passwords, the value is hashed again and compared to the pre-hashed stored value for authentication.

Password Cracking: Dictionary Attacks
In this technique, every word in the dictionary (potentially) is run through a one-way hash and compared with the user's password. User passwords are stored somewhere and must be available to the user in encrypted form first. If a match is found, the word hashed from the dictionary is the user's password. Custom dictionaries can be made using different languages, standard word modifications and appending numbers to words.

Password Cracking: Exhaustive Brute-Force Attacks
This is an academic technique in which every possible combination of words in a dictionary are used to compare with a hashed password in order to find a match. The sheer number of possible permutations makes this technique an unrealistic one in terms of yielding a result in a reasonable amount of time.

Password Cracking: Hash Lookup Table
A variation of the exhaustive brute force attack but all the hash values for words in a dictionary are precomputed and stored in a lookup table. This technique requires gobs of storage and only works for one salt value.

Password Cracking: Password Probability Matrix
In an effort to balance storage space required beforehand and computational power required at the time of the hack, a lossy form of compression can be used to create an inexact hash table. In this technique, each password hash will map to several thousand precomputed values which are then converged in real-time.

Wired Equivalent Privacy (WEP) Attacks

WEP Attacks: Offline Brute-Force Attacks
First a few packets are captured over wireless and then an attempt is made to decrypt them using every possible key. A practical cracking method has been devised that reduces a 40-bit keyspace down to 21 bits.

WEP Attacks: Keystream Reuse
A keystream is an encrypted seed that is used to produce encrypted packets. It consists of a WEP key and an Initialization Vector (IV). The encrypted packet is produced by XORing the plain text message with the keystream. If two packets have been encrypted with the same keystream, then XORing these two packets will yield the two plaintexts XORed with each other. If one plaintext is known, the other can be recovered.

WEP Attacks: IV-based Decryption Dictionary Tables
Once the keystream is known (using the technique above) it can be used to decrypt other packets with the same IV (IVs are 24bit). A table of keystreams can be saved for each IV and all subsequent packets can be easily decrypted.

WEP Attacks: IP Redirection
In this technique, an attacker will receive an encrypted packet from the access point and send it right back after modifying it to ensure the checksum remains the same. The attacker must know the destination IP address (which can be determined via keystream reuse due to IV collisions). The access point will decrypt this packet and send it back to the attacker's IP.

WEP Attacks: Fluhrer, Mantin, and Shamir (FMS) Attack
This commony used attack against WEP takes advantage of weak IV values that leak information about the secret key in the first byte of the keystream. Erikson's book contains a detailed explanation of how this attack works.

March 01, 2008

Book Review: Hacking: The Art of Exploitation

In the preface to his book Hacking: The Art of Exploitation, author Jon Erikson does a crisp job laying out the counter argument to letting the art of hacking flourish unfettered by artificial legalities. "There's nothing good or bad about knowledge itself; morality lies in the application of knowledge". Being unfamiliar with actual hacking techniques (beyond what I chuckled at in Die Hard 4), this happened to be a really good way to begin the book.

Its important to understand what this book tries to cover. Erikson covers specific hacking techniques. He stays close to Linux and C to illustrate the techniques and he exploits a lot of open source software. The goal is to familiarize the reader with the different modes of exploitations.

Later in the book (Chapter 6), he explains: "The state of computer security is a constantly changing landscape...if you understand the concepts of the core hacking techniques explained in this book, you can apply them in new and inventive ways to solve the problem du jour. Like LEGO bricks, these techniques can be used in millions nof different combinations and configurations. As with art, the more you practice these techniques, the better you'll understand them." Clearly, Erickson is passionate about the subject matter he covers in his book.

Any ability to exploit vulnerabilities requires a thorough understanding of the underlying subject. Here Erikson's book offers a number of quick primers on topics such as C programming and network protocols. These introductions are valuable because they introduce the subject and give you deep dives into specifics. They give you some sense of how hacking can lead to a greater understanding of the system under exploit. For example in Chapter 4, Erikson goes from introducing us to the OSI model to socket programming in four pages. But because of a very engaging writing style, it doesn't feel like a hurried course.

After the introduction in which he covers C programming language basics, Erikson introduces us to exploitation via a buffer overflow example. He covers network hacking techniques such as denial of service, TCP/IP hijacking and port scanning. He delves into the more involved topic of spawning shell code to gain control of a system. And in a very entertaining Chapter 6, he shows you how to bypass security measures that detect and track hackers. In the final chapter, he covers hacking techniques for cryptography.

Given its structure, Hacking is part introduction, part handbook. If there is one recommendation I would make, it would be to embellish the source code with figures. The issue here is that you have to read through reams of code to understand how the hack works. Which is as it should be, but when you are reading about a particular hack, it breaks the flow of thought considerably.

Instead if the code could have been explained with a flowchart or pseudocode and the hack shown with a diagram, the reader would get a quick understanding of how the hack worked and would be better positioned to work through the code. In addition, the book could address a wider audience - especially those that are interested in learning more about hacking without necessarily being hackers themselves.