Monday, May 4, 2009

Installing thc-hydra on Ubuntu 8.10 Intrepid Ibex
********************************************************************

I had a hard time making hydra work on my Intrepid, and I wanted to write this post because while googling I found a lot of people facing similar errors, especially making the GUI work on Ubuntu. I have provided the links from where I got clues. This includes making a minor change in the code as well (thanks to the author Mark who provided this info).

For those who are unaware of hydra, thc-hydra is a brute-forcing tool used by penetration testers to check the security of their network. Hydra lets you run a password attack against network services like ftp, telnet, http, smb and many more, but most importantly ssh. It's a wonderful tool to analyse the security of your network.

I will only mention the errors that are faced in general. If you face more errors, then you may have to install additional packages depending on your configuration.

Theory

1. Download the hydra source from here:
http://freeworld.thc.org/thc-hydra/

2. You will need libgtk2.0-dev, if you want hydra GUI. Install it using apt-get

apt-get install libgtk2.0-dev

3. If you want ssh support (I bet you badly want it ;)) then download the library from here: http://0xbadc0de.be/libssh/libssh-0.2.tgz

For more details:
http://0xbadc0de.be

This may save you from the frustrating ssh errors that I saw after installing libssh 0.11 and after the default installation from the repository (apt-get install libssh-dev).

This is when I read in the hydra messages that I need to install libssh0.11 from 0xbadc0de.be.
I faced this error (Error 1) when I tried the installation after installing libssh 0.11. Somewhere I read that it has to do with symbolic links, but the libraries seemed to be in their right place. These errors vanish when you use libssh-dev from apt-get or libssh 0.2 from 0xbadc0de.be. I would recommend the latter.

Error 1:
hydra error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory

I faced Error 2 when I installed libssh-dev from apt-get. Maybe it has something to do with the version. You don't see these errors when you install libssh 0.2 from 0xbadc0de.be.

Error 2:
hydra-ssh2.o: In function `start_ssh2':
hydra-ssh2.c:(.text+0x57): undefined reference to `options_new'
hydra-ssh2.c:(.text+0xaf): undefined reference to `options_set_wanted_method'
hydra-ssh2.c:(.text+0xc1): undefined reference to `options_set_wanted_method'
hydra-ssh2.c:(.text+0xcc): undefined reference to `options_set_port'
hydra-ssh2.c:(.text+0xd7): undefined reference to `options_set_host'
hydra-ssh2.c:(.text+0xe2): undefined reference to `options_set_username'
hydra-ssh2.c:(.text+0x12e): undefined reference to `ssh_error_code'
collect2: ld returned 1 exit status

Once you install libssh 0.2, you also need to download a patch provided by the author to make hydra 5.4 work with libssh 0.2. (This is much simpler and works like a charm :))

Get the patch from here:

http://0xbadc0de.be/libssh/hydra-libssh0.2.patch

4. OK, another problem that you may face (for sure) is that your GUI part (hydra-gtk) won't compile. Something like:

/usr/include/bits/fcntl2.h:51: error: call to "__open_missing_mode" declared with attribute error: open with O_CREAT in second argument needs 3 arguments

Check out this link for details (it needs a minor tweak in the code; it worked for me and the errors vanished):
http://www.hacktoolrepository.com/tool.pl?tid=37

5. This error/solution is displayed during the hydra install, but anyway I am mentioning it: "cannot find -lpq"

Run these commands:
make clean
./configure

Edit the Makefile and remove the "-lpq" and "-DLIBPOSTGRES" statements, changing

XDEFINES= -DLIBOPENSSL -DLIBPOSTGRES -DLIBSSH
XLIBS= -lssl -lpq -lssh -lcrypto

to

XDEFINES= -DLIBOPENSSL -DLIBSSH
XLIBS= -lssl -lssh -lcrypto

then,
make
make install

Installation Summary.

1. Download and extract the thc-hydra source:

wget http://freeworld.thc.org/releases/hydra-5.4-src.tar.gz

tar -xvzf hydra-5.4-src.tar.gz

2. Download libssh0.2 and the patch:

wget http://0xbadc0de.be/libssh/libssh-0.2.tgz

wget http://0xbadc0de.be/libssh/hydra-libssh0.2.patch

3. Install libssh0.2:

tar -xvzf libssh-0.2.tgz
cd libssh-0.2
./configure
make
make install

4. Change directory to hydra source and apply the patch:

cd hydra-5.4-src
patch -p1 < /path/to/hydra-libssh0.2.patch

5. Install hydra (if you don't get the -lpq error or the gtk compile error; otherwise edit the Makefile or the hydra-gtk/src/callbacks.c code respectively, as described above):

./configure
make
make install

Run hydra command line by "hydra" or hydra GUI by "xhydra".

Happy Learning!!!


Wednesday, April 29, 2009

How I broke my wifi (WEP) Encryption
*********************************************************
Hey Guys. Last time I worked on figuring out how packet injection works on Ubuntu Intrepid. However, even after my best efforts I could not increase the data capture through packet injection. Well, packet injection works, but still I am unable to move any further. The fake authentication works until the authentication step, but it fails at the association. Replaying a packet again doesn't work. Didn't try the other techniques. I wasn't pretty sure if I was following it correctly. But this weekend many of my friends came for a gaming night. As they used the same wifi network, an overwhelming amount of traffic was generated. I captured some 700000 packets, and broke the passcode with some 5 secs of aircrack run. At least I am confident now that it works on my box. Only need to learn the packet injection technique. I will narrate the steps:

I did this purposely to learn the basics of wifi security, and that too on my own test network. I purposely chose a weak password for the testing. If you are trying to intrude on a wifi network which does not belong to you, then you could land yourself in serious legal trouble, unless you have written permission from the owner to do so and you are doing it for ethical reasons. This guide or the author are not responsible for the destructive actions you take. Technology is for the betterment and ease of lives. Don't misuse it. This article serves as a guide for learning the commonly used security tools for wifi auditing. Use at your own risk.


Open a shell as root

1. Start airmon-ng to bring your wireless interface into monitor mode.

airmon-ng start wlan0

This will add an interface mon0 which will be in monitor mode. I didn't specify the channel though.

2. Start capturing the packets of your home network

airodump-ng -c 1 --bssid 00:1E:40:xx:B1:xx -w home305 mon0

00:1E:40:xx:B1:xx is the MAC address of my wireless router, and home305 is the name of my network. You can get this info from kismet or even your normal wifi explorer. For other options see the man page of airodump-ng.
Below is the scene when I was capturing packets:



The first red box on the top left is the number of data packets that we captured. The second one on the top right is the rate. Any rate above 100 is excellent; around 50 is OK. It means you are capturing 100 useful packets per second. From this rate you can estimate how long it will take to capture some 1000000 data packets (I think this should be good enough for 128 bit encryption; I am not sure, some say it should be 3000000). Some say you need at least 300000 packets for a 64 bit encryption scheme. Oops, if this sounds a little techie, then in simpler terms: if you set your password as 5 char length then you should capture some 300000 or more packets (depends on the password strength of your network); if you set your password as 13 char length then you should capture some 100000 or more packets (depends on the password strength of your network). Well, this is not a fact, just my own estimate and, as you know, I am no expert at this. My own password was "password12345" and I think it should have required much less than what I was expecting. In fact I had captured some 700000 packets and it worked like a charm for me. I have no experience as to how the password strength will affect the minimum number of packets required. That would be interesting stuff. The third red box contains the table of connected clients. We all were playing games.


3. Optionally you can try injection techniques to increase the rate of packet capture. But as I said earlier, my injections failed miserably. Maybe as of now I am not that good at judging packets. And also injection techniques may or may not work depending on the wireless router. I didn't research this either :( So I am still not sure why it doesn't work for me.

4. When you feel you have captured a sufficient number of packets, you can stop capturing. I captured some 700000 packets. You will find a file (in the same directory from where you ran airodump-ng) containing the captured data, with the name of your network. On this file you need to run aircrack.

aircrack-ng -a 1 -c -n 128 home305-01.cap

I already know that my encryption is 128 bit. So I used the option -n 128 to save time. The following screen capture is the result of the exercise. My password (password12345) was so lame that it got broken within 5 secs of aircrack run.




This article ends here. I know now that breaking WEP encryption isn't that difficult. Unfortunately at many places wifi is used without any encryption. Anyway, the only suggestion from my side is to use strong passwords as of now. I have heard there are other alternatives to WEP available as well, but I haven't had a look at them. Will let you know which one is better in terms of security when my research proceeds. In a way this article is incomplete as I didn't mention what needs to be done to ensure that your wifi is secure. Just wait for some more time. :)

Thursday, January 8, 2009

Making Packet Injection work on Ubuntu 8.10 (Intrepid Ibex) kernel 2.6.27 on Intel 4965 AG/AGN wireless card

Primarily I followed the following link to make packet injection work on my new Intrepid Ibex (Ubuntu 8.10), kernel 2.6.27, with an Intel 4965 card on a ThinkPad T61.
http://tinyshell.be/aircrackng/forum/index.php?PHPSESSID=395694818ce8f33e9810767d30518a2d&action=printpage;topic=3954.0

Before we start, I should suggest you read the complete document and all posts (the tinyshell link), so that as you complete the reading you will have an idea of what to do and what not to. I am not an expert at giving advice in linux, and so I will only mention the steps that worked for me. You may be required to apply your brains at some places, and knowledge about patches etc. and why we apply them. Remember I already screwed my Gutsy Gibbon (Ubuntu 7.10) while upgrading the kernel. So be prepared for any such occurrences.
These things happen while learning. :) That's the real fun.

Previously in my Gutsy, I was having kernel 2.6.22. As I have read so far, packet injection doesn't work properly (http://tinyshell.be/aircrackng/forum/index.php?topic=3954.0) below kernel 2.6.25. I even had to install the driver for the Intel 4965 wireless card. That made my wireless work, but even after applying the relevant patches I couldn't make injection work. When I tried to update my kernel through apt-get it showed me some errors. And finally the newer kernel never booted and my 2.6.22 was rendered almost useless.
I never debugged it, as I was more interested in making injection work somehow.
My next endeavour included downloading Backtrack 3 and installing it on a USB drive. But still the injection through aireplay-ng didn't work. I also downloaded the latest Ubuntu 8.10 Intrepid Ibex, which has kernel 2.6.27.

The good part is that the driver support for Intel 4965 is included in this kernel. What I read from the Intel site is that driver support for this card (Intel iwl4965) is included in kernels higher than 2.6.24. (http://www.intellinuxwireless.org/?p=iwlwifi) So, no doubt my wireless connection is working well with the default config.

But for making packet injection work, I read through the forum and learned that I need to download the latest compat driver to make injection work.
OK, so I downloaded

http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2.6.tar.bz2

from here:

http://linuxwireless.org/en/users/Download

Besides this there is a mention of separate injection patches for iwl4965 and mac80211 but nevertheless I never needed them. :) (Thanks to alex88)

After downloading the compat driver to my root folder, I ran:

tar -jxf compat-wireless-2.6.tar.bz2
cd compat-wireless-2009-01-08/
make
make install

and then reboot!!

After that I set my wireless interface in monitor mode by
airmon-ng start wlan0

The airmon-ng creates another interface mon0 in monitor mode. (Not sure how and why, but there is no need to mess with wlan0 :), something that I realised late :/)
and you can try the packet injection test:

root@r00t3r:/home/hax0r# aireplay-ng -9 mon0
14:41:02 Trying broadcast probe requests...
14:41:02 Injection is working!
14:41:04 Found 0 APs
root@r00t3r:/home/hax0r#

Although it says "Injection is working", this can be misleading, as it showed me the same message when I ran it for the first time after patching in my Ubuntu 7.10 Gutsy.

So again I went through the forum and used the following commands to reload the driver modules (I don't know why they installed compat again; I think once you have installed it correctly, reloading the modules should do the work).
Go to the compat directory (where you extracted compat driver) and issue the following commands:

make
make install
rmmod iwlagn
rmmod iwlcore
rmmod mac80211
rmmod cfg80211
modprobe iwlagn
modprobe mac80211
modprobe cfg80211

When I again tried the injection test it gave me positive results:

root@r00t3r:/home/aditya# aireplay-ng -9 mon0
19:43:21 Trying broadcast probe requests...
19:43:21 Injection is working!
19:43:22 Found 1 AP

19:43:22 Trying directed probe requests...
19:43:22 xx:xx:xx:xx:xx:xx - channel: 1 - 'Gamtal@280'
19:43:24 Ping (min/avg/max): 9.500ms/40.762ms/70.648ms Power: 167.00
19:43:24 28/30: 93%

As of now I only tried to run 'Interactive frame selection technique' the option 2 of aireplay-ng. And it seemed to work normally. Didn't do other tests, as I don't know the theory part of it. Will try them and let you know later. As of now I am more than elated that somehow injection is working on my machine. :)


Summary
**********
1. No injection patches required. (I haven't checked each and every attack, so this may change depending on the attack; earlier we used to install a specific patch for fakeauth.)
2. Download latest compat driver.
3. Install it using 'make' and 'make install'
4. reboot.

Guidelines
************
5. Make sure the 'Network Manager' of Ubuntu is not using your wireless card for wireless connections. Otherwise, while placing the interface in monitor mode, it will give a 'device busy' error. For this, right-click the 'Network Manager' icon on your system tray and uncheck the enable wireless option. If you don't see the icon you can start it using the 'nm-applet' command in the terminal. (As used to happen in Ubuntu 7.10, the icon goes away sometimes :/)

6. Make sure your card is switched 'ON' if any hardware key exists in your laptop. (yes, this can happen as well :))

Hope this works for you.

BByes for nows. See you laters. :) MUha


Wireless Insecurity


Noobish theory for understanding the aircrack suite tools and their purpose:


1. When you are using a personal wireless connection, it typically consists of a small wireless router. This wireless router emits radio signals which can be detected by a compatible wireless card installed in your laptop/desktop.

2. The normal process is that your laptop (wireless card) connects to the wireless router and thus you can enjoy an internet connection without connecting through a wire (so it's called wireless).

3. Now if your neighbour's laptop can detect those signals as well, he can connect to the router and enjoy the free internet connection as well. His internet usage will be billed to you and so your internet bill will shoot up.
Plus he/she can use your internet connection for illegal activities like sending fake mails from your IP, downloading pr0n, and hacking.

4. For this purpose the wireless router lets you enable a lame security called WEP, and now you can set a 5 char or 13 char long passphrase. This passphrase is required when you connect to your wireless router. So now, in order to use the internet, you or your neighbour must provide the 5/13 char passphrase.

5. This may protect your internet from normal users, but it's still insecure due to the inherent weakness in the WEP encryption scheme. So a determined hacker can still break into your wireless network and find the passphrase, thereby enjoying free internet again.

6. If you did some reading on WEP encryption you may have heard of Initialisation Vectors and the 64 bit/128 bit encryption schemes. Let me tell you, the passphrase in WEP can be of 5 or 13 characters only. Once you have supplied the passphrase, WEP appends 3 more characters to it, making it a 5+3=8 or 13+3=16 character passphrase; this 3 char set is known as the Initialisation Vector, which is generated randomly for each packet. These 8 or 16 character bytes amount to 8*8=64 or 16*8=128 bits and so it's called 64/128 bit encryption.
So the bottomline is:
5 char passphrase means 64 bit WEP encryption and
13 char passphrase means 128 bit WEP encryption.

Needless to say, you must use 128 bit encryption at all times. Although it can still be cracked, it will take a longer time and will involve more skill.

7. Now about the cracking part: the use of weak IVs makes WEP a weak algorithm (as far as I have heard so far :/). So in order to crack the passphrase (key) successfully you need to capture a large number of packets. These captured packets will then be fed to the WEP cracking tool called aircrack-ng,
which, if successful, will tell you the key.
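The arithmetic behind items 6 and 7 above (and behind the packet-count guesses in the WEP post earlier on this page), as an added example that is not part of the original post or of the aircrack-ng suite: the function names are ours, and the IV-reuse estimates assume a card that picks IVs uniformly at random. The defender's takeaway is that the IV is 24 bits whichever key length you pick, so WEP-128 does not raise the number of frames at which IVs start repeating.

```javascript
// WEP prepends a 3-byte (24-bit) IV to every frame; the RC4 key is IV || secret.
const IV_BITS = 24;
const IV_SPACE = 2 ** IV_BITS;      // 16,777,216 possible IVs, for any key size

// Total RC4 key length WEP builds from an ASCII key: 3-byte IV + 5- or 13-byte
// secret, which is where "64 bit" and "128 bit" come from.
function wepKeyBits(asciiKey) {
  if (asciiKey.length !== 5 && asciiKey.length !== 13) {
    throw new Error("WEP ASCII keys are 5 (WEP-64) or 13 (WEP-128) characters");
  }
  return (asciiKey.length + 3) * 8;
}

// Birthday bound: probability that at least one IV repeats within n frames,
// assuming IVs are drawn uniformly at random (assumption, see lead-in).
function ivRepeatProbability(nFrames) {
  return 1 - Math.exp(-(nFrames * (nFrames - 1)) / (2 * IV_SPACE));
}

// Frames captured before an IV repeat is at least p likely (p = 0.5 by default).
function framesUntilIvRepeat(p = 0.5) {
  return Math.ceil(Math.sqrt(-2 * IV_SPACE * Math.log(1 - p)));
}

// Expected number of frames, out of n, whose IV was already used earlier in the
// same capture. Still the random-IV assumption; cards that reset a sequential
// IV counter to zero on every reboot reuse IVs far sooner than this.
function expectedReusedIvs(nFrames) {
  const distinct = IV_SPACE * (1 - Math.exp(-nFrames / IV_SPACE));
  return nFrames - distinct;
}

// What a monitor on the defender's side can actually measure: count frames in a
// capture whose IV repeats an earlier one. Input: IVs as 24-bit integers.
function countIvReuse(ivs) {
  const seen = new Set();
  let reused = 0;
  for (const iv of ivs) {
    if (seen.has(iv)) {
      reused += 1;
    } else {
      seen.add(iv);
    }
  }
  return reused;
}

// Constructed sample: a card whose IV counter restarts at 0 after four frames.
const SAMPLE_IVS = [0, 1, 2, 3, 0, 1, 2, 3, 0, 1];

function demo() {
  return {
    bitsForPassword12345: wepKeyBits("password12345"),   // 128
    framesUntilLikelyRepeat: framesUntilIvRepeat(),     // a few thousand frames
    reusedIn700kFrames: Math.round(expectedReusedIvs(700000)),
    reusedInSample: countIvReuse(SAMPLE_IVS),            // 6
  };
}
```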

8. OK, now about the tools purpose.
>>>airmon-ng
Its for setting your wireless interface in monitor mode.
You can do anything only if you have a wireless interface in monitor mode.



>>>Once you have your wireless interface in monitor mode, you can start airodump-ng to capture packets in a file.

>>>Your packet capturing rate will be very slow (in search of packets with weak IVs), and it may take days to crack. For this purpose we employ a technique called packet injection. We use the tool called aireplay-ng for this purpose.
It will make your wireless card inject wireless packets into the wireless network. Chances are that the wireless router will respond to your injected packets (if they reach the router; your card should be powerful enough) and so the number of captured packets (in airodump-ng) will increase dramatically. Capturing more packets in less time increases your chances of cracking the key quickly. Sometimes it can take only 5 minutes, as I saw in some videos!!! Depending on the type of encryption in use (64/128) the number of packets to be captured may vary.
But let me warn you, packet injection is not that simple, as injection support is not there in most of the wireless drivers. You may be required to patch your driver for injection support first, which can be a tiring procedure if you don't know much about linux. If that is the case you may choose Backtrack 3. (details later ;))

>>>Once you have captured a good number of packets you can use the aircrack-ng tool to find the key. Depending on your luck and the hardware config of your computer you may find the key in some time.

Till now I couldn't find any of the keys as I am still busy patching my new Intrepid. My friend has a MacBook where we enable WEP encryption and try our newly learned techniques. Don't do all this on any network that is not yours; it comes under criminal activities and you can be jailed for that. I haven't studied the alternatives of WEP yet, but I will study them soon. (they exist)

So till then, good-bye. I didn't tell you the story about how I screwed my Gutsy Gibbon while patching the driver for injection. :) That's a hell of a long story.

See ya then.
Good Bye.




Wednesday, January 7, 2009

Intel 4965 wifi driver Ubuntu wireless

Long Break
**************
So here we meet again. :) Almost after 1 year. I had almost forgotten this technoshit during the preparation for CAT. The results will be out this weekend; my DI score was pathetic, so not many expectations :/. And now I think I am back.

Trying my hands at wireless hacking these days. I had an old Ubuntu 7.10 "Gutsy Gibbon", which was screwed a few days back while updating the kernel, as packet injection is not supported with older kernels (2.6.22), esp. in Ubuntu. You know what I feel: if you want to learn wireless hacking, try your hands asap, or else WEP will become obsolete in the coming days and stronger algos won't let you steal the fun. Anyway, I ain't a supporter of hacking, but I like learning new things, esp. ones which give me a technical advantage and a feeling of technical prowess among my peers. OK, lots of shit here. Here is what happened in the last few days:

I have a ThinkPad T61 with an Intel iwl4965 wireless card running Ubuntu 7.10. From the aircrack forums I got the idea that making wireless hacking work on an Intel 4965 card on Ubuntu is still under development. In fact some guys said that it's impossible with a kernel less than 2.6.25. Mine was 2.6.22 :/ so I tried an array of commands as mentioned in the posts. I am sorry I never saved the links, but you will ultimately reach there if you search google for intel 4965 wireless hacking ubuntu. OK, I must tell you that in the process I screwed my Ubuntu 7.10, but still I will mention a few things that I learnt in the process.

How I made my wireless work on Ubuntu 7.10.

You may be facing some problems with enabling wireless on your Ubuntu. First you need to understand what wireless card is there in your laptop. (It's something for idiots like me; I never knew what card exists inside :/)
What I learned from the aircrack site articles (I will try my best to provide the original links at the bottom) is that there are many manufacturers of wireless cards in the market, for e.g. Netgear, Cisco etc.
A wireless card consists of two main parts:

1. The outer radio device
2. and the internal chipset.

Most of the wireless card manufacturers don't disclose what internal chipset they are using. But we need to find it out if we need to install the relevant drivers.

If you don't know what card is there in your laptop, try the command lspci in your terminal. It will give you a list of all PCI devices that are there in your laptop.
Try to find keywords like "wireless" or "Network controller".
For eg. this is the output on my laptop:

root@r00t3r:/# lspci
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c)
00:19.0 Ethernet controller: Intel Corporation 82566MM Gigabit Network Connection (rev 03)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f3)
00:1f.0 ISA bridge: Intel Corporation 82801HBM (ICH8M-E) LPC Interface Controller (rev 03)
00:1f.2 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA IDE Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 140M (rev a1)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
15:00.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev ba)
15:00.1 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 04)
root@r00t3r:/#


As you can see on the 03:00.0 "Network controller" line, that is the wireless chipset my card is using.

Now we can google with this name and try to find, if we can install the driver for this card. This guide helped me with the install:

http://ubuntuforums.org/showpost.php?p=2514602&postcount=8

http://ubuntuforums.org/showthread.php?t=471794

I installed ndiswrapper through apt-get.

root@r00t3r:/# apt-get install ndiswrapper-common

After that I downloaded the relevant Windows driver from the Intel site.
I don't really know how the Windows driver worked for linux using ndiswrapper.
Never researched it either.

http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2753&lang=eng

I downloaded the driver and issued the ndiswrapper commands as mentioned in the link, and after a reboot it started working. (As far as I remember)

So I felt good when I made my wifi work. But my aim was to make it work for wireless hacking.


Brief Info of Wireless Tools.


1. In order to see wireless networks, you need to have a tool like NetStumbler/Kismet/Airsnort

Netstumbler is for Windows, Airsnort is obsolete, and I liked Kismet very much.

#apt-get install kismet

you may be required to edit the kismet.conf file (generally in /etc/kismet) by changing the sources parameter. This may depend on your chipset.

Mine worked by changing it to:

source=wlanng,wlan0,kismet

and yes, run it with root privilege, or else change this line with your sudoer, and uncomment it:

#suiduser=your_user_here

Now, kismet is a wonderful tool, so please have a look at the detailed tutorials available on google.

2. The other tool list is for sniffing wireless packets and cracking them. Whatever I am writing assumes that you already understand how wifi works and why it is insecure. If you don't, then google for the basics of wifi, and in particular the weaknesses in WEP (Initialisation Vectors: what, why etc.). Otherwise you won't understand what the tools do.
Install the aircrack suite:

#apt-get install aircrack-ng

After installing this suite, you will find the following tools (list not complete):
airodump-ng : for capturing data packets
airmon-ng : for setting your wireless interface in monitor mode
aircrack-ng : for cracking the captured data and finding the keys
aireplay-ng : for injecting packets

Please note that I am a noob as well, I might be missing some important tool or the explanation may not be that good, but this is the idea that I got after 1 week of play. :)


Friday, January 25, 2008

Yet another XSS, yet another w0rm!

December 18-19 2007 was like a nightmare for orkut. Some bad code was executing behind the browsers of orkut users. This is about the worm outbreak which affected more than 600000 orkut users within a night. Although the worm was relatively harmless, it demonstrated again how disastrous a simple flaw can become if it concerns persistent XSS. These days you may get a lot of search results if you search for "orkut scrapbook xss", but at that time the news wasn't that widespread. It was received as a hot cake by many who were in search of a good XSS to be discovered. And the only source of information was a few hacking communities on orkut and of course the infected scrapbooks.

Well, the first time I heard of that embedded flash XSS I was a bit perplexed. I knew a few things about XSS and I didn't even know how to embed a flash object in someone's scrapbook. When orkut introduced the concept of embedding flash objects in scrapbooks, I never had a look at it, maybe because I never knew about the possibilities of XSS involved while embedding flash objects, or simply because I wasn't interested in making flashy colorful scraps for orkut friends. But the vulnerability wasn't a very incredible one. If you search about flash XSS in general, you will find many good articles discussing the common errors that can happen, and one of these articles dates back to 2003. So the concept isn't very new. The orkut embedded flash XSS vulnerability seems just to be another case.
Even other social networking websites like Myspace were hit by a flash worm in 2006. But the functionality of the Myspace worm was far different from this worm.

The worm didn't do any harm to anyone, and even if you don't know much about the technical workings of traditional viruses and worms, you can still get an idea of how web-based worms work.
Here is the modus-operandi of the orkut worm...

1. It will appear in a scrapbook as a scrap.

2. Normally orkut does not allow any executable code (javascript in most cases) to be scrapped into a scrapbook. But because of the flaw in the handling of flash objects by the orkut filter, this worm code gets into your scrapbook.

3. Now whoever opens that scrapbook will have that javascript code executed. The code instructs the browser (Internet Explorer or Mozilla or any other) to (1) send the same infected scrap to all the friends in the friend list and (2) join a community "Infectados pelo Vírus do Orkut", just for the sake of counting the infected profiles.

Still, the simple vulnerability could have been exploited in a more dangerous way by simply redirecting users to a fake orkut login page, although this version was a harmless one. And thanks to orkut for making their cookies safe (httpOnly), otherwise it could have had a devastating effect. As I discussed in my previous article, orkut tightened the security of its cookies by making them inaccessible to javascript.


As for the technical details, the injection of code in this case reminds me of SQL injection. When you are embedding a flash object in the scrapbook, it is required that you paste the exact html code for embedding a flash object. Orkut handles the code in its own way and makes it appear in the scrapbook. Though I am not great at embedding flash files in html, I know where the problem occurred. Suppose you are embedding a scrap with a flash file xss.swf on example.com. Then you will have to paste the following code in the scrapbook:

<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent" width="10"
height="10">
</embed>

After submitting the scrap, you can view the source of the scrapbook and you will find the orkut-generated code:

<script type="text/javascript"> var flashWriter = new _SWFObject('http://example.com/xss.swf', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>

Here it implements its own object called _SWFObject for handling flash files, and picks up the parameters as the user provided them. The problem occurred because orkut never sanitized, or maybe incorrectly sanitized, the input parameters that the user was providing. It did not validate the wmode parameter correctly. As a result it became possible to inject any javascript code if it was appended correctly to the "transparent" value.
For example we could replace "transparent" by "transparent');alert('xss", so that our scrap to be posted looks like this:

<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent'); alert('xss" width="10"
height="10"></embed>


and after posting, the scrapbook source would look like this:

<script type="text/javascript"> var flashWriter = new _SWFObject('http://example.com/xss.swf', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent');alert('xss'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>



See how beautiful the alert box looks when successfully embedded in the Orkut page code. :D
This is just an explanation of how the problem occurred and how it was exploited. If you try it now, Orkut will filter it out: the fix was made pretty quickly, I think it took no more than two days. As I already told you, Orkut is getting smarter day by day.
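As an added example (my own reconstruction in JavaScript, not Orkut's code and not part of the original post), here is the bug pattern and its fix side by side: a generator that pastes the user-supplied wmode value straight into a JavaScript string literal, next to a hardened generator that allowlists wmode, checks the SWF URL and serializes every value as an escaped literal. A small harness executes the generated script against stub _SWFObject and alert objects so you can see whether the payload breaks out of the string. The generator shape, the WMODE_ALLOWED list, the id format and the stub names are assumptions.

```javascript
'use strict';

// Added example (not Orkut's code): reconstruction of the scrap-to-script
// rewriting described above, in a vulnerable and a hardened form.

// Vulnerable: the wmode value (and the URL) are pasted into single-quoted JS
// string literals. A single quote in the value ends the literal and the
// _addParam() call, so whatever follows runs as code in the page.
function buildScrapScriptVulnerable(swfUrl, wmode, id) {
  return (
    `var flashWriter = new _SWFObject('${swfUrl}', '${id}', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '${id}');` +
    `flashWriter._addParam('wmode', '${wmode}');` +
    `flashWriter._addParam('allowNetworking', 'internal');` +
    `flashWriter._addParam('allowScriptAccess', 'never');` +
    `flashWriter._setAttribute('style', '');` +
    `flashWriter._write('flashDiv${id}');`
  );
}

// Serialize a value as a JS string literal that is safe inside a <script>
// block: JSON.stringify escapes quotes, backslashes and control characters,
// and '<' is escaped so a value containing "</script>" cannot close the tag.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, '\\u003c');
}

// Hardened: validate each parameter against what the feature actually needs
// (wmode has three legal values; the SWF must be an http(s) URL; the id is
// numeric) and serialize everything through jsStringLiteral().
const WMODE_ALLOWED = new Set(['window', 'opaque', 'transparent']); // assumption: the documented Flash values

function buildScrapScriptHardened(swfUrl, wmode, id) {
  const url = new URL(swfUrl); // throws on unparsable input
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    throw new Error(`rejected scheme ${url.protocol}`);
  }
  if (!WMODE_ALLOWED.has(wmode)) throw new Error(`rejected wmode ${JSON.stringify(wmode)}`);
  if (!/^\d{1,12}$/.test(id)) throw new Error('rejected id');
  const u = jsStringLiteral(url.href);
  const i = jsStringLiteral(id);
  return (
    `var flashWriter = new _SWFObject(${u}, ${i}, '10', '10', '9', '#FFFFFF', 'autohigh', '', '', ${i});` +
    `flashWriter._addParam('wmode', ${jsStringLiteral(wmode)});` +
    `flashWriter._addParam('allowNetworking', 'internal');` +
    `flashWriter._addParam('allowScriptAccess', 'never');` +
    `flashWriter._setAttribute('style', '');` +
    `flashWriter._write(${jsStringLiteral('flashDiv' + id)});`
  );
}

// Harness: run a generated script against stub _SWFObject / alert objects and
// report what it did. alert() being reached means script injection succeeded.
function runGenerated(script) {
  const result = { alerts: 0, params: {}, url: null };
  class StubSWFObject {
    constructor(url) { result.url = url; }
    _addParam(name, value) { result.params[name] = value; }
    _setAttribute() {}
    _write() {}
  }
  new Function('_SWFObject', 'alert', script)(StubSWFObject, () => { result.alerts += 1; });
  return result;
}

// The payload from the post: closes the literal, injects alert(), reopens a literal.
const PAYLOAD = "transparent'); alert('xss";

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable:', runGenerated(buildScrapScriptVulnerable('http://example.com/xss.swf', PAYLOAD, '704557008')));
  try {
    buildScrapScriptHardened('http://example.com/xss.swf', PAYLOAD, '704557008');
  } catch (e) {
    console.log('hardened:', e.message);
  }
}
```

Escaping alone (jsStringLiteral) is enough to keep the payload inert inside the literal, but the allowlist is the better first line of defence: wmode only ever has three legal values, so there is no reason to let arbitrary text reach the generated script at all.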
If you are wondering how we can protect ourselves from such web-based worms, or how we can ensure that harmful scripts don't run in our browser, the answer is that there is no foolproof solution. One thing that I didn't mention until now is perhaps the most important thing I wanted to focus on. Despite the widespread effect of the worm, with so many of my Orkut friends getting infected and unknowingly joining the community "Infectados pelo Vírus do Orkut", I didn't get a single infection. Though I searched like hell on Orkut and unknowingly visited infected scrapbooks, I was still not infected. My browser doesn't allow any kind of hidden code to run on my machine without my permission.
Yes, the lesson of the story is that I used a Firefox extension called NoScript. Almost every website today uses JavaScript to provide greater functionality to its users. But things don't end there: a lot can happen in a small piece of JavaScript :D, as the MySpace and Orkut worms showed. NoScript is a small utility that blocks any script from running without your permission. You choose the websites you trust and allow scripts only on those that provide added functionality. It helps greatly while browsing unknown sites listed by Google, and believe me, you will feel a lot more secure once you understand how it works and the safety it offers. It also carries a filter against the most common (reflected) XSS attacks, which matter precisely because they arrive through a site you have already trusted and whitelisted.

If you are interested in the exact JavaScript code that the virus used, read the article from Symantec. I must say, the JavaScript is heavily obfuscated; you will have to scratch your head to understand it. I have also given the link to the NoScript Firefox add-on. So install the latest version of NoScript and make your Firefox a lot safer. Happy Browsing! :)

Special Thanks to Mr. Nobody.


https://addons.mozilla.org/en-US/firefox/addon/722

http://www.symantec.com/enterprise/security_response/weblog/2007/12/the_orkut_worm_has_landed.html

Monday, November 26, 2007

Technical explanation for failure of Orkut cookie exploits
Why I am writing this...
Hi all. For the past few days and weeks I have been studying Orkut cookie exploits and the familiar JavaScripts which, when pasted in the browser, steal the cookie. I believe Orkut is safe as of now, unless someone comes up with a new technique to bypass the new security feature. I believe these tricks used to work until August 2007; even somewhere around May 2007 I found my cookie being transferred to an anonymous account on Orkut.
That sob deleted my 15 scraps. Perhaps I used some flooding script without understanding its content; I didn't know much about cookies at that time. Anyway, these tricks don't work now, because even if you type alert(document.cookie) in your browser URL bar, you get some cookie values but not the admired one called orkut_state. I studied a few interesting things and thought of sharing some useful info. The basic intent is to make normal users understand the dangers of cookie stealing, how to avoid it, and what Orkut is doing to prevent cookie theft.

Yummy!!! I luv your cookie..........

This is an introductory tutorial for those who don't know about cookie stealing and the science behind it, and also for those who would like to know how it used to work and why it doesn't work now. If you don't know what a cookie is, read the next few lines. Whenever you log in to Orkut with your account and password, Orkut gives you a cookie which stores an identifier for your session. For all further requests you make to Orkut you don't need to send the username/password every time; you just send the cookie that Orkut gave you at the beginning. This is how Orkut keeps track of its logged-in users. When you log out, Orkut destroys this cookie so that no one can access your account unless he/she provides your username/password and gets a new cookie valid for a new session. Now imagine that some bad person like me somehow gets hold of your cookie. I can send your cookie to Orkut, and Orkut will think it is you who requested the page and not the bad person. The result is simple to understand: even if I don't know your username/password, I can still get into your account and do whatever I want, provided that I have your cookie. The cookie is the session; whoever holds it is, as far as the server can tell, you.

A typical scenario which used to occur some time back on Orkut: someone sends you a piece of JavaScript and tells you to paste it into your browser's URL bar and run it to see "cool effects". Never run such a thing unless you understand JavaScript and know exactly what it is going to do. It may contain hidden malicious code which transfers your cookies to the attacker. This applies not only to Orkut but to any other site. A more dangerous exploit was in circulation in late 2006, based on an XSS bug in Orkut, whose sole intent was to steal cookies and transfer the ownership of communities. As a result some big communities were hijacked, and people kept asking how to get their communities back.

How to see a cookie.............

You can see the cookies of any site by opening that site and typing javascript:alert(document.cookie) in the browser's URL bar. Sites set additional cookies when you log in with a user ID and password, to track that you are an authenticated user. Keep in mind that document.cookie only shows cookies that are accessible to script; cookies flagged HttpOnly (explained below) are left out. You can also see all the cookies stored by Internet Explorer in "C:\Documents and Settings\Administrator\Cookies" and by Firefox in "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default\cookies.txt".

Muhahahaha....So how can I hack her account....

I know most of the evil minds must be jumping right now, thinking about how to get the cookies of their girlfriend. And girlfriends, dump these guys if you know their malicious intent... lol... So, malicious dude, you cannot do it now, as Orkut has already taken care of your malicious intent. :D Now if you want to see your Orkut cookie, type "javascript:alert(document.cookie)" without the quotes in the URL bar of your browser while an Orkut page is loaded. After you hit enter you will see an alert box showing some values. This is the information stored in your cookies (__utma, __utmb, __utmc, __utmz, TZ; the four __utm* cookies are Google Analytics tracking cookies and carry no session data). But wait, the interesting part is yet to come. What you see is not the complete set of cookies.
The precious orkut_state cookie is missing.


Orkut_state ...Hmmm

Out of the six cookies stored on your computer by Orkut (__utma, __utmb, __utmc, __utmz, TZ, orkut_state), orkut_state is the one that identifies the logged-in user. orkut_state is the cookie that is destroyed in your browser when you log out from Orkut. Unfortunately the session it refers to remains valid on the Orkut server for around 14 days, so if someone obtained your orkut_state value, using malicious JavaScript or otherwise, he/she could get into your account on Orkut. Earlier, an attacker who captured a victim's orkut_state would store it in his own browser (typically Mozilla) using a cookie editor and save it. After that the attacker would go to www.orkut.com/Home.aspx and voilà! He is in the victim's home page.


HttpOnly....TechnoShit!!!!

Orkut seems to be getting intelligent in handling cookies. With the new security feature, even if you manage to run JavaScript in the victim's browser you don't get the orkut_state value. How did this happen? This is Orkut's new cookie protection for saving its innocent users from prying eyes. It is not that Orkut has stopped using orkut_state: if you use Firefox you can install an add-on called Cookie Editor, which shows all the cookies that Orkut has stored on your computer. If you are logged in to Orkut you can see six cookie values in the Cookie Editor (the sixth and most important being orkut_state). So how did this sixth cookie become invisible to our JavaScript? The answer came from looking at the headers exchanged between my browser and orkut.com while logging in.
For this you need another useful Firefox add-on called "Live HTTP Headers". While logging in and capturing the headers, I got two useful headers where the Orkut cookies can be seen. After successful Google authentication you are redirected to Orkut, where Orkut sets its own cookies.

==========================================================================
GET /RedirLogin.aspx?msg=0&auth=DQAAAHUAAADgfXp8G6ymWC35cNERFjIJD0ITpC9mLiofGy1ur0I6jkeSdIgZQR9hth2wHVecjHstHm5wUfl_g4-Gji-6MmglgCnf3fp_e1pc3GiWS4G0x1tFh5O8NGnpAdzWHzCJDiIEHfOCCqMDlXdT8XxIOezFc2UYQkaY-70L-l2Iqb_-ng HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 (CK-IBM) Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: __utmb=85909575.0; __utma=85909575.458437098.1194587408.1194587408.1194587408.1; __utmz=85909575.1194587408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=85909575.0; TZ=-330
========================================================================


In the request above there is, surprisingly, no orkut_state cookie, and it became very clear why after looking at the response:


========================================================================
HTTP/1.x 302 Moved Temporarily
Cache-Control: no-cache, must-revalidate, no-cache="Set-Cookie", private
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Set-Cookie: orkut_state=ORKUTPREF=ID=XXXXXXXXXXXXXXXXXXX:INF=0:SET=111236588:LNG=1:CNT=16:RM=0:USR=Z2VudHVpX3NvcGthQXXXXGlmZm1haWwuY29t:PHS=:TS=1145665351:LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAHQAAABaeE29AFA9Q2Y4xxxxxLk9vbqGlpxF3DzzLJgCNWJGyEe_mMzOxxxxx6TK7NpktZYx6KgCsjT6Mbdoz7l-si5z23qknQOqKRQRNLyf5gpnPixUVrsuJlikrr2o2Gzo-XF-_atZXl9xJRpZRr_FDHZ_i8qow_HgPzhZ4vo4rfg:PE=Z2VudHVpX3NvcGthQHJlZGlmZm1haWwuY29t:GTI=0:GID=:VER=2:AST=1:SID=0:S=F2oSxzVWAx5wji0y75HyNYSFtq0=:; Domain=www.orkut.com; Path=/; HttpOnly
Set-Cookie: orkut_state=; Domain=.orkut.com; Expires=Thu, 08-Nov-07 06:42:31 GMT; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
Location: http://www.orkut.com/Home.aspx?
Content-Encoding: gzip
Content-Length: 179
Server: GFE/1.3
Date: Fri, 09 Nov 2007 06:42:31 GMT
=====================================================================


The five other Orkut cookies are sent normally, but orkut_state is set in a separate Set-Cookie header with an additional attribute, HttpOnly, at the end. (The second Set-Cookie line clears any old orkut_state cookie on the parent domain .orkut.com by giving it an expiry date in the past.) This attribute is interesting because it wasn't there in earlier cookie values. A little googling will tell you that the HttpOnly attribute instructs the browser to refuse JavaScript access to the cookie's content: the cookie is still sent with every HTTP request to the site, but document.cookie does not include it. The feature was introduced by Microsoft a few years back in Internet Explorer 6 SP1 as a mitigation for cross-site scripting attacks. Note what it does and does not protect against: a script injected through XSS can no longer read and exfiltrate the session cookie, but it can still make requests to Orkut from the victim's browser, and the browser attaches the cookie to those requests, so XSS can still act as the user even if it cannot steal the session.
There are also a few techniques for bypassing HttpOnly, such as retrieving the request headers with the TRACE method (see the cross-site tracing whitepaper by Jeremiah Grossman, http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf). TRACE is an HTTP method generally used for debugging: if a client sends a TRACE request to a web server that supports it, the server echoes back the request it received, headers included, in the response body. In a typical XST scenario the attacker sends the user of a vulnerable site (one that supports TRACE and relies on HttpOnly to protect its cookies) a link which, when clicked, makes the browser send a TRACE request to the web server; the echoed response, Cookie header and all, can then be read by the attacker's script. Fortunately this is not possible in the case of Orkut as of now, for two good reasons.
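To make the HttpOnly effect concrete, here is an added JavaScript example (mine, not from the post): a small Set-Cookie parser, a function that reproduces what document.cookie would show for a set of stored cookies, and an audit that flags a session cookie missing HttpOnly or Secure. The first two sample headers are taken from the captured response above with the long values shortened; the TZ and __utma lines are constructed to stand in for the five "normal" cookies, since the post does not show how they were set.

```javascript
'use strict';

// Added example (not from the post): parse Set-Cookie headers, show which
// cookies a page script would see through document.cookie, and audit the
// session cookie for HttpOnly/Secure.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq < 0 ? parts[0] : parts[0].slice(0, eq),
    // the value may itself contain '=' (ORKUTPREF=ID=...), so split on the first one only
    value: eq < 0 ? '' : parts[0].slice(eq + 1),
    domain: null, path: null, expires: null, httpOnly: false, secure: false,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? '' : attr.slice(i + 1).trim();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = val;
    else if (key === 'path') cookie.path = val;
    else if (key === 'expires') cookie.expires = val;
  }
  return cookie;
}

// An empty value (usually paired with an Expires date in the past) is how a
// server deletes a cookie; the second orkut_state header above does exactly
// that on .orkut.com.
function isDeletion(cookie) {
  return cookie.value === '';
}

// What document.cookie would expose: every stored cookie that is not HttpOnly.
function documentCookieView(cookies) {
  return cookies
    .filter((c) => !isDeletion(c) && !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit the cookies that carry the session: they must be HttpOnly, and on a
// site served over HTTPS they should also be Secure.
function auditSessionCookies(headers, sessionNames) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!sessionNames.has(c.name) || isDeletion(c)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly, readable via document.cookie`);
    if (!c.secure) findings.push(`${c.name}: missing Secure, also sent over plain HTTP`);
  }
  return findings;
}

// Sample input: first two lines from the captured response (values shortened),
// last two constructed.
const SAMPLE_HEADERS = [
  'orkut_state=ORKUTPREF=ID=XXXXXXXXXXXXXXXXXXX:INF=0:LCL=en-US:S=F2oSxzVWAx5wji0y75HyNYSFtq0=:; Domain=www.orkut.com; Path=/; HttpOnly',
  'orkut_state=; Domain=.orkut.com; Expires=Thu, 08-Nov-07 06:42:31 GMT; Path=/; HttpOnly',
  'TZ=-330; Domain=.orkut.com; Path=/',                                // constructed
  '__utma=85909575.458437098.1194587408; Domain=.orkut.com; Path=/',    // constructed
];

if (typeof require !== 'undefined' && require.main === module) {
  const cookies = SAMPLE_HEADERS.map(parseSetCookie);
  console.log('document.cookie would show:', documentCookieView(cookies));
  console.log('audit:', auditSessionCookies(SAMPLE_HEADERS, new Set(['orkut_state'])));
}
```

Run against the sample, the document.cookie view contains only TZ and __utma, which is exactly the author's observation that alert(document.cookie) lists everything except orkut_state. The audit's one finding (no Secure flag) reflects that Orkut was served over plain HTTP at the time; on an HTTPS site that would be a real gap.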

1. Most browsers, including the popular ones Firefox and IE, do not let page scripts send TRACE, for obvious security reasons (though it was possible earlier in IE).
2. Orkut does not honour a TRACE request at all.

The following functions demonstrate this:
For Firefox:

javascript:var xll;function load(url){xll=new XMLHttpRequest();xll.open("TRACE",url,false);xll.send(null);var doc=xll.responseText;alert(doc);}load('http://www.orkut.com/');

For IE:

javascript:var xll;function load(url){xll=new ActiveXObject("Microsoft.XMLHTTP"); xll.open("TRACE",url,false);xll.send(null);var doc=xll.responseText;alert(doc);} load('http://www.orkut.com/');

It is no surprise that nothing will happen when you paste them in the URL bar and test. Make sure an Orkut page is already open in the browser, because no browser allows cross-domain XMLHttpRequest calls, for obvious security reasons. After hitting enter, IE shows "Error on page" at the bottom of the window, and Firefox (if you have FireBug installed) clearly shows an exception marked in red, raised by open() before any request leaves the browser:

"uncaught exception: [Exception... "Component returned failure code: 0x80070057
(NS_ERROR_ILLEGAL_VALUE) [nsIXMLHttpRequest.open]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: javascript: eval(__firebugTemp__); :: anonymous :: line 1" data: no]")

Change TRACE to GET and you will see an alert box showing the page content.
Though this may not work with Orkut, there are still many web servers which allow TRACE requests by default. And if somehow the browser can be tricked into sending a TRACE request, combined with an XSS flaw, it can have a devastating effect on the vulnerable site's users. For now this is a theoretical idea, not an actual threat. If you administer a server, disabling TRACE (answering it with 405 Method Not Allowed) removes the issue regardless of what browsers do.
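To show the XST mechanics end to end, here is an added example in JavaScript (mine, not from the post and not any real server's code): a toy HTTP message handler with TRACE enabled, the same handler with TRACE refused, and the attacker-side step that lifts the Cookie header back out of the echoed request. Everything is raw HTTP/1.1 text in and out, so it runs offline. The TRACE request is constructed, with the cookie value abbreviated; the allowed-method list is an assumption.

```javascript
'use strict';

// Added example (not from the post): what a TRACE-enabled server does with a
// request carrying an HttpOnly cookie, the attacker-side extraction, and the
// fix (refuse TRACE). Toy message handlers, not a real server.

const CRLF = '\r\n';

// Minimal HTTP/1.1 message parser: start line, lower-cased headers, body.
function parseHttpMessage(raw) {
  const sep = raw.indexOf(CRLF + CRLF);
  const head = sep < 0 ? raw : raw.slice(0, sep);
  const body = sep < 0 ? '' : raw.slice(sep + 4);
  const [startLine, ...headerLines] = head.split(CRLF);
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine, headers, body };
}

function response(status, headers, body) {
  return [`HTTP/1.1 ${status}`, ...headers, `Content-Length: ${Buffer.byteLength(body)}`, '', body].join(CRLF);
}

// A server with TRACE enabled (RFC 2616 section 9.8): the request it received,
// headers included, comes back as the body of a 200 response. The browser
// attached the Cookie header itself, so HttpOnly does not keep it off the wire.
function serverTraceEnabled(rawRequest) {
  const { startLine } = parseHttpMessage(rawRequest);
  if (startLine.startsWith('TRACE ')) {
    return response('200 OK', ['Content-Type: message/http'], rawRequest);
  }
  return response('200 OK', ['Content-Type: text/html'], '<html>home</html>');
}

// Hardened: only the methods the application actually uses are accepted;
// TRACE (and anything else) gets 405, and nothing is echoed.
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST']); // assumption

function serverTraceDisabled(rawRequest) {
  const { startLine } = parseHttpMessage(rawRequest);
  const method = startLine.split(' ')[0];
  if (!ALLOWED_METHODS.has(method)) {
    return response('405 Method Not Allowed', [`Allow: ${[...ALLOWED_METHODS].join(', ')}`], '');
  }
  return response('200 OK', ['Content-Type: text/html'], '<html>home</html>');
}

// Attacker side: if the TRACE went through, parse the echoed request out of
// the body and lift the Cookie header from it.
function cookieFromTraceResponse(rawResponse) {
  const res = parseHttpMessage(rawResponse);
  if (!res.startLine.startsWith('HTTP/1.1 200') || res.headers['content-type'] !== 'message/http') {
    return null;
  }
  return parseHttpMessage(res.body).headers.cookie || null;
}

// Constructed request, as a browser would send it once page script (or an
// XSS payload) asked for a TRACE; the orkut_state value is abbreviated.
const TRACE_REQUEST = [
  'TRACE / HTTP/1.1',
  'Host: www.orkut.com',
  'Cookie: TZ=-330; orkut_state=ORKUTPREF=ID=XXXXXXXXXXXXXXXXXXX:INF=0:...',
  '',
  '',
].join(CRLF);

if (typeof require !== 'undefined' && require.main === module) {
  console.log('TRACE enabled  ->', cookieFromTraceResponse(serverTraceEnabled(TRACE_REQUEST)));
  console.log('TRACE disabled ->', cookieFromTraceResponse(serverTraceDisabled(TRACE_REQUEST)));
}
```

The point the two handlers make: the browser's refusal to issue TRACE from script is the only thing between the first server and a full session leak, whereas the second server is safe whatever the client does. Defence belongs on the server, not on the assumption that every client refuses TRACE.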

So as of now your Orkut cookies seem to be safe. There were some ideas to test with the TRACE method but they weren't looking very exciting. You can read the articles below, which I studied, and a list of Firefox add-ons that are very helpful for analysing and debugging. The list is a long one and I have stated only those which I used here.

Date:23 Nov 2007
Aditya Lad.

References:
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00056.html
http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.w3schools.com/ajax/default.asp

Useful Firefox addons:
Cookie editor : https://addons.mozilla.org/en-US/firefox/addon/573
Live HTTP Headers : https://addons.mozilla.org/en-US/firefox/addon/3829
FireBug: https://addons.mozilla.org/en-US/firefox/addon/1843