Category Archives: web security

John Heasman just posted a rocking method of obtaining NTLM hashes out of an enterprise by turning a Java applet into a web server! Check it out!

This year I’ll be presenting at DefCon on the history of NTLM attacks, how they work and why we need to get rid of it. I’ll release a tool that will combine as many hacks as I can get working to use captured users and their authentication tokens. There’s been a lot of talk in the past few years about browser security and it’s mostly hinged around using Javascript as a port scanner, sending attacks through the browser, attacking the platforms, etc. Few have been talking about an Enterprise-class risk and since that’s what I get paid to think about I’m gonna blow it open. 🙂 Come to DefCon and have a great time!

SyScan was great, a little small but helpful to bring the confidence up speaking to people who have no clue who I am! I learned quite a bit about my speaking style which helped firm up ideas about the DefCon presentation. I presented a combination of Web Security Mistakes including how to get a free MacWorld pass and spoke more about the future of PokeHashBall.

We stayed a few extra days to soak up the culture and soak the sweat into our clothes some more since this was our first trip to Hong Kong. The MongKok Computer Center was interesting but didn’t seem to really have the deals I was expecting. I didn’t get to any of the other computer centers however. Maybe next trip!

We went through Narita airport on the way back so I stopped at Duty Free and bought a bottle of Suntory Whiskey, the kind Bill Murray is hawking in the movie “Lost In Translation”. For relaxing times, make it Suntory time. . .


I’ve been given the opportunity to talk about Web Security at this year’s SyScan conference in Hong Kong. This is my first trip to Asia so I’m really really excited about it! I haven’t traveled much outside of North America — the trip to Chaos Camp was my first oceanic flight. The Pacific Ocean is so huge that our flight from SFO will total 17 hours! It was only 9 hours to Dusseldorf!

This talk will expand on my OWASP talk on trusting the client and the MacWorld Pass hack. I’ll also give a brief bit on NTLM Single Signon (NTLMSSP) attacks. Looking forward and will update at the con!

Last night I presented at the local OWASP chapter titled “Your Client-Side Security Sucks: STOP USING IT (as your only method of security)” and the turn-out was great. I met some really awesome people and the subject matter, while not cutting-edge research, appeared to hit home.

We, as Web Application people, are still making some simple mistakes. This presentation highlighted three REAL WORLD examples of client-side security done incorrectly.

The PDF slides are available here and soon I’ll have a QuickTime video with a voiceover. I LOOOOOVE Keynote now! It has such useless transformations that you must pull back or else the content will be lost. How awesome is that? Plus exporting to a QuickTime so others can enjoy your ego-boosting flame build-in!

Rumor has it there will be an OWASP regional conference in the near future so hopefully I’ll present this again with some improved slides and other real world examples. If you have any examples but don’t want to “go public” yourself, let me know and I’ll share them. This is one of the first things you’re supposed to learn as a web developer so I have no problem exposing others. JavaScript, Java and Flash do not equate to protection! Shoot me an e-mail.

The second presenter, as luck would have it, is working on a tool exactly like I had done for NTLM relay attacks! We had a good chat about where we both saw our tools going in the future. It has renewed my energy in completing the PokeHashBall tools at least. Thanks, eric!

Last year at this time I disclosed an issue with the IDG/MacWorld Expo registration that allowed people Free Platinum Passes (valued at $1,695). I communicated this issue with IDG the week of MacWorld and they removed all the codes, fixed the site, and said thanks. Questions were asked on how to write better code and I gave them a few tips (don’t trust user input, don’t give your secret codes to everyone, encryption is not one-way, etc). Did they listen?


Why Do I Do This?

Who wants to stand in line to see the Steve Jobs keynote at MacWorld? I mean have you SEEN the lines there? Really? I want to know WHATS IN THE AIR(tm)!!!

Honestly it’s academic to me. I didn’t even go to the keynote. 😛

Getting Your Golden (Well, Blue) Ticket:

This year the cost of Platinum Passes has gone up to $1,895. That’s a lot of money but you get a lot of cool things:

  • A free lunch every day
  • Free ticket to the MacWorld Blast
  • Seminars (MacWorld is more than just the keynote and Expo)
  • Priority Access Line to the Keynote

You can see where the cost goes. Last year the word “CREDIT” provided a 100% discount on checkout. These are called Application Logic Flaws and aren’t new attacks, but they can be devastating.

Like last year, IDG is passing a long list of MD5 hashes to the client browser and validating them in JavaScript before sending a request to the server — but that’s really only a problem if the codes that give the discounts exist and are easily cracked. Let’s see if we can get lucky this year.

Obtaining the codes — Same as last year:

Step 1. Navigate to the main registration page
Step 2. Submit your initial data and view the source of the main registration page, search for “Priority Code”
Step 3. See the JavaScript “onchange” function? It’s calling “check_password()”
Step 4. Search for “check_password()” and you’ll find the list of valid codes in MD5
Step 5. Format the data for your cracker of choice and start cracking!

Cracking the codes:

I like John The Ripper for all my hash cracking needs. It’s flexible, easy to use and affordable! There are two main methods used to crack passwords in John, using a wordlist or incrementing through a given keyspace. I always begin with a wordlist run just to kick out the quickies. The hash for “NONE” breaks but we already know that doesn’t do anything for us.

Incremental mode is our next step but we know lower case letters aren’t used so a quick look at the configuration file shows an external mode “Filter_LanMan” that throws everything to upper case. A quick run through doesn’t net any cracked hashes unfortunately. There are still over 1,000 hashes to crack so we have to be a bit more intelligent in our cracking (or throw more machines, wait longer, get a PS3, etc).

A Brief Cracking Sidebar:

Incremental cracking can take a long time to perform. The size of your keyspace (k) and the maximum word length (l) determine the total number of permutations that have to be encrypted to check every instance (P). P=k^l. Take the benchmark cracks-per-second your machine takes (Cs), do the math (P/Cs) and you have the number of seconds it takes to run an Incremental.

For example, let’s make k = 69, l = 8 and Cs = 30 million:

((69^8)/30M) / 60 = 285,443.54 minutes (3.68 months!)

Changing l for different lengths and the time changes accordingly:

((69^7)/30M) / 60 = 4,136.86 minutes for 7 chars
((69^6)/30M) / 60 = 59.95 minutes for 6 chars

and so on. . . The time is cumulative and those are just my numbers. Some have found ways to increase the speed to 1 billion cracks-per-second. Until that code is released or we write our own, we have to work with clusters of machines to reach that. My little cluster of 9 nodes can do just about 60 million MD5’s a second so a full 8 character run would take nearly 2 months to complete.

Now that you know the math and the big mountain ahead of us, how can we get on the gondola that takes you over half of it without much effort? The answer is simple, vendor codes and keyword masking!
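The keyspace arithmetic from the sidebar above, and the saving the mask idea buys, as an added Python example (not code from the original post); the 69-symbol keyspace and 30 million c/s benchmark are the post's own figures, and the 10-character code length with 4 mask-fixed positions is an assumption based on the 08-?-???? vendor-code pattern.

```python
def incremental_seconds(k: int, l: int, cps: float) -> float:
    """Seconds to hash every candidate of exactly length l from a k-symbol keyspace.

    P = k^l candidates, divided by the benchmarked cracks-per-second (Cs in the post)."""
    return (k ** l) / cps


def incremental_minutes(k: int, l: int, cps: float) -> float:
    return incremental_seconds(k, l, cps) / 60


def cumulative_minutes(k: int, max_len: int, cps: float) -> float:
    """An incremental run walks every length up to max_len, so the real cost is the
    sum of the per-length figures rather than the longest length alone."""
    return sum(incremental_minutes(k, l, cps) for l in range(1, max_len + 1))


def masked_minutes(k: int, code_len: int, fixed_positions: int, cps: float) -> float:
    """When a mask pins fixed_positions characters (08-?-???? pins '0', '8' and both
    dashes), only the remaining code_len - fixed_positions characters are enumerated."""
    free = code_len - fixed_positions
    if free <= 0:
        return 0.0
    return incremental_minutes(k, free, cps)


if __name__ == "__main__":
    K, CPS = 69, 30e6  # the post's keyspace size and single-machine benchmark
    for length in (6, 7, 8):
        print(f"{length} chars: {incremental_minutes(K, length, CPS):,.2f} min")
    print(f"all lengths up to 8: {cumulative_minutes(K, 8, CPS):,.2f} min")
    # Assumed 10-character vendor codes with 4 positions fixed: the cost of a 6-char run
    print(f"masked 10-char run: {masked_minutes(K, 10, 4, CPS):,.2f} min")
```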

Here Come The Free Codes:

Vendors receive a group of codes each to pass along to their customers, potential customers, friends, family, etc. These typically provide free Expo access but maybe they’ll help trim down this mountain to something manageable. These free codes get passed around like candy so finding one takes a few Google searches. 08-G-PC189, 08-G-PC178, 08-G-PC260, do you see the pattern?

Time To Build An External Filter:

Now that we have a mask (08-x-y(n)) it’s time to modify john.conf accordingly. The section names match the -i=MW and -e=MW options used on the command line:

[Incremental:MW]
File = $JOHN/all.chr
MinLen = 7
MaxLen = 7
CharCount = 95

[List.External:MW]
void filter()
{
	int i, c;

	i = 0;
	while (c = word[i++]) {
		// if character is lowercase, don't run it
		if (c >= 'a' && c <= 'z') { word[0] = 0; return; }
	}
	// We know the static prefix 08-?-????
	// Add or remove word[]s to fit the length (7 generated chars give an 11-char code here)
	word[11] = 0;           // terminate the longer word
	word[10] = word[6];
	word[9] = word[5];
	word[8] = word[4];
	word[7] = word[3];
	word[6] = word[2];
	word[5] = word[1];
	word[4] = '-';
	word[3] = word[0];
	word[2] = '-';
	word[1] = '8';
	word[0] = '0';
}

With that, we run and wait...

# john -i=MW -e=MW --format=raw-MD5
Loaded 1341 password hashes with no different salts (Raw MD5 [raw-md5 SSE2])

.. but not for too long, because the first code looks REALLY interesting: 08-S-STAFF. Let’s try it!

Download the High Quality version.

Voila. For the second year in a row, a free Platinum Pass in less than a day.

On January 7th we noticed the MD5 hashes changed in the source code. While the special code was still listed it no longer gave a 100% discount when entered. Some codes still provide a small percentage discount and a few do provide a free expo pass. We still have 14 codes left to crack so no telling if those are any good. 🙂

Thanks to Josh Bernstein and Garrett Gee for reminding me MacWorld was coming up and independently confirming these findings.

Maybe next year the problem will be fixed? Anyone in a betting mood? 🙂

This week is the joint OWASP/WASC conference in San Jose. Two days of web app nerds getting together and exchanging ideas about CSRF protections, web services, the Samy worm, etc. It’s loads of fun! I’m a big OWASP supporter and push their information wherever possible. I’m always shocked when I hear “I’ve never heard of them” from a developer.

Rsnake gave a presentation/rant about the sorry state of web security. Not that it’s something that was created out of malice, just that we’re seeing issues today that were never part of the original concept of the web. Just like spam was never on the minds of Ray and Dick when they created electronic mail.

He briefly mentioned one of my favorite topics – Windows hashes. Then I read his blog entry describing Natron’s ideas for using DNS Pinning to affect the IE Trust Zone. It’s an area I was thinking of but hadn’t worked on yet because I was focused on the insider attack space. Awesome!

Of course there are a few complications with the theory that have to be considered:

  1. If the attacker doesn’t send the domain name in the Type message that the victim’s computer is a member of, a dialog box will appear. People may still put their passwords in but the idea of mass transparent authentication capture isn’t there.
  2. IE Trust Zones are pretty awkward in design. What constitutes an Intranet Zone site? Microsoft KB174360 says: By default, the Local Intranet zone contains all of the network connections that were established by using a Universal Naming Convention (UNC) path, and Web sites that bypass the proxy server or have names that do not include periods (for example, http://local), provided that they are not assigned to either the Restricted Sites or Trusted Sites zone.
  3. If a company is using a proxy server and you DNS Pin a name that doesn’t have a FQDN at the end, that address may never be reached because IE won’t use the defined proxy and attempt to connect directly to the attacker’s IP address.

Another option I was thinking of would be somehow creating a Java or Flash proxy server but unfortunately their sandboxes have locked down any bind requests (unless someone has some mojo that gets around this). Flash doesn’t support it and Java doesn’t permit binds in applets.

In any event the patch to Metasploit adding NTLM type message parsing was submitted back in October. I have some updates to send in but it’s still functional. The pre-defined nonce hash catcher (pokehashball.rb) script is fairly complete and the HTTP-to-POP3 tool (psyduck-pop3.rb) is fun to play with. None of these attacks have been incorporated into Metasploit modules yet but that’s still on the radar (smb_relay via HTTP).

Visit for the code.

Full Disclosure: This attack was first documented by Jesse Burns at iSec Partners using jCIFS. Where’s your code, Jesse? 🙂

Things got a little busy/crazy around here so I’m not satisfied with what I have done so far so no code yet. This past weekend was Toorcon 1001 and it was as enjoyable as ever. I had a few breakthrough ideas thanks to the talks and side chats with everybody. That’s mostly why I’m not satisfied — always room for improvement. 🙂

I promise to show something soon. Really.

The security freaks at Watchfire recently released an amazing piece of research against Google Desktop. If you use this product it’s best to update it now.

PDF and an awesome Adobe Flash presentation are worth checking out.

Essentially through Cross-site Scripting and a Javascript command and control API they’ve shown the ability to fully compromise a device. All of it can be automated.

As a web user I’ve been afraid of client-side language interpreters for a long time. Javascript, ActiveX, Java, etc — they take too much control away from my PC and give it to web servers. Blogs, forums, malicious trojan servers, etc all can carry dangerous payloads that will run unnoticed to me because that’s how the user experience is.

This year is going to be fun. 🙂

This morning I awoke to find an urgent posting from Websense. Somebody had placed a bit of javascript on the Dolphin Stadium website @ Don’t worry, it’s not there anymore. This weekend is the Superbowl and a LOT of football fans could very well visit this site, and if they haven’t updated their Internet Explorer in a while they’d find a keylogger and backdoor installed on their PC.

A pretty big issue that was resolved fairly quickly by the host removing the offending source but our comfort level with that site is shaky now. How did the attackers get in, did they close the hole or just put some silly putty over it? We may never know.

The malicious code turns out to be a javascript file called 3.js loaded from a website named A very quick googledork search found something interesting:

The CDC’s podcast site! They’ve since brought down their system for repairs.

The site has been removed as well but how many people already had their machines trojaned?

This attack is called “Persistent Cross-Site Scripting (XSS)” because the malicious JavaScript code gets left behind on the web application, usually as a database entry that is displayed at some point during the user’s experience. When somebody goes to visit the website the malicious code is loaded and, in this particular case, bad things happen to the browser if it hasn’t been patched against two recent Microsoft bugs (MS06-014 and MS07-004).

There are a lot of XSS bugs out there. Michael Sutton did a massive check and reliably confirmed that out of 272 sites, 47 (17.3%) of them had an XSS vulnerability. The XSS Wall of Shame at the forum never stops, most of them being non-persistent.

Browsing the web with a JavaScript-enabled browser is just plain dangerous. It’s not just those ‘seedy’ underground sites you should avoid, it’s everywhere.

Some very good resources on XSS and its very real threats:

Happy new year everybody! Here’s a little secret for web developers: client-side verification of user data is sometimes ok, but back it up with a server verification AND don’t give important/secret stuff to the client.

I wanted to head over to MacWorld this week and obtained a “PC” code for a free Expo pass. That’s cool and all but it doesn’t get me access to see Jobs’ keynote unless I sneak in. Plus if I got a regular badge I wouldn’t have priority seating, something you really need since everyone and their goat flocks to hear Jobs say “One more thing…” But, alas, I’d only receive an Expo pass.

I plug in the register URL and start inserting my information. The second screen is where your Priority Code gets entered. Being the curious person I am I took a peek at the source code. Much to my chagrin I find this:

Well huh. These look like MD5 hashes. Let’s look a little deeper in the code. On line 2515 there’s a javascript function named “check_password” which is called any time the Priority Code field changes. Let’s see what it does:

  1. Convert the cleartext to upper-case and strip invalid characters
  2. Calculate the MD5 of the new cleartext
  3. Check the list of valid_codes for the MD5(cleartext)
  4. Pop an alert box if the code isn’t found
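The four steps above reimplemented in Python as an added example (not the registration site's own code), next to the server-side form the post argues for: the exact normalization of the original check_password() is assumed from the steps listed, and every code and hash here is constructed.

```python
import hashlib
import hmac
import re


def normalize(code: str) -> str:
    """Step 1: upper-case and strip anything outside A-Z0-9 (the keyspace the post infers)."""
    return re.sub(r"[^A-Z0-9]", "", code.upper())


def md5_hex(s: str) -> str:
    """Step 2: the client hashes the cleaned code with MD5."""
    return hashlib.md5(s.encode()).hexdigest()


# Constructed stand-in for the valid_codes list that the page shipped to every browser.
CLIENT_VALID_CODES = {md5_hex(c) for c in ("CREDIT", "PRESS2007", "EXPO7Q")}


def client_check_password(entered: str) -> bool:
    """Steps 3-4: look the hash up in the list; the browser holds everything it needs,
    so this check can be run offline against any guess (the alert box is the only output)."""
    return md5_hex(normalize(entered)) in CLIENT_VALID_CODES


def offline_guess(hashes: set, candidates) -> dict:
    """Why shipping the list is the bug: a viewer of the page source can test a wordlist
    against it without ever contacting the server. Returns {hash: recovered code}."""
    return {md5_hex(c): c for c in candidates if md5_hex(c) in hashes}


# Server-side replacement: codes live only on the server and are never sent to the client.
# Constructed values; a real deployment would keep these in a database, not in source.
SERVER_CODES = {
    "R7Q2M9KX4T": ("Platinum Pass", 100),  # long, random, not a dictionary word
    "EXPO7Q": ("Expo Pass", 100),
}


def server_validate(entered: str):
    """Validate on the server. Every stored code is compared with a constant-time
    comparison so response timing does not reveal how close a guess was."""
    wanted = normalize(entered).encode()
    result = None
    for code, grant in SERVER_CODES.items():
        if hmac.compare_digest(code.encode(), wanted):
            result = grant
    return result
```

The client-side function is what the registration page effectively did; server_validate is the shape of the fix (keys stay secret, the server decides, and guesses cost a round trip each).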

So what we need to do is crack the MD5 passwords with what we know about our keyspace: All upper case, most likely keyboard ASCII characters and numbers only. We can probably rule out non-printable ASCII so now we’re just looking at A-Z0-9. Just an educated guess.

A quick conversion of the javascript to “code#:md5hash” and a quick addition to John The Ripper’s rules:

[List.External:alnum_upper]
void filter()
{
	int i, c;

	i = 0;
	// Reject anything outside 0-9, A-Z and a-z, then convert lowercase to uppercase
	while (c = word[i]) {
		if (c < '0' || c > 'z' || (c > '9' && c < 'A') || (c > 'Z' && c < 'a')) {
			word[0] = 0; return;
		} else {
			if (c >= 'a' && c <= 'z') word[i] &= 0xDF;
		}
		i++;
	}
}

We begin the crack:

$ john --format=raw-MD5 --incremental=alnum --external=alnum_upper
Loaded 897 password hashes with no different salts (Raw MD5 [raw-md5])
CREDIT (1183)
guesses: 1 time: 0:00:00:09 c/s: 20372K trying: ADRY

Less than 10 seconds and I’ve already cracked a code that looks interesting. Let’s see what we get:

A Platinum Pass for $0.00? Special line access to the Keynote! Alright!

So it looks like a combination of client-side authentication with all data being delivered to the end user. OWASP has a very good description of this vulnerability here. Ultimately you don’t want to give the client everything they need to gain access to something they shouldn’t. Validate on the server rather than the client and keep the keys secret. Of course you also shouldn’t use a very easy key that will provide discounted access (CREDIT ? Hmmmpf!)

But did it work? You need a government ID or credit card to receive your badge at the conference. Not a very hard thing to forge but no need to as I used my real initials. The badging people gave me an odd look at the pick-up window but everything matched and voila:

This was discovered and verified on Monday, 1/8/07 by picking up the above badge. On Tuesday I e-mailed IDG to report it and met with the web support team at MacWorld to say hi, how’s it going, yeah this didn’t take long to figure out, you gave me everything I needed to know in the code, etc. They’re very nice people and were happy to discuss this issue and web security in general. They’d spent most of the day looking back over their logs and found that others also had found this vulnerability and used it, but I was the only one to report it.

Given what’s mentioned in this article from CSO Online I can understand why that is. This experience helped me feel that it’s not always a strong-arm, FBI jackbooted thug response for finding a web application vulnerability. Then again I only learned how to defraud a company of $1,695 (per instance) and didn’t try to access a database containing credit cards, social security numbers, etc.

I made a video of the hack but it was after I talked to IDG so the final page doesn’t show $0.00 anymore. Oh well, it’ll give you the general idea of the vulnerability and how long it could take to figure out. As soon as it’s finished I’ll post it.