Security through Insecurity

Google Instant is a new search enhancement that shows results as you type. We are pushing the limits of our technology and infrastructure to help you get better search results, faster. Our key technical insight was that people type slowly, but read quickly, typically taking 300 milliseconds between keystrokes, but only 30 milliseconds (a tenth of the time!) to glance at another part of the page. This means that you can scan a results page while you type.

The most obvious change is that you get to the right content much faster than before because you don’t have to finish typing your full search term, or even press “search.” Another shift is that seeing results as you type helps you formulate a better search term by providing instant feedback. You can now adapt your search on the fly until the results match exactly what you want. In time, we may wonder how search ever worked in any other way.

Benefits

Faster Searches: By predicting your search and showing results before you finish typing, Google Instant can save 2-5 seconds per search.

Smarter Predictions: Even when you don’t know exactly what you’re looking for, predictions help guide your search. The top prediction is shown in grey text directly in the search box, so you can stop typing as soon as you see what you need.

Instant Results: Start typing and results appear right before your eyes. Until now, you had to type a full search term, hit return, and hope for the right results. Now results appear instantly as you type, helping you see where you’re headed, every step of the way.

via Google Instant.

A few months ago, this website was hacked by a Russian group for the purposes of hosting Malware, specifically a botnet trojan. Ultimately, they used this site for several purposes such as to find other vulnerable sites, provide a direct download of viruses, and as a somewhat anonymous proxy for them to use. I was aware of this almost immediately, and began reversing their files to find out just who made these programs, and where they were coming from.

I’ve been very busy this summer, taking on a Job, and joining the Volunteer Fire Department, so progress was slow. But eventually I found a surprising unsecure botnet that was being hosted primarily in China, but also with backup servers in India, and Russia. I found a pretty decent net, consisting of over 200,000 infections. Gaining roughly 20,000 a day, but they were selling more of them.

An authhost was set on the bots, but other than that, the password to get into the channel was very simple, and it was easy to blend in. These bots were quite, obviously due to size, as it would ping out any user who tried to command 1000′s of bots at once when they all reply.

Eventually I was able to fully dismantle the botnet, as they had a small backdoor in their bots, allowing for super anonymous communication, kind of like a p2p network. The bots could be given commands directly, which is very common now days, but there was no authentication. Furthermore, if you told the bot to spread the command, it would assign 9 other bots to due the same, and they would all message every bot in the channel and server the command, and jump to the other servers and due the same, until all bots were updated. It would have been a nice feature… had it been secure.

Either way, I issued a command to update the password for a week, until they were all under my command. At this point, the bot masters began realizing they were losing control, and attempted to shut down the servers, but failed. I don’t know why they failed, but it was humorous watching them panic.

After I had control of the general population, I stopped all the attacks these bots had been performing (everything from password cracking, exploit scanning, and spamming), and uninstalled them. From that point I simply said have a nice day to the former Bot Masters.

I finally cleaned up this webserver from all they did, I was just lazy about doing it. Any way, I thought I’d share that little mishap in my research of botnets. It all happened because I choose to take the easy way one day, a mistake I should have known not to do, and I won’t do again.

Comments more than welcome, as well as questions.
Also, would you like to write on this Blog? Contact me here, or through josh@joshhouston.net . I’m looking for some good articles, there is no pay, just something to do in your free time like I do, as I’m extremely busy now days. Video Tutorials are the best in my opinion, either way, whether it be text or video, all I ask is a Full, Detailed write-up as I do myself.

In this Video Tutorial, I show you how to crack a wireless network secured with WPA encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video

About 2 months ago, I decided to try out a RC version of Windows 7, but it would not support my SATA drive for an odd reason.  So, i rebooted into the BIOS, then proceeded to change my SATA mode to Compatible, which did not help. So, in my last attempt, i activated TPM in the BIOS, and the strangest thing happened; As soon as I switched form Disabled to Enabled, the computer shutdown, without my even saving the changes. I tried restarting…. but to no avail, ever. My BIOS is somehow fried now in my laptop, and whenever I try to boot, it doesn’t even show the POST.

So, in desperation, I called up ASUS, and they said it was something they had never seen before, and surely wasn’t something that was supposed to happen. Luckily, they have excellent customer support, didn’t charge me for the phone call, and are going to have the laptop shipped to them, replace the bad parts, and ship it back to me, all without me paying a cent. I must give them props for that, I have never, ever had such good support, They put be through no loops of forwarding to another department or anything, they just took care of me. Now I just actaully have to ship the thing with the RMA printout they gave..

This is why, as you may imagine, that I have had no updates in a good time. Luckily the hard drive is still good, and I got everything off of it, but I still do not have my recording software, or any of my tools. I’d like to apologize for not posting this sooner, but when Real Life gets down to it, so do I. Rest assured, there will be plenty more updates and youtube videos very soon.

Thanks,

Josh Houston~

EDIT: This method will no longer work soon due to the kwiry service closing down. More information here. This will go into affect on On April 23, 2009.

You heard the forecast this morning, but totally forgot to turnoff your computer this morning; You’re on vacation, and need to get your computer running a backup, just in case. But in both scenarios, you don’t have access to your computer. In this video, I show you how to setup a solution, that will allow you to run any predetermined command, with a simple Text message.

You’ll need Microsoft Office, or just Microsoft Outlook (any version will do), and a working internet connection. In this tutorial, we will be using gmail.com for a free email account, and although you can use your own, I like to keep my texts and emails seperate. And we will be using a free service, at kwiry.com that allows you to send text messages to them, and they send it to you as an email.

1. Goto gmail.com to sign up for a free email account, and copy down the new email you have.
2. Goto kwiry.com and sign up with your new e-mail address.
3. Open up Microsoft Outlook and create a new account.
   1. If this isn’t your first time to setup an account, you can click on “Tools” and then “Accounts” to set up a new account.
4. On the First page, fill in “Your Name:”, “E-mail Address:”, “Password:”, and “Retype Password”, and then click the box at the bottom that says “Manually configure serer settings or additional server types”
5. Click “Next”
   1. Leave the “Account Type” unchanged. It should be POP3. If not, change it to that.
   2. Set “Incoming mail server:” to “pop.gmail.com”
   3. Set “Outgoing mail server (SMTP):” to “smtp.gmail.com”
   4. Set “User Name:” to your user name that you chose for your e-mail account.
   5. Click “More Settings”
      1. Click “Advanced”
      2. Change the Port on “Incoming server (POP3):” from “110″ to “995″ and click the check box that says “This server requires an encrypted connection (SSL)”
      3. Click “Outgoing Server”
      4. Check the box that says  “My outgoing server (SMTP) requires authentication” and choose “Use same settings as my incoming mail server” if it is not already checked.
      5. Click “OK” and test the settings by clicking on “Test Account Settings …”
      6. If all is well, click “Next” followed by “Finish”
6. Return to your Desktop
7. Open up My Computer
8. Open up “Local Disk (C:)” — may be different for you.
9. Create a folder called “commands” and open it.
10. Right-Click and create a new text document called “shutdown.bat” and click Yes when it asks about the extension change. Now open the document.
11. Right Click on the newly created shutdown.bat and click “Edit”
12. Type in “shutdown.exe -s -t 5″ and Press Ctrl + S to automatically save the file.
13. Open Outlook back up and click on Tools followed by Rules and Alerts…
14. Click “New Rule…”
15. Near the bottom, under “Start from a blank rule”, click “Check messages when they arrive”
16. Check the box that says “with specific words in the subject” followed by clicking on “Specific Words“ in the bottom of the window.
17. Add the subject title, which was “your kwiry – Shutdown” and click “Add”, followed by “OK”
18. Click “Next”
19. Check the box that says “start application“ followed by clicking on “application“ in the bottom of the window.
20. Browse to your shutdown.bat, it should be in this order: My Computer, Local Disk (C:), commands. You may have to Click “Files of type:“ near the bottom and choose “All Files (*.*)“
21. Click Finished, followed by Apply

Send yourself a message to kwiry that says shutdown

Now watch the magic!

Questions? Comments?

Video Requests?

Admit it. Even you, a savvy veteran e-mail user, have fallen for one or more of these Internet rumors. Or, even if you weren’t quite sure of the veracity of a particular story or photograph, you e-mailed it to your friends to amuse/warn them, or to see what they thought.

Don’t be embarrassed, you’re not alone. Despite our increasing technological sophistication, we seem to be as susceptible as ever to people determined to make suckers of us. After all, Internet hoaxes play on our human, not technical, vulnerabilities.

via 7 Fantastic Internet Hoaxes — E-mail — InformationWeek.

In light of recent activity, or the lack thereof..

We have concluded that the most probable cause of the Conficker worm not taking any threatening action, is because the developer wants his worm to not only have a have infection rate, but to also have the first worm in history that is able to butter toast.

Buttered Toast

Although clueless as to why this undoubtly unique feature is desired, it would be the very virus that is also destructive to our health.

In that unpleasant event in your life, you sit down at your computer, and totally draw blank on your password. All hope seems to be lost without those crucial letters and numbers. But as luck would have it, there is still another way to help you out. Using a tool called chntpw, we can remove your passwords from any account.

1. Open the BackTrack Folder from the Menu.
2. Open Privilege Escalation
3. Open PasswordAttacks
4. Click on “chntpw”
5. Type in “chntpw -i /mnt/hda1/Windows/system32/config/SAM”
   1. You may have to change the “hda1″ to something else such as hdb1, sda2, sdb3. Try a few different combination until you can get it, or ask me for help.
6. Press “1″
7. I want to remove my password, and my username is simply “josh”. So here, I will type in “josh”.
8. Press “1″ to clear the password. If all is well, it should say “Password cleared!”
9. Again, lets type in our name, mine is still “josh”.
10. Press “4″.
    1. The reason behind why we do this? Sometimes the account will get locked after we change the password, so we want to make sure we unlock it before we save the changes and boot back up to Windows.
11. Type “!”
12. Type “q”
13. You will be asked, “Write hive files? (y/n) [n] : “ We want to press “y” for yes.

There you go! Your password is not reset and you can now log onto Windows again! Congratulations!

Questions? Comments?

Feel Free to Ask!

In the last Article, I showed you how to crack your own wireless network encrypted with WEP Encryption. In the video, you saw how easy it was to crack the network. And sad to say, this kind of attack affects most home users, and even many businesses. Fortunately for everyone, WEP Encryption is not the only security option available for wireless networks. WPA Encryption, is FAR more secure (For more information about WPA Encryption, go to WPA on Wikipedia.org). Virtually every router that is has WEP encryption, also has WPA and WPA2 encryption.

Since the Linksys WRT54G Wireless Router is extremely popular, I will be showing you how to secure your wireless network using WPA2 Encryption.

Linksys WRT54G Router

Open up your favorite browser of choice (mine happens to be Firefox),and and goto 192.168.1.1. This is the most common address for your router. You should be promted with a username and password dialog. Just try admin for both, unless you’ve changed it. If you don’t get a dialog box, or the page doesn’t come up, the address may be different. You can follow these directions to find out the address, but if you already found it, you can just skip ahead.

Lets find out your Routers IP address. The following instructions are for Windows.

1. Click the “Start” Button
2. Click on “Run”
3. Type in “cmd”
4. A console window should come up.
   Type in “ipconfig”
5. Look at “Default Gateway” Write down the address, it should be in the form of xxx.xxx.xxx.xxx
6. Now like before, go into your favorite Web Browser, and Put in the address.

You should now be at the Linksys Router Start Page. It should look very similiar to this:

Linksys Start Page

All the settings on this page should be fine already.

Lets click on the “Wireless” link at the top of the page.

Now click on the Wireless Security subsection at the top of the page.

Click on “Security Mode” and select “WPA2 Personal” as shown below

Linksys Wireless Security

From here we will choose a password. DO NOT use something common, ie.. names, places, numbers. Instead, use a combination. The best passwords, are long, and very random. Something like U71tR8zi89B is good. Passwords such as grandmother, San Diego, 123456, and password are horrible to use, and will usually be guessed with great speed.

That’s it! Save the settings by clicking on the “Save Settings” button at the bottom, and you will be good to go. Now just connect your computer to your WAP (Wireless Access Point) and put in the same password you did on the Wireless Security page. Note: It’s a good idea to memorize your passwords. You can also write them down, but make sure it is in a safe place, such as a safe.

Questions, Comments?

I love feedback.

Thanks!

In this Video Tutorial, I show you how to crack a wireless network secured with WEP encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video 1. Video 2.

1. Type in “airmon-ng” to see wireless adaptors on your computer.
2. You should see a listing come up. Mine showed wlan0. Yours may be different, such a rausb0.
   Type in “airmon-ng start wlan0” to start your wireless device. Replace the “wlan0” with whatever yours showed to be. This will create a new “virtual” device, and will show the name. The name for mine was “mon0“
3. Open a new terminal window, and type “airodump mon0” again, replacing “mon0” with your new virtual devices name.
   You will begin to see a listing of different APs (access points). Find the one you want and press Control + C. Pressing Control + C will cancel the current program running in terminal. The name of the networks found is under the ESSID column. You may not see anything there, which is fine, some of them are invisible. FUSiON is the name of my network, so I went over to the BSSID column, and copied the address, which was 00:23:69:18:E4:7D. This address is important, so I could recommend copying it, or writing it down. Also take note of what channel it is on.
4. This is what I typed after that, “airodump-ng –bssid 00:23:69:18:E4:7D –channel 6 –ivs -w FUSiON mon0” This is all real easy stuff, so I’ll just explain it to you right quick. airodump-ng is the program that captures what is called IVs, the primary component in cracking WEP networks. Here goes!
   • Type “airodump-ng”
   • Add a space and type “–bssid 00:23:69:18:E4:7D” replacing the address with the address of your Network. This “flag” says we only want to see this address, and nothing else.
   • Add a space and type “–channel 6″ replacing the number 6 with the number of the channel of your Network (although 6 is VERY common, so don’t be surprised if that is it)
   • Add a space and type “–ivs” This command only captures IVs, which will make cracking the password faster.
   • Add a space and type “-w FUSiON” replacing FUSiON with the name of your network, or something that you will remember, as we will be cracking this file later to find the password. I just use the name of the network, because it helps me remember easier.
   • The “mon0″ at the end, simply defines which device to use.
5. Open a New Terminal Window. In it, type “aireplay-ng -5 -b 00:23:69:18:E4:7D mon0″
   
   • aireplay-ng is a tool that greatly helps generate IVs. Without it, it wouldn’t be possible to crack most WEP networks.
   • The “-5″ flag is one method, and the most common, that is used to generate the IVs.
   • The “-b 00:23:69:18:E4:7D” tells which address to attack. The -b stands for bssid which is the address of your network. So you will have to replace 00:23:69:18:E4:7D with the address of your network (the one that I recommended you write down or copy earlier).
   • The “mon0″ at the end, again just defines which device to use.
6. Wait and Press “Y” for yes, when it asks if you would like to use the selected frame.
7. This process may have to be repeated until you have a resulting fragment file. It will say when you do. Additionally, you can run this command “aireplay-ng -1 1 -a 00:23:69:18:E4:7D mon0″ to help assist with getting a fragment file. Again, make sure to replace my address, with your own.
8. Now we must build a file that will be used to gather those precious IVs! I did it with the following command:
   “packetforge-ng -0 -a 00:23:69:18:E4:7D -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0324-230256.xor -w arpy”
   Let me break this down for you.
   • packetforge-ng is the program which will build the arp file, as I like to call it, which you will soon see.
   • Add a space, and follow it with “-0 -a 00:23:69:18:E4:7D” and of course, replace it with your own network address.
   • Add a space, and type in “-h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255″ This part of the command is pretty universal, rarely is it changed. So we won’t go into detail on it here.
   • Add a space, and type in “-y fragment-XXXX-XXXXXX.xor”, replacing your fragment file, place of this one, as well.
   • And lastly, type in “-w arpy” just the -w is important. The arpy can be anything you can remember. It’s something I’ve just always used, cuz it’s easy for me to remember.
   • If all goes well, it Successfully built our Arp Packet.
9. Almost Done!  “aireplay-ng -3 -r arpy -b 00:23:69:18:E4:7D mon0″ is our next command.
   • aireplay-ng, like before, should get those IVs flowing in. At an average, I see about 500 IVs/Second. Which isn’t too bad. But some cards do better than others, so you may have better, or worse luck.
   • -r arpy is a flag that tells aireplay-ng to play the arp file we created called arpy.
   • Like before, -b 00:23:69:18:E4:7D specifies which address to attack, and mon0 says which wireless interface to use.
10. If all went well, we are gathering IVs! Open the airodump-ng terminal window that we’ve had open, and look at the Data column. It should be constantly rising. This is the longest process, as we have to wait. While others recommend you getting at least 100,000 IVs, I’ve never waited that long. I’ve cracked many WEPs at just 20,000, although I recommend cracking at 40,000 IVs. So go get a Dr. Pepper and wait a while until you have enough accumilated.
11. Once you have at least 40,000, we can start cracking the WEP Password!
    • This step, has to be the simplest.
    • Open a new Terminal window, and type “aircrack-ng XXXX-01.ivs” replacing the XXXX with what you used when you first started the airodump-ng command.
    • Depending on the speed of your computer, you will soon have the WEP Key Decrypted. Just make sure to remove the colons “:” before confirming the Key.

There we go, that is my tutorial on basic WEP cracking. Any Questions, Comments, or Suggestions are GREATLY appreciated!