lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <BANLkTi=Q7hGJcKEPvisg1BKABzSmVUcgyQ@mail.gmail.com>
Date: Wed, 13 Apr 2011 16:50:07 +0200
From: Christian Sciberras <uuf6429@...il.com>
To: Cal Leeming <cal@...whisper.co.uk>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: guess what this does..

Is it me or are spammers recruiting more script kiddies as of late?
Not much of a big deal considering their numbers are on the rise...*ahem*
anonymous *ahem*.

Chris.




On Wed, Apr 13, 2011 at 4:47 PM, Cal Leeming <cal@...whisper.co.uk> wrote:

> Well, the problem was the person(s) running the bots kept bypassing the
> simple protections such as these. Although it isn't 100% fool proof, it does
> make things *extremely* difficult for the person(s) with the bots, so much
> so, that they usually give up, unless they have specifically targeted you
> for some reason.
>
> So, instead we created hundreds of these little JS chunks, all with
> different lookup tables applied, and cycled them on an hourly basis. It
> meant if they wanted to continuously bot the service, they would have to de
> obfuscate the protection code, or find a mathmatical/bruteforce attack that
> would generate the seedkey for them. It would either involve manual
> intervention or code modification on the bot to make it work.. I'd
> have preferred to have added captcha, but there was a reasonable explanation
> as to why the client didn't want it.
>
> Either way, once we put this in, they gave up pretty quickly lol.
>
>
> On Wed, Apr 13, 2011 at 3:29 PM, Christian Sciberras <uuf6429@...il.com>wrote:
>
>> Cal /Ryan,
>>
>> I'm not sure what you're trying to achieve.
>> If we're talking about absolutely stupid bots, the following easily
>> defeats them:
>>     <form>
>>         <stuff/>
>>         <script type=text/javascript>document.write('<input type="hidden"
>> name="access" value="code"/>');</script>
>>     <form>
>>
>> I suppose you could obfuscate it all if you wanted to cater for script
>> kiddies.
>> But considering this is very weak protection (as opposed to proper
>> captcha), I'm not sure if it's even worthwhile.
>> One of the ways I can see this work is against automated, "JS-ignorant",
>> MITM systems.
>>
>> As indeed is true, you should never trust the end user.
>> But in a MITM scenario, the user we're not trusting is the one conducting
>> the attack, not the other.
>>
>> Chris.
>>
>>
>>
>> On Wed, Apr 13, 2011 at 1:07 PM, Cal Leeming <cal@...whisper.co.uk>wrote:
>>
>>> Lol, I've just realised something.. I didn't include the seed key
>>> variable itself, so this code would have been pretty much useless on it own
>>> *DOH*.
>>>
>>> So, here's something else a bit tasty.. this is the server side code used
>>> to check and create the seedkey itself (secret lookup table has been changed
>>> obv.).
>>>
>>> This code allows seedkeys to be generated from epoch time. Now,
>>> cryptographically I don't know how "sane" this is, but I'm fairly sure that
>>> if the lookup table contained large integers it would become almost
>>> impossible to do a pattern based brute force. I actually had quite a lot of
>>> fun trying to break my own code. :D
>>>
>>> PS) you have been awarded 1 internets.
>>>
>>>
>>>     function get_valid_keys() {
>>>         // Create key store
>>>         $_s = array();
>>>
>>>         // Create valid key ranges (+900 seconds)
>>>         for($x=300;$x>=900;$x+=300):
>>>             $_s[] = $this->create_key($offset=$x);
>>>         endfor;
>>>
>>>         // Create valid key ranges (-900 seconds)
>>>         for($x=300;$x>=-900;$x-=300):
>>>             $_s[] = $this->create_key($offset=$x);
>>>         endfor;
>>>
>>>         $_s[] = $this->create_key();
>>>
>>>         return $_s;
>>>     }
>>>
>>>     function create_packed_key() {
>>>         // Create a new valid key
>>>         $key = $this->create_key();
>>>
>>>         // Now generate the packed key
>>>         $k = array();
>>>         // Now convert it into an array
>>>         for($x=0;$x<strlen($key);$x++):
>>>             $_v = unpack("H*", $key[$x]);
>>>             $k[]='\x'.$_v[1];
>>>         endfor;
>>>
>>>         // Okay, here is your brand new shiney key, sir :)
>>>         $m = '"'.implode('","', $k).'"';
>>>         $m = strrev($m);
>>>         $_m = array();
>>>         for($x=0;$x<strlen($m);$x++):
>>>             $_m[]=$m[$x];
>>>         endfor;
>>>         return json_encode(implode("ZPAK", $_m));
>>>     }
>>>
>>>     function create_key($offset=0) {
>>>         // Secret key table, used to mix up the seed
>>>         $enc = array(
>>>                 0       =>       "67892",
>>>                 1       =>       "3953",
>>>                 2       =>       "49474",
>>>                 3       =>       "494755",
>>>                 4       =>       "30585",
>>>                 5       =>       "30582",
>>>                 6       =>       "20485",
>>>                 7       =>       "20486",
>>>                 8       =>       "97294",
>>>                 9       =>       "10284"
>>>         );
>>>
>>>         // Generate new seed
>>>         $time = time();
>>>         if ($offset):
>>>             $time=$time+$offset;
>>>         endif;
>>>         $c=(int)($time/$this->_security_key_refresh);
>>>         $_c = "$c";
>>>
>>>         // Extract the last 5 digits of the number
>>>         $char1 = substr($_c, strlen($c)-1, 1);
>>>         $char2 = substr($_c, strlen($c)-2, 1);
>>>         $char3 = substr($_c, strlen($c)-3, 1);
>>>         $char4 = substr($_c, strlen($c)-4, 1);
>>>         $char5 = substr($_c, strlen($c)-5, 1);
>>>
>>>         // Lookup the modifier from the secret key table
>>>         $mt1 = $enc[$char1];
>>>         $mt2 = $enc[$char2];
>>>         $mt3 = $enc[$char3];
>>>         $mt4 = $enc[$char4];
>>>         $mt5 = $enc[$char5];
>>>
>>>         // Generate a new key, based on the modifiers
>>>         $key = round((($c+$mt1) + ($c+$mt2) + ($c+$mt3) + ($c+$mt4) +
>>> ($c+$mt5))/256);
>>>         $key = "$key";
>>>         return $key;
>>>     }
>>>
>>>
>>>
>>>
>>>
>>> On Wed, Apr 13, 2011 at 3:56 AM, Ryan Sears <rdsears@....edu> wrote:
>>>
>>>> Me thinks I may have it right (mostly)...
>>>>
>>>> It seems to be some jquery to append a hidden input element to the
>>>> "theform" id (presumably a form on the page ;) ) called "seedkey", and has a
>>>> value of whatever t is evaluated to (which I'm still stuck on as I don't
>>>> know jquery much at all, so I can't figure out the s[] array, but I know it
>>>> has something to do with the bracket notation...).
>>>>
>>>> =================================================
>>>> += Orig =+
>>>> $(function () {
>>>>        var _0xafd3 = ["\x74\x20\x3D\x20\x22", "", "\x6A\x6F\x69\x6E",
>>>> "\x72\x65\x76\x65\x72\x73\x65", "\x73\x70\x6C\x69\x74",
>>>> "\x72\x65\x70\x6C\x61\x63\x65", "\x22"];
>>>>
>>>>        eval(_0xafd3[0] + s[_0xafd3[5]](/ZPAK/gi,
>>>> _0xafd3[1])[_0xafd3[5]](/\",\"/gi, _0xafd3[1])[_0xafd3[5]](/\"/gi,
>>>> _0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1]) +
>>>> _0xafd3[6]);
>>>>        var _0x5bfa = ["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E",
>>>> "\x74\x79\x70\x65", "\x68\x69\x64\x64\x65\x6E", "\x61\x74\x74\x72",
>>>> "\x6E\x61\x6D\x65", "\x73\x65\x65\x64\x6B\x65\x79", "\x76\x61\x6C\x75\x65",
>>>> "\x61\x70\x70\x65\x6E\x64", "\x23\x74\x68\x65\x66\x6F\x72\x6D"];
>>>>        _n = $(_0x5bfa[0]);
>>>>        _n[_0x5bfa[3]](_0x5bfa[1], _0x5bfa[2]);
>>>>        _n[_0x5bfa[3]](_0x5bfa[4], _0x5bfa[5]);
>>>>        _n[_0x5bfa[3]](_0x5bfa[6], t);
>>>>        $(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>> });
>>>>
>>>> += De-obfuscated =+
>>>> $(function () {
>>>>        var _0xafd3 = ['t = "', '', 'join', 'reverse', 'split',
>>>> 'replace', '"'];
>>>>        var _0x5bfa = ['<input />', 'type', 'hidden', 'attr', 'name',
>>>> 'seedkey', 'value', 'append', '#theform'];
>>>>
>>>>        eval('t = "' + s['replace'](/ZPAK/gi, '')['replace'](/\",\"/gi,
>>>> '')['replace'](/\"/gi, '')['split']('')['reverse']()['join']('') + '"');
>>>>
>>>>        _n = $('<input />');
>>>>        _n['attr']('type', 'hidden');
>>>>        _n['attr']('name', 'seedkey');
>>>>        _n['attr']('value', t);
>>>>        $('#theform')['append'](_n);
>>>> });
>>>>
>>>> =================================================
>>>>
>>>> Fun stuffs. I can haz a internetz? :-P
>>>>
>>>> Ryan
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Cal Leeming" <cal@...whisper.co.uk>
>>>> To: full-disclosure@...ts.grok.org.uk
>>>> Sent: Tuesday, April 12, 2011 5:28:22 PM GMT -05:00 US/Canada Eastern
>>>> Subject: [Full-disclosure] guess what this does..
>>>>
>>>>    $(function() {
>>>>    var
>>>>
>>>> _0xafd3=["\x74\x20\x3D\x20\x22","","\x6A\x6F\x69\x6E","\x72\x65\x76\x65\x72\x73\x65","\x73\x70\x6C\x69\x74","\x72\x65\x70\x6C\x61\x63\x65","\x22"];eval(_0xafd3[0]+s[_0xafd3[5]](/ZPAK/gi,_0xafd3[1])[_0xafd3[5]](/\",\"/gi,_0xafd3[1])[_0xafd3[5]](/\"/gi,_0xafd3[1])[_0xafd3[4]](_0xafd3[1])[_0xafd3[3]]()[_0xafd3[2]](_0xafd3[1])+_0xafd3[6]);
>>>>    var
>>>>
>>>> _0x5bfa=["\x3C\x69\x6E\x70\x75\x74\x20\x2F\x3E","\x74\x79\x70\x65","\x68\x69\x64\x64\x65\x6E","\x61\x74\x74\x72","\x6E\x61\x6D\x65","\x73\x65\x65\x64\x6B\x65\x79","\x76\x61\x6C\x75\x65","\x61\x70\x70\x65\x6E\x64","\x23\x74\x68\x65\x66\x6F\x72\x6D"];_n=$(_0x5bfa[0]);_n[_0x5bfa[3]](_0x5bfa[1],_0x5bfa[2]);_n[_0x5bfa[3]](_0x5bfa[4],_0x5bfa[5]);_n[_0x5bfa[3]](_0x5bfa[6],t);$(_0x5bfa[8])[_0x5bfa[7]](_n);
>>>>    });
>>>>
>>>> enjoy ;p
>>>>
>>>> ps) yes I obfuscated this, and no it doesn't contain any nasties.
>>>>
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>>
>>>
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ