Sunday, 3 August 2014

Setting up and cracking! [Mac]


Intro
Hello, and welcome to my tutorial. If you – like me – are a Mac user who has been looking to get into reverse engineering, you've probably already Googled around and found nothing but useless stuff (although a few Mac REs actually exist; I'll link my favourite in the 'Credits'). Well, I sat down one day and just began reading, and suddenly I had a working setup and a CrackMe solved.
So, here's my tutorial :-)

Disclaimer
What you do with this knowledge, I am NOT responsible for. The example included is a simple CrackMe, but should you choose to crack some expensive software, I am not to blame if something happens to you! I simply shared some knowledge.
The method I'm using is just one of many. This is just to get you started. You should be able to find another way to crack it when you're done here.


Software
Well, to solve Part 2, we're going to need some software. First of all, you should have Xcode installed. It's a tool for Apple developers, but AFAIK it's available for everyone else too.
Next, you're going to need OTX. There are multiple versions available in lots of places on the internet, but you'll need the latest. If you download one of the older versions, you won't be able to disassemble x64 binaries. You can download the latest from here, using SVN:

Quote: http://otx.osxninja.com/builds/trunk/


You'll need to compile this yourself in Xcode, but that's as easy as opening the .xcodeproj file, choosing 'Archive', and exporting the application to your destination of choice.
Now you'll need class-dump, which can be downloaded from here:

Quote: http://www.codethecode.com/projects/class-dump/

We're also going to use gdbinit, a nifty script created by one of the most helpful Mac REs I've seen. It can be downloaded from here:

Quote: http://reverse.put.as/gdbinit/

Be sure to download the newest version. When this is done, you'll have to move it into your home folder and rename it .gdbinit. This can be done via Terminal like this:

Quote: mv ~/Downloads/gdbinitVERSION ~/.gdbinit

Of course, replace the 'gdbinitVERSION' part with the filename of the file you downloaded, and adjust the path if it's not in your Downloads directory.

Another great tool to get is 'Hopper Disassembler'. It's on the Mac App Store, and is worth every penny (actually, it's pretty cheap!). If you can't afford it, GDB will do just fine for now.
You could choose to use IDA instead, but that's really your choice. I chose to use Hopper and GDB for this. :-)


Using GDB
For this CrackMe we'll be using the GDB debugger. It comes with Xcode (or OS X, not sure TBH) and is used from the Terminal.
There are a few things you should know about GDB. When using gdbinit, we first have to start GDB, like this:

Quote: gdb

Now we’ll choose our ’target’ file, with the following command:

Quote: exec-file ~/MyFolder/MyFolder2/File.app/Contents/MacOS/File

As you see, the .app file you normally launch is actually just a folder. I'm not going to explain how this works, just that you'll find the 'real' executable in the Contents/MacOS/ folder.
To find out what's actually happening while debugging the app, we'll have to set some breakpoints. A breakpoint on an address is set like this:

Quote: break *0x11

But you can break on functions, lines and other things too. So if you want to know when the app is checking the length of a string, you can use the following:

Quote: break [NSString length]

Really, if you know how Objective-C works, this should be easy enough. :-)

To continue when the breakpoint has been reached, just write ’c’ or ’continue’, and the app will continue execution.

We’re also going to have to actually run the app. This can be done by either writing ’r’ or ’run’.
When the app is being paused by a breakpoint, you can exit the app by writing ’kill’, or simply CMD+Q the app while it’s running.

We can also read memory at an address, with a simple command like this:

Quote: x/s *0xADDRESS

This'll output a string.

A list of other format types:

- o (octal)
- x (hex)
- d (decimal)
- u (unsigned decimal)
- t (binary)
- f (float)
- a (address)
- i (instruction)
- c (char)
- s (string)
- T (OSType)

But looking at the app isn't enough for us; we want to change some values too. This can be done with the 'set' command, and it's actually as simple as it seems:

Quote: set $eax = (int) 0x12345

Of course, this can be done with addresses too.

We're also going to use the 'cfz' command from gdbinit, which makes the je, jne and so on not be followed, simply skipping the jump.

For most of these commands there are more options than what I listed, but these are the basics, and they're all we need to solve the CrackMe.
If you want to know more about GDB, look at the help, or Google around.

The cracking part
Well, seems like we’re finally ready to crack something! Yay!
The CrackMe we’re going to use, can be downloaded from here:


I made my own CrackMe too; if you guys want it, I'll upload it so you can have a go at it (although it's VERY easy!).

We need to know what we're up against, so what we want to do is find all functions and global variables. This can be accomplished with class-dump. The following command should do it:

Quote: class-dump "Path/To/File/Challenge #1.app/Contents/MacOS/Challenge #1" >> classdump.txt

This will dump the variables and functions in a file named classdump.txt. This will be in your current working folder (seen by using ’pwd’ in Terminal).
When we open this file, we see a few functions. My classdump.txt looks like this:


Quote:
/*
 * Generated by class-dump 3.3.4 (64 bit).
 *
 * class-dump is Copyright © 1997-1998, 2000-2001, 2004-2011 by Steve Nygard.
 */

#pragma mark -

/*
 * File: /Users/Christian/Desktop/Challenge #1.app/Contents/MacOS/Challenge #1
 * UUID: B4FB5C47-4F51-F65D-E63B-9B5652A2346D
 * Arch: Intel 80x86 (i386)
 *
 * Objective-C Garbage Collection: Unsupported
 */

@interface Level1 : NSObject
{
id errorSheet;
id incorrectSerialSheet;
id mainWindow;
id nameField;
id registeredSheet;
id serialField;
id welcomeSheet;
BOOL hasBeenRegistered;
}

- (void)awakeFromNib;
- (void)applicationDidFinishLaunching:(id)arg1;
- (void)continueWelcomeButton:(id)arg1;
- (void)quitCorrectSerialButton:(id)arg1;
- (void)okErrorSheetButton:(id)arg1;
- (void)okIncorrectSerialButton:(id)arg1;
- (void)cancelButton:(id)arg1;
- (void)unregisterButton:(id)arg1;
- (void)emailResults:(id)arg1;
- (void)verifyRegistration:(id)arg1;
- (BOOL)isRegistered;
- (BOOL)validateSerial:(id)arg1 forName:(id)arg2;
- (BOOL)applicationShouldTerminateAfterLastWindowClosed:(id)arg1;

@end

The method 'verifyRegistration:' seems like something we could use.
Now we want to get the ASM code of this application. It's time to use OTX. Open OTX and drag the binary file into the window. It should recognize it, and you should be able to save the dump.
This file is a little longer, so I'm not going to post the content, but yours should look the same.

In most ASM dumps you're probably not going to get such 'good' output. For everything else I get my hands on, I have to find the addresses using another app (Hopper) first, but in this case we get the method names before the ASM code, which lets us search for our function. Now search for

Quote: -(void)[Level1 verifyRegistration:]

and you’ll get to the function that gets called when you press the ’Register’-button.


I assume you know some ASM before beginning this, so you should be able to spot where the action happens. But if not, here's the 'if' statement that we're going to tamper with:

Quote:
+174 0000293c e81d270000 calll 0x0000505e -[(%esp,1) validateSerial:forName:]
+179 00002941 84c0 testb %al,%al
+181 00002943 0f84f500 je 0x00002a3e
+187 00002949 a100400 movl 0x00004000,%eax standardUserDefaults
+192 0000294e 89442404 movl %eax,0x04(%esp)

Start up Terminal, and load GDB and Challenge #1 as previously explained.
Now we want to set a breakpoint on the address of the jump, so that we can stop it from jumping to the 'bad' message.
This is done like this:

Quote: break *0x00002943

Now we'll run the app, simply by calling 'run'.
The app will open, and you'll be presented with a window telling you about the rules and so on. Continue, and you'll see 'Name' and 'Serial' text fields. Write whatever you want and press the 'Register' button. This will pause the app and should focus the Terminal window.

Write ’cfz’, press enter and the crack is actually done. But since our app is still in pause, we have to tell it to continue running, by using the ’continue’ or ’c’ command.

Now the app will tell us that it's registered successfully, GJ! :-)

Now, as said in the ’Disclaimer’, this is not the only way, but it’s by far the easiest IMO.

Credits
There’s only one guy that I’ll show you, it’s fG.
This guy made a tutorial, that everyone is able to follow, and the blog is worth following. He’s also the author of various tools, including gdbinit. You can find multiple CrackMe’s on his site, and links to other sites.
The blog can be found here: http://reverse.put.as/

The End
If you found any errors or something weird in the tutorial, just let me know, and I’ll fix it ASAP. 
Feel free to ask questions, and I’ll do my best to answer them. :-) 

Cracking Hashes - How-to's And What-Not's


1. Intro
I've seen a few requests for people to crack hashes, and some people aren't doing it right; just leaving a hash is not enough to help us help you.
This tutorial will walk through the basics and try to help you out in your future of hashing.

2. Hashes
It is common practice for most web programmers to secure passwords by storing a hash of the password in the database, because if they don't they risk a major security flaw which can harm their customers and themselves.

Hashing is a branch of cryptography, in a way.
Some encodings can be decoded directly, while hashes you need to brute force.
An example of an encoding that allows decoding is Base64.

2.1 Need-To-Know's about Hashes

Widely used Hash Types include:
MD5 | SHA-1 | SHA-2
This means these 3 are the ones you need to be looking into when you grab a hash.

Type  | Word Size | Collision
MD5   | 32        | Yes
SHA-1 | 32        | Yes
SHA-2 | 64        | No

2.1.1 Hash Collisions
From the table I made above you can see that MD5 and SHA-1 have hash collisions. This means that more than one value can produce the same hash value.
This is common sense, seeing as MD5 and SHA-1 hashes are both 32 characters long, and there is a limit to how many 32-character strings there are; it isn't infinite. So there ought to be a collision at some point.
Code:
H(a) = H(b)

H represents the hash function.

3 Hash Decrypt Sites
Many sites host services where you can MD5-hash whatever you want, but at the same time the service saves both values for later.
So be aware that when you use these services, your MD5 input and output will be saved in their database for their "md5 decode" service.

A list of Hash Decrypt Sites you can use.

- http://www.cmd5.com/english.aspx (457,354,352,282)
- http://www.md5crack.com
- http://www.hashchecker.com
- http://md5cracker.tk/ (MD5 search engine that searches a total of 14 online crackers.)
- http://www.md5decrypter.com (5,889,729)
- http://www.md5oogle.com
- http://md5-db.com (The database is approximately 70gb)
- http://md5.rednoize.com (56,502,235)
- http://gdataonline.com/seekhash.php (3,251,106)
- http://www.tmto.org/?category=main&page=search_md5 (306.000.000.000)
- http://www.milw0rm.com/cracker/insert.php (Milw0rm Cracker db)
- http://blacklight.gotdns.org/cracker/crack.php (2,456,288)
- http://www.shell-storm.org/md5 ( The data base currently contains 169582 passwords )
- http://md5.xpzone.de (Need Account)
- http://passcracking.com/ (Register to increase your priority)
- http://www.xmd5.org

4 Brute Forcing
Most secure CMS's (Content Management Systems) use Salts and different algorithms.
an example is
Common: md5($password);PHP-Fusion: md5(md5($password));VBulliten: md5(md5($password).$salt);MyBB: md5(md5($salt).$password); 
Knowing the Hash + Hash Algorithm is needed when requesting help on cracking a hash.
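As an added example (not from the original post), here are those four schemes written out with Python's hashlib, plus a check of why the salted ones matter for a site owner: the same password stored for several users produces one identical database value under the unsalted schemes, but a different value per user once a salt is mixed in. The user names and salts in the demo are constructed.

```python
import hashlib

def md5_hex(data: str) -> str:
    """Hex MD5 of a string, standing in for PHP's md5()."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()

# The four storage schemes from the tutorial: name -> function(password, salt).
SCHEMES = {
    "Common":     lambda pw, salt: md5_hex(pw),                  # md5($password)
    "PHP-Fusion": lambda pw, salt: md5_hex(md5_hex(pw)),         # md5(md5($password))
    "vBulletin":  lambda pw, salt: md5_hex(md5_hex(pw) + salt),  # md5(md5($password).$salt)
    "MyBB":       lambda pw, salt: md5_hex(md5_hex(salt) + pw),  # md5(md5($salt).$password)
}

def hash_password(scheme: str, password: str, salt: str = "") -> str:
    """Stored value for one password under one scheme (unsalted schemes ignore the salt)."""
    return SCHEMES[scheme](password, salt)

def uses_salt(scheme: str) -> bool:
    """A scheme really uses its salt if changing only the salt changes the output."""
    return hash_password(scheme, "x", "salt-a") != hash_password(scheme, "x", "salt-b")

def distinct_stored_values(scheme: str, password: str, salts) -> int:
    """How many different database values one password produces across users with those salts.
    1 means every user with this password shares a value, so one precomputed lookup covers them all."""
    return len({hash_password(scheme, password, s) for s in salts})

def main():
    # Constructed user table: three users who all chose the same weak password.
    users = {"alice": "kQ3z", "bob": "9pLm", "carol": "Xr7t"}   # name -> per-user salt
    password = "hello"
    print("md5('hello') =", md5_hex(password))
    for scheme in SCHEMES:
        n = distinct_stored_values(scheme, password, users.values())
        print(f"{scheme:11s} salted={uses_salt(scheme)!s:5s} "
              f"distinct values for {len(users)} users: {n}")

if __name__ == "__main__":
    main()
```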

Recommended Brute Forcing Programs
HashCat

HashCat = Linux
HashCat GUI = Windows.

PasswordsPro



4.1 WordLists
To brute force passwords you obviously need a list of words.
Which list to use depends on the speed of your CPU and on how much disk space you want to spend.
You can look at all the different word lists here:

http://hashcrack.blogspot.com/p/wordlist-downloads.html

http://www.net-comber.com/wordurls.html

OR Download the wordlists I used.

NamesNumbers - 4MB - 4000800 Words
Really useful list; it provides the top 200 popular male and female names followed by numbers: Jacob, Jacob0, Jacob1, Jacob2, ..., Jacob1000.
28GB Wordlist - 28GB - 4103549326 Words
I opened this up and it looked pretty useless, as well as a waste of time to look through. Around 28GB of just 6-7 character strings of special characters, letters and numbers, like ()D@WFOWI.
wordlist1 - 107MB - 9657365 Words
This file contains a lot of number combinations as well as common passwords. This has gotten me a few cracks in the past.
UrbanDictionarySlangA-Z - 26KB - 3087 Words
I took the time to copy and paste the top popular A-Z Urban Dictionary words, because some people use slang terms like friend and cumdumpster as a password.
Last Resort
If this tutorial doesn't help you or teach you how to crack hashes, then you can lead me to a nice one, but before you do look at this layout:
Hash:
Hash Algorithm(if known):Salt (if any):CMS(if known):

Common Types Of Password Cracking And Their Countermeasures


Social Engineering

Social engineering is when a hacker takes advantage of trusting human beings to get information from them. For example, if the hacker was trying to get the password for a co-worker's computer, he could call the co-worker pretending to be from the IT department. Social engineering is used for different purposes.

Countermeasure:

If somebody tries to get login information or any other sensitive information from you, ask them some questions. Try to find whether the one who is trying to get the info is legit or not.

Shoulder surfing

This method doesn't require any hacking knowledge. The hacker would simply attempt to look over your shoulder as you type in your password.

Countermeasure:

Make sure nobody’s looking when you type your login info.

Dumpster Diving

Here the hacker would simply try to find any slips of paper on which you have written the password.

Countermeasure:

Do not write your passwords or login information anywhere. If you write, keep them somewhere safe.

Guessing

If yours is a weak password, a hacker could simply guess it using the information he knows about you.
Guessable passwords:
1. Blank (none). (Most websites do not allow blank passwords.)
2. The words "password", "passcode", "admin" and their derivatives.
3. The username or login name.
4. The names of their loved ones.
5. Their birthplace or date of birth.
6. A dictionary word in any language.
7. Automobile license plate number.
8. A row of letters in a standard keyboard layout. Example: asdfghjkl or qwertyuiop etc.
Countermeasure:

Use passwords that are not easily guessable and not found in any dictionary.
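As an added example (not part of the original post), here is a Python check that flags a candidate password against the guessable categories listed above: blank, 'password'/'passcode'/'admin' derivatives, the username, personal details such as loved ones' names, birthplace, date of birth or plate number (passed in as a list), a supplied dictionary, and keyboard rows. The profile and mini wordlist in the demo are constructed.

```python
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
BASE_WORDS = ("password", "passcode", "admin")
TRIM = "0123456789!@#$%^&*._-"   # characters people tack on to make a 'derivative'

def is_derivative(password: str, base: str) -> bool:
    """'Password1', 'admin_2014', '!passcode!' and the like count as derivatives of base."""
    return password.lower().strip(TRIM) == base

def guessable_reasons(password, username="", personal=(), dictionary=()):
    """Return the reasons a password is guessable; an empty list means none of the
    tutorial's categories matched. `personal` holds names of loved ones, birthplace,
    date of birth and plate numbers; `dictionary` is an iterable of dictionary words."""
    pw = password.strip()
    low = pw.lower()
    reasons = []
    if not pw:
        reasons.append("blank")
    if any(is_derivative(pw, b) for b in BASE_WORDS):
        reasons.append("'password'/'passcode'/'admin' or a derivative")
    if username and low == username.lower():
        reasons.append("same as the username")
    for token in personal:
        if len(token) >= 3 and token.lower() in low:
            reasons.append(f"contains personal information ({token})")
    if low in {w.lower() for w in dictionary}:
        reasons.append("dictionary word")
    if len(low) >= 4 and any(low in row or low in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("row of keys on a standard keyboard")
    return reasons

def main():
    # Constructed profile and mini dictionary for the demo.
    profile = dict(username="jsmith", personal=("Jacob", "Denver", "1990", "ABC123"),
                   dictionary=("house", "monkey", "sunshine"))
    for candidate in ("", "Password123", "jsmith", "jacob2014", "monkey", "qwerty", "x9!Lq#7vPz"):
        print(repr(candidate), "->", guessable_reasons(candidate, **profile) or "OK")

if __name__ == "__main__":
    main()
```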

Dictionary Attacks

A dictionary attack is when a text file full of commonly used passwords, or a list of every word from the dictionary is used against a password database. Strong passwords usually aren’t vulnerable to this kind of attack.

Countermeasure:

Use passwords that are not found in a dictionary in any language.

Brute-force Attacks

Brute-force attacks can crack any password. Brute-force attacks try every possible combination of letters, numbers, and special characters until the right password is found. Brute-force attacks can take a long time. The speed is determined by the speed of the computer running the cracking program and the complexity of the password.

Countermeasure:

Use a password that is complex and long. A brute-force attack may take hundreds, even thousands of years to crack a complex and long password.

Rainbow Tables

A rainbow table is a huge pre-computed list of hashes for every possible combination of characters. A password hash is a password that has gone through a mathematical algorithm (such as MD5) that transformed it into something which is not recognizable. A hash is one-way, so once a password is hashed there is no way to get the original string back from the hashed string. A very common hashing algorithm used to store passwords in website databases is MD5. It is almost like a dictionary attack; the only difference is that in a rainbow table attack the hashed values are compared, whereas in a dictionary attack the plain words are tried as passwords. 'hello' in MD5 is 5d41402abc4b2a76b9719d911017c592.

Countermeasure:

Choose a password that is long and complex. Creating tables for long passwords takes a very long time and a lot of resources.

Phishing

Many hackers and internet security experts say that phishing is the easiest and most popular way to get account details. In a phishing attack the hacker sends the victim a link to a fake Facebook (or any other) login page, which the hacker has created or downloaded and uploaded to a free hosting site like http://www.100mb.com or any other free webhost. The hacker sends the fake login page link through e-mail, while chatting, etc. When the victim enters the login details, the victim is redirected to the original login page and the hacker gets the victim's login details.

Countermeasure:

Phishing attacks are very easy to avoid. When you are asked to put your personal information into a website, look at the URL bar. If, for example, you are supposed to be on facebook.com and the URL bar says something like facebook.something.com, then you should know it's fake.
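As an added example (not from the original post), here is the URL-bar check from the countermeasure written out in Python: a page belongs to the site only if its hostname is exactly the legitimate domain or a subdomain of it, so lookalikes of the 'facebook.something.com' kind, a legit name hidden in the user@ part of a URL, and a login page parked on a free host all fail. The sample links are constructed.

```python
from urllib.parse import urlsplit

def hostname_of(url: str) -> str:
    """Hostname as a browser would show it: lower-case, no port, no user@ prefix."""
    if "://" not in url:            # bare 'www.example.com/login' pasted from a chat message
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def belongs_to(url: str, legit_domain: str) -> bool:
    """True only if the host is legit_domain itself or ends with '.' + legit_domain."""
    host = hostname_of(url)
    legit = legit_domain.lower().rstrip(".")
    return host == legit or host.endswith("." + legit)

def classify(urls, legit_domain: str) -> dict:
    """Map each URL to 'genuine' or 'lookalike' for a report."""
    return {u: ("genuine" if belongs_to(u, legit_domain) else "lookalike") for u in urls}

# Constructed sample links of the kinds the tutorial describes.
SAMPLE_LINKS = [
    "https://www.facebook.com/login",                   # genuine
    "https://FACEBOOK.COM/",                            # genuine, only the case differs
    "http://facebook.something.com/login",              # the example from the text
    "http://facebook.com.login-check.example/",         # legit name used as a subdomain
    "http://facebook.com@free-host.example/login.php",  # legit name hidden before the '@'
    "http://www.100mb.com/facebook.com/login.php",      # login page parked on a free host
]

if __name__ == "__main__":
    for link, verdict in classify(SAMPLE_LINKS, "facebook.com").items():
        print(f"{verdict:9s} {link}")
```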

RATing and Keylogging

In keylogging or RATing the hacker sends a keylogger server or RAT server to the victim. The keylogger records every keystroke of the victim. When the victim types the account details, the keylogger records them and sends them to the hacker.

Countermeasures:

It is better to use on-screen keyboards or virtual keyboards while typing login info or personal info. Install the latest anti-virus software and keep it updated.



Note: There are several other types of password cracking but, these are the most common types.

If you liked this tutorial, a simple thanks wouldn't take more than 10 seconds.

Hope you liked the tut. :)