November 1st, 2014

How Gentoo got hacked

I picked this image up from the SensePost blog. It appears to be logs from the Gentoo server that got hacked into about a week ago.

Update: Here are some more details on the hack in the bug report for “Gentoo Website Command Injection Issue” on the Gentoo website. :)

Microsoft “hacker” blog

Looks like Microsoft has a new hacker blog that they just put up. It’ll be interesting to see if any real content gets put up, but somehow I doubt there will.

We had a good meeting at the east-coast MRL corollary meeting (VRL) last night. Pretty low key. We talked about Scapy, fuzzing smart phones and ate pizza.


Thanks to everyone who showed up for the meeting. As promised, slides and a tarball have been posted:



August meeting announcement

/* **************************************************************************** 
*                           Midnight Research Labs                            * 
*                      !! August Meeting announcement !!                      * 
*                        (                        * 
**************************************************************************** */ 
                        __  ____    __     _      __   __
                       /  |/  (_)__/ /__  (_)__ _/ /  / /_
                      / /|_/ / / _  / _ \/ / _ `/ _ \/ __/
                     /_/  /_/_/\_,_/_//_/_/\_, /_//_/\__/
                        ___               /___/       __
                       / _ \___ ___ ___ ___ _________/ /
                      / , _/ -_|_-</ -_) _ `/ __/ __/ _ \
                     /_/|_|\__/___/\__/\_,_/_/  \__/_//_/
                              __        __
                             / /  ___ _/ /  ___
                            / /__/ _ `/ _ \(_-<
                           /____/\_,_/_.__/___/

                Fellow Hackers, Slackers, and Code-crackers:   

        On Sunday August 19th at 12pm PST (noon) we will be holding our monthly 
        official Midnight Research Labs meeting.   

        This month will be focused on reverse engineering and other CTFish 
        exploits.  Jason will be presenting his reverse engineering 

        Light refreshments, and pizza will be served.   

                Phase 0x0: Bootstrapping 
                  - Greetings and welcome 
                  - MRL updates and status 
                Phase 0x1: Initialization 
                  - Reverse engineering/exploitation presentation 
                  - Open mic / lightning round presentations 
                Phase 0x2: Local exploits 
                  - Food 
                  - OSX GUI development for wicrawl 
                  - Wake in memorial of the E drive (2004-2007) 
                  - Off topic tools, toys and other shiny things -- If anyone 
                    has any interesting to show off or play with, please bring 
                  - Whatever till whenever -- This is the more social 
                    part of the event.  People are invited to stay and 
                    hack and have a couple drinks till whenever this 
                    phase is no longer self-sustaining, =)   

        This is an "invite only" event, so, don't distribute the location to 
        just anyone =).  That being said, we're still looking for active 
        members, so if you know someone that would be interested in 
        contributing and want to sponsor or vouch for them, feel free to bring 
        them along (let me know in advance if possible)   


        The usual place in Mountain View.  If you don't know where it is, do
        the social networking thing to find an MRLer or ask your sponsor.

Random API of the Day

Today’s API is the traditional UNIX API login(3), which appends a record to
the system utmp and wtmp databases: utmp is the table of sessions currently
open that who(1) reads, and wtmp is the append-only login history behind
last(1). That is how the sysadmin figures out who’s using the computer.
On most systems, you use it something like this:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/time.h>
#include <pwd.h>

/* login(3) and struct utmp live in different headers per platform */
#if defined(__linux__)
#include <utmp.h>       /* glibc: link with -lutil before glibc 2.34 */
#elif defined(__APPLE__)
#include <utmp.h>
#include <util.h>       /* Mac OS X */
#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
#include <utmp.h>
#include <libutil.h>    /* BSD (FreeBSD 9+ moved to utmpx and its own API) */
#else
#include <utmpx.h>      /* Solaris and IRIX: utmpx family, different field names */
#endif

/* Returns 0 on success, -1 if the record could not be built. */
int log_user(void)
{
  struct utmp ut;
  struct timeval tv;
  struct passwd *pw;
  const char *tty;

  if (geteuid() != 0) {
    fprintf(stderr, "You need to be root.\n");
    return -1;
  }

  memset(&ut, 0, sizeof(ut));

  /* Here's how to fill out the structure on one OS (Linux/glibc) */
  ut.ut_type = USER_PROCESS;
  ut.ut_pid = getpid();

  /* ttyname() is NULL when stdin is not a terminal, and ut_line wants the
     name without "/dev/". The fields are fixed width and need not be
     NUL-terminated, so bound every copy by the field size. */
  tty = ttyname(STDIN_FILENO);
  if (tty == NULL)
    return -1;
  if (strncmp(tty, "/dev/", 5) == 0)
    tty += 5;
  strncpy(ut.ut_line, tty, UT_LINESIZE);

  pw = getpwuid(getuid());
  if (pw == NULL)
    return -1;
  strncpy(ut.ut_user, pw->pw_name, UT_NAMESIZE);

  gethostname(ut.ut_host, UT_HOSTSIZE);

  /* ut_tv is an int32 pair on 64-bit glibc, not a struct timeval,
     so copy the members instead of passing &ut.ut_tv to gettimeofday(). */
  gettimeofday(&tv, NULL);
  ut.ut_tv.tv_sec = tv.tv_sec;
  ut.ut_tv.tv_usec = tv.tv_usec;

  login(&ut);   /* appends the record to utmp and wtmp */
  return 0;
}


On nearly all systems, login(3) just writes out some database records to
some log files, usually utmp and wtmp. It does no checking of what it
writes: the caller supplies ut_user, ut_line and ut_host, and whoever can
write those files (root, or the utmp group on many Linux distributions) can
append a forged record or skip the call entirely, so the output of who(1)
and last(1) is accounting, not evidence. It may surprise you to know that
any remote logging that’s provided by your system is done by the login(1)
program, not the login(3) API. In fact, it’s possible to log in
successfully without ever using login(3) if your site uses another
mechanism for accounting, such as a dedicated WORM logger.
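To see the other side of login(3), here is an added example (not code from the original post) that parses utmp/wtmp records the way who(1) and last(1) do. It targets glibc’s struct utmp on Linux and works on constructed in-memory records rather than /var/run/utmp, so it runs offline; the record values, the 32-byte user name and the seven junk bytes at the end are all made up for the demo.

```c
/* Added example: reading utmp/wtmp records with the care the fixed-width
 * fields demand. Records are constructed here, not read from the system. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <sys/types.h>
#include <utmp.h>

#define MAX_RECS 16

/* Fill a fixed-width field. struct utmp fields are NOT guaranteed to be
 * NUL-terminated: a name of exactly UT_NAMESIZE bytes fills the field. */
static void put_field(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    memset(dst, 0, n);
    while (i < n && src[i] != '\0') { dst[i] = src[i]; i++; }
}

/* Build one record. ut_tv is an int32 pair on 64-bit glibc, so set members. */
static struct utmp mk(short type, pid_t pid, const char *line,
                      const char *user, const char *host, int32_t sec)
{
    struct utmp u;
    memset(&u, 0, sizeof u);
    u.ut_type = type;
    u.ut_pid = pid;
    put_field(u.ut_line, UT_LINESIZE, line);
    put_field(u.ut_user, UT_NAMESIZE, user);
    put_field(u.ut_host, UT_HOSTSIZE, host);
    u.ut_tv.tv_sec = sec;
    return u;
}

/* Split a raw utmp/wtmp byte buffer into records. A length that is not a
 * multiple of sizeof(struct utmp) means a torn trailing record (crash or
 * tampering): keep the complete ones and flag it. */
size_t parse_utmp(const unsigned char *buf, size_t len,
                  struct utmp *out, size_t max, int *truncated)
{
    size_t n = len / sizeof(struct utmp);
    *truncated = (len % sizeof(struct utmp)) != 0;
    if (n > max) n = max;
    memcpy(out, buf, n * sizeof(struct utmp));
    return n;
}

/* who(1) logic: a USER_PROCESS record is a live session unless a later
 * DEAD_PROCESS record for the same ut_line closes it. */
size_t count_active(const struct utmp *recs, size_t n)
{
    size_t active = 0;
    for (size_t i = 0; i < n; i++) {
        int closed = 0;
        if (recs[i].ut_type != USER_PROCESS) continue;
        for (size_t j = i + 1; j < n && !closed; j++)
            if (recs[j].ut_type == DEAD_PROCESS &&
                memcmp(recs[j].ut_line, recs[i].ut_line, UT_LINESIZE) == 0)
                closed = 1;
        active += !closed;
    }
    return active;
}

/* wtmp is append-only by convention, so time should not run backwards.
 * A record dated before its predecessor hints at an edited or spliced file. */
size_t count_time_regressions(const struct utmp *recs, size_t n)
{
    size_t bad = 0;
    for (size_t i = 1; i < n; i++)
        bad += recs[i].ut_tv.tv_sec < recs[i - 1].ut_tv.tv_sec;
    return bad;
}

/* Constructed sample: boot, two logins, one logout, one backdated login,
 * plus 7 junk bytes standing in for a torn trailing record. */
size_t sample_records(struct utmp *out, size_t max, int *truncated)
{
    struct utmp src[5];
    unsigned char buf[sizeof src + 7];
    src[0] = mk(BOOT_TIME, 0, "~", "reboot", "", 1000);
    src[1] = mk(USER_PROCESS, 1201, "pts/0", "alice", "10.0.0.5", 1100);
    src[2] = mk(USER_PROCESS, 1305, "pts/1",
                "abcdefghijklmnopqrstuvwxyz012345", "10.0.0.9", 1200); /* 32 bytes: no NUL */
    src[3] = mk(DEAD_PROCESS, 1201, "pts/0", "", "", 1300);
    src[4] = mk(USER_PROCESS, 1400, "pts/2", "mallory", "", 900);       /* backdated */
    memcpy(buf, src, sizeof src);
    memset(buf + sizeof src, 0x41, 7);
    return parse_utmp(buf, sizeof buf, out, max, truncated);
}

struct summary { size_t records; int truncated; size_t active; size_t regressions; char long_name_last; };

struct summary summarize_sample(void)
{
    struct utmp recs[MAX_RECS];
    struct summary s;
    s.records = sample_records(recs, MAX_RECS, &s.truncated);
    s.active = count_active(recs, s.records);
    s.regressions = count_time_regressions(recs, s.records);
    s.long_name_last = recs[2].ut_user[UT_NAMESIZE - 1];
    return s;
}

int main(void)
{
    struct utmp recs[MAX_RECS];
    int trunc;
    size_t n = sample_records(recs, MAX_RECS, &trunc);
    for (size_t i = 0; i < n; i++)   /* explicit width: plain "%s" would read past a full field */
        printf("%d %-*.*s %-*.*s %ld\n", recs[i].ut_type, UT_NAMESIZE, UT_NAMESIZE, recs[i].ut_user,
               UT_LINESIZE, UT_LINESIZE, recs[i].ut_line, (long)recs[i].ut_tv.tv_sec);
    printf("records=%zu truncated=%d active=%zu regressions=%zu\n",
           n, trunc, count_active(recs, n), count_time_regressions(recs, n));
    return 0;
}
```

Two of the records are there on purpose: the 32-byte user name shows why every read of ut_user must be bounded by UT_NAMESIZE, and the backdated entry shows the one cheap tamper check a wtmp has to offer, since nothing in the file format authenticates a record.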

GSM hacking

I knew there would be some cool stuff that came up at the CCC Camp this year (hopefully next time around I can make it, I’m pretty jealous of anyone else that was able to get on the hackers on a plane event :). From Eliot’s (of hack-a-day) report, it sounds like David Hulton and Steve Schear gave an interesting presentation on cracking the A5 encryption used by GSM handsets. If you’re not already familiar with the other work that David Hulton does on cracking with FPGAs, you should check it out. Even the latest version of wicrawl benefits from his work, and has hardware acceleration support built in for WPA-PSK cracking with Pico Computing FPGAs.

Here is an excerpt from their talk summary:

Some of the most promising attacks include implementing the ciphertext-only attack published by Barkan, Biham, and Keller and other variations that essentially build a rainbow table for reversing parts of A5/1. We have also found that FPGAs have the potential of being able to brute force the A5/1 keyspace in a reasonable timeframe so we will also present on the feasibility and the amount of hardware required to brute force the keyspace in different scenarios.

And Eliot put together a good summary you should check out. Here’s another excerpt:

Using a box with at least 27 FPGAs they plan on constructing a 6+ terabyte rainbow table (it’ll take a couple months). Once complete, any GSM conversation can be cracked in less than 5 minutes using a single FPGA. The Hackers Choice has more info on the USRP based GSM analyzer and what they did to crack A5.

6 terabytes. Wow. I wonder if they’ll be torrenting that, :)
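The “months of precomputation, then minutes per conversation” trade in the excerpts is the classic time-memory trade-off, and it is easier to see on a toy than on A5/1. The following is an added example, not from the talk or the post: a rainbow table over a made-up 20-bit one-way function that stands in for the A5/1 state-to-keystream map. The function, the reduction function and the table parameters (4096 chains of 256 columns) are assumptions for the demo; a real A5/1 table targets the 64-bit internal state and is sized accordingly.

```c
/* Added example: a rainbow table on a toy 20-bit function. Everything here
 * (f, reduce, CHAINS, CHAIN_LEN) is invented for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#define KEY_BITS  20
#define KEY_MASK  ((1u << KEY_BITS) - 1u)
#define CHAINS    4096   /* m: rows kept on disk; the "6 terabytes" in a real table */
#define CHAIN_LEN 256    /* t: online work per lookup grows with t               */

/* Toy one-way function f: keyspace -> output space (same size here). */
static uint32_t f(uint32_t k)
{
    uint32_t x = (k & KEY_MASK) * 0x9E3779B1u;
    x ^= x >> 15;
    x *= 0x85EBCA77u;
    x ^= x >> 13;
    return x & KEY_MASK;
}

/* Reduction: maps an output back into the keyspace. A different reduction
 * per column is what makes the table "rainbow": two chains only merge if
 * they collide in the same column, which keeps coverage from collapsing. */
static uint32_t reduce(uint32_t y, uint32_t col)
{
    return (y + col * 0x9E37u) & KEY_MASK;
}

/* Walk a chain from column `from` up to (not including) column `to`. */
static uint32_t walk(uint32_t k, uint32_t from, uint32_t to)
{
    for (uint32_t c = from; c < to; c++)
        k = reduce(f(k), c);
    return k;
}

struct entry { uint32_t start, end; };
static struct entry table[CHAINS];
static int built = 0;

static int cmp_end(const void *a, const void *b)
{
    uint32_t x = ((const struct entry *)a)->end, y = ((const struct entry *)b)->end;
    return (x > y) - (x < y);
}

/* Precomputation: m*t evaluations of f, but only m (start, end) pairs kept. */
void build_table(void)
{
    if (built) return;
    for (uint32_t i = 0; i < CHAINS; i++) {
        uint32_t start = (i * 0x2545Fu + 0x1234u) & KEY_MASK;  /* arbitrary distinct starts */
        table[i].start = start;
        table[i].end = walk(start, 0, CHAIN_LEN);
    }
    qsort(table, CHAINS, sizeof table[0], cmp_end);
    built = 1;
}

/* Online phase: given target = f(k) for unknown k, guess the column it sat
 * in, finish the chain from there and look the end point up. A hit is only
 * a candidate (merged chains give false alarms), so re-walk to verify. */
int lookup(uint32_t target, uint32_t *key)
{
    build_table();
    for (int col = CHAIN_LEN - 1; col >= 0; col--) {
        struct entry probe = { 0, walk(reduce(target, (uint32_t)col), (uint32_t)col + 1, CHAIN_LEN) };
        struct entry *e = bsearch(&probe, table, CHAINS, sizeof table[0], cmp_end);
        if (e == NULL) continue;
        while (e > table && (e - 1)->end == probe.end) e--;  /* back up to first duplicate end */
        for (; e < table + CHAINS && e->end == probe.end; e++) {
            uint32_t k = walk(e->start, 0, (uint32_t)col);
            if (f(k) == target) { *key = k; return 1; }
        }
    }
    return 0;  /* not covered: the table is probabilistic, not exhaustive */
}

/* A key sitting in column `col` of chain `chain` is covered by construction. */
int recovers_covered_key(uint32_t chain, uint32_t col)
{
    uint32_t k, found;
    build_table();
    k = walk(table[chain % CHAINS].start, 0, col);
    return lookup(f(k), &found) && f(found) == f(k);
}

/* Coverage estimate: how many of n arbitrary keys does the table crack? */
int coverage_count(int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        uint32_t k = (0xABCDEu + 7919u * (uint32_t)i) & KEY_MASK, found;
        hits += lookup(f(k), &found);
    }
    return hits;
}

int main(void)
{
    printf("table: %d chains x %d columns = %d f-evaluations, %zu bytes stored\n",
           CHAINS, CHAIN_LEN, CHAINS * CHAIN_LEN, sizeof table);
    printf("covered key recovered: %d\n", recovers_covered_key(5, 37));
    printf("coverage over 200 sample keys: %d\n", coverage_count(200));
    return 0;
}
```

With m*t equal to the keyspace, the table stores 1/256 of the brute-force work and cracks roughly half of all keys in about t²/2 evaluations each; doubling the number of chains raises coverage, which is exactly the storage-versus-success dial the talk summary is turning with its 27 FPGAs and 6+ terabytes.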

VM escaping

I’m pretty surprised this hasn’t been more highly publicized in the last week, but I guess that everyone is recovering from Defcon/Blackhat/SANSfire. Apparently there was a recent VMware escaping demo given at SANSfire this year. There were a few new tools demoed (my favorite by name alone would have to be either “VMdrag-n-hack”, or possibly “VMdrag-n-sploit”) with some pretty interesting capabilities. While details are a little light on the actual escaping exploit, it seems they did show a live demo of an exploit that was able to crash a guest OS, and run code on the host OS. This has obvious amazingly crazy implications since many people use VMware for not only malware analysis, but for general segregation of services/vhosts/applications/OSs/etc with the assumption that each guest is securely isolated from each other. The bottom line is that this is not a safe assumption and precautions should be taken against any shared medium, despite its logical separation.

Thanks to Larry of PaulDotCom Security Weekly for hanging out with us at the Kenshoto party and telling us about this at Defcon on Saturday.

wicrawl backtrack module

Here is the updated wicrawl backtrack module. If you already have a backtrack CD, you can use this by downloading the module into the current directory and typing “uselivemod wicrawl-0.4a-backtrack2.lzm“. I should have the full CD uploaded soon as well. Thanks!

wicrawl release 0.4a

w00t. We’re happy to finally post the latest wicrawl version 0.4a, along with the slides from the defcon talk today.

Here is the 0.4a release of wicrawl.

Check out the projects page for some details (more updates will happen there in the near future), or the wicrawl wiki which has information on installing, troubleshooting, and card support, etc. If you have any issues, send mail to, or for general information feel free to join the wicrawl-users mailing list.

Here are updated slides for the defcon talk today if you’re interested.

Update: I’ll post the backtrack with updated wicrawl .iso (or a .torrent of it) in the next day or two.

wicrawl release (coming in a bit)

Welcome defcon attendees! If you’re looking for the latest version of the wicrawl code, the CD or the slides from my presentation, I’ll be posting them shortly. I do have stickers left if you’re interested. Thanks for all that came out!
