Top 500 Passwords

The starting point of every password cracker (or should be). Of course the first ten from the list are: 123456, password, 12345678, 1234, pussy, 12345, dragon, qwerty, 696969, mustang. There are some small variations from top password lists around the web, but they cover up most of them.

Anyway take a look at the Top 500 Worst Passwords Of All Time to get the big picture of password complexity/safety from an average users perspective.

Wordlists

The most important resource when it comes down to password cracking. Some wordlists (and collections of wordlists): Oxford Uni Wordlists, The Argon Wordlists, Wordlists for brute forcing, Openwall Wordlists Collection, Outpost9 Wordlists, Packetstorm Wordlists. How was I to forget Milw0rm’s dictionary full of funky passwords.

Also don’t forget that some tend to use l33t passwords. Forging a l33t wordlist would also bring a higher success rate.

cat words.dic | sed s/e/3/g | sed s/a/4/g | sed s/i/1/g | sed s/o/0/g > leet.dic

Profiled Wordlists

If the above wordlists didn’t cover already all the words you needed, than you may be also interested in password profiling. One such tool (script) is Wyd which produces wordlists from given html, doc, mp3, jpeg, pdf, php files. You can imagine the abundity of uncommon words that may be extracted from files like doc, pdf, mp3.

Still not satisfied? As a last instance I would recommend the Associative Word List Generator.

The Associative Word List Generator (AWLG) is a tool that generates a list of words relevant to some subjects, by scouring the Internet in an automated fashion.

Gave it a couple of tries and can say that it seems very useful. One thing that surprised me about it was that it threw some css/javascript code in the result. Parser bug? Who knows.

Password versus Pass Phrase

I think that passwords should be put in a chest and buried alongside with all the uppercase/lowercase, special characters enforcements. I really don’t want to have jk3$x@#I as a password.

Instead I would recommend developers to enforce passwords to a minimum of 10 characters. Also I would recommend sysadmins to check periodicaly the passwords with wordlists just to make sure that their systems won’t be penetrateble due to foolish passwords.

Another thing about malware, as I pointed it out in my article about the AV industry, they tend to use the same code with minor modification; to be read as strains. If you’re new to this term (Malware), then I would recommend you an introductive article: Stop malware in it’s tracks.

Following the latest article on F-Secure Downadup has 2,395,963 infections worldwide. Of course this is an optimistic scenario, even for a skeptic person at numbers as I am. You can see now the big threat that malware posses, that’s why we should protect ourselves…

Greasemonkey: Malware Script Detector

Malware Script Detector is a Greasmonkey script which will:

Detect & Alert Malicious JavaScript : XSSProxy, XSS-Shell, AttackAPI, Beef. But No guarantee for full prevention of XSS-Injection threats. Many ways to bypass it such as via iframes but I’m sure it protects you from casual attackers.The main objective of developing Malware Script Detector is that I’m so much afraid of XSSProxy, XSS-Shell, AttackAPI, Beef and I want to detect them. Malicious sites intentionally embed them. Firefox XSS Warning addon can’t check this.

It’s a highly recommended script, because malware scripts can be as dangerous as normal malware. The difference is that normal malware posses little threat if you download software from official sources, and verify the checksum…

Malware Blocker

Malware Blocker is a tool useful before and after infection. The description of the program (as taken from SourceForge):

Malware-Blocker blocks communication from your computer to any server that is known to be a malicious one. It does that by replacing your HOSTS file (deep inside Windows directory) with a blacklist of malicious servers, which are redirected to 0.0.0.0

The projects last update is from February 2005. Although likely outdated it maintains a constant number of downloads, this being the reason I recommend it. Who knows what funky old school malware will you cross upon one day…

MalZilla

This is an unexpected turn, is it? First of all you would probably like to know what MalZilla is. In simple words:

Malzilla is an advanced malware-hunting tool specialized for hunting web-based exploits, decode obfuscated JavaScripts etc.

Although limited only for malware scripts I can guaranty you that its very good at it, giving you all the tools needed for such a task. More information in it’s own pdf file, which comes along with the package.

Most of you can ignore the last application presented, I would think that having the first two installed is more than enough for regular users. And no, it’s not dangerous playing with malware if you got the proper tools.

A good guide (article) on configuring safely PHP can be found here, but for the ones truly interested about the subject I would recommend the PHP 5 from OWASP. Guide which besides telling you how to configure PHP, also presents the implication of every insecure configuration of it.

Another thing I would modify (and it’s not mentioned anywhere) is the session cookies lifetime. Maybe a little annoying for the visiting user, but it protects better (sometimes) against CSRF that a cookie which expires on browser restart.

session.cookie_lifetime = 600

But don’t think you’re done yet… This is just the beginning. The guys back at PHP Security Consortium have created an automated testing suite for PHP configuration. You can download it from here.

Doing the test on the php.ini-dist gave me 7 Notices, 2 Passes and 3 Warnings. And doing the tests on php.ini-recommended gave me 5 Notices, 4 Passes and 3 Warnings.

If you think that is too much effort, than you’re gonna love their alternative. As the testing suite above, they have also created a Greasemonkey script version. You can download it from here. For Greasemonkey phpinfo() Security Checker to work you just have to visit a page that outputs the result of phpinfo().

Adobe Reader oriented attack was also the malicious injection on my last hosting service…

In the recent issue of (in)SECURE Magazine, namely issue 21, there is an article named “Malicious PDF: Get owned without opening” by Didier Stevens which shown an exploit in an Adobe Reader filter which made possible successful exploitation without file opening.

When a PDF document is listed in a Windows Explorer window, the PDF column handler shell extension will be called by Windows Explorer when it needs the additional column info. The PDF column handler will read the PDF document to extract the necessary info, like the Title, Author, etc. (…) Under the right circumstances, a Windows Explorer Shell Extension will read the PDF document to provide extra information, and in doing so, it will execute the buggy code and trigger the vulnerability

Other ways how the exploit could be launched (from the explorer window) where by: selecting the pdf (left click), hovering over it and changing the folder view to “Thumbnail”.


All these previous exploitation scenarios required minimal user interaction, but the author had another card in his pocket. The JBIG2Decode vulnerability could be exploited by the Windows Indexing Service alone, the only difference being that this way the exploit would run with less privileges; namely with Local System ones…

There you have it, another reason to switch to a pdf reader alternative.

UPDATE: a resourceful article about pdf exploitation can be found here.

Due to this direction that Twitter is adopting (involuntarily) dozens of web applications have sprung up; from url shortening services to web applications like: WeFollow, TwitterSheep, TwitterTag, TwitVid, YFrog, TwitPic and many more…

Anyway, we’re going to talk about TwitPic… Among some annoyances it comes with; like: using HTTP even if SSL certificate is available, requesting username/password instead of using OAuth; recently (or at least I noticed yesterday and the blog didn’t work for me now) it implemented a more than annoying feature.

What’s wrong?

If you are using TwitPic you may notice that on the upload page there is a notice after the upload form, and I quote (partially, because I don’t want my account to be spammed):

Did you know you can post photos from your phone?
Just send your photos to
dblackshell.1768@twitpic.com

You can use the Subject line of the email to send a message along with your photo

A series of issues arise from this point onwards:

1. TwitPic stores usernames and passwords somewhere in plain text for Basic Auth authentication and tweeting when contacted via email.

2. The email option cannot be deactivated. Once you’ve logged to TwitPic you’re already vulnerable in a smaller or larger percentage.

3. The generated email address is of the format twitter_username.xxxx@twitpic.com, where xxxx is in a numeric format.

And how is that wrong?

It depends. On a targeted attack someone wouldn’t mind putting some effort in it. There are enough free hosting services out there which give you email sending functionality (restricted by a daily number thou), so mass mailing would be an option. Or welcome…

CSRF!

The setting page is CSRFeable, so setting a desired PIN (the 4 number digit) by the attacker isn’t out of the question.

How could this be beneficial for an attacker?

If you’re asking this question, maybe you should do more research on how influential people may be helpful for someone with obscure intentions.

• Would you click on a link Obama would post?
• What if I would have posted that tweet (assuming he ever used TwitPic)?
• What if on the landing page would be a Adobe Reader (it’s in vogue) exploit, browser exploit or some gay nigga porn (just for the lulz)?

p.s. If you were logged into TwitPic at the moment you visited this page, feel free to share you twitter username :)

Filters

In the filters extensions we have 3 types of filters: validate, sanitize and other filters. Let’s take em each separately and see what the extension has to offer us.

Validate Filters
• Data Type Validation
  • FILTER_VALIDATE_BOOLEAN

    Validates if the specified variable/value is a boolean value.

  • FILTER_VALIDATE_FLOAT

    Validate if the specified variable/value is of type float.

  • FILTER_VALIDATE_INT

    Besides the fact that it validates integers it allows you to specify a range in which the specified variable or value should be. It also allows you to validate octal and hexadecimal numbers.

• String Validation
  • FILTER_VALIDATE_EMAIL

    Validates if the variable/value is a well formed email address.

  • FILTER_VALIDATE_IP

    Can be used for validating IPv4/IPv6 addresses, having flags to disallow reserved/private IP ranges.

  • FILTER_VALIDATE_REGEXP

    Validates variable/value with regular expressions.

  • FILTER_VALIDATE_URL

    Validate URL’s. I wouldn’t recommend it though, since it validates 'http://...'. Better of with regular expressions here.

Sanitize Filters
• FILTER_SANITIZE_EMAIL

  I highly recommend to not use this filter, because it won’t sanitize the email address. The characters !#$%&'*+-/=?^_`{|}~@.[] will remain intact.

• FILTER_SANITIZE_ENCODED

  URL-encode string, optionally strip or encode special characters.

• FILTER_SANITIZE_MAGIC_QUOTES

  Applies addshashes() to the specified variable/value. Seriously, shouldn’t this be extinct already. I though we should have left them behind once we moved away from PHP 4.x. Try to not use this one, because in some SQL systems backslashes are not escape characters.

• FILTER_SANITIZE_NUMBER_FLOAT

  Remove all characters except digits, +- and optionally .,eE.

• FILTER_SANITIZE_NUMBER_INT

  Remove all characters except digits, plus and minus sign.

• FILTER_SANITIZE_SPECIAL_CHARS

  HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

• FILTER_SANITIZE_STRING

  Strip tags, optionally strip or encode special characters.

• FILTER_SANITIZE_STRIPPED

  Alias for the above filter.

• FILTER_SANITIZE_URL

  Remove all characters except letters, digits and $-_.+!*'(),{}|^~[]`<>#%";/?:@&=.

• FILTER_UNSAFE_RAW

  Do nothing, optionally strip or encode special characters.

Other Filters
• FILTER_CALLBACK

  Call user-defined function to filter data.

As you must have noticed the sanitizing filters are pretty bad, some even repetitive. Although haven’t marked red all of them, I surely won’t use them. For sanitizing (against XSS) I’ll use good old strip_tags() combined with htmlspecialchars() because this way I can define quote style encoding, and charset in which to encode. As for safe SQL queries, I use db specific functions.

Functions

Ok, so we had some complains about the filters. But let’s look beyond that for a moment and see what the filtering functions have to offer us.

• filter_has_var

Through this function we can check if a POST, GET, ENV, SERVER, COOKIE value has been set.

if(filter_has_var(INPUT_POST, 'submit')) {
  echo 'yes the submit value has been set';
}

Although this might seem similar to a isset() usage, be not fooled by it. It (probably) takes a snapshot of all the superglobals (POST, GET, ENV, SERVER, COOKIE) so…

/*
 submit isn't set
*/
$_POST['submit']=1;
if(filter_has_var(INPUT_POST, 'submit')) {
  echo 'this will not be echoed';
}

Is this a good thing? Well, it depends. Haven’t seen till now somebody who controlled the flow of the application (in a script) through setting/unsetting a value in the superglobals, but I have seen hand coded register_globals implementation (for backwards compatibility) in PHPList which permitted that the SERVER['file'] (named something like that) to be overwritten and making it vulnerable to remote file inclusion. So in that particular scenario it would have helped.

• filter_id and filter_list

One returns the numeric value of a filter, while the other returns a list of filters… moving on.

• filter_input and filter_input_array

The (ONE) function for the “Data Filtering Extension”. I’ll post an example from the documentation.

$search_html = filter_input(
    INPUT_GET,
    'search',
    FILTER_SANITIZE_SPECIAL_CHARS
);
$search_url = filter_input(
    INPUT_GET,
    'search',
    FILTER_SANITIZE_ENCODED
);

echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";

• filter_var and filter_var_array

It works in the same way as filter_input, just that now you can use the filters on variables/string… these examples are also from the documentation.

// will validate
var_dump(filter_var(
    'bob@example.com',
    FILTER_VALIDATE_EMAIL
));

// will fail (return false), because it
// misses the scheme (http://)
var_dump(filter_var(
    'example.com',
    FILTER_VALIDATE_URL,
    FILTER_FLAG_SCHEME_REQUIRED
));

Should I use it?

Well, can’t say for sure. The validation filters seem pretty good unless you count the URL one… actually that could be a good filter also if you shouldn’t add 3 flags to behave like you normally would expect…

The other reason why I can’t pronounce a final answer (maybe someone who reads this will) because I haven’t checked the source code of the extension…

You have more information about it (not quite that big of a difference) from the online documentation page found here. Waiting your opinion on this one…

Update: Chuck Norrises was here and updated the text, removing my opinion of vulnerable code. eof!

This new methodology mentioned earlier is slightly different from OpenID because it suggests its implementation directly into the browser. Implementation that would be highly welcome, but unlikely to be found native in current browsers, and those soon to come. Another interesting paper I’ve read was Web Authentication by Email Address which takes the OpenID concept and brings it closer to the user, because a user is more accommodated in using an email address as an identifier instead of an url.

For more papers from the W2SP conference check out the 2007 or the 2008 papers.

Remember password for this website!

I think that this is somewhere on top of the stupidest things a user can do. I mean seriously, once somebody knows the password (even your browser) than already it’s not a password. As talked today with somebody that used to store his passwords in a file on a encrypted partition. Even if they were secure this way, that also misses the point of passwords. Can’t remember it? Use a pass phrase that fits the scenario, not #h#41i”] as password.

And before we forget, by having your browser remember passwords you’re helping anyone interested in your private data with access to the PC. Kudos to you.

Password Anti-Pattern

There has never been an easier way to teach people how to get phished.

Wondering what this is about? Well, if imagine you’re in the following situation: you register on a website, the website asks you to “spam” your friends, you have to supply your email address and password to send them the message.

Sounds familiar? If yes, that’s a typical password anti-pattern.

You should never have to give your password to anybody (or any third party), for such situations there are special API’s and stuff like that. For example OpenID, OAuth… Didn’t use any of them (didn’t have the need till now), but people tend to praise them. If a website uses a password anti-pattern way, just let it be, it doesn’t deserve your time and private data security.

Write it down…

And people still tend to do this. The problem that people don’t realize that not only hackers are interested in your personal data (and most of the time they won’t be), but so do your so called friends…

What…

If you haven’t got anything that you think might create a negative image of yourself? Then just post your password all over the places, in every signature you’ve got, on every desktop, every picture, etc… and yes don’t forget to submit it to bug me not, some people might find it useful.

If there is a phrase that describes in the best way the distribution, it has to be the one from LinuxTracker:

Damn Vulnerable Linux (DVL) is everything a good Linux distribution isn’t. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. DVL isn’t built to run on your desktop — it’s a learning tool for security students.

To be honest I didn’t play with it till now (even if have been a user of the website for a year or so) because off limited free time that I’ve got. But in the near future (hope so) I will give it a shot, you know demonstrate my “talents” to my work colleague, maybe even do a video to help out DVL.

More specific info about included vulnerabilities/tools you can find on this page, but just up to version 1.4, and the download mirrors can be found here.

If this is an unknown domain for you (security) I would recommend you firstly to start out with some basics before even taking a glimpse at DVL. In such a case you might be interested in David Melnichuk book The Hacker’s Underground Handbook.

Before I forget… You would highly be appreciated for seeding the torrent, not just leeching it, because the free stuff never gets seeded well, IMO.

Anyway, you’re came here for other reasons. I found today a comprehensive article on .htaccess files, which you can (and highly recommend) read it here. Also you might be interested in a mod rewrite cheat sheet and a regular expression cheat sheet.