
Posts Tagged ‘SizeOne’

ZeroCheck

April 22, 2012

Hello :),

I was testing and viewing the new crypto paste ZeroBin, and two of its main disadvantages were the fact that a user has to trust the server for their anonymity and the Man-in-the-Middle on JavaScript.

  • Users still have to trust the server regarding the respect of their privacy. ZeroBin won’t protect the users against malicious servers.
  • Won’t protect against Man-in-the-middle attacks (eg. javascript substitution)

Well, I tried to think of a way to protect the user and minimize these disadvantages, and came up with ZeroCheck.

What is ZeroCheck?

ZeroCheck is a Chrome extension to fingerprint ZeroBin clones. It tries to make sure that a ZeroBin clone is safe. This doesn’t mean that an approved website is safe, because it can be keeping track of your IP address or some other connection info that may be used to track the person that made a paste.

SO A SITE MARKED AS SAFE BY ZeroCheck DOESN’T MEAN THAT YOU ARE 100% ANONYMOUS.

It only gives you some security about the version of the page and the libraries used on that website, and the ability to check if the page or its libraries have changed in any way.

Where can I download ZeroCheck?

You can download it from the official github repository github.com/lbragues/ZeroCheck

What does it do?

This extension generates a unique fingerprint of the page and tries to detect any change on the core functions that may compromise the security provided by the zerobin original code.

It has two main features:

  • Uniquely identifies the zerobin version of the javascript that is being used on the page.
  • Uniquely identifies the page and checks to see if it has been marked as a safe page.
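The fingerprinting idea as an added example (not ZeroCheck's own code, and in Python rather than extension JavaScript): every script the page loads is hashed, the ordered hashes form the page fingerprint, and the result maps onto the four states shown later in this post. The file names, origins and review list are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect every script on the page, in order: external URL or inline body."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._inline = not src
            self.scripts.append(("src", src) if src else ("inline", ""))
    def handle_data(self, data):
        if self._inline:
            self.scripts[-1] = ("inline", self.scripts[-1][1] + data)
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def fingerprint_page(html, fetched):
    """Return (per-script hashes, page fingerprint) for one page load."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hashes = [sha256(fetched[v] if kind == "src" else v.encode())
              for kind, v in parser.scripts]
    # Hashing the ordered list means a swapped, added or removed script
    # changes the page fingerprint.
    return hashes, sha256("\n".join(hashes).encode())

def classify(origin, html, fetched, known_libs, reviewed):
    """Map a page load onto the four states the post describes."""
    hashes, page_fp = fingerprint_page(html, fetched)
    if any(h not in known_libs for h in hashes):
        return "unsafe libraries"
    verdict = reviewed.get((origin, page_fp))   # manual review result, if any
    if verdict is None:
        return "safe libraries, site not checked"
    return "safe site" if verdict == "safe" else "unsafe site"

# Constructed sample data (not real ZeroBin files, hashes or sites).
PAGE = ('<html><script src="js/crypto-lib.js"></script>'
        '<script src="js/zerobin.js"></script></html>')
GOOD = {"js/crypto-lib.js": b"/* crypto sample */",
        "js/zerobin.js": b"/* zerobin sample */"}
TAMPERED = {**GOOD, "js/zerobin.js": b"/* zerobin sample */ sendKey();"}
KNOWN_LIBS = {sha256(body) for body in GOOD.values()}
PAGE_FP = fingerprint_page(PAGE, GOOD)[1]
REVIEWED = {("https://paste.example", PAGE_FP): "safe",
            ("https://bad.example", PAGE_FP): "unsafe"}
```

A single changed byte in any library moves the page to "unsafe libraries", while an unchanged page on an origin nobody reviewed stays at "safe libraries, site not checked".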

Now a simple overview of how the extension works. If a website is detected as a ZeroBin clone, an icon will show in the omnibox.

ZeroOmnybox

The presence of this icon means that a website is a clone of the ZeroBin project. If you find any website that doesn’t show this icon and it’s a ZeroBin page, then it is most certainly because it’s in an iframe, so you need to open the real link of the page.

Example “http://www.anonpaste.tk/” the real url to the zeropaste is “http://www.peoplesliberationfront.net/anonpaste/index.php”

Notes:

Please keep in mind that this is a very simplistic approach to the problem, with this I mean that this extension may still have many bugs, and it certainly needs more work. 🙂

If you want me to check any website, please leave a comment with its address here.

Tip: If you are getting some strange results use the refresh button 🙂

What kind of information can I get with ZeroCheck?

  • Information about the crypto libraries used
  • The classification of the website

For example this is the info about the original ZeroBin site:

As you can see, it shows the information about the libraries used and their version, and the website origin (this is manually checked to make sure it’s safe). If you open a website that wasn’t checked, this is how it looks:

This means that the libraries used are safe but the website hasn’t been manually checked.

Now an example of unsafe libraries:

And lastly, an unsafe website:

Obfuscating messages in pastebin.com

March 11, 2012

A couple of days ago I was playing with pastebin, and started to “crawl” around in their website. At the same time I was reading some news about botnets and decided to go deep into this subject, specifically their C&C: how they normally control the botnet using IRC channels, among others. There are a few nice references about this subject on the wiki page.

Then I was viewing some bots “pasting”. Some are clever, this is me guessing :), they even change their message structure or text to avoid hashing and add a very long list of TAGS at the end to make sure they pop up in the results of any crawler. Others just send a very long list of links to download services.

So if you are monitoring the posts, how do you prevent your crawler from indexing these messages? My solution was to look for common points, like blog links or some other characteristics. After analyzing some of these posts a thought crossed my mind and I mixed both subjects…

I thought that I could easily pass messages around pastebin that will be “ignored as spam” in most cases, using these spam messages to obfuscate the real content of the post. When I get something like this in my mind I won’t rest until I get some results, positive or negative…

So I decided to look even closer at the messages, and found two possibilities for doing this. Here’s a link to some spam messages that I found.

  1. On the first message we can use the TAG list as dictionary and hide the messages there.
  2. On the second we can use the link codes to hide the message, this means that a simple solution will not be able to give valid links to files, but it’s not impossible.

As I didn’t want to spend a lot of time on this subject, I followed the first option.

First I got all the TAGs from the message and created a list. To make this work I needed to be able to encode a TAG into a 0 to 255 value, so I started testing and ended up with this simple function:

import hashlib

# last - last key used, keyWord - TAG
def makeKey(self,last,keyWord):
	# make a hash from the keyword
	key = hashlib.md5((keyWord+self.salt).encode()).hexdigest()
	# some operations that use the last value
	# to generate an index to a byte in key
	l=len(key)
	i=(last*1337)%(l//2)
	# get that byte (two hex digits) and convert it to a 0 to 255 value
	byte=key[2*i:(2*i)+2]
	val=int(byte, 16)
	return val

Given the last calculated code and a keyword, it will generate the next code. I tested this function with the dictionary, adjusted a few things in the dictionary, created a few helper functions and was able to use the TAGs to pass messages, YEY!

In order to make the message pass as a normal spam message I still needed to add some more random TAGs and add the normal spam text before the TAGs.

At this point I was able to hide a message in an apparently “normal” spam message, and even pass multiple messages with different encodings or from the socket point of view, different ports.

But you only need to send a message if there is someone waiting for it 🙂 so I needed a way to distinguish these “special” messages from a “normal” message. I was already spending too much time in this subject, so I came up with a simple solution and made a checksum using the dictionary and inserted it in the first line of the message.

Please keep in mind that this was a code made in a few hours after work, and a proof of concept, so it may not be the best or the most pretty… 🙂

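import hashlib
import random

# control - string checked two characters at a time, header - first line of the message
def checkHeader(self,control,header):
	spl=header.split(" ")
	try:
		spl.remove("")
	except ValueError:
		pass
	l=len(control)//2
	base=0
	found=0
	for i in range(l):
		# next two-character sequence of the control string
		seq = control[i*2:(i*2)+2]
		# extend the header prefix word by word until its hash contains seq
		# (joinArray is a helper that is not shown here)
		while(base<len(spl)):
			h=self.joinArray(spl[0:base+1])
			base+=1
			key = hashlib.md5(h.encode()).hexdigest()
			if(seq in key):
				found+=1
				break
	# valid only if every sequence matched and the whole header was consumed
	return found==l and base==len(spl)

# build a header from random dictionary words that checkHeader will accept
def makeHeader(self,control,limit=50):
	while(True):
		header=""
		for i in range(len(control)//2):
			while True:
				header+=random.choice(self.keylist)+" "
				key = hashlib.md5(header.encode()).hexdigest()
				if(control[i*2:(i*2)+2] in key):
					break
		# retry until the header fits within limit characters
		if(len(header)<=limit):
			return header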

Now I was able to identify a message addressed to me from other messages. At this point I thought, well I did it, it’s possible, time to stop now! And I did stop, but I was talking to one of my friends and he convinced me to share this. I normally don’t do this, I simply get over it and start thinking about something else…

But since he convinced me into sharing this, I decided to make the code more fun and made a simple shoutbox over pastebin. It’s not very easy to use because you’ll have to open a link and fill in the captcha every time you send a message; it was not my objective to try to bypass pastebin’s spam control system.

Keep in mind that this is a proof of concept code, probably has many bugs in the obfuscating algorithms or they aren’t secure or fail in some cases. And I know that this isn’t a viable way of chatting or making a shoutbox due to many constraints.

BUT remember that I was doing this to try and pass hidden messages in normal spam messages, creating a system capable of sharing messages anonymously, under the subject of botnet C&C. By doing this little research I can conclude that ignoring spam may not be a solution in some forms of investigations. And I think that probably this was already thought and done or being used by someone else.

Without delay here you can find this simple code and some screen shots of it working.

https://github.com/lbragues/pasteshout

shARPWatcher Protect your android phone from faceniff and droidsheep

February 19, 2012

shARPWatcher is an application to protect your Android phone against ARP spoof attacks, used by software like faceniff and droidsheep.

This application has two modes:

  1. Rooted phone – Preemptive mode: As soon as your device connects to a network it prevents all spoof attacks, rendering them useless (Low battery consumption and 100% bullet proof).
  2. UnRooted phone – Best Effort mode: It keeps monitoring your phone, from time to time, searching for attacks. If it detects one and the disconnect on attack option is on, it deactivates your WiFi; otherwise it sends an alert.

To be completely protected against these attacks you need to have a rooted phone, otherwise there’s always the chance  the attacker gets what he wants.
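One way a best-effort monitor of the kind described above could spot ARP spoofing, as an added example that is not shARPWatcher's code: it compares the Linux/Android ARP table (/proc/net/arp format) against a snapshot taken when the network was joined. The heuristics, function names and sample tables are assumptions made for illustration.

```python
def parse_arp_table(text):
    """Parse /proc/net/arp text into (ip, mac, device) rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:          # first line is the header
        fields = line.split()
        # Columns: IP address, HW type, Flags, HW address, Mask, Device
        if len(fields) >= 6 and fields[3] != "00:00:00:00:00:00":
            rows.append((fields[0], fields[3].lower(), fields[5]))
    return rows

def find_spoofing(baseline_text, current_text, gateway_ip):
    """Compare a trusted snapshot with the current table; return alert tuples."""
    trusted = {ip: mac for ip, mac, _ in parse_arp_table(baseline_text)}
    alerts, ips_by_mac = [], {}
    for ip, mac, dev in parse_arp_table(current_text):
        ips_by_mac.setdefault((dev, mac), []).append(ip)
        # The gateway answering from a new MAC is the classic spoofing symptom.
        if ip == gateway_ip and trusted.get(ip, mac) != mac:
            alerts.append(("gateway-mac-changed", ip, trusted[ip], mac))
    for (dev, mac), ips in ips_by_mac.items():
        # One MAC claiming several IPs can be legitimate (multi-homed router),
        # so raise it only when the gateway is one of them.
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(("gateway-shares-mac", mac, sorted(ips)))
    return alerts

def react(alerts, disconnect_on_attack):
    """Mirror the post's option: disable WiFi if checked, otherwise notify."""
    if not alerts:
        return "none"
    return "disable-wifi" if disconnect_on_attack else "notify"

# Constructed sample tables (made-up addresses, not captured data).
BASELINE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
"""
UNDER_ATTACK = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         AA:BB:CC:00:00:17     *        wlan0
192.168.1.23     0x1         0x2         aa:bb:cc:00:00:17     *        wlan0
"""
```

Polling like this only notices a poisoned entry after it has been written, which is why the post calls the unrooted mode best effort.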

[How to install]

Simply go to android market and search for “sharpwatcher”, follow this market link or read the qrcode. 🙂

[How to use]

It’s very simple to use and you almost don’t need to configure anything.

  1. Tap the shield image to turn on or off (Green WiFi symbol On, Red WiFi symbol off)
  2. You need to turn on or off with your WiFi disabled, turning on with an already connected WiFi may not protect you.

Rooted phone (Preemptive mode) it’s all you need to know… 🙂

For UnRooted devices (Best Effort) you still have one more option!

  • Disconnect under attack check box

If you have this option checked, when an attack is detected shARPWatcher will disable your WiFi, preventing any further damage. If this option is off then it will send a notification warning you that it detected an attack.

IMPORTANT: If sometimes on preemptive mode your connection seems to stop working for a while, it’s not shARPWatcher’s fault. It means that you are under attack and it’s not working for the attacker 🙂

shARPWatcher UI


sslstrip mod to support plugins

December 4, 2011

This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU

This is my modification of sslstrip to support plugins.
setup.py was removed, so you can’t install this version directly;
use it only from the folder.

I created this to help me on some tests I did, it got a lot easier. This code isn’t perfect, far from it…
For someone that hasn’t much experience in python this was made in record time… don’t be too hard on the errors
it might have.

Screen shots:

Starting sslstrip example

Some actions printed

Some more

Installing:

  • Do it like you were installing sslstrip normally
  • Don’t use setup.py, it won’t work. This is an experimental version.

Running:

  • To activate plugins add the -x or --s1plugin option in the command line

####### Plugin Info #########

File structure:
s1plugin
|____ plugins (All plugins are here)
|                 |____    _OSFinder (Plugin folders, each plugin has its own folder)
|____ * (All the other files, you don’t need to change anything)
It’s easy, so if you know what you are doing you shouldn’t have a problem understanding
if you can’t then don’t change anything 🙂

About plugins folder:

  • A plugin is only loaded if its folder HAS the file __init__.py
  • Deactivating a plugin: rename or remove “__init__.py”
  • To be loaded a Plugin must have a file named S1Plugin.py with a class named S1Plugin respecting the rules

Plugin class:

  • EventSender is an empty plugin; if you want to create a new one, use that and remove what you don’t need
  • What can you do and listen: (I think I don’t need to explain)
  1. onResolveHost(self,client,host,result)
  2. onHostResolvedSuccess(self,client,address)
  3. onHostResolvedError(self,client,error)
  4. onCleanHeaders(self,client,headers,result)
  5. onClientConnection(self,host,headers,client,path,postData,url)
  6. onSendSpoofedFaviconResponse(self,client,icon_path)
  7. onProxy(self,client,host, method, path, postData, headers, port, ssl)
  8. hijackConnection(self,client,url,clientConnection)
  9. onVisitUrl(self,client,url,postData)
  10. injectContent(self,client,contentType,data)
  • Store and read values on disk (settings.db) -> sqlite3
  1. storeValue("key1","ohhyeah")
  2. readValue("key1")
  • Communicate between plugins
  1. View _OSFinder and UrlLogger plugins for reference

Modifications on sslstrip.py:

Find this:
print "\nsslstrip " + gVersion + " by Moxie Marlinspike running..."
Here:
# ------ SizeOne Mod ------------------------------
# import the event manager class if detected
if(os.path.exists("s1plugin")):
	from s1plugin.S1StrippingProxy import S1StrippingProxy
	# replace the normal classes
	strippingFactory.protocol = S1StrippingProxy
# --------------------------------------------------

I think it’s all I have to say for now

More Info:
https://github.com/lbragues/sslstrip

Heroes of Newerth Resource Editor

August 7, 2011

Hi, before anything else, this is a tool to edit the s2z files of the HoN (Heroes of Newerth) game.

This tool isn’t anything “new” since the format of these files is public; its aim is to make editing them easier for everyone with a few clicks. Don’t expect something completely overwhelming: it’s in the early stage and it has a lot of bugs. Its evolution depends directly on the acceptance it will have in the community and the number of people using it. It’s completely free, there aren’t any drawbacks or pro versions.

Keep in mind that this tool isn’t made by any company and it’s made exclusively on the spare time of a single person. So if you wish to contribute with anything use the Paypal buttons. 🙂

IMPORTANT: I will not take any responsibility for any harm done by this tool. USE AT YOUR OWN RISK!

So I think now is the time to start explaining how this works…

Requirements:

  • Java Virtual machine installed and on the latest version.

Operating Systems:

  • Windows 7 (Working)
  • MacOSX Snow Leopard (Working)
  • Linux (Not tested should be working)
  • It Should work on any System that has JavaVM installed.

(If you test it on any other platform send some feedback and I’ll update these infos)

So if you download the tool you should have the following files and folders.

  • default.png – Default icon used when you create a *.honmod
  • SizeOneHoNRELauncher.jar – This is the one you should run; it will check for updates
  • SizeOneHoNResources.jar – The application; if you run this it will start the launcher
  • extract – (Folder) It’s where all the files you extract will go to.
  • lib – (Folder) This folder contains all the necessary libs to run the application (Don’t mess with this folder)
  • mods – (Folder) This is the default folder where the program stores your mods.
  • tmp – (Folder) Folder to store temporary files (You may delete its contents if you want)

If your application crashes it will send me a report with your operating system, application version and the actual error.

You shouldn’t be able to run the SizeOneHoNResources.jar directly.

Features:

  • Viewing and Extracting contents of an *.s2z, *.honmod file (Any zip file :))
  • Creating New mod files (resourcesXXX.s2z or *.honmod)
  • Editing these files (add, remove, replace)

(Expect a few more features in the near future)

Tutorial:

Downloads:

  1. V1.0.0.2 – Here
  2. V1.0.0.1 – Here
  3. V1.0.0.0 – Here

Special Thanks to bezta that made the icons and graphics 🙂

Any suggestions just send me an email 🙂

DropPrint – Share a printer using Dropbox

December 12, 2010

Dropprint is a small application to share a printer using Dropbox.

Requirements:

  • Dropbox Account (If you don’t have one create here)
  • Java Virtual Machine installed (Download from Oracle)
  • A copy of Dropprint (here)
  • And a working printer 🙂

This application is very simple; it only has one option, the Dropbox folder location. You should run this application on the machine that is connected to a printer. 🙂

Dropprint Window


After Setting the correct path to your Dropbox folder, press start. If you are running this for the first time you should see some messages saying that two folders were created, “printQueue” and “logPrint”. If you get a message saying that the Dropbox folder couldn’t be found check the path.

  • printQueue – Every file that you copy to this folder will be printed!
  • logPrint – All printed files will be moved to this folder.

Now that you have the Dropbox installed on the computer connected to the printer and the application running, let’s talk about the Dropbox configuration!

To be able to print something using another computer, you need to share printQueue with the different Dropbox accounts. If you are using the same Dropbox account on all computers you don’t need to do that since Dropbox does all the sync for you.

So if you are using the same account on all the computers, it’s done! To try it you just need to copy a file to printQueue. 🙂 If you are using different accounts you need to access the website and share printQueue with every account that you want to be able to use the printer.
And it’s done! 🙂

Any question leave a comment 😉