Here are a few key terms that you will hear in discussion about hackers and what they do:
1-Backdoor-A secret pathway a hacker uses to gain entry to a computer system.
2-Adware-It is the softw-are designed to force pre-chosen ads to display on your system.
3-Attack-That action performs by a attacker on a system to gain unauthorized access.
4-Buffer Overflow-It is the process of attack where the hacker delivers malicious commands to a system by overrunning an application buffer.
5-Denial-of-Service attack (DOS)-A attack designed to cripple the victim's system by preventing it from handling its normal traffic,usally by flooding it with false traffic.
6-Email Warm-A virus-laden script or mini-program sent to an unsuspecting victim through a normal-looking email message.
7-Bruteforce Attack-It is an automated and simplest kind of method to gain access to a system or website. It tries different combination of usernames and passwords,again & again until it gets in from bruteforce dictionary.
8-Root Access-The highest level of access to a computer system,which can give them complete control over the system.
9-Root Kit-A set of tools used by an intruder to expand and disguise his control of the system.It is the stealthy type of software used for gain access to a computer system.
10-Session Hijacking- When a hacker is able to insert malicious data packets right into an actual data transmission over the internet connection.
11-Phreaker-Phreakers are considered the original computer hackers who break into the telephone network illegally, typically to make free longdistance phone calls or to tap lines.
12-Trojan Horse-It is a malicious program that tricks the computer user into opening it.There designed with an intention to destroy files,alter information,steal password or other information.
13-Virus-It is piece of code or malicious program which is capable of copying itself has a detrimental effect such as corrupting the system od destroying data. Antivirus is used to protect the system from viruses.
14-Worms-It is a self reflicating virus that does not alter files but resides in the active memory and duplicate itself.
15-Vulnerability-It is a weakness which allows a hacker to compromise the security of a computer or network system to gain unauthorized access.
16-Threat-A threat is a possible danger that can exploit an existing bug or vulnerability to comprise the security of a computer or network system. Threat is of two types-physical & non physical.
17-Cross-site Scripting-(XSS) It is a type of computer security vulnerability found in web application.It enables attacker to inject client side script into web pages viwed by other users.
18-Botnet-It is also known as Zombie Army is a group of computers controlled without their owner's knowledge.It is used to send spam or make denial of service attacks.
19-Bot- A bot is a program that automates an action so that it can be done repeatedly at a much higher rate for a period than a human operator could do it.Example-Sending HTTP, FTP oe Telnet at a higer rate or calling script to creat objects at a higher rate.
20-Firewall-It is a designed to keep unwanted intruder outside a computer system or network for safe communication b/w system and users on the inside of the firewall.
21-Spam-A spam is unsolicited email or junk email sent to a large numbers of receipients without their consent.
22-Zombie Drone-It is defined as a hi-jacked computer that is being used anonymously as a soldier or drone for malicious activity.ExDistributing Unwanted Spam Emails.
23-Logic Bomb-It is a type of virus upload in to a system that triggers a malicious action when certain conditions are met.The most common version is Time Bomb.
24-Shrink Wrap code-The process of attack for exploiting the holes in unpatched or poorly configured software.
25-Malware-It is an umbrella term used to refer a variety of intrusive software, including computer viruses,worms,Trojan Horses,Ransomeware,spyware,adware, scareware and other malicious program.
After 7 years of Contagio existence, Google Safe Browsing services notified Mediafire (hoster of Contagio and Contagiominidump files) that "harmful" content is hosted on my Mediafire account.
It is harmful only if you harm your own pc and but not suitable for distribution or infecting unsuspecting users but I have not been able to resolve this with Google and Mediafire.
Mediafire suspended public access to Contagio account.
The file hosting will be moved.
If you need any files now, email me the posted Mediafire links (address in profile) and I will pull out the files and share via other methods.
P.S. I have not been able to resolve "yet" because it just happened today, not because they refuse to help. I don't want to affect Mediafire safety reputation and most likely will have to move out this time.
The main challenge is not to find hosting, it is not difficult and I can pay for it, but the effort move all files and fix the existing links on the Blogpost, and there are many. I planned to move out long time ago but did not have time for it. If anyone can suggest how to change all Blogspot links in bulk, I will be happy. P.P.S. Feb. 24 - The files will be moved to a Dropbox Business account and shared from there (Dropbox team confirmed they can host it )
The transition will take some time, so email me links to what you need. Thank you all M
Welcome back to Linux Command Line Hackery, hope you have enjoyed this series so far. Today we are going to learn new Linux commands and get comfortable with reading text files on Linux.
Suppose that you wanted to view your /etc/passwd file. How will you do that? From what we have learned so far what you'll do is type:
cat /etc/passwd
And there you go, but really did you see all the output in one terminal? No, you just ended up with last few lines and you'll have to cheat (i,e use graphical scroll bar) in order to see all the contents of /etc/passwd file. So is there a command line tool in linux with which we can see all the contents of a file easily without cheating? Yes, there are actually a few of them and in this article we'll look at some common ones.
Command: more Syntax: more [options] file... Function: more is a filter for paging through text one screenful at a time. With more we can parse a file one terminal at a time or line by line. We can also go backward and forward a number of lines using more.
So if we're to use more on /etc/passwd file how will we do that? We'll simply type
more /etc/passwd
now we'll get a screenful output of the file and have a prompt at the bottom of terminal. In order to move forward one line at a time press <Enter Key>. Using enter we can scroll through the file one line at a time. If you want to move one screen at a time, you can press <Space Key>to move one screen at a time. There are more functions of more program, you can know about them by pressing <h key>. To exit out of more program simply type <q key> and you'll get out of more program.
Command: less Syntax: less [options] file... Function: less is similar to more but less has more functionality than more. less is particularly useful when reading large files as less does not have to read the entire input file before starting, so it starts up quickly than many other editors.
less command is based on more so what you've done above with more can be done with less as well. Try it out yourself.
Command: head Syntax: head [OPTION]... [FILE]... Function: head command prints the head or first part of a file. By default head prints out first 10 lines of a file. If more than one file is specified, head prints first 10 lines of all files as a default behavior.
If we want to see only first 10 lines of /etc/passwd we can type:
head /etc/passwd
We can also specify to head how many lines we want to view by using the -n flag. Suppose you want to see first 15 lines of /etc/passwd file you've to type:
head -n 15 /etc/passwd
Ok you can view the first lines of a file what about last lines, is there a tool for that also? Exactly that's what our next command will be about.
Command: tail Syntax: tail [OPTION]... [FILE]... Function: tail is opposite of head. It prints the last 10 lines of a file by default. And if more than one file is specified, tail prints last 10 lines of all files by default.
To view last 10 lines of /etc/passwd file you'll type:
tail /etc/passwd
and as is the case with head -n flag can be used to specify the number of lines
tail -n 15 /etc/passwd
Now one more thing that we're going to learn today is grep.
Command: grep Syntax: grep [OPTIONS] PATTERN [FILE...] Function: grep is used to search a file for lines matching the pattern specified in the command.
A PATTERN can simply be a word like "hello" or it can be a regular expression (in geek speak regex). If you aren't familiar with regex, it's ok we'll not dive into that it's a very big topic but if you want to learn about it I'll add a link at the end of this article that will help you get started with regex.
Now back to grep say we want to find a line in /etc/passwd file which contains my user if we'll simply type:
grep myusername /etc/passwd
Wohoo! It gives out just that data that we're looking for. Remember here myusername is your username. One cool flag of grep is -v which is used to look in file for every line except the line containing the PATTERN specified after -v [it's lowercase v].
Take your time practicing with these commands especially grep and more. We'll learn a lot more about grep in other upcoming articles.
This is our final free chapter in this smart contract hacking series, hopefully you enjoyed it, I am not sure what I am going to work on next, perhaps some malware analysis, reverse engineering or maybe some hacking in the cloud.
We are currently in 4th quarter and slammed with work so I wouldn't expect any more posts or the full blockchain release till after that eases up.
If you have any questions or comments you can hit us up at:
Within operations that require random values we generally need a form of randomness coupled with our algorithm. If we do not have sufficient randomness and large character sets, we would end up with cryptographic collisions or predictable values depending what we are doing. This Is often the case in video game operations and data security encryption schemes. For example, we do not want to create random values which are predictable and repeatable based on known values or controllable values. With controllable values an attacker could duplicate the value by reverse engineering how it was originally created and what that random seed is. Also, If the value is predictable within a game, we may be able to cheat the game by creating our own valid values that exploit the perceived randomness.
Now we are not going to deep dive into cracking cryptography or brute forcing hash values. First off it takes too much time and effort. Secondly because there are easier more efficient ways of tackling cryptographic issues. Lastly, we do not have time for rabbit holes in a week-long penetration test that require us to explore many other attack vectors. Wasting a whole week on cracking a single cryptographic issue would be a terrible and inefficient penetration test leaving the rest of the target vulnerable. This may be suitable for R&D or a CTF but not for a penetration test.
What you need to understand is that certain functions often used as randomness on the blockchain is not suitable as a source of randomness. Additionally, understanding how things are implemented will get you much farther when it comes to cryptography then attacking it directly. You do not need to break NSA level encryption by attacking it directly. Instead you should concentrate on finding insecure implementations of these algorithms to get what you need.
Oracle padding attacks are a great example of this if you were in the hacking community back in the late 2000s. The padding attack relied on error messages based on padding within blocks to determine a way to decrypt them. This was a brilliant attack vector as you didn't need to understand deep cryptographic concepts to decrypt data blocks only how blocks work and how it was implemented. With this knowledge you could leverage the flawed implementation to get the decrypted values.
On the blockchain there are a number of insecure functionality that developers like to use when implementing random values. Most of these are very bad ideas for reasons we will discuss below.
For Example, the following non-exhaustive but often used list of values are not suitable for randomness within sensitive operations. Usage of these types of values for any sort of calculation is always suspect for closer review:
üSecret keys in private variables
üBlock Timestamps
üBlock Numbers
üBlock Hash values
Why you ask? Well regardless of the data being set as private on the blockchain a private variable storage value is 100% readable on the blockchain. There are no secret values. These can be queried as you saw in the storage issues chapter. Also embedding hard coded values are certainly not private as they are in the source code which may be posted directly on the blockchain. Or could be reverse engineered out of the bytecode used to deploy the contract when the source code is not available. If you can get a hold of that value, then you can violate the security of that functionality.
Secondly do not rely on predictable values for randomness especially from block data sources. Block timestamps are controlled by miners which can aid in orchestrated attacks when used as a source of randomness. Also block numbers are easy to query and create predictable attacks when used in calculations, if internal functions are using a block number, they are all using the same PRNG. Finally, block hash values are terrible to use for randomness as only the last 256 block hash values on chain actually have a real value. Anything older than 256 is reduced to 0 meaning that every calculation will use the same value of 0. We will cover that in some of our examples.
This is not an exhaustive list but instead just a small portion of bad decisions for random values. There are plenty of other values which could be used within calculations as a random seed which are also predictable. It is always important to review the data used in these calculations when reviewing smart contract functionality. So, without the need of a PHD in cryptography you should easily discern that all of the above implementation examples are terrible for the inclusion of random data within cryptographic operations.
Let's start out taking a look at a simple example of using a blockhash value with a blocknumber value. While a hash of a block might seem like a good idea as a random number there are numerous issues with it. Firstly, a blocknumber is a known value set by a miner that persists for a set length of time and can be queried and used in an attacker's similar algorithm to produce the same result and bypass controls. But there is also an underlying vulnerability to this approach when coupled with a blockchash which we will take a look at below.
Action Steps:
üOpen up your terminal and launch ganache-cli
üType out the code below into Remix
üWithin the Deploy Environment section dropdown change the JavaScript VM to the web3 Provider option.
üDeploy the contract to ganache with the deploy button in Remix
1. pragma solidity ^0.6.6;
2.
3. contract simpleVulnerableBlockHash {
4. uint32 public block_number;
5. bytes32 public myHash;
6.
7.function get_block_number() public {
8. block_number = uint32(block.number);
9. }
10.
11.function set_hash() public{
12. myHash = bytes32(blockhash(block_number));
13. }
14.
15.function wasteTime() public{
16.uint test = uint(block.number);
17. }
18. }
The simple contract above is querying for the current block number in the get_block_number function on line 8 and storing it within a block_number variable created on line 4. This is the current block number running on the blockchain.
Then we have a function on line 11 which takes the block number and uses it with the blockhash button to retrieve the blockhash and store it in the myHash variable.
üWhat happened and what implications would this have on calculations your using this value with?
So, we have 2 variables of a block number and a block hash associated with that block number. What's the big deal. Well let's walk through this step by step and then play around with the remaining wasteTime function on line 15 to find out.
Starting out if we have the deployed contract and we execute the get_block_number function followed by the set_hash function we will get the following result when checking the block_number and myHash variables.
We see the blocknumber of 3 and then a hex value representing the block hash that starts with 0x995f. Now if we were to use this hash as a random value or within some algorithm to create a random value it might work depending what we were doing and the level of security required for the length of time we need it to be perceived as random for. It wouldn't be secure but maybe good enough for your operations. However, a blockhash has a dark little secret a developer may not be aware of. Block hashes in Ethereum have short term memory when it comes to blocks older than 256 from the current block.
So, what happens when we calculate a block after a time lapse? Let's give that a try by executing the wasteTime button till we reach block 259. Waste time sets a block value and discards it to enumerate blocks for us, it doesn't actually make any real changes. Normally blocks on the Ethereum network enumerate on their own every 30 seconds and we would simply just wait for 256 blocks, but we don't have traffic on our blockchain so we will enumerate it ourselves with wasteTime.
After we reach block 259 we execute the set_hash function again which will take block_number of 3 which is older than 256 blocks and get the hash. If you retrieve the myHash variable again after executing the set_hash function again it results in:
You will notice the myHash variable is now 0x000. because blocks older than 256 from the current block are not stored and result in a value of 0. Having a predictable value of 0 in our random algorithm can very likely create a situation where it would be easy to recreate the random number to bypass or cheat functionality in the smart contract.
Video Walkthrough of Bad Randomness:
A classical terrible example is something similar to this.
1.Function checkWinner()public payable {
2. If(blockhash(blockNumber)%2==0){
3. Msg.sender.transfer(balance);
4. }
5.}
In the example above uses a blockhash function with a blockNumber variable within its calculation. The issue with this calculation is if that blockNumber variable is more than 256 blocks old it will return Zero and based on the calculation the user will win every single time.
All the attacker would need to do is play the game to create the blocknumber variable. Then the attacker would simply wait for 256 blocks to pass before checking if he has won the game. By doing this the attacker would guarantee a win.
In order to see how this would work let's take a look at a simple game of chance that implements this concept.
Action Steps:
üType out this code within remix
üDeploy the code using Ganache and Web3 options
üTry to locate the vulnerability within the code
üTry to exploit the vulnerability this code so that you are always the winner
The best way to prevent these issues is to avoid on chain predictable values or secret values as your seed to operations and calculations. We can do this with trusted external Oracles. Oracles are external data sources that your contract can use when it needs random values or trusted data. There are projects that specifically solve this problem for example ChainLink which has networks of Oracle nodes that handle data queries and provide back trusted verified data including random numbers. A simple example for using Chainlink for a random number is found at the following link:
It is always a good idea to avoid on chain secret data or block related information when performing any sort of sensitive operation and instead utilize an Oracle.
