
Everyone is tracking everyone nowadays…

Yet, sometimes I really have trouble remembering what I did, and where I was…
The “what I did” is easily reproducible by using NirSoft’s LastActivityView, checking my sent e-mails, and my browsing history… (But as I’m using 3 computers, not in any logical order, this is also not ideal.)

The “where I was” is more difficult…

Enter tracks: https://mendelonline.be/tracks/

Client-side it’s built on top of Nokia’s SensorCore SDK example Tracks (yes, I stole the name, and the layout, and actually just about everything =) ) https://github.com/Microsoft/tracks
The only thing it does is get all track points containing geographical information from the co-processor on my old but trustworthy Nokia 930 running W10M, and post them to some stupid PHP “API” that puts them in an MSSQL DB. (Nope, no authN here…)


I built some stupid front-end for it, but for now, it looks something like this: https://mendelonline.be/tracks/share.php?accesskey=xqnmSI4vAEItrRaQKaiVnGTx

But you can do way cooler things with it! For example, heatmaps: where did I go most?

Next on the to-do list are statistics…

  • how much time in the car a week
  • how many km in a week
  • how much time in traffic
  • ..

Password Filter

A DLL that provides password policy enforcement and change notification. The functions implemented by password filters are called by the Local Security Authority. – http://msdn.microsoft.com/en-us/library/windows/desktop/ms721882%28v=vs.85%29.aspx 
The purpose of this hook into the LSA is to run custom checks when users change their password. Want some specific “default for your company” password filtered out? Want a custom regex on top of Microsoft’s complexity requirements? Want to set up a really ugly password sync to another database? Or do you just want access to plaintext passwords? Then this is the way to go… But you can also do other stuff with it, because: “hey! a cleartext password!” :-p Keep in mind what that implies: the DLL is loaded into lsass.exe as SYSTEM and sees every password change in cleartext, so anyone who can drop a DLL in System32 and add its name to the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa sees every password set from then on, and that registry value is exactly what defenders watch.

The code in the next post doesn’t work, but it also describes the idea: http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
And this blogpost tries to fix what the previous one couldn’t do: http://www.phocean.net/2013/10/02/password-stealing-using-a-password-filter.html

Anyway, the code is Visual C++.

Most of the code (pretty much everything) came from DevX, who did a great job with this article: http://www.devx.com/security/Article/21522 !

The following functions are called by the OS when a user changes a password:

BOOLEAN PasswordFilter(
  _In_  PUNICODE_STRING AccountName,
  _In_  PUNICODE_STRING FullName,
  _In_  PUNICODE_STRING Password,
  _In_  BOOLEAN SetOperation
);

NTSTATUS PasswordChangeNotify(
  _In_  PUNICODE_STRING UserName,
  _In_  ULONG RelativeId,
  _In_  PUNICODE_STRING NewPassword
);
BOOLEAN InitializeChangeNotify(void);


Visual studio 2013 project to download: https://www.mendelonline.be/downloader/?file=passwordfilterregex.zip

The only thing this code does is write the cleartext password to a text file… just a proof of concept of what you can do, of course. The rest is for you to code 😉
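As an added example (not the post’s code, nor the DevX article’s): the policy half of such a filter, the thing you would write if the goal is a company blacklist rather than a password logger. The LSA types below are local stand-ins so it compiles and runs on any platform; the banned words, the minimum length and the `check_password` helper are hypothetical. On Windows you would use the real types from ntsecapi.h, export the three functions from the DLL and register its name in the Notification Packages value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

```c
/* Added example (not the post's or the DevX article's code): the policy half of
 * an LSA password filter, with local stand-ins for the LSA types so it builds
 * anywhere. On Windows: include <windows.h>/<ntsecapi.h>, export the three
 * functions, register the DLL under ...\Control\Lsa\Notification Packages. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for UNICODE_STRING (assumed to match ntsecapi.h): Length and
 * MaximumLength are in BYTES and Buffer is UTF-16 that is NOT guaranteed to be
 * NUL-terminated, so never hand it to wcslen() or printf("%S"). */
typedef uint16_t WCHAR16;
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    WCHAR16 *Buffer;
} UNICODE_STRING16, *PUNICODE_STRING16;
typedef unsigned char BOOLEAN;
typedef long NTSTATUS;
#define STATUS_SUCCESS 0

#define MIN_PASSWORD_CHARS 12
/* Hypothetical "company default" words refused anywhere in a password (case-insensitive). */
static const char *const BANNED_WORDS[] = { "welcome", "password", "contoso", "summer" };

static WCHAR16 fold(WCHAR16 c) { return (c >= 'A' && c <= 'Z') ? (WCHAR16)(c + 32) : c; }

/* Case-insensitive "needle occurs in hay", both as UTF-16 units, bounded by Length. */
static bool contains_u16(const UNICODE_STRING16 *hay, const WCHAR16 *needle, size_t nlen)
{
    size_t hlen = hay->Length / sizeof(WCHAR16);
    if (nlen == 0 || nlen > hlen) return false;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j = 0;
        while (j < nlen && fold(hay->Buffer[i + j]) == fold(needle[j])) j++;
        if (j == nlen) return true;
    }
    return false;
}

/* Same test with an ASCII needle, widened on the fly. */
static bool contains_ascii(const UNICODE_STRING16 *hay, const char *needle)
{
    WCHAR16 wide[32];
    size_t n = strlen(needle);
    if (n > sizeof wide / sizeof wide[0]) return false;
    for (size_t i = 0; i < n; i++) wide[i] = (WCHAR16)(unsigned char)needle[i];
    return contains_u16(hay, wide, n);
}

/* Called by the LSA before the change is committed: TRUE accepts, FALSE rejects.
 * (On 32-bit Windows the three exports must be __stdcall / NTAPI.) */
BOOLEAN PasswordFilter(PUNICODE_STRING16 AccountName, PUNICODE_STRING16 FullName,
                       PUNICODE_STRING16 Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;   /* SetOperation is TRUE for an admin reset */
    if (Password->Length / sizeof(WCHAR16) < MIN_PASSWORD_CHARS) return 0;
    /* Refuse the account name inside the password; names under 3 chars would match too much. */
    size_t alen = AccountName->Length / sizeof(WCHAR16);
    if (alen >= 3 && contains_u16(Password, AccountName->Buffer, alen)) return 0;
    for (size_t i = 0; i < sizeof BANNED_WORDS / sizeof BANNED_WORDS[0]; i++)
        if (contains_ascii(Password, BANNED_WORDS[i])) return 0;
    return 1;
}

/* Called after the change is committed, with the cleartext: this is the hook the
 * "password stealing" posts abuse. A policy-only filter does nothing with it. */
NTSTATUS PasswordChangeNotify(PUNICODE_STRING16 UserName, unsigned long RelativeId,
                              PUNICODE_STRING16 NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return STATUS_SUCCESS;
}

BOOLEAN InitializeChangeNotify(void) { return 1; }

/* Demo/test wrapper (hypothetical): builds the UNICODE_STRINGs from ASCII without
 * a terminating NUL, exactly as the LSA may hand them over, and runs the filter. */
int check_password(const char *account, const char *password)
{
    WCHAR16 abuf[64], pbuf[256];
    size_t alen = strlen(account), plen = strlen(password);
    if (alen > 64 || plen > 256) return 0;
    for (size_t i = 0; i < alen; i++) abuf[i] = (WCHAR16)(unsigned char)account[i];
    for (size_t i = 0; i < plen; i++) pbuf[i] = (WCHAR16)(unsigned char)password[i];
    UNICODE_STRING16 a = { (uint16_t)(alen * 2), (uint16_t)sizeof abuf, abuf };
    UNICODE_STRING16 p = { (uint16_t)(plen * 2), (uint16_t)sizeof pbuf, pbuf };
    UNICODE_STRING16 full = { 0, 0, NULL };
    return PasswordFilter(&a, &full, &p, 0);
}
```

The one thing to get right in a real filter is that UNICODE_STRING.Buffer is not NUL-terminated and Length is in bytes; every comparison above is bounded by Length for that reason. Whatever you do with NewPassword in PasswordChangeNotify runs as SYSTEM inside LSASS, so a filter that writes it anywhere is a credential logger, whatever it is called.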

So, the 2013 model revealed some more secrets!

using Newtonsoft.Json;
using ManagedUPnP;

Find all UPnP services on the current network:

Services lsServices = Discovery.FindServices(null,timeout, 0,out lbCompleted,AddressFamilyFlags.IPvBoth);

And filter out the ones that are Sony:

foreach (Service IndividuallsService in lsServices)
{
    // Only the Sony Bravia sets expose the X_SendIRCC action
    if (IndividuallsService.Description().Actions.ContainsKey("X_SendIRCC"))
    {
        // sony bravia television found! :-)
        sonytv = IndividuallsService;
    }
}

Register with the device by calling the JSON web service twice: once without basic auth, and once with basic auth where the password is the number shown on the television itself. Catch the cookie, because it contains the authentication key (with expiration date 00-00-0000).
Using the same json.net library, you can easily serialize the cookiecontainer for later use.

string hostname = System.Windows.Forms.SystemInformation.ComputerName;
string jsontosend = "{\"id\":13,\"method\":\"actRegister\",\"version\":\"1.0\",\"params\":[{\"clientid\":\"" + hostname + ":11c43119-af3d-40e7-b1b2-743311375322c\",\"nickname\":\"" + hostname + " (Mendel's APP)\"},[{\"clientid\":\"" + hostname + ":11c43119-af3d-40e7-b1b2-743311375322c\",\"value\":\"yes\",\"nickname\":\"" + hostname + " (Mendel's APP)\",\"function\":\"WOL\"}]]}";

var httpWebRequest = (HttpWebRequest)WebRequest.Create("http://" + theipadres + "/sony/accessControl");
httpWebRequest.ContentType = "application/json";
httpWebRequest.Method = "POST";
httpWebRequest.AllowAutoRedirect = true;
httpWebRequest.CookieContainer = allcookies; // the auth cookie ends up in here

// Second call only: HTTP Basic auth with an empty user name and the PIN shown on the television
string authInfo = "" + ":" + pincode;
authInfo = Convert.ToBase64String(Encoding.Default.GetBytes(authInfo));
httpWebRequest.Headers["Authorization"] = "Basic " + authInfo;

// The JSON body has to be written to the request stream, otherwise an empty POST goes out
using (var writer = new StreamWriter(httpWebRequest.GetRequestStream()))
{
    writer.Write(jsontosend);
}
using (var response = (HttpWebResponse)httpWebRequest.GetResponse())
{
    // allcookies now holds the auth cookie; serialize the container with Json.NET for later use
}
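Added example, not code from the post: the two-call registration above modelled with both sides in one C program so it can be run offline. The TV half is a stand-in that behaves as the post describes (a call without credentials puts a number on the screen, a call with Basic auth “:PIN” answers with the auth cookie); its status codes, the single-use PIN rule and the cookie value are assumptions made for this example, not Sony’s firmware. The `demo_*` helpers exist only to exercise it.

```c
/* Added example (not the post's code): both sides of the actRegister pairing in
 * one process. The TV side is a stand-in modelled on the post's description;
 * status codes, the single-use PIN rule and the cookie value are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Standard base64 with '=' padding; out needs 4*ceil(len/3)+1 bytes. */
static void b64_encode(const unsigned char *in, size_t len, char *out)
{
    size_t i = 0, o = 0;
    for (; i + 2 < len; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = B64[(v >> 18) & 63]; out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];  out[o++] = B64[v & 63];
    }
    if (len - i == 1) {
        uint32_t v = (uint32_t)in[i] << 16;
        out[o++] = B64[(v >> 18) & 63]; out[o++] = B64[(v >> 12) & 63];
        out[o++] = '='; out[o++] = '=';
    } else if (len - i == 2) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8);
        out[o++] = B64[(v >> 18) & 63]; out[o++] = B64[(v >> 12) & 63];
        out[o++] = B64[(v >> 6) & 63];  out[o++] = '=';
    }
    out[o] = '\0';
}

/* "Authorization: Basic base64(':' + pin)", the empty user name the C# above uses. */
static void basic_header(const char *pin, char *out, size_t cap)
{
    char cred[40], enc[64];
    snprintf(cred, sizeof cred, ":%s", pin);
    b64_encode((const unsigned char *)cred, strlen(cred), enc);
    snprintf(out, cap, "Basic %s", enc);
}

struct tv {
    const char *pin;          /* what the screen shows */
    const char *auth_cookie;  /* the long-lived bearer token handed out on success */
    int pin_shown, paired;
};

/* TV side of POST /sony/accessControl. Returns an HTTP status; on 200 also the
 * Set-Cookie value the client must keep. */
int tv_access_control(struct tv *tv, const char *authorization, const char **set_cookie)
{
    char expected[80];
    *set_cookie = NULL;
    if (authorization == NULL) {     /* first call: no credentials -> show a PIN */
        tv->pin_shown = 1;
        return 401;
    }
    if (!tv->pin_shown) return 403;  /* a PIN only counts while it is on screen */
    basic_header(tv->pin, expected, sizeof expected);
    if (strcmp(authorization, expected) != 0) return 403;
    tv->pin_shown = 0;               /* single use */
    tv->paired = 1;
    *set_cookie = tv->auth_cookie;
    return 200;
}

/* Client side: the two calls from the post. 1 and the cookie on success, else 0. */
int client_pair(struct tv *tv, const char *pin_typed, char *cookie_out, size_t cap)
{
    const char *cookie = NULL;
    char header[80];
    if (tv_access_control(tv, NULL, &cookie) != 401) return 0;   /* expect the PIN prompt */
    basic_header(pin_typed, header, sizeof header);
    if (tv_access_control(tv, header, &cookie) != 200 || cookie == NULL) return 0;
    snprintf(cookie_out, cap, "%s", cookie);   /* this is what the post serializes for later */
    return 1;
}

/* Demo/test wrappers with constructed values. */
int demo_pair(const char *tv_pin, const char *typed_pin)
{
    struct tv set = { tv_pin, "auth=0123456789abcdef", 0, 0 };
    char cookie[64];
    if (!client_pair(&set, typed_pin, cookie, sizeof cookie)) return 0;
    return strcmp(cookie, set.auth_cookie) == 0 && set.paired;
}

int demo_skip_prompt(const char *tv_pin)   /* right PIN, but no prompt first: 403 */
{
    struct tv set = { tv_pin, "auth=0123456789abcdef", 0, 0 };
    const char *cookie;
    char header[80];
    basic_header(tv_pin, header, sizeof header);
    return tv_access_control(&set, header, &cookie);
}

int demo_b64_ok(void)   /* encoder against two known vectors */
{
    char out[16];
    b64_encode((const unsigned char *)":1234", 5, out);
    if (strcmp(out, "OjEyMzQ=") != 0) return 0;
    b64_encode((const unsigned char *)"Ma", 2, out);
    return strcmp(out, "TWE=") == 0;
}
```

Two things the exchange makes visible: the only secret is the number on the screen, which anyone who can see the TV can type, and what comes back is a bearer cookie with no expiry, so the serialized cookie container from the post is worth exactly as much as the remote control.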

And you can send any command using UPnP. The list of IRCC codes can be found by grabbing the response to the right request (see the list of known requests).

sonytv.InvokeAction("X_SendIRCC", "AAAAAQAAAAEAAABgAw==");

Or the special commands using JSON:

string jsontosend = "{\"id\":78,\"method\":\"setTextForm\",\"version\":\"1.0\",\"params\":[\"http://www.mendelonline.be\"]}";

sonybravia

After a few years of fighting with Lync 2010, we decided to stop using this service on premises and migrate everyone to the cloud/Office 365!

For something like Lync, privacy and auditing aren’t that important (not yet), so we guessed we could trust Microsoft on this one…

  • First thing to do: create a trust between Microsoft and our on-premises AD.

This is done by implementing AD FS.
On top of that, you need an active “DirSync” syncing your AD to the cloud.

To create the hybrid set-up with an on-premises Lync environment and the “in the cloud” Office 365 one, you’ll need the latest iteration of the Lync server software: version 2013.
So, we added the Lync 2013 servers to our 2010 deployment. And after some small hassles, everything started to work. (Single-IP deployment; you can google around for how to set it up.)

You need a Lync 2013 Edge and Front End, because we’ll need some specific features introduced in 2013.

  • Next: the Office 365 part.

Office 365 is a complete software-as-a-service platform from Microsoft offering SharePoint, Exchange, Lync and some more Microsoft services in the cloud. It’s pretty cool actually.
I’ve never been too fond of Office 365: it’s cool, nice and cheap when everything is working. But when it starts failing… you’re gone… AAAND you always have to mention the Patriot Act…

Anyway, since its February wave of updates, Office 365 became even more functional!
Its PowerShell support got an update, and now supports Lync Online cmdlets!

Before, you actually had to ask Microsoft to enable PowerShell for Lync Online because it was in beta. Nowadays (since August), everyone gets it!
So, nice again 🙂

MSOL PowerShell doesn’t support a lot of cmdlets, but at least the essentials.

  • To be able to migrate a user, we’ll have some more requirements: on-premises Active Directory tweaking and Office 365 domain setup.

Of course you need to connect your DNS domain to your Office 365 tenant (easily done using DNS verification).

Next, make sure your AD UPN (username@domain.com) corresponds to your Lync domain and your Office 365 account. You can add the domain as a custom UPN suffix in AD.
So, you’ll have an internal AD user frafra@domain.com, name.firstname@lyncdomain.com as SIP address, and the same frafra@domain.com as Office 365 user (synced by DirSync).
Your Lync domain doesn’t have to be exactly the same as your login domain, but hey, “why make it simple and functional if you can make it complex and wonderful?!”…

After that, you can fire up PowerShell!

First of all, you have to add Lync Online as a trusted hosting provider on your on-premises Lync, and you have to make your on-premises Lync share the SIP address space with Lync Online.
Use “Set-CsHostingProvider” here…

And then you can actually move someone between both environments! 🙂 (Make sure the user has an Office 365 license assigned.) Again, it can all be done in PowerShell.

So, connect to your on-prem Lync and Office 365, and push your clients to the cloud!


#onprem
$CSSession = New-PSSession -ConnectionUri https://onpremlync.contoso.lcl/ocspowershell -Credential $AdminUsername -ErrorAction SilentlyContinue
Import-PSSession -Session $CSSession
#exchange online
$ExSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $ExSession
#office365
Connect-MsolService -Credential $cred
#lync online
Import-Module LyncOnlineConnector
$CSolSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSolSession -AllowClobber

Get-MsolUser -UserPrincipalName user@contoso.com | Set-MsolUser -UsageLocation "BE"
Set-MsolUserLicense -UserPrincipalName user@contoso.com -AddLicenses CONTOSO:MCOSTANDARD
Get-CsUser user@contoso.com | Move-CsUser -Credential $cred -Target "sipfed.online.lync.com" -HostedMigrationOverrideUrl "https://admin0a.online.lync.com/HostedMigration/hostedmigrationservice.svc" -ProxyPool "onpremlync13registrar.contoso.lcl"

AD FS, STS, SSO, Claims, Realms, Tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that were thrown at me last month…

The project was to implement AD FS (see title) in our environment.
The single purpose of AD FS is to create a “single sign-on experience” between applications: sign on to one website, and you can visit all the other websites with that same account! (Only the trusted websites, of course…)
Exchange OWA and SharePoint can be hooked up as relying parties; you can use it natively in custom and cross-platform applications, on Microsoft Azure and, in our case, Office 365.
And because it’s based on open standards, you don’t have to use .NET: you can use Java (yay) as well, or even PHP -> http://code.google.com/p/simplesamlphp/.
As long as your application speaks SAML (or WS-Federation), you’re good to go!

So, all mentioned abbreviations also have a meaning! And if you want to know what it means and what their purpose is, read this article on msdn!

A more “conceptual” article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about “the airport” explains a lot 😛

Some more “academic” OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read wikipedia 🙂

PowerShell is being positioned by Microsoft as a “Unix shell lookalike”.
And with the release of Windows 8 it’s at version 3.0.

If you have absolutely never heard of it: it’s the successor of DOS -> cmd -> cscript (VBScript) -> PowerShell.

Nowadays, you can actually script a big part of almost any Microsoft product’s installation/configuration/administration in this shell (Windows, Exchange, SharePoint, Lync, …).
Plus, you can make calls to .NET/COM/Windows!

Let’s get you started!

Start -> search for “powershell” -> start it!

You can run commands you already know like ipconfig/nslookup, cd/ls/dir or even something like “Get-Counter -ListSet processor | Get-Counter” (more info) for more advanced usage 🙂

I’m not going to rephrase great readings, but I am going to put them in a list to get you started!

  1. Read this: http://www.johndcook.com/PowerShellCookbook.html
    It’s a very brief summary of how to get started with PowerShell scripting (the setup, especially “Set-ExecutionPolicy”, and some really basic commands!)
  2. Check this page: http://www.computerperformance.co.uk/powershell/index.htm
    It’s also a very good introduction to the syntax of conditional branching, comparison operators and loops in PowerShell!
  3. or google anything with “powershell” and your question 😉

If you’ve programmed before, you’ll be up and running in no time!
Otherwise, it’ll take you like 2 minutes 😛

Anyway, some example scripts for you! -> http://www.mendelonline.be/code/index.php?filename=get%20all%20servers%20from%20ad%20and%20get%20version%20of%20specific%20file.ps1


In my bed, the weirdest things happen…
Today, I woke up and thought to myself: “why do people sign their code, but not their stored data & variables?”

Let’s explain what I mean…

I’ve been messing around with Windows Phone 7 quite some time.
And now Windows 8 has the same fun challenges.

Some (most) hobbyist developers don’t take the time to “secure” their applications, mostly because there isn’t time or money, or the effort is just too high…

Anyway, this results in a lot of apps you can play with 😎

codeintegrity.cat

Nowadays, when you edit a W8 XAML file, the codeintegrity.cat (miaow) file makes sure your app crashes…
The codeintegrity.cat file (shipped inside the installed Store package) is a signed catalog of hashes of the app’s files, so an edited file no longer verifies (no way 😛 ).
It’s a quick fix for a hack that came out a long time ago (the one where you could edit anything you wanted): www.extremetech.com/computing/143002-how-to-pirate-windows-8-metro-apps-bypass-in-app-purchases-and-more

Some thoughts: why isn’t all this encrypted/obfuscated/minimised/…, aka why is it plain text?

A really good read from Justin Angel! It’s quite funny too!

So at least I’m not the only one who thinks like that!

But a solution can be that easy! Take your vars and multiply them by 4. Convert them to another type (var something = (new int32(1234).tochar())). Create a stupid mathematical formula to “hide” your variables. Or even: don’t store your variables under obvious names (the meaning of the variable “AmountOfGold=5000” isn’t THAT difficult to guess :-p), or just salt the whole variable mess! None of that stops a determined reader, but it raises the bar above “open in Notepad and edit”, and a keyed checksum over the saved values (the data-signing idea this post started with) at least lets the app notice it has been tampered with.

If only our precious NMBS would do that! 😆

  • First of all, you can’t play with this unless your phone is completely unlocked. Since the new version of the WP Marketplace, all XAP files are encrypted, so you can’t download and unzip them as before…
  • Second of all: this is only a very basic post on this matter, but it’s a good start for more 🙂

Well, let us start with a random no-name application.
You’ll need a .NET decompiler as well! Just google one 🙂
I’ll use ILSpy because it’s fast and portable 🙂

Here you can read some things about how WP7 trials CAN work, using the IsTrial() method.
Developers don’t upload two versions: the same XAP is installed either way, and the app asks the licensing API via IsTrial() whether it is running as the trial or as the paid version, and locks features accordingly.

Next, you’ll need the wp7 app (or parts from it) on your computer.
As mentioned earlier, Microsoft now encrypts the entire XAP file (which I don’t blame them for). So we’ll have to install the app on the phone and copy the necessary files from the phone to a desktop computer 🙂

You can do this with a file manager. I used the “root webserver” application to download some DLLs from my phone to my computer.
Just fire up a browser, or even a WMDC/USB connection, browse to \Applications\Install\*applicationid*\Install\, and take a look around. This is where your applications are actually stored.

So, when you’ve got your dll-files, open them in your decompiler!

Next, the real “hacking” begins. Take your time to examine the source code, and find a way to exploit it 😛
If you can write an application, you can read one as well 😉 (reading is not always easier than writing 😉 )

You’re looking for a boolean value, or a method you can bypass, or something you don’t like that you want to disable (or want to enable!)

In our example we find the method IsTrial(), which pretty much says it all…
You’ll notice the code is a bit obfuscated, again to make it a bit harder for you: hash sums, dynamic memory allocation, … I’ll blog about this subject later 😉

If we make this function always return “false” (IsTrial() returning false means “paid”), we’re done already.

This gives the biggest challenge: making it actually work. This “easy” method described above definitely won’t work in all cases. Most of the time there are more functions and checks you’ll need to bypass.

Maybe in another part of the dll there’s a piece of code checking the date. You can adjust that specific call, always returning a day in 2017.
Or even funnier, maybe there is a config file with a boolean “istrial”, and you can change it to “false”, and you’re done as well.

Be creative!

To wrap up: you decompile the DLL completely, open the result in Visual Studio, change the one stupid line so IsTrial() always returns “false”, compile the new DLL and put that back onto your phone!

This post only describes a very basic technique in .NET for WP7, but at least it gives you an idea of how to start exploring the wonderful world of reverse engineering, and you can go WAY deeper. Start googling software instrumentation (extremely cool technique), disassemblers (bypassing checks in x86 assembly code), debuggers, hex editors, and you’ll probably never stop reading.

Maybe I’ll write something about reverse engineering pc apps as well 🙂

In this first part, in a series of posts, I want to talk about obfuscation.

This hard-to-pronounce word actually means “the art of making things difficult (to understand)”.
Google translates this word into Dutch as “verduisteren”, to darken/obscure, or something like that.

In the IT world, it’s a technique for making code or information unreadable by humans, which in turn makes it much harder to analyse…

This is done for multiple reasons.

  1. a software developer doesn’t want their code to be read (think of RSA, iTunes’ DRM FairPlay, copy protection like StarForce or SecuROM)
  2. virus writers trying to hide malicious code, making it harder to detect by anti-virus software
  3. defense contractors making sure not a single terrorist can find a hole in the mission control software of a missile

So, any programming language (or even hardware designs!) can be obfuscated (yep, even JavaScript).
It transforms your initial source code into something else.

A nice example.

void main(){
   string name="mendel";
   int age=24;
}

could make

void main(){
   string a = function1("mendel", "24", 1);
   int b = Convert.ToInt32(function1("mendel", "24", 2));
}
string function1(string a, string b, int c){
   if(c==1)
      return a;
   if(c==2)
      return b;
   return null;
}

(or something like that ^^)
The result is 100% the same, but the first version gives away a lot more information about what this function does!

An even funnier example:

int x;
void function2()
{
   for(int i=0; i<5; i++)
   {
      if(i>3)
         x=4;
      else
         i++;
   }
}

which actually just sets the variable x=4; (i takes the values 0, 2 and 4, because the else branch skips one each time, and only i=4 reaches the assignment)

The idea behind all this is that when you, as a reader, analyse the code, you wouldn’t be able to figure out what it does 🙂
It just doesn’t make sense..

These obfuscation transformations can go pretty far.
Take a look at the annual IOCCC contest, which results in really crazy stuff!

There are a lot of obfuscators for platforms like .NET (Dotfuscator, bundled with Visual Studio) and Java (ProGuard), and many, many others… All with one goal in mind: protect (or just hide) your code!
If you want to read more about code obfuscation, this series is a very good start!
But you’ll find a whoooole lot more on Google!

There’s no actual reason for this post. But sometimes you come across this kind of code, and I wanted to share this out-of-your-mind subject with you 🙂
I just hope you’re as intrigued with it as I was when I first saw it 🙂

javascript code from the “runforestrun” infection

My first introduction to this subject was at Ghent University.
Next, I stumbled upon more obfuscated code when Stuxnet appeared.
After that, a virus infected a customer’s website at work (screenshot above), also pretty weird.
And even more recently in a DLL originating from a WP7 app.

More on that dll later! 😉