Archive for the ‘tools’ Category

WarVOX 1.0.0

March 6, 2009

I’ve been working on adding some wardialing and dialup hacking modules to the Metasploit project for a while, which initially spawned this entire other project that HD went nuts on. Hopefully we’ll get some of the tech that this project produced merged back into the Metasploit wardialing stuff, but for now it’s a separate entity. Here’s the result:


Proof Hashes

June 17, 2008

As the field of security research becomes more and more crowded, it’s inevitable that people will begin to step on each other’s toes. Last year when I began my context-keyed payload encoding research, someone else that I know began extremely similar research at almost exactly the same time. Because I intended to present my research at ToorCon, I only discussed it with a very few select people, so neither of us had any idea the other was working on nearly the same thing. I apparently finished my work first, because when I presented the results at ToorCon 9 later that year, and subsequently published the research in Uninformed Journal vol. 9, I was told by a number of people that the other researcher, whom I consider a friend, was a little upset that I had beat him to the punch, as it were.

Just last month, I circulated among some small communities a draft version of a CFP for a project that I was working on for this year’s DEFCON called “Cirque du 0day”. It was in no way ready for public consumption; in fact, I hadn’t even heard back from the DEFCON staff if something like what I was planning would even be accepted for the conference. I was simply looking for initial feedback on the idea from the people I showed it to. I apparently gave the draft CFP to a group of people that I shouldn’t have, because not more than a couple days later a Full-Disclosure Troll going by the name of Michael Chatner (before he added the “Professor” to his nym) changed the email addresses in the CFP text and posted the CFP nearly verbatim to Full Disclosure as his own. If only there were some way to more convincingly dispute such claims other than to simply reply to it.

Of course, things being as they are in this industry, people in such situations have very little recourse. These kinds of things happen all the time, and will only increase in frequency as this industry grows.

Enter “proof hashes”. For a short time now, people in this industry with information that they both want to keep confidential, as well as be able to prove prior-art for, have hashed some form of the information in question and sent the hash(es) to a public email list like Full Disclosure for posterity (and an irrefutable time-stamp at which point the hashes existed). I have done this myself on occasion, but unfortunately failed to do so when I had the idea to create and bring the Cirque du 0day event to DEFCON. Of course the first few times that this happened, some people on Full-Disclosure cried foul, that the list was no place for such things, and even a few conspiracy theories blossomed surrounding some of the more ambiguous or non-descriptive posts containing hashes. Some even began discussing the validity of an email time-stamp on a message distributed by a public mailing list, since most lists honor the original time-stamp on the message and forward it unchanged. The real indication to the date and time it was posted to the list comes from the surrounding messages delivered alongside it.

Even though there have currently been no reported cases of anyone publicly cross-referencing a proof hash posted to a list like Full-Disclosure in order to prove prior-art, idea ownership, or anything else, I do believe there is value in such a mechanism, and as such, I’ve created the Proof Hashes email list via Google Groups. This list lives at the Google Groups site to ensure that the hosting of the list remains with a 3rd party unmotivated to be involved in any time-stamp forgery scheme. The Group description really says it all:

This group allows establishment of confidential prior-art by posting a cryptographically hashed summary, proof-of-concept, schematic, or detailed description. Prior-art can then be proven by disclosing the original content with its hashes and cross-referencing the date of the original post.

Subscription is not allowed and not required to post to this list. It is recommended that the poster include the result of multiple hash algorithms of the same content in a single message to eliminate the chance of calculating content which produces a hash collision in a single algorithm. It is also recommended that the poster cryptographically sign their message, as this will not only prove ownership of the hashes, but also provide a second, corroborating time-stamp.

I’m apparently not the only person who finds value in this type of thing, as I was recently directed to the PGP Digital Timestamping Service, to which you can send your original message containing your proof hashes. The service will then sign the message itself, essentially time-stamping it, and in “post” mode, forward the message to any number of recipients, including such destinations as public mailing lists.
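The proof-hash workflow described above, as an added example that is not part of the original post or of the Proof Hashes list itself: the poster computes digests under several algorithms and publishes only those; at disclosure time, a reader recomputes every digest over the revealed content and accepts the claim only if all of them match. The sample content and the message layout are constructed for the example.

```python
import hashlib
import re

# Constructed sample: the confidential text a researcher wants prior-art for.
SAMPLE_CONTENT = b"Draft CFP: Cirque du 0day (constructed example text)\n"

# Several algorithms, so a collision engineered against one does not forge a proof.
ALGORITHMS = ("sha1", "sha256", "sha512")

# One "name: hexdigest" line per algorithm in the posted message.
_DIGEST_LINE = re.compile(r"^([A-Za-z0-9_]+):\s*([0-9a-f]+)\s*$")


def proof_hashes(content, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} for the content that stays confidential."""
    return {name: hashlib.new(name, content).hexdigest() for name in algorithms}


def format_proof_post(title, hashes):
    """Render the message body that is posted publicly (digests only, no content)."""
    lines = [f"Proof hashes for: {title}", ""]
    lines += [f"{name}: {digest}" for name, digest in hashes.items()]
    lines += ["", "Original content to be disclosed later."]
    return "\n".join(lines)


def parse_proof_post(body):
    """Recover {algorithm: hexdigest} from an archived post; other lines are ignored."""
    hashes = {}
    for line in body.splitlines():
        m = _DIGEST_LINE.match(line)
        if m and m.group(1).lower() in hashlib.algorithms_guaranteed:
            hashes[m.group(1).lower()] = m.group(2)
    return hashes


def verify_disclosure(content, posted):
    """Check disclosed content against every archived digest.

    Returns (ok, mismatches). ok is True only if at least one digest was
    posted and all of them match; a partial match counts as failure.
    """
    mismatches = [name for name, digest in posted.items()
                  if hashlib.new(name, content).hexdigest() != digest]
    return (bool(posted) and not mismatches, mismatches)
```

The date of the claim still comes from the list archive around the post, not from anything in the message, which is why the text above recommends a signature as a second, corroborating time-stamp.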

EDIT: I’ve also recently come across, which is now using the Proof Hashes Google group as an additional archive for its timestamp blocks.

Real-time Steganography with RTP Whitepaper

September 18, 2007

My paper detailing the research I presented last month at DEFCON 15 was published today in Uninformed Journal Vol. 8. The paper is entitled “Real-time Steganography with RTP” and details using steganographic techniques to establish a covert channel within the protocol commonly used for the media channel in VoIP calls as well as a reference implementation.

Real-time Steganography with RTP

August 9, 2007

Last weekend I gave my presentation at DEFCON 15 entitled Real-time Steganography with RTP. At the same time, I released my reference implementation for the research which is called SteganRTP.

First, let me say that I hate computers. I hate them, hate them, hate them. Upon booting up my laptop in the speaker green room prior to my talk it decided to have all kinds of problems with my live demo setup. The audio was choppy, the endpoints didn’t want to sync up, basically mass chaos all contained within my laptop. Luckily I had gotten to the green room fairly early so after some quick debugging and a reboot everything was operating fine. It was a close call though, as the very minute I got it all back to normal it was time to walk down to the room I was scheduled to speak in.

My talk was essentially about a research project I’ve been working on for the past couple months in what little spare time I’ve had at home involving hiding a data communications protocol inside a VoIP call’s audio. My talk went well, although I did rush through it a bit hoping to end close to my allotted 50 minutes but I actually ended up finishing about 10 minutes early. Since I finished early I went ahead and took questions there in addition to later in the Q&A room for my track. I had some fairly good questions and one stupid question from intropy & co. at the back of the room (: I then went over to my Q&A room where this one guy proceeded to ask me questions for almost the entire next hour.

Anyhow, my presentation went really well, and you can check out the slides and the tool at the links above.

New Tool: hcraft – HTTP Vuln Request Crafter

April 18, 2005

hcraft is a HTTP systems penetration testing tool designed to make exploitation of known vulnerabilities in HTTP systems a dynamic, simple process. hcraft is intended to help take the details out of executing HTTP- based attacks that require you to specially craft an HTTP request. By defining a modeline for a given vulnerability in the modes file you can instruct hcraft in how the HTTP request should be constructed, then use the tool to select the appropriate mode and include the dynamic parts of the attack such as target host, port, and the filename to retrieve or the command to execute.

hcraft was originally designed to be primarily used for arbitrary file disclosure or command execution vulnerabilities, however it can also be used for cross-site-scripting and sql-injection attacks if the modeline for the vulnerability is carefully designed.

You can find the debut version of hcraft at the following URL:

New Tool: hcovert

February 8, 2005

The first source package for hcovert, which I)ruid debuted at a presentation he gave last month for the dc214 group, has been released:

The presentation can be found here: