hakin9_2009_05_24.pdf

Discover what you can do ...
It is an amazing thing that when we start looking for new challenges or ideas, it turns out that they are really hard to find. It seems that they are hidden out of sight and at times are really hard to perceive. I would imagine you have been in a situation where you wanted to – let's say – hack some website or develop some new code; and your mind was blank, and you had no idea of how to do it. I think that happens to each and every one of us, if not often then at least once.

I think that all of us want to avoid being stuck in such situations. We always want to have fresh and new ideas of how to overcome obstacles and find solutions to all our difficult and complicated tasks.

I think the reason we reach this situation could be boredom, a repetitive routine or just the lack of inspiration coming from an external stimulus – something new and different. Sometimes it seems that most techniques used are old and useless; but it is not true. New ideas exist and you need to be made aware of them to finally use them – constructively or creatively. We want to show you what has perhaps been hidden from you so far.

I hope that our magazine succeeds in helping and supporting you with your daily tasks. We always aim at providing the most up-to-date issue by presenting modern hacking techniques often required and sought out by everyone in the respective areas.

In this issue our lead article on Hacking ASLR and Stack Canaries on Modern Linux (p. 20) looks at overcoming stack canaries on Linux systems, which should prove to be quite appealing to the advocates of stack canaries in operating systems, as the author details a proof of concept that bypasses the protection mechanism.

On the other hand, we have solutions related to computer forensics, which can be discovered by reading the next two articles: on page 12, Windows Timeline Analysis written by Harlan Carvey, the first part of a three-part series, and on page 38, My ERP Got Hacked by Ismael Valenzuela. The article by Valenzuela is the second part of his article presenting a practical explanation and hot tips on how to investigate and analyze the digital evidence found during the course of a computer forensics investigation. As we all know, computer forensics is a very interesting field and I think that you will enjoy the articles on this subject.

All of you who want to hack at passwords and learn how to do so can read the article on brute-forcing passwords on page 46 (First Password Shooters written by Tam Hanna).

If you are a fan of Java and JavaScript (not really Java) then you need to read the related articles. The first one is a really interesting article on how to hack JSONP mashups, entitled Mashup Security, written by Antonio Fanelli, and the second one is RSA & AES in Java written by Michael Schratt. Staying up to date and secure with Web 2.0 and what drives it is always important given what the Internet has evolved into, and the second article will be interesting for all of you who want to know more about the encryption and decryption of files and any issues you may come across.

In this Hakin9 issue you will find 8 articles. I think that this issue of the Hakin9 magazine will give you some good feedback and fresh ideas in various areas. Moreover, if you have any ideas for topics that you would like to see us cover in upcoming issues, please let us know. So keep the mails coming in!

Kind Regards
Hakin9 team
en@hakin9.org
CONTENTS

BASICS

12 Windows Timeline Analysis
HARLAN CARVEY
Timeline analysis has long been used in a number of disciplines in order to place a series of categorized events within an understandable, progressive context. This can be very important and telling during computer forensic examinations, as events can be ordered in time and be used to illustrate a progression, or a cluster, of activity. Harlan shows you basic information about timeline analysis as well as the new information in order to update and advance the use of timeline analysis in computer forensic examinations.

16 Analyzing Malware – Introduction to Advanced Topics
JASON CARPENTER
In the final part of this series on analyzing malware, Jason tells you a little about more advanced topics such as polymorphic and metamorphic code, as well as hiding in ADS. This will be a brief introduction to these topics to familiarize you with them, so you can recognize them in the wild. At the end there will be references to get more information on these topics.

ATTACK

20 Hacking ASLR & Stack Canaries on Modern Linux
STEPHEN SIMS
These methods have been privately known and publicly disclosed by Stephen and multiple other researchers over the years, but not in great detail. The methodology attempts to demonstrate examples of modern hacking techniques during conditional exploitation. In this article, Stephen will demonstrate methods used to hack stack canaries and Address Space Layout Randomization (ASLR) on modern Linux kernels running the PaX patch and newer versions of GCC.

30 Mashup Security
ANTONIO FANELLI
Mashups will have a significant role in the future of Web 2.0, thanks to one of the most recent data interchange techniques: JSON. Antonio describes the JSON data interchange format and also presents the JSONP technique for mashups, as well as showing you how to inject JavaScript with JSONP.

38 My ERP Got Hacked – An Introduction to Computer Forensics, Part II
ISMAEL VALENZUELA
Part II of this article continues illustrating in practice the methods, techniques and tools used to investigate and analyze the digital evidence found during the course of a computer forensic investigation. You are finally getting closer to knowing if there was any unauthorized access to the Web-based Enterprise Resource Planning (ERP) server. Ismael, in his article, will illustrate how to investigate security breaches and analyze data without modifying it, how to create event timelines, how to recover data from unallocated space, how to extract evidence from the registry and how to parse Windows event logs.

team

Editor in Chief: Ewa Dudzic
ewa.dudzic@hakin9.org
Executive Editor: Monika Świątek
monika.swiatek@hakin9.org
Editorial Advisory Board: Matt Jonkman, Rebecca Wynn, Rishi Narang, Shyaam Sundhar, Terron Williams, Steve Lape, Peter Giannoulis, Aditya K Sood, Donald Iverson, Flemming Laugaard, Nick Baronian, Tyler Hudak
DTP: Ireneusz Pogroszewski, Przemysław Banasiewicz
Art Director: Agnieszka Marchocka
agnieszka.marchocka@hakin9.org
Cover's graphic: Łukasz Pabian
CD: Rafał Kwaśny
rafal.kwasny@gmail.com
Proofreaders: Konstantinos Xynos, Ed Werzyn, Neil Smith, Steve Lape, Michael Munt, Monroe Dowling, Kevin Mcdonald, John Hunter, Michael Paydo, Kosta Cipo, Lou Rabom, James Broad
Top Betatesters: Joshua Morin, Michele Orru, Clint Garrison, Shon Robinson, Brandon Dixon, Justin Seitz, Matthew Sabin, Stephen Argent, Aidan Carty, Rodrigo Rubira Branco, Jason Carpenter, Martin Jenco, Sanjay Bhalerao, Avi Benchimol, Rishi Narang, Jim Halfpenny, Graham Hili, Daniel Bright, Conor Quigley, Francisco Jesús Gómez Rodríguez, Julián Estévez, Chris Gates, Chris Grifin, Alejandro Baena, Michael Sconzo, Laszlo Acs, Benjamin Aboagye, Bob Folden, Cloud Strife, Marc-Andre Meloche, Robert White, Sanjay Bhalerao, Sasha Hess, Kurt Skowronek, Bob Monroe, Michael Holtman, Pete LeMay

Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.

Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Łozowicka
ewa.lozowicka@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Marketing Director: Ewa Dudzic
ewa.dudzic@hakin9.org
Circulation Manager: Ilona Lepieszka
ilona.lepieszka@hakin9.org
Subscription: Email: subscription_support@hakin9.org
Publisher: Software Press Sp. z o.o. SK, 02-682 Warszawa, ul. Bokserska 1, Phone: 1 917 338 3631, www.hakin9.org/en
Print: ArtDruk www.artdruk.com
Distributed in the USA by: Source Interlink Fulfillment Division, 27500 Riverview Centre Boulevard, Suite 400, Bonita Springs, FL 34134, Tel: 239-949-4450.
Distributed in Australia by: Gordon and Gotch, Australia Pty Ltd., Level 2, 9 Roadborough Road, Locked Bag 527, NSW 2086 Sydney, Australia, Phone: + 61 2 9972 8800

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
Cover-mount CD's were tested with AntiVirenKit by G DATA Software Sp. z o.o
The editors use automatic DTP system
Mathematical formulas created by Design Science MathType™

ATTENTION!
Selling current or past issues of this magazine for prices that are different than printed on the cover is – without permission of the publisher – harmful activity and will result in judicial liability.

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.
4 HAKIN9 5/2009
ATTACK (continued)

46 First Password Shooters
TAM HANNA
The core difference between Central Processing Units (CPUs) and Graphics Processing Units (GPUs) is in the name: while the first is a CENTRAL processing unit, the latter ones go by the nickname GRAPHICAL processing unit. Many graphical tasks can be parallelized well and consist of simple operations; all current architectures are designed for performing hundreds of very simple tasks at the same time rather than having one or two cores which can do everything reasonably well. Tam shows you how to crack passwords for fun and profit.

DEFENSE

52 RSA & AES in JAVA
MICHAEL SCHRATT
Cryptography is used for hiding information. The term cryptography itself covers several areas such as Symmetric-key cryptography, Asymmetric-key cryptography (also called Public-key cryptography), but also Cryptosystems and Cryptanalysis. Today, Michael introduces to you cryptographic functions written in JAVA, specifically RSA & AES. For those of you who do not know RSA and AES, he has covered some of the better descriptions in the link section at the end of the article.

58 AV Scanner 101
RYAN HICKS
Over the past two decades antivirus technology has evolved considerably. The changing nature of threats has driven research and development in order to combat the flood of new malware. While there are different approaches to scanning technology, and certainly different vendors make distinct architectural and implementation decisions, there are certain commonalities that are present in most modern antivirus scanners. Ryan gives you an overview of the history of scanning technology, a description of the most common techniques, and illustrates potential future developments.

REGULARS

06 In brief
Selection of short articles from the IT security world.
Armando Romeo & www.hackerscenter.com
ID Theft Protect

08 ON THE CD
What's new on the latest hakin9.live CD.
hakin9 team

10 Tools
Wireshark – Mike Shaffer
History Killer Pro 3.2.1 – Michael Munt

64 ID fraud expert says...
The Underworld of CVV Dumping, Carding and the Effects on Individuals and Business and Ways to Prevent it
Julian Evans

70 Training Review
VTE Training
James Broad

72 Emerging Threats
It's All About Reputation
Matthew Jonkman

74 Interview
An interview with Andrey Belenko
Ewa Dudzic

76 Interview
An interview with Ilya Rabinovich
Ewa Dudzic

78 Interview
An interview with Alexandre Dulaunoy & Fred Arbogast
Ewa Dudzic

82 Upcoming
Topics that will be brought up in the upcoming issue of Hakin9
Ewa Dudzic

Code Listings
As it might be hard for you to use the code listings printed in the magazine, we decided to make your work with Hakin9 much easier. We place the complex code listings from the articles on the Hakin9 website (http://www.hakin9.org/en).