Unconventional Access
(My way into the Advanced Steganography pages)

Advanced Steganography
23 September 1998
by Gary Benson
Courtesy of Fravia's page of reverse engineering
slightly edited
by Fravia+
fra_00xx 980923 Gary Benson 0100 AS

Well, well, well... I have already received 4 essays about the 'stats' trick, yet this one seems to me the most complete (and interesting) one, since it carries a "methodological" approach that could indeed be used for many other sites on the web.
As a matter of fact I left the stats on in order to increase the number of people accessing the advanced page... yet, judging from my logs, only a tiny part of my readers have been smart enough to make use of it...
I'll leave the stats way open for a while longer, and there's no fear that the web will change much... the 'slow tide' effect means that only one third of the potential hackable sites (quite a lot) will have taken any counter-measure against this by September 1999 (one year)!
Gary Benson's essay is both important and instructive... Enjoy!
There is a crack, a crack in everything. That's how the light gets in.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

This essay is rated beginner, as I don't think it would be too hard for anyone to follow. Some of the tools used were Unix ones, but I have explained them, and there are equivalents on most platforms.

Not really an essay on steganography, as that is not how I solved it. There is, after all, more than one way to skin a cat!


Unconventional Access
(My way into the Advanced Steganography pages)
Written by Gary Benson


Introduction

This file describes how I got the list of 'secret' files from the stegonated GIF, and then how I got into the advanced steganography page.

Tools required

Website download utility.
C Compiler.

Target's URL/FTP

http://www.Fravia.org/_ad__st_.htm

Program History

The world's leading site for reverse engineering!

Essay

The Hunt for the Secret Files

I have always been interested in cryptanalysis (and steganalysis, if that is a word), and so after coming across the Steganography Starting page I decided to have a go at the two 'tests'.

I have looked at Hide and Seek before, so I decided to try that one again (better the devil you know...)

It seems to be a very fast program, and since the number of keys is small I decided to use a 'brute-forcing' approach. The fact that it only outputs a file when the password is correct is another boon to the cracker, as the file does not even need validating. The 'Press a key to continue' bit had to go, and so I created a file containing just a space, and passed that to its stdin. Lovely.

The program I wrote is shown below - in this case, 24 minutes later, I had a result.


/*
 * You will need to create a one-byte file called AKEY.TXT for the keypress
 * when seek says 'press a key to continue'. My file just held a space...
 *
 * The output produced was:
 *
 * RESULT:
 *  seek <akey.txt crackme.gif out.txt 4575
 *
 *  Start: Mon Sep 07 19:46:29 1998
 *  Finish: Mon Sep 07 20:10:54 1998
 *
 * Which is 187 tests per minute on a P200 under W95.
 */

#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define IN_FILE   "crackme.gif"
#define OUT_FILE  "out.txt"

int main(void)
{
    char command[256];
    FILE *fHandle;
    time_t start, finish;
    int i;

    /* seek only writes OUT_FILE when the key is right, so the existence of
       that file is the success test. A stale copy left by an earlier run
       would therefore read as a false hit, so get rid of it first. */
    remove(OUT_FILE);

    time(&start);
    for (i = 0; i < 10000; i++)
    {
        /* The key space is the four-digit numbers 0000-9999, tried in order;
           the buffer is far larger than the longest command line built here. */
        sprintf(command, "seek <akey.txt %s %s %04d", IN_FILE, OUT_FILE, i);
        printf("\n%s\n", command);
        system(command);

        fHandle = fopen(OUT_FILE, "r");
        if (fHandle)
        {
            time(&finish);
            fprintf(stderr, "RESULT:\n %s\n\n", command);
            fprintf(stderr, "Start: %s", ctime(&start));
            fprintf(stderr, "Finish: %s", ctime(&finish));
            fclose(fHandle);
            exit(0);
        }
    }
    return 0;
}



The best way to run this is NOT as you may think, i.e. under DOS. One of W95's (only) redeeming features is that it caches the disk for you, which doubled the speed of the crack. It makes a pig's ear, however, of changing the screen mode all the time, so it is best if you make the DOS prompt full-screen before you run it. It is probably a good idea to turn the monitor off as well! The program should compile under any ANSI C compiler, and is invoked as:

brute >log.txt

My conclusion is that Hide and Seek is vulnerable to any attack where the number of keys can be reduced, i.e. dictionary attacks. OK, so my setup only managed 187 checks per minute, but seek.c could be rewritten so that it keeps the GIF in memory and performs the checks on that. The speed-up from eliminating loading the program, loading and decompressing the image, etc., etc., could bring this to 500 or maybe 1000 checks per minute. For people using strong passwords this will be less of a problem, but how many (L)users out there think that their logon name is a good password!

The Hunt for the Advanced Pages

How to go about getting onto the advanced pages? Well, first I read the essays by Jean Flynn and Mrf and, as I had already been considering a dictionary attack, decided to download the entire site and make my dictionary. I used wget, a Unix program, with the following command line:

wget -r -l 0 -H -D www.Fravia.org,Fravia.org -A htm,html,txt http://Fravia.org

The options, for those of you who are interested, mean this:

-r -l 0 - recursive retrieval with no depth limit (-l 0 means infinite levels),
-H -D www.Fravia.org,Fravia.org - allow the recursion to span hosts (-H), but only onto the listed domains (-D),
-A htm,html,txt - only keep files with these suffixes, i.e. text and html.

Well, this went pretty well until it encountered a circular link somewhere, but at this point I had downloaded over 30Mb of text, which should make a decent starting point 8o) . Curious as to what I actually had my hands on, I decided to have a look at what was there. Below is the listing as it appeared on my screen - it may not make much sense now, but all will be revealed ...



 123456.htm    123dos.htm    160593.htm    1azazel1.htm    4surreal5.htm
 Epiclo.htm    Jon__2.htm    THCU99.htm    _ad__st_.htm    _pri_ca!.htm
 _sar_no_.htm    _utomba1.htm    aca100.htm    aca200.htm    aca300.htm/
 aca400.htm    academy.htm/    accessmy.htm    acpnet.htm    advanced.htm
 adynts.htm    aesc_adc.htm    aescu2.htm    aescul3.htm    aescul5.htm
 aescul6.htm    aescula.htm    aescune1.htm    aescures.htm    aitor003.htm
 aitor1.htm    aitor_45.htm    altF4j_a.htm    altf4cjw.htm    altf4jav.htm
 animadei.htm    anonico.htm    anonma2.htm    as65pp1.htm    asmedit1.htm
 assemlin.htm    astonish.htm    ath_sta1.htm    athevica.htm    august.htm
 awards.htm    banda2.htm    banda7.htm    banda_56.htm    bandane2.htm
 bandnov1.htm    bayu3.htm    bayu_2.htm    bayunn2.htm    bbdrlan2.htm
 bbnag1.htm    billboar.htm    bin/    birdy2.htm    blackbo.htm
 blueman1.htm    body.htm    botstart.htm    bouche.htm    boyd1.htm
 bozo1.htm    breathi.htm    caligo1.htm    caligo2.htm    canterbu1.htm
 capedcr.htm    capri_dr.htm    casmw652.htm    censors.htm    chine2.htm
 chineee1.htm    chown.htm    civetta.htm    claris.htm    clito.htm
 cocktail.htm    compro2.htm    conself2.htm    cookie.htm    corel1.htm
 coriolan.htm    corporate.htm    coumes.htm    couninte.htm    crack_C1.htm
 crack_C2.htm    crack_me.htm    crackpp.htm    crashme.htm    crlvent7.htm
 crook.htm    crunchi1.htm    crunchi2.htm    crunchi3.htm    crunchi4.htm
 crunchi5.htm    crushed1.htm    crymaco.htm    cubus2.htm    cybercu1.htm
 cynapp1.htm    danadd1.htm    daq1.htm    daq2neu.htm    daqnew.htm
 daqtod.htm    dark1.htm    datapi1.htm    datapi2.htm    deja.htm
 dev_pap2.htm    dimit_12.htm    dllshow1.htm    dong_mad.htm    donglink.htm
 donjo2.htm    dphman1.htm    dphman_p.htm    dpquake2.htm    drfuh5.htm
 drlan1.htm    drlan52.htm    dukeess.htm    dynam_1.htm    dyroady.htm
 edi1.htm    ediadste.htm    emasnat.htm    enemy.htm    entra.htm
 entran.htm    entropy1.htm    epic2.htm    epiclo_4.htm    essaynb.htm
 ether1.htm    eudorauk.htm    fabian2.htm    fantc1.htm    fetch_de.htm
 fetch_se.htm    filemon1.htm    filemon2.htm    filemon3.htm    filemon4.htm
 filemon5.htm    flip2syn.htm    flip_sl.htm    flipne2.htm    flippe3.htm
 flipper1.htm    flipvb1.htm    fly___01.htm    footste.htm    footste2.htm
 footthun.htm    formamus.htm    fp_dong1.htm    fp_dosna.htm    fp_melti.htm
 fp_palmt.htm    frarul1.htm    fraruler.htm    fravgif.htm    freepag.htm
 frogdigi.htm    frognew.htm    frogpr3.htm    frogprin.htm    frogtem1.htm
 fstiuf.htm    ft4tom.htm    fuhrba.htm    fuhrba_3.htm    general.htm
 gif/    gimp1.htm    gnew1.htm    goindown.htm    going.htm
 gtsiren.htm    hackm1.htm    hackmo1.htm    hal_oper.htm    halva_3.htm
 hcu98_3.htm    heatmiz1.htm    help.htm    heres002.htm    heres004.htm
 heres1.htm    history.htm    howto1.htm    howto2.htm    howto31.htm
 howto32.htm    howto41.htm    howto42.htm    howto51.htm    howto61.htm
 howto81.htm    howto82.htm    howto91.htm    howto92.htm    howto93.htm
 howtoa.htm    howtoc3.htm    howtosea.htm    hr_ferr1.htm    hs2l_22.htm
 hs3.htm    hunt_00a.htm    hunt_01a.htm    hunt_02a.htm    hutch1.htm
 hutch28.htm    hutch_61.htm    hutch_65.htm    hutchif1.htm    hutquest.htm
 hutsting.htm    iceext1.htm    iceman.htm    iceman1.htm    icons/
 ideale.htm    ideale1.htm    ideale2.htm    ideale3.htm    ideale4.htm
 ideale5.htm    iebug2.htm    images/    incubus.htm    ind_tra1.htm
 index.htm    index.html    indian1.htm    info.htm    int13asm.htm
 intrud.htm    io13.htm    it_winr2.htm    j_ridcul.htm    jackos_1.htm
 jackrev.htm    jakkaja_1.htm    javaco1.htm    javas1.htm    javascri.htm/
 javat_11.htm    javdevio.htm    javfurther.htm    javhelp1.htm    javpass1.htm
 javpassp.htm    jcrweb1.htm    ji_mboji.htm    jimbob.htm    jjpes__1.htm
 jon1.htm    jonah1.htm    jonencr.htm    jongamcr.htm    jonla_13.htm
 jonne1.htm    jungle1.htm    kenpatch.htm    kent_com.htm    kk_cunei.htm
 kovi1.htm    koxpara.htm    lan002.htm    lan003.htm    lanpat.htm
 legal.htm    links.htm    linux2.htm    littlejo1.htm    littlejo2.htm
 logs/    lonelyha.htm    lophtrev.htm    lordthu1.htm    mad_963a.htm
 maddon_1.htm    madlas1.htm    madmasu.htm    malamirc.htm    mammo_29.htm
 mammo_ot.htm    mammon1.htm    mammop5.htm    mammosep.htm    marigbox.htm
 marigo_2.htm    marigold.htm    mark1.htm    marlbo2.htm    marycri1.htm
 misu1.htm    mmstory.htm    modernze.htm    monitor.htm    mre2.htm
 mrf_steg.htm    mrjadev.htm    mrwho_67.htm    muster.htm    myown511.htm
 natz-1.htm    natz51.htm    natz_mp2.htm    ne_khab1.htm    netles2.htm
 neto3.htm    neto_01.htm    netpatch.htm    netscan3.htm    new_0101.htm
 new_anor.htm    new_archi.htm    new_kha.htm    new_what.htm    newbies.htm
 newbyes.htm    newuni.htm    noanon.htm/    noose1.htm    nop1.htm
 nscekey.htm    ntsnocra.htm    ntworker.htm    octatta.htm    oldiegoo.htm
 omar.htm    oncmc.htm    orc.htm/    orctric1.htm    origin_1.htm
 other1.htm    othetut.htm    ourtool.htm    ourtools.htm    ozyma1.htm
 packers.htm    pageadvi.htm    pagemill.htm    pain1.htm    pain2.htm
 panthe.htm    pape.htm    papers.htm    paulwils.htm    pdffing.htm
 pepper1.htm    pepper2.htm    pepper3.htm    phony.htm    pipoman1.htm
 piq.htm    plushm_2.htm    pluslazy.htm    pna1.htm    pna2.htm
 pna3.htm    popja2.htm    popja_51.htm    pranks1.htm    private.htm
 pro_rcg.htm    pro_syn.htm    progcor.htm    project0.htm    project1.htm
 project2.htm    project3.htm    project4.htm    project5.htm    project6.htm
 project7.htm    project8.htm    project9.htm    projunpa.htm    prophe2.htm
 prophe_1.htm    protecti.htm    pwd.htm    q_tsr601.htm    q_tv0601.htm
 quine1.htm    quine_21.htm    quine_51.htm    quine_h1.htm    qvsnatc.htm
 ragica1.htm    razzcripp.htm    razzia.htm    razzia2.htm    razziak2.htm
 rcg_cmsp.htm    rcg_vxd2.htm    rcgcd.htm    rcgcut1.htm    rcgeudo.htm
 rcglotus.htm    rcgreve1.htm    rcnewht.htm    readmo.htm    real_geo.htm
 realicra.htm    reality1.htm    realmu1.htm    reanews.htm    rebodila.htm
 redla1.htm    reszist2.htm    reveinfo.htm    rezel1.htm    rezget_1.htm
 rezi-aes.htm    rezide7z.htm    reziedi1.htm    rezilin.htm    riddcd1.htm
 riddcd2.htm    rizla.htm    rizlac.htm    roadyde.htm    robinsta.htm
 rude45.htm/    rudebo21.htm    rudeboy.htm    rules.htm    rundus2.htm
 rundus4.htm    sales1.htm    salinas.htm    salt0001.htm    sandma1.htm
 sanity1.htm    saruma1.htm    scniscni.htm    sdzero.htm    sealight.htm
 sear0198.htm    sear0397.htm    sear0698.htm    sear0796.htm    sear1197.htm
 sear1296.htm    search.htm    search7.htm    searengi.htm    searmyst.htm
 sel32sol.htm    septem.htm    shadow1.htm/    shampa1.htm    shellex.htm
 siceinst.htm    silicos1.htm    siuL.htm    siuldre2.htm    siulflex.htm
 siulha2.htm    siulin1.htm    siulinux.htm    siullin2.htm    slaves.htm
 smartc_2.htm    smartdr.htm    smutemai.htm    snatch1.htm    snatch_2.htm
 snatch_22.htm    snatfo.htm    snicke1.htm    snikkel.htm    snippets.htm
 snooty2.htm    solution.htm    solutions/    sourcer7.htm    special.htm
 spirit_1.htm    sprayasm.htm    spyder_4.htm    stalker.htm    stalking.htm
 stats/    stegaad.htm    stego.htm    sth1.htm    sticky.htm
 stone1.htm    strain99.htm    student.htm    students.htm    stupi7.htm
 sublimi.htm    surrsea1.htm    surrsea2.htm    surrsea3.htm    swann.htm
 sykojava.htm    sync.htm    sync2.htm    syncche.htm    syncms1.htm
 syncsol.htm    tamimons.htm    taskman1.htm    taskman2.htm    tek1.htm
 tekles1.htm    teraphy.htm    timelock.htm    tom_devi.htm    tom_furt.htm
 tools.htm    trurlvcl.htm    tryfravi.htm    twd_aeo.htm    twd_ms_.htm
 twdms98.htm    twdrcg.htm    twdwdas.htm    uedilas.htm    ueditcrk.htm
 ultrae2.htm    underje.htm    underta1.htm    undtron1.htm    uninstms.htm
 useful.htm    uvessa1.htm    uvessa_2.htm    vb_frog.htm    vbzero.htm
 vga1.htm    vicever2.htm    vicevers.htm    vizion1.htm    vizion2.htm
 vournt.htm    vuctut01.htm    vxdbasic.htm    what_new.htm    whatdika.htm
 whoson.htm    wi_birdy.htm    wi_frog.htm    wi_frog2.htm    wi_igno.htm
 wi_rcg.htm    wi_rcg2.htm    win98tut.htm    winasm_0.htm    winasm_1.htm
 withles1.htm    wlcmaz.htm    wrapper.htm    wuzat.htm    wyatt_vb.htm
 x861.htm    x86_1.htm    x86dd2.htm    x86new1.htm    xava_27.htm
 xavax1.htm    xoa_126.htm    xoacuba1.htm    xoano_27.htm    xoanon.htm
 xoanon2.htm    xoautow.htm    yamato.htm    yoshinet.htm    zaferdon.htm
 zee__4.htm    zee_inst.htm    zeeida.htm    zeeida1.htm    zeepdf.htm
 zero_rcg.htm    zeropdf.htm    zipped/

The (incomplete) contents of www.Fravia.org

The first thing that struck me was that there were only 15 directories in amongst nearly 600 files. I checked inside those, but they contained nothing which wasn't in the main site. I wasn't looking for the actual files, because I presumed that there would be no links to them from pages this side of the 'fence', merely looking for clues. I started looking at some of the files, to see what I had, as I was on a Unix system and was unable to examine Steganos. After several hours of interesting reading, I came across the file dyroady.htm, at the bottom of which was the following:


You are deep inside Fravia's page of reverse engineering, choose your way out:

entrance
advanced page
Back to the entrance
Back to the devious page

As you can see if you put your mouse over the left-hand picture, it says 'Yessir, back to the other side of the fence'. Did that mean that this page was on the other side of (another) fence then? It turned out that I had stumbled across Fravia+'s Devious Java page, on the other side of a Java sieve. But why?

After some pondering (and some cigarettes) I had the answer. Inside the stats directory there is an automatically generated access list, saying how many hits each page had had. How many hits every single page had had. The program that generated the file didn't give a shit which side of the fence each page had come from, it just listed the lot! When I did the site download, it had downloaded the access list and then followed every link that was on that, so that I actually had the advanced page on my hard disk!!! Ten seconds later I had the page, using the command:

fgrep -l 'advanced steganography' *

(ie. search all files for the string 'advanced steganography'), which produced the following output:

_ad__st_.htm
blackbo.htm
ediadste.htm
fly___01.htm
stego.htm

Fly___01.htm, stego.htm and blackbo.htm could be ignored, as I knew what they were; leaving _ad__st_.htm and ediadste.htm. Needless to say, _ad__st_.htm was the first one I tried ...
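The whole trick above (mirror the site, notice what the hit list links to, grep the mirror for the page) can be reproduced offline. What follows is an added example, not code from the essay or from Fravia's site: it builds a constructed five-file mirror in a temporary directory (the names index.htm, stego.htm, stegaad.htm, _ad__st_.htm and stats/ are borrowed from the listing above; the page bodies and the hit-list format are invented), computes which pages a crawler reaches by following links from index.htm, diffs that against what the stats page links to, performs the fgrep -l step, and also harvests a word list from the mirror's visible text, the dictionary-building step the author mentions at the start of this section but does not show.

```python
"""Offline reproduction of the stats-page leak and of the fgrep search.

Added example, not code from the essay or from Fravia's site.  The file
names mirror the listing in the essay; the page bodies and the hit-list
format are constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

HREF = re.compile(r'href="([^"]+)"', re.IGNORECASE)
TAG = re.compile(r"<[^>]+>")
WORD = re.compile(r"[A-Za-z][A-Za-z0-9_]{3,}")

# Constructed mirror, laid out as `wget -r` leaves a site on disk.
MIRROR = {
    "index.htm": '<a href="stego.htm">Steganography</a> <a href="stegaad.htm">Tools</a>',
    "stego.htm": ('Hide and Seek, Steganos and the advanced steganography test. '
                  '<a href="index.htm">back</a>'),
    "stegaad.htm": "Tools for steganography and steganalysis.",
    # The 'secret' page: nothing on the public side links to it.
    "_ad__st_.htm": "Welcome to the advanced steganography page.",
    # Server-generated hit list: it links every URL ever served, linked or not.
    "stats/index.htm": ('<a href="../index.htm">/index.htm</a> 1203 hits\n'
                        '<a href="../stego.htm">/stego.htm</a> 418 hits\n'
                        '<a href="../_ad__st_.htm">/_ad__st_.htm</a> 37 hits\n'),
}


def write_mirror(root: Path) -> None:
    """Materialise MIRROR under ROOT so the functions below read real files."""
    for name, body in MIRROR.items():
        path = root / name
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(f"<html><body>{body}</body></html>", encoding="utf-8")


def links(root: Path, page: str) -> set[str]:
    """Targets of every href in PAGE, as paths relative to the mirror root."""
    base = (root / page).parent
    targets = set()
    for target in HREF.findall((root / page).read_text(encoding="utf-8")):
        resolved = (base / target).resolve().relative_to(root.resolve())
        targets.add(resolved.as_posix())
    return targets


def reachable(root: Path, start: str) -> set[str]:
    """Every page a crawler reaches by following links transitively from START."""
    seen, todo = {start}, [start]
    while todo:
        page = todo.pop()
        if not (root / page).is_file():
            continue  # dangling link: nothing to follow
        for target in links(root, page) - seen:
            seen.add(target)
            todo.append(target)
    return seen


def leaked_by_stats(root: Path, stats_page: str = "stats/index.htm") -> set[str]:
    """Pages the hit list names that are not reachable from the public index."""
    return links(root, stats_page) - reachable(root, "index.htm")


def pages_mentioning(root: Path, needle: str) -> list[str]:
    """The `fgrep -l NEEDLE *` step: every mirrored file containing NEEDLE."""
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*.htm")
                  if needle in p.read_text(encoding="utf-8"))


def wordlist(root: Path) -> list[str]:
    """Candidate passwords harvested from the site's visible text (tags
    stripped, lower-cased, 4+ characters): raw material for a dictionary attack."""
    words = set()
    for p in root.rglob("*.htm"):
        text = TAG.sub(" ", p.read_text(encoding="utf-8"))
        words.update(w.lower() for w in WORD.findall(text))
    return sorted(words)


def demo() -> dict[str, list[str]]:
    """Build the mirror in a temporary directory and run all the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_mirror(root)
        return {
            "public": sorted(reachable(root, "index.htm")),
            "leaked": sorted(leaked_by_stats(root)),
            "mentioning": pages_mentioning(root, "advanced steganography"),
            "wordlist": wordlist(root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and `leaked` comes back as exactly `_ad__st_.htm`: no chain of links from index.htm reaches that page, yet the server-generated hit list names it, so a recursive wget fetches it the moment the stats directory is crawlable, which is precisely what happened above. The same diff is the defensive check to run against your own site: anything a stats page, log viewer or autogenerated index lists that the public link graph does not reach is only as secret as that listing, so such pages need real access control, and the stats directory belongs outside the document root or behind authentication, rather than relying on the absence of a link.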

Final Notes

Well, unfortunately, I was unable to flex my steganographical muscles on this one. What I have discovered is a new way to break into websites such as this; I never really considered that kind of attack before (I never considered it anyway until after I had performed it!). It exposes a new weakness in possibly a large number of websites (most people turn off the ability to list the directories, but how many think to disable hit lists).

Whatever, I'm sure Fravia+ will have fixed this loophole in his site and the mirrors before anyone reads this! Judging by the dearth of advanced steganography essays, it would seem that this page will be seen by a limited audience, so perhaps some use will be made of this sneaky trick before the world learns of it!

The problem with steganography is that if the image is well chosen (no continuous tones, where hidden data will show up as speckling), a good utility and a decent password is used, then the hidden file will probably remain hidden forever.

Epilogue: I decided to crack the password out of the t_tamra.bmp, as I did not know it. I had got RC4 source and was busy optimising it for speed when I guessed the password (Doh!). Annoyingly, it was the reverse of the password I was using for my test file!

Ob Duh

Nothing was cracked and nothing was stolen.

(c) 1998 Gary All rights reversed.

