a website for projects


11 replies to this topic

#1 AndreWalia

  • Members
  • 294 posts
  • Location: St. Louis, MO

Posted 01 January 2013 - 12:58 PM

Hey guys, I saw what happened on NDF-OS and I was wondering where he stores the account data and stuff (I'm not gonna hack it :P). Is it just a blank page with a bunch of stuff in the source code? Also, how would you make it hacker-free so nobody except for the maker (or not even him) can see the passwords?

#2 GravityScore

  • Members
  • 796 posts
  • Location: Land of Meh

Posted 02 January 2013 - 07:51 AM

Not entirely sure how much you know about web technologies (I don't know too much either :P. Please correct me if I'm wrong on something), so I'll explain everything in quite a bit of detail. Plus, I don't know entirely how the hacker did it - I'm just guessing. Also, not sure if posting this is a good idea - it might give people some ideas :/)

NDFJay used Lua in CC to send HTTP requests (messages over the internet) to PHP scripts of his (PHP is another programming language), to do things like upload/delete/download/update/etc... files.

This PHP script (called sync.php) uploaded any file to his remote FTP server (FTP is an abbreviation for File Transfer Protocol - it's basically a server where you can store files, like Dropbox) where these PHP scripts were stored (they have to be stored somewhere :P).

What the hacker did was upload another PHP script of his/her own to the FTP server, and then ran that PHP script by visiting it in his/her web browser. This PHP script could look through the rest of the files on the FTP server, including the ones that stored the username and password for his MySQL database (which is like a massive table with tables inside of it that store data - including the usernames/pass codes. You can imagine it much like an Excel spreadsheet, with headers, columns, rows, etc... (yes this is an oversimplification)) where the users' accounts (including their usernames, emails, and passwords) were being stored. He/she could then log into the MySQL database and see all of the user accounts, or just get their PHP script to list all of the contents of the database. All he/she had to do was decrypt the returned passwords that were encrypted in MD5 (a type of encryption), then dump the data on the CC forums.

Not a particularly smart thing to do in my opinion. This security flaw could have easily just been shown to NDFJay - the hacker did not have to log into his account and (quoting NDFJay here) "fuck up my profile".

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes. Nothing, I think, can ever be made hacker-free in my opinion - many precautions can be taken to stop hackers from having much success in hacking, though - I'm no expert, so you'll have to ask someone else if you want to find out any good ones :P.

An alternative method the hacker could have used is SQL injection.

Ok, I'm not sure if posting this was a good idea - it might give people some ideas. Just remember though - knowing how to do these things is the first step in preventing them.

#3 Leo Verto

  • Members
  • 620 posts
  • Location: Over there

Posted 02 January 2013 - 08:51 AM

GravityScore, on 02 January 2013 - 07:51 AM, said:

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes.

MD5 is supposed to be irreversible too; all those online decrypters just use hash databases, which depend on online MD5 encrypters that save the text you encrypted and the hash. The only other way of hacking MD5 I know of is randomly generating passwords and comparing them to the hash, but this usually takes a looot of time.

#4 Kolpa

  • New Members
  • 260 posts
  • Location: Germany

Posted 02 January 2013 - 08:58 AM

Leo Verto, on 02 January 2013 - 08:51 AM, said:

GravityScore, on 02 January 2013 - 07:51 AM, said:

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes.

MD5 is supposed to be irreversible too; all those online decrypters just use hash databases, which depend on online MD5 encrypters that save the text you encrypted and the hash. The only other way of hacking MD5 I know of is randomly generating passwords and comparing them to the hash, but this usually takes a looot of time.

rainbow tables
also
http://thehackernews...-passwords.html

#5 AliasXNeo

  • Members
  • 23 posts

Posted 02 January 2013 - 11:00 AM

Kolpa, on 02 January 2013 - 08:58 AM, said:

Leo Verto, on 02 January 2013 - 08:51 AM, said:

GravityScore, on 02 January 2013 - 07:51 AM, said:

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes.

MD5 is supposed to be irreversible too; all those online decrypters just use hash databases, which depend on online MD5 encrypters that save the text you encrypted and the hash. The only other way of hacking MD5 I know of is randomly generating passwords and comparing them to the hash, but this usually takes a looot of time.

rainbow tables
also
http://thehackernews...-passwords.html

Hashcat is better imo.

Either way, brute force != reversing

#6 Kolpa

  • New Members
  • 260 posts
  • Location: Germany

Posted 02 January 2013 - 02:55 PM

I was just responding to him saying it would take long, since using a GPU to crack hashes isn't very time expensive at all.

#7 PixelToast

  • Signature Abuser
  • 2,265 posts
  • Location: 3232235883

Posted 02 January 2013 - 03:01 PM

Brute-forcing hashes is only needed if you have obtained a hash of the user's password and the passwords are hashed server-side.

#8 AfterLifeLochie

    Wiki Oracle

  • Moderators
  • 480 posts
  • Location: AfterLifeLochie's "Dungeon", Australia

Posted 02 January 2013 - 08:02 PM

Leo Verto, on 02 January 2013 - 08:51 AM, said:

GravityScore, on 02 January 2013 - 07:51 AM, said:

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes.

MD5 is supposed to be irreversible too; all those online decrypters just use hash databases, which depend on online MD5 encrypters that save the text you encrypted and the hash. The only other way of hacking MD5 I know of is randomly generating passwords and comparing them to the hash, but this usually takes a looot of time.

MD5 should no longer be considered an "encryption" scheme really - simply because it's got a large number of collisions (e.g., the strings "apple" and "orange" produce the same hash), and it's relatively fast to break - simply because of the mathematical nature of the system. Likewise, SHA1 is similar. There are a few known collisions and mathematical issues in it, and it is breakable - not quite as fast as MD5, by any means, but with tools like JTR and oclhashcat-lite out on the Internet for anyone to use, breaking hashes is a trivial task - a few commands on a bash console and bam, you're crunching.

Anyone can hire a server from somewhere like Amazon AWS at $10 for however-many-minutes that's worth, with either a monster-CPU or a monster-CUDA enabled GPU. You could absolutely smash out hashes at an insane rate for however long the account is active - the fact of the matter is, MD5 is as secure as CRC32. SHA1 is a little better.

You should also have a read of this article - All the crypto code you've ever written is probably broken.

tl;dr, don't ever do encryption yourself (lul rot13), do your research and choose something wise - or it can come back and sting, badly.
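The practical lesson of the posts above, as an added example that is not from any poster in this thread: an unsalted MD5 digest of a common password falls to a single table lookup, while a salted, deliberately slow PBKDF2 hash must be recomputed per guess and is compared in constant time. Only the Python standard library is used; the sample passwords and the small lookup table are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "online decrypter" hash databases the thread
# describes: a map from an unsalted MD5 digest back to the plaintext.
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p
                for p in ["password", "123456", "letmein", "qwerty"]}


def unsalted_md5(password: str) -> str:
    """How the breached site stored passwords: one fast, unsalted digest."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str):
    """An unsalted MD5 of a common password is recovered by one dict lookup."""
    return LOOKUP_TABLE.get(digest)


ITERATIONS = 200_000   # deliberately slow: every guess costs this many HMACs


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256; a random per-user salt defeats precomputed tables."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare without leaking timing."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print(lookup_md5(unsalted_md5("letmein")))   # recovered instantly
    record = hash_password("letmein")
    print(verify_password("letmein", record))    # True
    print(verify_password("wrong", record))      # False
```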

#9 PixelToast

  • Signature Abuser
  • 2,265 posts
  • Location: 3232235883

Posted 03 January 2013 - 04:27 AM

my diskencrypt program would store the password's hash
i derped hard because the password's hash is what is used to encrypt / decrypt
:s
never store the hash of the password, only the data

#10 D3matt

  • Members
  • 830 posts

Posted 04 January 2013 - 08:35 AM

PixelToast, on 03 January 2013 - 04:27 AM, said:

my diskencrypt program would store the password's hash
i derped hard because the password's hash is what is used to encrypt / decrypt
:s
never store the hash of the password, only the data

If you don't store the hash of the password, how will you know if the password is correct?

#11 BustedEarLobes

  • Members
  • 46 posts

Posted 06 January 2013 - 07:32 PM

GravityScore, on 02 January 2013 - 07:51 AM, said:

Not entirely sure how much you know about web technologies (I don't know too much either :P. Please correct me if I'm wrong on something), so I'll explain everything in quite a bit of detail. Plus, I don't know entirely how the hacker did it - I'm just guessing. Also, not sure if posting this is a good idea - it might give people some ideas :/)

NDFJay used Lua in CC to send HTTP requests (messages over the internet) to PHP scripts of his (PHP is another programming language), to do things like upload/delete/download/update/etc... files.

This PHP script (called sync.php) uploaded any file to his remote FTP server (FTP is an abbreviation for File Transfer Protocol - it's basically a server where you can store files, like Dropbox) where these PHP scripts were stored (they have to be stored somewhere :P).

What the hacker did was upload another PHP script of his/her own to the FTP server, and then ran that PHP script by visiting it in his/her web browser. This PHP script could look through the rest of the files on the FTP server, including the ones that stored the username and password for his MySQL database (which is like a massive table with tables inside of it that store data - including the usernames/pass codes. You can imagine it much like an Excel spreadsheet, with headers, columns, rows, etc... (yes this is an oversimplification)) where the users' accounts (including their usernames, emails, and passwords) were being stored. He/she could then log into the MySQL database and see all of the user accounts, or just get their PHP script to list all of the contents of the database. All he/she had to do was decrypt the returned passwords that were encrypted in MD5 (a type of encryption), then dump the data on the CC forums.

Not a particularly smart thing to do in my opinion. This security flaw could have easily just been shown to NDFJay - the hacker did not have to log into his account and (quoting NDFJay here) "fuck up my profile".

MD5 can be (the simplicity depends on the hash) decrypted using an online decrypter (such as this one). A safer encryption technology is called SHA1 (it's supposedly irreversible), which could have been used to encrypt the pass codes. Nothing, I think, can ever be made hacker-free in my opinion - many precautions can be taken to stop hackers from having much success in hacking, though - I'm no expert, so you'll have to ask someone else if you want to find out any good ones :P.

An alternative method the hacker could have used is SQL injection.

Ok, I'm not sure if posting this was a good idea - it might give people some ideas. Just remember though - knowing how to do these things is the first step in preventing them.

Could NDF have just added a few lines of code looking for the PHP initiator? It seems simple, though I understand he never expected it... [ex. $lineOfCode = str_replace("<?PHP","<!--REMOVED-->",$lineOfCode) ]
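On the filter suggested above, as an added example that is not from anyone in this thread: a Python stand-in for that str_replace, a check showing what it leaves behind, and an extension allowlist with server-chosen file names as the usual alternative. The upload bodies and the allowed extensions are constructed assumptions.

```python
import os
import re
import secrets

# Constructed upload bodies for illustration (not files from the incident).
UPLOADS = {
    "notes.txt": b"just a text file",
    "one.PHP":   b"<?PHP echo 'a'; ?>",
    "two.php":   b"<?php echo 'b'; ?>",   # lowercase tag: str_replace is case-sensitive
    "three.php": b"<?= 'c' ?>",            # short echo tag: not matched either
}


def naive_filter(body: bytes) -> bytes:
    """Equivalent of the proposed str_replace('<?PHP', '<!--REMOVED-->', $line)."""
    return body.replace(b"<?PHP", b"<!--REMOVED-->")


def still_contains_php_tag(body: bytes) -> bool:
    """Defender's check: does any PHP open tag survive, case-insensitively?"""
    return re.search(rb"<\?(php\b|=)", body, re.IGNORECASE) is not None


ALLOWED_EXT = {".txt", ".lua"}   # assumed: the only file types the sync service needs


def safe_store_name(client_name: str):
    """Allowlist the extension and pick the stored name ourselves; None = reject.

    The server never inspects content for tags: it keeps only known-safe
    extensions, drops any client-supplied path, and uses a single-dot name so
    tricks like 'x.php.txt' cannot pick up a second extension. Storing the
    result outside the web root is the other half of the fix."""
    ext = os.path.splitext(os.path.basename(client_name))[1].lower()
    if ext not in ALLOWED_EXT:
        return None
    return secrets.token_hex(8) + ext


def triage(uploads: dict) -> dict:
    """Per upload: (PHP tag left after the naive filter, accepted by allowlist)."""
    return {name: (still_contains_php_tag(naive_filter(body)),
                   safe_store_name(name) is not None)
            for name, body in uploads.items()}
```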

#12 PixelToast

  • Signature Abuser
  • 2,265 posts
  • Location: 3232235883

Posted 06 January 2013 - 08:00 PM

D3matt, on 04 January 2013 - 08:35 AM, said:

PixelToast, on 03 January 2013 - 04:27 AM, said:

my diskencrypt program would store the password's hash
i derped hard because the password's hash is what is used to encrypt / decrypt
:s
never store the hash of the password, only the data

If you don't store the hash of the password, how will you know if the password is correct?

you store the hash of the output data
then you decrypt the data
if it was an incorrect password then you would be able to detect it
even if you don't encrypt the data with the same algorithm as the password hash
it's still more secure to hash the data because it's usually more complex than the password




