Existe sin embargo una oportunidad de mejora en algunos de estos dominios, que según ciertas condiciones, podrán presentar problemas de servicios como interrupción en el acceso a sitios web y fallas en los sistemas de correo.

El análisis fue realizado sobre un total de 16.470 176.868 dominios colombianos, en donde 10.023 77.129 se encuentran configurados adecuadamente, 6.148 96.713 sin respuesta, y 299 3.026 no cumplen con las exigencias técnicas del estándar.

El siguiente listado contiene los dominios colombianos afectados por el cambio en los sistemas DNS:

https://github.com/sinfocol/dnsflagday-colombia/blob/master/affected-domains.txt

This scheme is secure while none or just one channel is compromised. We are going to focus on clipboard protection, the following section from KeePass TCATO FAQ was removed after the bug was reported and rejected:

The old way

Clipboard protection is heavily based on the old clipboard viewer chain from Windows, the diagram shows the windows message flow in the viewer chain, the flow must be followed by all the applications that want to listen to clipboard changes. The operating system sends a message to the first window, then each window is required to pass the message to the next one until there is no window left:

Here comes into play the Clipboard Event Blocker from KeePass, it first calls SetClipboardViewer to add himself as the first window in the viewer chain, and then when the WM_DRAWCLIPBOARD message is received it blocks this message from being passed to the next window:

There are two ways to bypass this protection:

Add a window to the viewer chain after KeePass protection is executed
Use newer API functions to listen to clipboard changes

The new way

A clipboard listener was introduced in Windows Vista as a new way to listen to clipboard changes, developers are encouraged to use the system-mantained clipboard format listener instead of the old one. The operating system is now responsible for sending the message to each window, preventing the flow to be blocked by applications:

KeePassLogger

Using the new clipboard listener and a standard keylogger we can retrieve the content of both channels and reassemble the secret. The next video shows a proof of concept for the "specialized" keylogger:

Source code

KeePassLogger source code:
KeePassLogger github repository

With this feature a new tab is enabled in General configuration for each machine:

When the user sets a password, a new element called Property is added to the HardDisk element inside the machine configuration:

The KeyStore is encoded using Base64, and it contains the information needed by the machine to verify the password each time the user wants to start a machine or change its password.

I made a tool called VBOXDIECracker as a proof of concept to crack weak passwords used in this new feature of VirtualBox, you can download it from:

https://github.com/sinfocol/vboxdie-cracker/

Following is a detailed explanation of how this new feature works:

KeyStore Format

First, we need to identify in someway the fields within the decoded keystore:

0000h: 53 43 4E 45 00 01 41 45 53 2D 58 54 53 32 35 36  SCNE..AES-XTS256
0010h: 2D 50 4C 41 49 4E 36 34 00 00 00 00 00 00 00 00  -PLAIN64........
0020h: 00 00 00 00 00 00 50 42 4B 44 46 32 2D 53 48 41  ......PBKDF2-SHA
0030h: 32 35 36 00 00 00 00 00 00 00 00 00 00 00 00 00  256.............
0040h: 00 00 00 00 00 00 40 00 00 00 12 02 78 97 DA CB  ......@.....x—ÚË
0050h: 3A 4C 4F EE F4 87 62 9D 68 A0 73 00 20 D9 B5 DE  :LOîô‡b h s. ÙµÞ
0060h: 74 94 40 8C 7A F9 9A F0 82 89 20 00 00 00 27 B5  t”@Œzùšð‚‰ ...'µ
0070h: 01 C3 16 F4 9F C2 96 B2 FE 32 85 57 35 16 73 81  .Ã.ôŸÂ–²þ2…W5.s.
0080h: AC 20 9F D1 C0 C8 3E 5E 41 B6 6F F3 C3 5A D0 07  ¬ ŸÑÀÈ>^A¶oóÃZÐ.
0090h: 00 00 8A 8F 4A 94 83 7E EC 1B B4 D6 9A 2E 7C 9F  ..Š J”ƒ~ì.´Öš.|Ÿ
00A0h: FA DC 5E 65 95 36 DF 45 A8 1C 46 66 2C F6 6B E9  úÜ^e•6ßE¨.Ff,öké
00B0h: 5E 58 D0 07 00 00 40 00 00 00 EA A5 55 F2 73 AE  ^XÐ...@...ê¥Uòs®
00C0h: AF 9F 11 57 12 8F D1 C3 51 7D 7C AE F4 3E C9 AA  ¯Ÿ.W. ÑÃQ}|®ô>ɪ
00D0h: A5 40 69 17 CD 13 72 C5 76 8C F8 85 7C 56 59 67  ¥@i.Í.rÅvŒø…|VYg
00E0h: 31 8C E1 81 24 0F C1 43 95 6E C2 FA C3 C4 EF 0E  1Œá $.ÁC•nÂúÃÄï.
00F0h: 62 9C 18 82 5D F2 28 E7 1E C2                    bœ.‚]ò(ç.Â

After some work we are able to identify each field:

VirtualBox Keystore 010 editor template

The following 010 Editor template could be used as a guide:

The result of running the template:

VirtualBox password storage algorithm

With the identification of the fields within the keystore we can now have an understanding of how the password storage algorithm works, and it is summarized in this way:


# 32 for AES-XTS128-PLAIN64
# 64 for AES-XTS256-PLAIN64
AES_key_length = 32 | 64
-------------------------
AES-password = PBKDF2(algorithm: SHA256,
password: user_password,
salt: random_salt_1,
iterations: 2000,
output_length: AES_key_length)
----------------------------------------------
PBKDF2-decrypted-password = AES_decrypt(key_size: AES_key_length,
mode: XTS,
data: random_data
password: AES-password,
type: raw,
iv: NULL)
-------------------------------------
Stored_hash = PBKDF2(algorithm: SHA256,
password: PBKDF2-decrypted-password,
salt: random_salt_2,
iterations: 2000,
output_length: 32)


The same process is performed each time the user wants to decrypt the machine disk. The stored hash (the one from keystore) is compared with the computed hash (the one from user input) in order to authenticate the user and let him use the machine.

VBOXDIECracker - the tool

With the appropriate format and algorithm we can emulate the password verification of VirtualBox and make a not-so-fast cracker with PHP (sorry guys, I did not find a standard package on python to use AES XTS), it is just a proof of concept, so you can develop another leet tools.

You can download it from this site or browse it from the repository.

This is a sample of the source code showing the main function which is the one who computes the final hash:

And the final output with a recovered password:

$ php VBOXDIECracker.php
VirtualBox Disk Image Encryption cracker

Usage: VBOXDIECracker.php disk_image.vbox [wordlist]

$ php VBOXDIECracker.php Encrypted.vbox wordlist.txt
VirtualBox Disk Image Encryption cracker

[+] Reading data from: Encrypted.vbox
----------------------------------------------------------------
[+] Checking hard disk encryption for: Encrypted.vdi
[+] Hard disk is encrypted
[+] KeyStore encoded string:
        U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB
        MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAAASAniX2ss6TE/u9IdinWigcwAg2bXe
        dJRAjHr5mvCCiSAAAAAntQHDFvSfwpay/jKFVzUWc4GsIJ/RwMg+XkG2b/PDWtAH
        AACKj0qUg37sG7TWmi58n/rcXmWVNt9FqBxGZiz2a+leWNAHAABAAAAA6qVV8nOu
        r58RVxKP0cNRfXyu9D7JqqVAaRfNE3LFdoz4hXxWWWcxjOGBJA/BQ5VuwvrDxO8O
        YpwYgl3yKOcewg==
[+] KeyStore contents:
        Header                        454e4353 (SCNE)
        Version                       1
        Algorithm                     AES-XTS256-PLAIN64
        KDF                           PBKDF2-SHA256
        Key length                    64
        Final hash                    12027897dacb3a4c4feef487629d68a0730020d9b5de7494408c7af99af08289
        PBKDF2 2 Key length           32
        PBKDF2 2 Salt                 27b501c316f49fc296b2fe32855735167381ac209fd1c0c83e5e41b66ff3c35a
        PBKDF2 2 Iterations           2000
        PBKDF2 1 Salt                 8a8f4a94837eec1bb4d69a2e7c9ffadc5e659536df45a81c46662cf66be95e58
        PBKDF2 1 Iterations           2000
        EVP buffer length             64
        PBKDF2 2 encrypted password   eaa555f273aeaf9f1157128fd1c3517d7caef43ec9aaa5406917cd1372c5768c
                                      f8857c565967318ce181240fc143956ec2fac3c4ef0e629c18825df228e71ec2
[+] Cracking finished, measured time: 6.13035 seconds
[!] KeyStore password found: 123
----------------------------------------------------------------
[+] Checking hard disk encryption for: New_Disk.vdi
[-] Hard disk is not encrypted

The first step is to get the modulus from the PEM file:

N is the product of two Mersenne primer numbers, so the second step is to make a script which is used to find them:

The two prime numbers are: 2²²⁸¹ - 1 and 2²²⁰³ - 1.

We use rsatool.py from ius to reconstruct the private key PEM file (which is used later to decrypt the content of the file using the OAEP padding scheme):

Final step is to decrypt the file:

Your buddy Joey left a USB key with some data he needs your help with. He pulled it from the firewall logs at a 'secure file format'-as-a-Service provider, so he's pretty sure it might be protected or obfuscated somehow.

garbagefile.pcapng.gz

Solution

A PCAPNG file is provided, there we can see some UDP packets where the data is located:

We need to get all the data sent over UDP, we can do it by using tshark:

Each message is composed by two short integers (first one to indicate which is sending the message + second one an incremental ID), and the data itself. I used this script on PHP to separate data from metadata and create bzip files (based on bzip headers found on the dump):

Twenty two files are created, it is time to decompress them using python:

There are only three "corrupted" files:

file 0 invalid
file 8 invalid
file 21 invalid

First file does not contain a bzip header, so it was skipped. Second file is the heaviest (20.8KB) and it is possible the file we are looking for. We are making a guess now, the file seems to have a Zlib header:

It is decompressed properly giving us a base64 encoded file:

iVBgMA0KNH0AAC56SUhqJQAALO0AAC4TCAIudwCpR3DoAC53AXN8MEIAgLkc6S53AAleP1lzLncL
Ey53CxMvd5qcNncAQC4+REF6DwHt83C8BWsCMPB7xwsIBH9SBQojRUGjPbH3OPolxPZlTYIDJj8T
Y3saExvhmNgfMRMLBOHERp5W2MAofwgoM9MqKqxXWL7RyXlvwZnM7FMM997V/ez88Ji+2ffuM2fg
... (cropped)
a0ANOm8oMH4XoMBu9tWlbty/38TVNdQQJ2Cg7jeBgSx0BQYkA6fAjrm700S/OVBO18BAr/YCAyuh
KAUoAr5GFRFAa463QIGvdQMFKH10p+7Xzrv9Hcg5fhegwG72gQItctYoK3F1vmhMZkBF18BAr/YC
AytxCnSJt6DOlaRqyBcnYKDuN4GBLHQF1gZyBnWQMTtmbhygwG72gQItcgYKWtDA/ymC2qJiimhr
73cAAC4+RU5q2UJgrA==

Final result is a PNG file encrypted with XOR using "00 00 2E 77" as key:

Flag

key{03087-08351-27H}

FREAK Attack on restricted colombian domain names

Identifying vulnerable domains

A python script was used to identify in a non-intrusive way the affected Colombian domain names (gov.co, edu.co, mil.co, and org.co):

Results

2975 domain names were tested against the vulnerability, the results are impressive, from 1815 domains that support HTTPS only 46 are affected (it is possible to make a man in the middle attack while the domains is using SSL/TLS):

This is the detail of the results classified by each Third-level domain:

gov.co, 662 not vulnerable, 18 vulnerable.
edu.co, 689 not vulnerable, 15 vulnerable.
mil.co, 58 not vulnerable, 1 vulnerable.
org.co, 360 not vulnerable, 12 vulnerable.

Finally, we got the distribution of the vulnerable Colombian third-level domains:

Heartbleed a year later

One year later the same script and data were used to test the heartbleed vulnerability (Overview of OpenSSL security bug (CVE-2014-0160) on critical Colombian domain names), this is what I found:

Only 2 domain names were found to be free of the Heartbleed vulnerability, 16 are still vulnerable.
177 domain names have implemented HTTPS.
115 domain names were deleted (or DNS A record does not exist).
86 domain names dropped HTTPS support.

The TLS heartbeat read overrun (CVE-2014-0160) (also known as The Heartbleed Bug) is the hot topic right now on the information security field. While this publication is not about the technical detail of the bug but some statistics of critical affected Colombian domains, I will show you a big picture of the vulnerability and the results of my research.

If you would like to know more about it, please take a look at the following resources: The Heartbleed Bug, Sean Cassidy's technical analysis, Robert Erbes' technical analysis.

Vulnerability summary

The Heartbleed Bug allows an attacker to read sensitive information contained in the memory of the process which depends on the OpenSSL implementation (OpenSSL from version 1.0.1 to 1.0.1f).

Sensitive information such as user credentials, session IDs, data sent to the server and received by the client, private keys, and anything you can imagine could be found by exploiting this vulnerability.

Affected users are recommended to fix the issue as soon as possible by updating to the latest version of OpenSSL (1.0.1g).

Methodology and results

Restricted Colombian domain names

Using domain name searching methods I was able to get a long-enough list of third-level domains (the list does not include subdomains) which are classified by NIC.CO as restricted user domains, this is, the person who register the domain have to meet certain legal requirements to be able to get a restricted domain name (gov.co, edu.co, mil.co, and org.co).

These domains are used by Colombian government agencies or institutions, Colombian educational sector institutions recognized by the Ministry of National Education, Agencies or institutions of the Colombian Armed Forces, and Companies or nonprofit institutions resident in Colombia.

Evaluation date

Start time: 08/04/2014 - 22:48
Finish time: 08/04/2014 - 23:30

Identifying vulnerable domains

A modified version of the Jared Stafford's python script was used to identify in a non-intrusive way the affected domains (no data was stored or viewed on the test, the script just only show the status of the server).

Results

2612 restricted domain names were tested against the vulnerability (perhaps this is not the total number of valid domain names). There are 1592 domains that are not vulnerable and 252 that are (a total of 1844 domains with HTTPS support distributed on 985 different IPs, and 768 not applicable):

This is the detail of the results classified by each Third-level domain:

gov.co, 602 not vulnerable (51.99%), 70 vulnerable (6.04%), 486 not applicable (41.97%).
edu.co, 639 not vulnerable (68.34%), 104 vulnerable (11.12%), 192 not applicable (20.53%).
mil.co, 17 not vulnerable (25.76%), 42 vulnerable (63.64%), 7 not applicable (10.61%).
org.co, 334 not vulnerable (73.73%), 36 vulnerable (7.95%), 83 not applicable (18.32%).

Finally, we got the distribution of the vulnerable Colombian third-level domains:

Incident handling

08/04/2014 - Start of the security test.
09/04/2014 - colCERT was contacted to coordinate the incident handling and communicate the issue to the affected domains.
10/04/2014 - First contact with colCERT (list of 252 affected domain names was provided), they are taking now all necessary steps to solve the issue on the affected domains.
11/04/2014 - First contact with NIC.CO, they are working together with colCERT to solve the issue on all the affected domains.
08/05/2014 - Start of the security retest.
10/05/2014 - Final update.

En el siguiente enlace puede encontrar la solución para cada uno de lo 23 retos resueltos:

Solución retos de seguridad Campus Party Colombia 2013

En el sitio principal de NULL Life puede encontrar solucionarios a otros eventos organizados a nivel nacional e internacional.

El tablero "final" de puntuación es el siguiente:

Tanto en el juego presencial como en la gráfica se puede evidenciar el juego no limpio, la gráfica con los valores reales queda a consideración de los organizadores.

Debido a esto, y a otros sucesos, el equipo NULL Life, anuncia públicamente que no volverá a participar en este tipo de eventos, a menos que reglas claras y concisas sean establecidas antes del juego, y estas se respeten.

Los tres ganadores fueron:
1. Everth Gallegos (PerverthsO)
2. Manuel Suárez (Blackubay)
3. Juan Escobar

La descripción del reto todavía se encuentra en el grupo:

El contenido del archivo dota2.txt es el siguiente:

ekFAEUFdTRFQU05RFV9VWEEeE3oTW1VcGFhSF3BHXVdYRR4UWEMXXVJTRl5eXhNC
UVwZRklQUldRU0UZWVEWX04XU1dTQkVTQUMfFXoVV1ZbV1tBF0VWVF4KF1pARhV4
Fl1aXUAURl9VQhZHUVRQQRJAVUFDQFhKW0ddEUBbQ1dGGVdaX1ZDQBNYVlZcEF1W
E1JdS1JXQhBCUVoWehBAUksRHhJAR1teEkBYRxNAUVUXU1VUVlBMElZeGERfUF4K
GVRcURFJVE0QRVlQThNQUkJUGF9YQVRbSRJCRVtbXVcRVRlOXEZcGFtXFkNHRU1a
GhR1Q0UUW1FYTxhRSxJGXlFRQhBXV1RHUl9bXlVLFURSRlcfFEFcUUBRE0BQQxda
XVwQWFEXQFxcVBJHXlBWXRFGRVtDUxFZXllMVVISW1QIExwTcRRYXVJeEEdfUFwQ
QFxcShNMXVpRFkldTBdCXxZVVhdEQVxcEElYRUsTVU1WQl0dElZaUBNZW0MQQFgS
X1VCGU9WQkVBVVVFVEMRVlQWXVdbVl9OVF0QUEwVRV1UEF5ZR1RRFlxRF19IEVRe
WkNGXVdUXRoUZl1VTBZWQFReTRZDWBBfWUNRFFtcU1cZV0RRVVtdUhRbUxRKUUxQ
VlAZR1lfQBoYWlxRUkVDXBhDUVZIEkBSQVMRRE1AVBVAXRRbXBlWV01QVEJWURFV
SxJBX1dcFlhLGXwRVkNTWF1UE15IGF5cQksYV1dXGVxdSkZYV0xUVBVVSxBdVl9b
UFBdXFpNAxhDUVZKElNWREZUWVdYTRNVWFMTUUFCVllDGUNfFlpREVteR0QTSl9R
XFxUVkRFF1BdEkNXQVpcXxJHX19HGhRNXlhXSkYTU0gYRFpWEl5YSlFQEFZeEVxY
WkRNVFtQVRFDXVNOEVpWV18TR1pVFl9XQ1JXFV9fGUJDTUVQAxFTVkEQQFlTVxB6
FVVaGVFWXF1QVRlSUFhRRBdGX1JMFn8XUlUVXVVbQ0ddWU0cEnpBTRlRVxJYV0EY
VFxeVFBFUVdGF1gWRlFNGFJDVlUUQFxWX0FHFw==

Las pistas proporcionadas durante el transcurso de cada día en la semana fueron:
Base64.
Esquema de cifrado perfecto, indestructible, inquebrantable, inmejorable, irrompible, etc... en ciertos casos, cuando es usado de forma correcta.
La primera palabra del texto plano es: "How".
La última pista es: Número E!
Texto plano = b64.decode(dota2.txt) ^ Número E

La última verdadera pista contenía la forma de resolver el acertijo, acertijo que puede ser encontrado en forma de código fuente (Gracias a Juan Escobar por permitirme publicar su código):

El texto plano es el siguiente:

How you have felt, O men of Athens, at hearing the speeches of my accusers, I cannot tell; but I know that their persuasive words almost made me forget who I was - such was the effect of them; and yet they have hardly spoken a word of truth. But many as their falsehoods were, there was one of them which quite amazed me; - I mean when they told you to be upon your guard, and not to let yourselves be deceived by the force of my eloquence. They ought to have been ashamed of saying this, because they were sure to be detected as soon as I opened my lips and displayed my deficiency; they certainly did appear to be most shameless in saying this, unless by the force of eloquence they mean the force of truth; for then I do indeed admit that I am eloquent. But in how different a way from theirs!

Felicitaciones a los ganadores!

This is a screenshot of the tool guessing a password:

The magic is in this piece of code (is5_ReadPAX takes care of the "dirty work"):

You can find the whole source code in the PAXCracker GitHub Project.

You can find too the tool compiled on Windows XP x86, you should download ImgSource DLL from the original source, and copy the library to the same directory of PAXCracker.