Tuesday, October 14, 2014

Hulu Ad Removal

One fine October morning I decided to catch up on the latest episode of South Park. Now that the show is exclusively on Hulu, I pointed my browser at the ad-riddled domain and off I went. Now before I go any further, allow me to say I am not an ad nazi. On a site such as Twitch I will even go as far as to pause ad-block in order to help support the streamer. Hulu, on the other hand, infuriates me. The fact that I have to watch the same pile of ads on my paid account as anyone not logged in makes no sense to me. Anyways, allow me to get to the point.
It was time to do what I do best: tinker. I took this as a great opportunity to do something I had been meaning to do for quite some time now: play with node.js. I spent the next half hour or so reading up on node and threw together a proxy server. A special thanks to Peteris Krumins; his blog entry on node proxy servers was instrumental in this project. I modified my code to display the URL associated with every incoming request and connected. I loaded up a Hulu video and watched my traffic for a minute. The first point that became abundantly clear to me is that a very high percentage of ads on the page did not come from Hulu's domain. I added a line to my code ignoring requests going to anything outside of Hulu's domain. Another round of testing. At this point I was blocking all ads on the page, but I was still getting ads in my videos a majority of the time. I went back and looked through my request info on the console of my proxy server. At this point I noticed that the ads that were playing were coming from a subdomain of Hulu. I added a check to disregard all requests to that subdomain, restarted my server and ran another test. Success! I tested on both Windows and Mac in Chrome and Firefox with perfect ad removal. When I am running through my proxy, any time an ad is about to play it instead quickly flashes the "we are having trouble loading this message from our sponsor" message and then continues to play your video. The attempt at displaying the ad takes about half a second and then you're back into your favorite episode of Castle.
If you would like the source, shoot me an email and we will talk. I would normally post it here, but it is very easy to recreate and I am not a lawyer. The last thing I want is Hulu calling me talking about loss of revenue. At the risk of getting some very rich people just as mad, here is a link that shows it working.
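The host-filtering idea described above, written out in Python as an added example rather than the author's node.js source (which is not posted): a request whose hostname is on a denylist, or is a subdomain of a denylist entry, gets a 403, and everything else is forwarded with the upstream response relayed back. The denylist names are constructed placeholders, since the post does not name the ad hosts; the matching rule is the piece worth getting right, because "notads.example.com" must not match "ads.example.com" while "video.ads.example.com" must.

```python
"""Filtering HTTP proxy (added example, not the post's node.js code).
Hosts on a denylist, or subdomains of them, get a 403; the rest is forwarded."""
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Constructed placeholders; the post does not name the real ad hosts.
DENYLIST = ["ads.example.com", "tracker.example.net"]

# Hop-by-hop headers that must not be copied from the upstream response.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "content-length"}


def host_matches(hostname, pattern):
    """True if hostname is pattern itself or any subdomain of it.
    'video.ads.example.com' matches 'ads.example.com'; 'notads.example.com' does not."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return hostname == pattern or hostname.endswith("." + pattern)


def is_blocked(url, denylist=DENYLIST):
    """Decide from the absolute request URL whether the proxy should refuse it."""
    host = urlsplit(url).hostname or ""
    return any(host_matches(host, pattern) for pattern in denylist)


class FilteringProxy(BaseHTTPRequestHandler):
    def do_GET(self):
        # A browser configured to use a proxy puts the absolute URL on the request line.
        if is_blocked(self.path):
            self.log_message("BLOCK %s", self.path)
            self.send_response(403)
            self.end_headers()
            return
        self.log_message("ALLOW %s", self.path)
        req = urllib.request.Request(
            self.path, headers={"User-Agent": self.headers.get("User-Agent", "")})
        try:
            resp = urllib.request.urlopen(req, timeout=10)
        except urllib.error.HTTPError as err:
            resp = err  # 4xx/5xx responses still carry a body; relay them as-is
        except urllib.error.URLError as err:
            self.send_error(502, str(err.reason))
            return
        try:
            body = resp.read()
            self.send_response(resp.getcode())
            for name, value in resp.headers.items():
                if name.lower() not in HOP_BY_HOP:
                    self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        finally:
            resp.close()


if __name__ == "__main__":
    # Point the browser's HTTP proxy setting at 127.0.0.1:8080 to use it.
    ThreadingHTTPServer(("127.0.0.1", 8080), FilteringProxy).serve_forever()
```

This handles plain HTTP only; browsers tunnel HTTPS through a proxy with a CONNECT request, which this minimal handler does not implement, so anything served over TLS passes the filter untouched unless a CONNECT handler applying the same is_blocked check is added.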


Allow me to end with some feedback on detecting this type of ad blocking. All you would need to do is implement a system that runs a script connecting to an external server. If the script is able to connect, continue to let the video play; otherwise stop the video. There are many systems such as this you could use and many ways to get each solution accomplished.

  If you want to know more about me or you are looking for someone with my skill set my contact info can be found at atarimaster.us

Monday, July 21, 2014

Pick The World, My Lock Picking Cherry Pop

For my birthday a few months back my roommate picked me up a really nifty portable lockpick kit (http://www.southord.com/Lock-Picking-Tools/Jackknife-Pocket-Lock-Pick-Sets.html).  It took me a month to actually use it but from the moment I picked my first lock I was hooked.  Here is a picture I sent to my roommate/good friend after I got through my first door.  I would give you more detail but I may or may not have had permission to pick this lock.
From this moment on I was hooked. The feeling you get when you pop open a lock without the key is like no other. Something about getting myself into places I'm not supposed to be has always given me my jollies. I seem to be addicted to getting into things people try to keep me out of, even if all that's in that place is a hot water heater. I quickly realized that I live in the perfect place for a lockpicker. In less than a minute's walk I can be on an abandoned base full of buildings with deadbolts, standard doorknob locks and padlocks. It is lockpick paradise. So I strolled out there and out of pure dumb luck I was able to "acquire" a few padlocks to practice on. Before I go any further I would like to make clear that I have no interest in any sort of illegal activity. This base has been abandoned for many years and all of the buildings are trashed. I am white hat all the way and my interest in security is more on the "know your enemy" end. The very first thing I did with these padlocks is remove one of the locking mechanisms and make it a little easier to hold in my lap and practice on. In comes the modified growler.

I got to the point where I can pick through this lock in less than a minute about 85% of the time. I quickly realized that this was a bit easier to pick than in any real world scenario. A day later I went to my local hardware store and picked up a handful of locks: a standard Master lock, a miniature Master lock, a deadbolt and a standard door lock. I quickly defeated every lock in here and continue to practice on them to this day, with the addition of a few others I have acquired in my travels. The only lock I was not able to get through the first day was the standard door lock. I then looked at the package and realized this was a pick resistant lock.

Sorry for the upside down picture but I am tarted and took it this way on my phone. Now at this point the hacker in me really kicked in and I was determined to beat this lock. I was going to look it up online but I decided to try on my own first. Well, I shouldn't say on my own; my roommate gave me the advice that helped the most and told me to inspect the key, looking for the secret to this "pick resistant" lock. The first thing I noticed is that on every attempt I got a false set on the front tumbler. I took the key and looked at it and noticed the front tumbler does not get touched by the key.

Keeping this in mind I began picking from the back and was very careful not to touch the front tumbler. Within a few minutes of playing I was able to get the lock to open. This was an even more amazing feeling than getting through a normal pin and tumbler lock. So here is the time where I hand out what little advice I have on lockpicking. First things first: never give up. If a key can open it, you can open it. I also highly recommend giving this pdf a read through. It was by far the piece that helped me the most and it has tons of great advice (https://evilzone.org/ebooks/(pdf)-lockpicking-detail-overkill-next-level/). The biggest thing for me was getting used to how little tension you have to apply to pin and tumbler locks. The best piece of advice I received on the tensioner was to get the entire tip of your finger on it and as far down as possible. This helps you feel every time a pin shears. I was told that if your finger turns white you are applying too much pressure. You want just enough to see the lock turn the slightest bit. You will be amazed at how little pressure it takes. I was told that beginners should use more tension in order to feel the pins out better, but I found this to not be true. That's just me though; everyone has a different style. Lockpicking is like everything else in life: practice makes perfect. Here are some more pictures of my current setup for anyone who is interested.

Let me explain the real fake door. The story is most likely only funny to me, as I was the one placing the call, but I had fun. A few weeks ago I gave my dad a call and explained to him that I wanted to make a miniature door that I could fit a handful of deadbolts and doorknobs on. He is a very good carpenter so I usually ask his advice on these types of things. In comes the suspicion. Now my parents know that I am into security, but they had never heard me bring up lockpicking at this point in time, as I have not lived with them for almost a year now. I explained my new hobby and surprisingly my dad was really into it. I should explain that my parents took some time to come around to the idea of their son wanting to be a professional hacker. When I first got in trouble in high school in 2004 for stealing the usernames and passwords of 90% of my school's staff, they became very worried about my obsession with gaining access to machines I should not be on. I feel the need to point out I did not get caught due to my school having a great IT team; I was ratted on by someone who I thought was a friend but in reality was jealous I beat him in the who-can-get-the-most-passwords race. It was not a race; I won, and I won by miles. I was very lucky that the head of the IT team owed me a favor and decided to keep the incident under wraps as long as I handed over my list of passwords, fixed the hole that allowed me to get all the passwords, and agreed not to repeat my actions. I think the fact that a single 16 year old was able to break through every (shitty) barrier that an entire team of adult IT professionals had set up embarrassed them a little. The funny part is, in those days I was not nearly as good as I am today (still not nearly at my max potential even to this day) and the attack I pulled off was not sophisticated at all.
Over the years my parents realized that I never had any intention of harming anything, or of using any of the things I do to harm anyone or anything. I just strongly feel that the world needs good guys to find the security holes before the bad guys do, and that is where we white hats come in. This was not an easy concept to explain to them, as they assumed I was trying to manipulate them, but in recent years they have come around. So back to the story: my father and I spent an hour in his wood shop setting up this fake door. He was all about the project and got more into it than I did. It was a wonderful thing to see. Later that day he had me show him the ropes and he actually managed to pick through a Master lock. This was very fun for me to watch, and as much as he tried to hide it you could tell he was just as into it as I was. That's it for this rant, people, thanks for reading!

  If you want to know more about me or you are looking for someone with my skill set my contact info can be found at atarimaster.us

Wednesday, July 16, 2014

XSS/SQL Injection Playground

So here I am finally documenting these two days' worth of time not spent at work. One day I had a few hours of free time, something that is rare at this point in my life. I decided to spend this time working on my cross site scripting and SQL injection. I started off with a very basic PHP script that would mirror whatever I entered into a text box. I don't feel the need to show this code; if you can't figure out how to write that, this isn't the blog for you. Here is a picture of the very first version:

Very simple and should take no more than 2 minutes to whip together. I began to inject my submit buttons with malicious onclick functions. The first thing I noticed was that Chrome was removing anything I placed after onclick. Here is the picture of Chrome fucking with my inputs:

I attempted my input without quotes around onclick and received the same result. I tried a few more things such as replacing < and > with &lt; and &gt; with no luck. Tested on Firefox and the same code works. We now know that this is a Chrome sanitization. I began research on Chrome sanitization and, heavens to Betsy, I'm not crazy. Chrome has built in XSS detection. And just as I realize this online I pop open my resources tab in my developer tools, almost by accident. Yea, I said fucking almost by accident... get over it. As if the computer gods themselves had fat fucked this clue into my hands, another dead giveaway that Chrome was interfering. Here is a picture of my clue:

So I decided to keep going at this point and come back to defeating Chrome's sanitization when I am a little more exploit savvy. It is now 4:23am and I am about to consume a massive dose of caffeine while continuing to improve my playground. I added a login system and an emulation of a comment system. Here is the current picture of my site.

If anyone would like to see the code, I have put it on GitHub (https://github.com/smoriarty21/injectionPlayground.git)

My next step was to bypass my login. I have no input checking or sanitization, so this shouldn't be very hard. I made sure MySQL and my machine in general were up to date. The first problem I ran into was that anything I put into the password input field was md5 encrypted and passed as a hash rather than my input. I removed the md5 and was able to bypass my login with a simple 1' or '1'='1. This is not realistic though, as any site that is not encrypting passwords should be shunned to the darkest corner of the internet. I added the encryption back and went to town. I realized that I would need to implement my injection in the username field and comment out whatever was inserted into the password field. After a few tries I landed here: ' OR 1 = 1 LIMIT 1 -- ' and bam, login achieved. I then went back to playing with XSS (cross site scripting, in case you're too slow to know what this means yet). It would seem that Chrome does not filter out anything coming from SQL. I began playing with dumping cookies. I cloned the Google account login page and made a few slight modifications. I wrote another Python script to parse through the HTML file for links to external images and files, download them locally and re-create the HTML with the new local links. I will put all of this on GitHub and link later. Next it was time to make my Google page accept GET parameters from the URL and pass whatever data it gets to a Python CGI script for logging the data. I injected the code for a submit button (but this can simply be applied to a link or any other object) to pull all cookie data, remove semicolons from it as they were breaking my params, and pass it to my fake Google login page; that page takes the data, passes it to the CGI script and then redirects you to the real Google login page. I will continue to improve on this and update in the near future.
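The two weaknesses the playground is built around, shown beside their fixes as an added example (Python with sqlite3 standing in for the repo's PHP and MySQL, so this is not the playground's own code): the login in the form the post describes, a string-built query with an md5'd password, which the post's username payload ' OR 1 = 1 LIMIT 1 -- ' walks straight through, next to the same query with bound parameters, which it does not; and comment rendering with output encoding, which is the control that neutralizes the stored onclick button Chrome's auditor lets through. The users and comments tables and the admin credential are constructed for the example.

```python
"""Hardened playground login and comment rendering (added example, not the repo's PHP).
sqlite3 in memory stands in for MySQL; only the placeholder style differs."""
import hashlib
import html
import sqlite3

PAYLOAD = "' OR 1 = 1 LIMIT 1 -- '"  # the username payload from the post


def md5_hex(password):
    # md5 is kept only to mirror the playground's login; it is not a suitable
    # password hash for a real application.
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    """Constructed in-memory tables standing in for the playground's MySQL schema."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    con.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                ("admin", md5_hex("correct horse")))
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """The playground's pattern: the username is spliced into the SQL string.
    With PAYLOAD as the username the statement becomes
      ... WHERE username = '' OR 1 = 1 LIMIT 1 -- '' AND password = '<md5>'
    so the password comparison is commented out and the first row wins."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, md5_hex(password)))
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, username, password):
    """Bound parameters: the driver passes the username as data, never as SQL text."""
    row = con.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row is not None


def store_comment(con, body):
    """Storing raw input is fine; the damage is only done when it is rendered unescaped."""
    con.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    con.commit()


def render_comments(con):
    """Output encoding at render time: each comment is escaped for an HTML text
    context, so a stored <button onclick=...> reaches the browser as inert text."""
    rows = con.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "\n".join("<li>%s</li>" % html.escape(body, quote=True) for (body,) in rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:   ", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterized login with payload:", login_parameterized(db, PAYLOAD, "anything"))
    store_comment(db, '<button onclick="alert(document.cookie)">click</button>')
    print(render_comments(db))
```

Escaping belongs at the output side because the same stored string may later be placed in a different context (an attribute, a script block, a URL), each of which needs its own encoding; html.escape covers the text and quoted-attribute contexts used here. For the cookie-dumping part of the post, the complementary server-side control is the HttpOnly flag on the session cookie, which keeps document.cookie from exposing it to any injected script.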

  If you want to know more about me or you are looking for someone with my skill set my contact info can be found at atarimaster.us