Tips from a retired blackhat

Holy god have I been around a while. I’m regarded as ancient for disassembling sub7 with windasm. And I’m only 24. That’s the thing about the security scene, it changes so fast. In my years, I have learned a great deal while being a grey hat. I’ve done some good and some bad, after all, I’m only human. This being said, I would like to take the time to discuss some tips and tricks I’ve learned over the years.

Tip 1)

Any “crew” that wants you to join them is a bunch of skiddies that want you to do all the work. No talent in any of them, that’s why they bunch together. Also, being affiliated with a “crew” increases your chances of being blacklisted or worse, busted when one of your ‘members’ does something stupid. Go lone wolf.

 

Tip 2)

If you can’t clear the logs, go ‘public’. It’s already a given that you should ALWAYS try and clear your log files when you hack into some system. Failing that, you could always go ‘public’, and by public, I mean reveal access to your site / server / box’s credentials to some script kiddie site or forum. The idea here is to let the logs get cluttered with so much traffic that they (the admins / cops / whatever) simply overlook your footprints and look to one of the skiddies. Who knows, maybe they’ll deface the front page or delete something important and catch the fire instead.

 

Tip 3)

Never EVER reveal a vulnerability you’ve found to the public. This contradicts tip 2, but applies to code vulnerabilities. If you’ve ever browsed securityfocus or bugtraq or Secunia then you’ve probably seen the shitload of bugs people post. This is cancerous. It’s a double-edged sword. If the right people see it (a big if since most developers I know haven’t heard of bugtraq) then they can patch their code and any future boxes you could own will be plugged. If the wrong people see it (which happens most often) then some other lamo will use the bug to exploit hundreds to thousands of other boxes propagating phishing pages, spam, and credit card fraud. Sure it sounds nice to have some ‘street cred’ for finding that bug in that WordPress plugin, but by posting it on one of the bugtraq sites, you’re causing more harm than help. Don’t be cancer. Save it for yourself.

 

Tip 4)

If you absolutely MUST tell someone about the bug, then keep it between friends. Or if you feel some moral obligation to tell the developers, stay anonymous. I can’t tell you how many people I’ve known who have called or notified companies of bugs only to be threatened with lawsuits or the police (I being one of them). If you send an anonymous letter or email to the company, they will fix the bug (hopefully) and you won’t be in any immediate danger. Don’t expect praise for finding bugs / vulnerabilities. Some developers get pissed off at you for finding flaws in their “artwork”. Fags.

 

Tip 5)

When hacking a website, always check pages in multiple browsers or with different user-agents mimicking other browsers like IE, Mozilla, and Chrome. Many developers today code different pages for different browsers. They even modify their requests to work with different browsers (think ajax).

 

Tip 6)

There’s more than one input method when attacking websites. Most scanners check the classic GET request of the query string and may filter stuff through more vigorously. Be just as aggressive with cookie variables, POST variables, and even your user-agent. I used to stroll around from site to site with the user-agent “evil1 was here” just hoping to confuse some admin peeking at the server statistics.
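From the defender's side of this tip, here is an added example (not the author's code) in Python: a small scanner that applies the same injection checks to every channel of a request, so that a payload in a cookie, a POST field or the User-Agent header is not missed simply because only the query string was inspected. The signatures are generic, textbook ones; the request records, the log lines and the log format they use are constructed for this example and are not a standard server log format.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Generic signatures of the kind a scanner applies to the query string. The point of
# the example is that they are applied to every channel, not which signatures they are.
SIGNATURES = [
    ("sql-tautology",  re.compile(r"'\s*(?:or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("sql-union",      re.compile(r"\bunion\b\s+(?:all\s+)?\bselect\b", re.I)),
    ("script-tag",     re.compile(r"<\s*script\b|javascript\s*:", re.I)),
    ("path-traversal", re.compile(r"(?:\.\./){2,}")),
    ("control-chars",  re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")),
]
# Every mainstream browser's User-Agent starts with "Mozilla/"; anything else gets a look.
BROWSER_UA = re.compile(r"^Mozilla/\d")


def decode(value: str) -> str:
    """Undo one or two layers of URL encoding so %27 and %2527 both become a quote."""
    once = unquote_plus(value)
    return unquote_plus(once) if "%" in once else once


def channels(request: dict):
    """Yield (channel, name, value) for every user-controlled input in the request."""
    for name, value in parse_qsl(request.get("query", ""), keep_blank_values=True):
        yield "query", name, value
    for name, value in parse_qsl(request.get("body", ""), keep_blank_values=True):
        yield "body", name, value
    for part in request.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            yield "cookie", name, value
    if "user_agent" in request:
        yield "header", "user-agent", request["user_agent"]


def scan_request(request: dict) -> list:
    """Return (channel, name, label) for every input that trips a signature."""
    hits = []
    for channel, name, value in channels(request):
        text = decode(value)
        for label, pattern in SIGNATURES:
            if pattern.search(text):
                hits.append((channel, name, label))
        if channel == "header" and name == "user-agent" and not BROWSER_UA.match(text):
            hits.append((channel, name, "non-browser-user-agent"))
    return hits


# Constructed log format for the example: remote host, request line, status, then the
# quoted User-Agent and Cookie. Real access logs usually omit cookies and never carry
# POST bodies, which is exactly why those channels are easy to forget.
LOG_LINE = re.compile(r'^(?P<host>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
                      r'(?P<status>\d{3}) "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$')


def parse_log_line(line: str) -> dict:
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    path, _, query = m.group("target").partition("?")
    return {"host": m.group("host"), "path": path, "query": query,
            "user_agent": m.group("ua"), "cookie": m.group("cookie")}


SAMPLE_LOG = [  # constructed lines, not from any real server
    '203.0.113.7 "GET /news?id=42 HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0" "session=abc123"',
    '203.0.113.7 "GET /news?id=42 HTTP/1.1" 200 "evil1 was here" "session=abc123"',
    '203.0.113.9 "GET /news?id=42 HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" "session=abc%27%20or%201%3D1"',
]


def scan_log(lines: list) -> list:
    """Map each log line to (host, findings); lines with no findings are omitted."""
    report = []
    for line in lines:
        request = parse_log_line(line)
        hits = scan_request(request)
        if hits:
            report.append((request["host"], hits))
    return report


if __name__ == "__main__":
    for host, hits in scan_log(SAMPLE_LOG):
        print(host, hits)
```

Only the second and third constructed lines produce findings: the first carries a plain query string and a browser User-Agent, the second is flagged for a non-browser User-Agent, and the third carries its payload in the cookie rather than the query string, where a scanner that looks only at `id=42` would see nothing.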

 

Tip 7)

Most malware you encounter today is encrypted or packed. This is to elude most of the popular antivirus programs for longer. I for one do not have an antivirus program and have not had one in years, but that’s beside the point. When you’re suspicious of an executable when doing your malware research and aren’t sure if the program is malicious, try and open the program with 7zip or LordPE to peek at its executable sections. If you see funny looking sections such as randomised names like .u4y89yr then the exe is probably packed and this should raise a red flag. The classic sections you’ll always see which are no big deal are:

.text // code
.code // code
.data // initialized variables
.idata // more variables
.rsc // resources

If you see .upx1 then the program is packed with UPX, a free, open-source packer you can get off SourceForge. Oh and if you do a dumpbin of the executable and see suspicious functions like calls to winsock when the program is supposed to be a notepad, then it’s probably malware.
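As an added example (not the author's code), the section-table check described above in Python: it parses the DOS and COFF headers of a PE image, walks the section table, and flags names outside the usual set, UPX sections, executable sections that occupy no bytes on disk, and sections whose byte entropy is close to the 8 bits/byte of compressed or encrypted data. The two sample images are built in-script and are not loadable programs; their section names, sizes and characteristics are assumptions chosen to mirror a clean build and a UPX-style layout.

```python
import math
import random
import struct
from collections import Counter

# Section names that are unremarkable in an ordinary build (the post's list plus the
# usual compiler/linker extras). ".rsc" is kept as the post writes it; ".rsrc" is the
# name most toolchains actually emit for resources.
COMMON_SECTIONS = {".text", ".code", ".data", ".idata", ".rdata", ".rsrc", ".rsc",
                   ".bss", ".edata", ".reloc", ".tls", ".pdata", ".xdata", "CODE", "DATA"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size          # section headers follow the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "characteristics": chars,
                         "entropy": shannon_entropy(raw)})
    return sections


def assess(sections: list) -> list:
    """Return human-readable red flags; an empty list means nothing odd was seen."""
    findings = []
    for s in sections:
        name = s["name"]
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX packer section name")
        elif name not in COMMON_SECTIONS:
            findings.append(f"{name}: non-standard section name")
        if s["raw_size"] == 0 and s["virtual_size"] and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: executable but no bytes on disk, 0x{s['virtual_size']:x} "
                            "bytes reserved in memory (an unpacker writes code here at run time)")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            findings.append(f"{name}: entropy {s['entropy']:.2f} bits/byte (compressed or encrypted)")
    return findings


def build_sample_pe(specs: list) -> bytes:
    """Constructed test image: DOS header, PE signature, COFF header and section table,
    no optional header. Enough for parse_sections(), not a runnable program.
    specs = [(name, raw_bytes, virtual_size, characteristics), ...]"""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(specs)
    table, body, vaddr = b"", b"", 0x1000
    for name, data, vsize, chars in specs:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", vsize, vaddr, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + table + body


_rng = random.Random(1234)                      # deterministic stand-in for a packed payload
HIGH_ENTROPY = bytes(_rng.getrandbits(8) for _ in range(4096))

CLEAN_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x5d\xc3" * 200, 0x1000, 0x60000020),   # code | execute | read
    (".data", b"\0" * 512,                   0x1000, 0xC0000040),   # init data | read | write
    (".rsrc", b"RSRC" * 64,                  0x1000, 0x40000040),
])
PACKED_PE = build_sample_pe([
    ("UPX0",     b"",           0x8000, 0xE0000080),   # empty on disk, filled when unpacked
    ("UPX1",     HIGH_ENTROPY,  0x2000, 0xE0000040),   # compressed payload plus stub
    (".u4y89yr", b"\x90" * 64,  0x1000, 0x40000040),   # the random-looking name from the post
    (".rsrc",    b"RSRC" * 16,  0x1000, 0x40000040),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(f"[{label}]", [s["name"] for s in parse_sections(image)])
        for line in assess(parse_sections(image)) or ["no red flags"]:
            print("   ", line)
```

The clean image produces no findings; the UPX-style image is flagged four ways (packer names, an executable section with nothing on disk, a high-entropy section and the odd name), which is the same picture 7zip or LordPE would give you, just automated over a directory of samples.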

 

Tip 8)

All software is “free”, it’s just a matter of if you want to deal with the copy protection scheme or not. I’m always wary of any and all keygen programs since they mostly contain malware these days. It’s not that hard to break the protection of an application yourself. Just get acquainted with olly.

 

Tip 9)

All the good vulnerabilities in compiled languages have not been weeded out yet. When I get bored, I browse through old and new software for the old classic vulnerabilities and I still find them. The buffer overflow is far from dead. Same with the format string. If you’re feeling daring, go check out Morrowind’s scripting engine.

 

Tip 10)

Video games are a hotbed for vulnerabilities and opportunity. DirectX is still coded primarily in C++ as are many graphics engines. For fluency it’s a good bet the rest of the game was made in C++ as well. Go ahead, peek through the binary with a disassembler. You never know what you’ll find.

 

Without getting too technical or perhaps to save the best for a later blog post, that’s all I have for now. Use these tips well.
