Category Archives: idea

LSB new twist : text based Stegnograph

Today i am going to discuss about a simple twist in existing Stegnography and text base data hiding techniques. While creating challenges for Preconference hacking challenge “HACKIM” for nullcon conference. we cameup with text based LSB hiding challenge as crypto challenge part 5. today i am releasing tools i used to encoding and decoding such values.

The basic prremise behind the tool is the simplest Image based Stegnographic technique where data is hidden in the least significant bit of the Pixel. Here we implemented the same principle on a normal text. The difference in both is in case of the image there is very less distortion and original image is looks pretty much the same however in text implementation the text looks a lot different.

Example

text to hide = a

binary of text to hide = 01000001

So for this we need a cover of size = 8char

lets assume the cover is abcdefgh

We will replace the LSB of each character with one bit of the text which we need to hide. starting from HSB to LSB of text.

S.No Text binary converted Binary Final Text
1 a 01100001 01100000 `
2 b 01100010 01100011 c
3 c 01100011 01100011 c
4 d 01100100 01100100 d
5 e 01100101 01100100 d
6 f 01100110 01100110 f
7 g 01100111 01100110 f
8 h 01101000 01101001 i

now this new text could be send across

final text becomes `ccddffi

Now as we can see the text is changed a lot however the important thing to remember is first and formost the cover is extracted and is most easily available.

by just random variation of 1 and 0 you can get the actual value.

Here is an funny tip

Make your envelop text something interesting so that focus shifts on the envelope rather then the variation in data.

For the above task to be simplified i wrote simple encode and decode scripts as listed below. (Scripts are at there crude level’s right now may improve on them if the need arises.)

Encode

#License : GPL2
#License File : http://www.gnu.org/licenses/gpl-2.0.html
import sys
Key="CoDe"
Cover="Secret is hidden at /home/anant/"
km=""
if (len(Key) * 8) == len(Cover):
	print "Original : " + Cover
	for k in Key:
		km += bin(ord(k))[2:].zfill(8)
	sys.stdout.write("Conceled : ")
	i=0
	for c in Cover:
		y=bin(ord(c))[2:].zfill(8)
		s = list(y)
		s[7]=km[i]
		i+=1
		sys.stdout.write(chr(int('0b' + "".join(s),2)))
	print ""
else:
	print "Invalid Cover Size : " + str(len(Cover)) + " : " + str((len(Key) * 8))

Decoding

#License : GPLv2
#License URL : http://www.gnu.org/licenses/gpl-2.0.html
import sys
crypt="Rebrdt!ir!iheeeo at .inld/an`ot/"
cnt=0
decode=list()
#print len(crypt)
if (len(crypt) % 8) == 0:
	for c in crypt:
		y=bin(ord(c))
		decode.append(y[len(y)-1])
		cnt = cnt + 1
		if (cnt % 8 == 0):
			sys.stdout.write(chr(int('0b' + "".join(decode),2)))
			decode = []
else:
	print "Invalid Input"
print " "

Hope people might find some use of this somewhere..

Database protection Techniques : a different prespective

Tips for Db Security

Disclaimer : This post keeps in mind the web frontends and web applications based attacks on DB Servers in mind.

  1. Any Userid used for web application connectivity should be clipped to specific ip addresses that could be localhost in case of same server usage for Db and App server. If two separate servers are used then clip the user id (s) with the application server ip address / hostname. Keep a strick log of who access the id and when.

  2. 1st entry in user /password data base should be a dummy entry with zero privilege and could be used to act as honeypot too.

  3. Default accounts to be removed / blocked.

  4. User Input validation should be a 3 step process.

    1. Web Page / Client Side validation : Jscript.

    2. Server (Application) : OWASP ESAPI or custom functions ocould be used.

    3. DB: use PL/SQL functions to strip input data.

  5. Another good utility to keep in mind is DBA_USERS_WITH_DEFPWD : contains list of users with default passwords, and with 11g all default accounts are locked.

  6. Web application developers should be provided with 3 different user level access to be used inside web application.

    1. Read Access : user with access to select query only.

    2. Write access: User with select update and delete access

    3. App_mod : access to write access plus drop and trunk.

Developers need to make sure the proper user access is used as and when required.

Note : I know a large number of developers might start crying on this that this will increase their headache but then in long run this could turn out to be a life saver.

Please share your opinion is this a good approach, is it going to help you. What do you thing should be added to this.

Tips for Db Security

  1. Any Userid used for web application connectivity should be clipped to specific ip addresses that could be localhost in case of same server usage for Db and App server. If two separate servers are used then clip the user id (s) with the application server ip address / hostname

  2. Web application developers should be provided with 3 different user level access to be used inside web application.

    1. Read Access : user with access to select query only.

    2. Write access: User with select update and delete access

    3. App_mod : access to write access plus drop and trunk.

Developers need to make sure the proper user access is used as and when required.

Note : I know a large number of developers might start crying on this that this will increase their headache but then in long run this could turn out to be a life saver.

  1. 1st entry in user /password data base should be a dummy entry with zero privilege and could be used to act as honeypot too.

  2. Default accounts to be removed / blocked.

  3. User Input validation should be a 3 step process.

    1. Web Page / Client Side validation : Jscript.

    2. Server (Application) : OWASP ESAPI or custom functions ocould be used.

    3. DB: use PL/SQL functions to strip input data.

  4. DBA_USERS_WITH_DEFPWD : contains list of users with default it.

    1. 11 g : all accounts will be locked and expiered byt default.

protection wordpress username enumeration

After my last post exploiting username enumeration i have looked deep and found a simple workaround to patch your blog for this vulnerability till wordpress has something to add to it.

I am right now using a wordpress plugin : Redirections
https://wordpress.org/extend/plugins/redirection/

Inside the plugin page which comes under : tools -> redirections

Add a new rule with following settings.

Source url : ^(.*)/?author=(.*)
target url : /
Reg Exp : Yes
Match : url only
Action : Redirect to url

and Add Redirection

all done… just try any url with ?author=no

now this url will be redirected back to your main page effectively nullifying the effect of user name enumeration.