Torture-Proof Authentication

26 February 2020

Authentication has been one of the biggest problems in security since the beginning of the internet. In most cases, we use passwords for authentication. But this usually causes problems, since people use weak passwords, reuse the same passwords on different platforms or simply give them away to phishing scams. We were using them not only for websites and applications but also to unlock our mobile phones. However, companies like Apple have provided more user-friendly authentication options such as Touch ID and Face ID, where you unlock your phone with your biometric data.

Authentication with biometric data is cool, but I’m not really a big fan of it. It’s easy to force someone’s finger onto their iPhone. That is a great risk for people living under oppressive regimes, or for criminals who want to negotiate after being captured.

What about regular passcodes? A passcode exists only in your mind. But this doesn’t mean that you are not at risk. They can torture you to get that passcode, and eventually you will give up.

What do we need then? We need an authentication mechanism that can’t be captured even by torture. Assuming that we will give in under torture, this mechanism should be aware that we are under stress.


An Introduction to Arcade Security

25 December 2019

TL;DR: This article contains my experiences testing the security of an amusement arcade. I found a DoS vulnerability in Intercard devices. An attacker can take down all of an arcade’s machines by using this vulnerability.

My girlfriend and I love to spend hours in local arcades. I always wanted to know how their network works and whether it is secure or not. But I couldn’t find a comprehensive article about it, so I decided to test them myself.

Learning The Fundamentals

In most arcades, you need to have their magnetic stripe card. You go to the cashier and say how much credit you want. After that, she takes a random card from the stack, swipes it at a machine, presses some buttons on the screen and hands you the card.


Serving Django App Statically at The Lowest Cost Possible

02 November 2019

Two months ago, I was planning to publish a mobile app for both Android and iOS devices. However, I didn’t know how to code mobile apps natively. I found that there is an app type called “Webview”, in which you just prepare a mobile-friendly website and serve it inside the app. That was cool. So I coded the web application with the Django framework. I just needed to install it on a server, set a domain name and go. But what if I have thousands of active users in the future; how many resources will I need? Also, what if my competitors conduct DDoS attacks; will I have the time or budget to deal with it? The answer was no. So I needed some alternative method.

Basically, the web application was doing the following things:

The first thing that came to my mind was using a serverless architecture. I’m a big fan of that concept. It reduces cost, attack surface and maintenance struggles. I had coded a few AWS Lambda functions before, for 10-15 users. But when I calculated the cost for thousands of users, it wasn’t as cheap as I thought. Lambda + API Gateway would cost more than $40 per month.

I’m also a big fan of static websites. They reduce cost and attack surface much more than a serverless architecture does. For example, I publish this blog statically via AWS S3 using the Jekyll framework. Since my Django app has no user interaction, I thought maybe I could serve it as a static website as well.

I researched it a lot and tried a couple of open source projects, but no luck. I always encountered problems. There was no stable solution for converting a Django app to a static website. So I decided to make my own process. After some trials, my old friend httrack was the most stable solution.


An Empire Module to Detect PII Data in Office Documents

29 October 2019

I coded an Empire module which detects PII data in given Office documents. You can access my pull request, which includes the module, here: https://github.com/BC-SECURITY/Empire/pull/4

Or you can get the PowerShell script alone here: https://gist.github.com/utkusen/03c8ff388e76d45c1ec79580772d8a78


Generating Personalized Wordlists with NLP For Password Guessing Attacks

12 August 2019

TL;DR

I coded a tool named Rhodiola which can analyze data about a target (for example, the target’s tweets), detect the most used themes in it and build a personalized wordlist for password guessing. It’s an experimental project that creates a new approach to password guessing attacks.

Introduction

Passwords have been our main security mechanism for digital accounts since the beginning of the internet. Because of that, passwords are one of the main targets of attackers. There are a couple of major ways an attacker can find a target’s password. The attacker can prepare a phishing website to trick a target into entering their password into a rogue website. Or, an attacker can conduct a password guessing attack through brute forcing. Password guessing attacks fall into two main categories: online attacks and offline attacks.

An online password guessing attack is one where the attacker sends username/password combinations to a service such as HTTP or SSH and tries to identify the correct combination by checking the response from the service. An offline password guessing attack is usually conducted against hashed forms of passwords. The attacker has to calculate a candidate password’s hash with the suitable cryptographic hashing function and compare it with the target hash. For both online and offline attacks, the attacker usually needs to have a password wordlist. Most web applications have password complexity rules where users have to use at least one number, upper- and lowercase letters and a special character. Also, there are lots of precautions such as IP blocking, account freezing etc. Therefore, reducing the number of trials is very important for attackers.


Predictions for the Next 30 Years of Cyber Security

26 July 2019

This article appeared in the 5th issue of Arkakapı magazine.

Predicting the future matters in cyber security as it does in every sector. Knowing where the cyber security sector will head in the future means profit for companies and strategic superiority for states. Consulting firms that make such predictions exist around the world. However, the predictions they make are short-term, on the order of 2-5 years. In this article, we will instead imagine where we might be heading over a 30-40 year period. In a technology world that becomes something entirely different every five years, predicting such a distant future may seem impossible. However, in the cyber security world it is possible to see a concentrated projection of the events humanity has lived through over the course of history. In ancient times, when there were no security cameras and no forensic medicine, identifying criminals was very hard. By the 1800s, forensics had advanced and detective work had become a widespread profession. Today, identifying criminals has become much easier. According to this projection, the cyber security world of 2018 resembles the physical world of the 1800s. If we examine the historical process that unfolded after the 1800s, we can predict, with a little help from imagination, the changes cyber security will go through in the next 30-40 years.


Detecting Turkish Passwords in the Rockyou Wordlist

22 July 2019

Since my research this year is on password lists (wordlists) and NLP (Natural Language Processing), I have become quite familiar with the wordlists out there. As you know, the biggest and most comprehensive of these wordlists is Rockyou. Recently, I decided to practice and refresh my knowledge of Wifi hacking, which I hadn’t worked on for a long time. Some of the WPA handshakes I obtained could be cracked with an 8-character alphanumeric character set, while others could not. So I went looking for a wordlist containing Turkish words. Although dictionary-style wordlists can be found on the internet, they didn’t make much sense to me because they are not real user passwords. For example, a user will not use the dictionary word “sandalye” as a password.

While thinking about this, I had also run Hashcat with the Rockyou wordlist. I had no hope for the wordlist, but I wanted to see how long it would take. The result surprised me a lot. Hashcat was reporting that the password “1907_fenerbahce” had been cracked. After a moment of surprise, I searched for the word “fenerbahce” in Rockyou.txt. The result surprised me even more, because there were 44 passwords containing fenerbahce. I looked at the other clubs too. Besiktas appeared 32 times, galatasaray 63 and trabzon 25. There were even passwords containing karagumruk. So back in the day, a large number of Turkish users must have signed up for the Rockyou system as well. This was very new information for me. So, as a small evening project, I set out to count all the Turkish words appearing in Rockyou.


My DEF CON 27 Presentations

04 July 2019


I will present my new research and tool at DEF CON 27 in the “Packet Hacking Village”, “Demo Labs” and “Recon Village” sections. The schedules are linked below. See you in Vegas!

https://www.defcon.org/html/defcon-27/dc-27-demolabs.html#Rhodiola

https://www.wallofsheep.com/blogs/news/packet-hacking-village-talks-and-schedule-at-def-con-27-finalized

https://reconvillage.org/talks.html