Crack me

Don’t hate the hacker, hate the code.

These are some excerpts from a presentation I gave at a Ladies Who Linux meetup in San Francisco.

***************************

I have always really enjoyed puzzles and games. Building forts, making indestructible cars from k’nex, rock climbing, even backpacking and trying to figure out how to make a fire in the pouring rain with only one match. There are so many things in our daily lives that force us to think critically and break apart a bigger problem into a bunch of smaller, more manageable problems. My love for puzzles was one reason why I wanted to explore the tech world. What I assumed and what I have found to be true is that the tech world is really just a giant playground of puzzles. So since I have you all right here, I thought we could do a little puzzle here together.

If you recall, our topic for the evening is security. Less than two weeks ago I moved into a new place on Treasure Island. I share a house with a few others who I didn’t know previously. My sister happened to be in town for the weekend, so on Friday night I picked up the keys to the space, dropped off a handful of things and headed up to Napa to meet her and some friends for a few days. I didn’t think much of it. When I got back I started to move the rest of my things in. I got up to my room and quickly realized that a brand new pair of running shoes I had purchased just two days previously were missing, along with a few things I had purchased from IKEA. Weird, right? I didn’t want to assume the worst, so I checked my car for the shoes, but to no avail. Why am I telling you about my stolen shoes? I am supposed to be talking about security. I’m telling you this story because when I first thought about security, I dove right into the deep end. I started researching the seven layers of OSI, TCP vs UDP, network mapping, and the list goes on. But I just told you all, I’m a beginner – I have no experience with any of those things – and the story of my shoes reminded me of some very basic fundamentals of security. When we think of security, we often go right for the hard stuff and forget about the basics. When I moved into my new space, it’s not that I should have been overly cautious or paranoid about the living situation – but I should have taken precautions to better set myself up for success. All I really needed was a simple lock on my door.

Security does not need to be complicated, you just have to make sure you cover your bases. Make sure to password protect your accounts, cell phone, and computer. Don’t use the same password for multiple things (although I’m pretty sure we are all guilty of this one). Make sure to use two-step verification for important logins like work email, online banking, etc. Before you worry about the deeper levels of security, make sure you have taken care of the basics.

So – on to our little puzzle.

There is a copy of this project on GitHub under Holberton School – so you are all welcome to clone it and try it yourself at home. Check it out here.

Before we start, I am going to open up a VM. Since we don’t know exactly what these files could contain, we want to protect ourselves by doing this whole little puzzle on a VM. Things are a little more contained on a VM.

vagrant up
vagrant ssh

First I am going to clone it from GitHub – you can see that there are a few files in this repo. We are only going to be dealing with a.out tonight, but feel free to explore the others on your own time; each one increases in difficulty and not all are solvable.

Change directory to our newly cloned repo.

cd don_hate_the_hacker_hate_the_code 

Check to see what files are here

ls

README.md a.out     crackme   crackme2  crackme3

I am going to make a copy of a.out because I know from experience that if we try to execute the program with the wrong password the file will delete itself – that feature was built into the program. So I am going to save us time and hassle.

cp a.out ladies.exe

Now we have ladies.exe

ls 

README.md  a.out      crackme    crackme2   crackme3   ladies.exe

Okay – we are all set up to start cracking. If you haven’t guessed it already, we are going to be attempting to crack the password to this file. Like I mentioned earlier, this first one is pretty easy and if you want a challenge you can try any of the others.

The first thing we want to do is gather some information about the file we are dealing with – it’s a simple command:

file ladies.exe

We can learn a lot about our puzzle at hand by learning about the file type.

ladies.exe: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, not stripped

We can see that it is ELF, which stands for Executable and Linkable Format – and even that it’s not stripped, so the symbol names are still in the binary.

If someone wanted to cover their tracks a little bit better, they could have stripped the file. Let’s list the symbols first:

nm ladies.exe

You get something that looks like this.

0000000000601058 B __bss_start
0000000000601058 b completed.6973
0000000000601048 D __data_start
0000000000601048 W data_start
0000000000400550 t deregister_tm_clones
00000000004005c0 t __do_global_dtors_aux
0000000000600e18 t __do_global_dtors_aux_fini_array_entry
0000000000601050 D __dso_handle
0000000000600e28 d _DYNAMIC
0000000000601058 D _edata
0000000000601060 B _end

When you use nm, you are listing the symbols from object files. You can strip that information quite easily though (strip modifies the file in place, which is one more reason we are working on a copy). Run these commands and see what happens.

strip ladies.exe
nm ladies.exe
file ladies.exe

Now if we wanted to know a little more about the file type, despite the fact that we are the Ladies Who Linux, we all need a man in our lives. Just man file to find out a bit more about the file command.

man file

Okay, so we have gathered some information about our file. What’s next…? Run the file?

Maybe we can read the file and find out more.

emacs ladies.exe

Woof – that’s rough. That’s not going to be of much help. Welp – I have a few other tricks up my sleeve. How about ltrace?

man ltrace

ltrace is a program that simply runs the specified command until it exits. It intercepts and records the dynamic library calls which are called by the executed process and the signals which are received by that process. It can also intercept and print the system calls executed by the program. – Basically it will show us what library functions are being used in this file. When you use ltrace, make sure to give it the executable path (./ladies.exe), since it actually executes the program when you run it.

ltrace ./ladies.exe

__libc_start_main(0x40060d, 1, 0x7fff775943a8, 0x400760 <unfinished ...>
printf("Usage: %s password\n", "./ladies.exe"Usage: ./ladies.exe password
)   = 29
puts("See you next time hacker!"See you next time hacker!
)                = 26

You can see it’s using printf and puts. The usage message printed by printf tells us the program expects a password as its argument, so let’s try it with a password now.

ltrace ./ladies.exe password

__libc_start_main(0x40060d, 2, 0x7fff451bbfe8, 0x400760 <unfinished ...>
strcmp("password", "#cisfun")                    = 77
strcmp("password", "passw0rd")                   = 63
puts("Access denied :("Access denied :(
)                         = 17
puts("See you next time hacker!"See you next time hacker!
)                = 26

Now we see that it’s using strcmp – let’s check out what strcmp does…

man strcmp

The strcmp() function compares the two strings s1 and s2. It returns an integer less than, equal to, or greater than zero if s1 is found, respectively, to be less than, to match, or to be greater than s2.

You can see the program comparing the password we put in with two other strings, #cisfun and passw0rd. That gives us a pretty good hint that maybe one of these strings is the password. You can try them both.

Since #cisfun starts with a special character (the shell would treat # as the start of a comment), make sure to include quotation marks around the password when you type it in.

ltrace ./ladies.exe "#cisfun"

__libc_start_main(0x40060d, 2, 0x7fff98524a78, 0x400760 <unfinished ...>
strcmp("#cisfun", "#cisfun")                     = 0
puts("YES it is fun isn't is? :)"YES it is fun isn't is? :)
)               = 27
puts("But this is not the right passwo"...But this is not the right password.
)      = 36
puts("See you next time hacker!"See you next time hacker!
)                = 26

We get something different that time (the first comparison matched, so the program took a different path), but it’s still not right. So go ahead and try the other possibility.

ltrace ./ladies.exe passw0rd

__libc_start_main(0x40060d, 2, 0x7fff70c8f778, 0x400760 <unfinished ...>
strcmp("passw0rd", "#cisfun")                    = 77
strcmp("passw0rd", "passw0rd")                   = 0
puts("Access granted \\o/"Access granted \o/
)                      = 19
+++ exited (status 0) +++

It looks like it worked!
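One thing to notice in the ltrace runs above: the program's own output lands in the middle of each trace line, because ltrace prints the call before it runs and the return value after, and long strings get cut off with "..." (ltrace's default is 32 characters; see the -s option). Picking the strcmp candidates out by eye is fine for one binary, but here is a small added helper that does it from a saved ltrace capture. It is not part of the original post or the Holberton repo, and the capture it parses is a constructed sample shaped like the output shown above.

```python
import re

# Constructed sample (not the page's own capture) in the shape ltrace prints:
# the program's stdout is interleaved into the trace line, and a 32+ char
# string argument is cut off and marked with "...".
SAMPLE = """\
__libc_start_main(0x40060d, 2, 0x7fff451bbfe8, 0x400760 <unfinished ...>
strcmp("password", "#cisfun")                    = 77
strcmp("password", "passw0rd")                   = 63
puts("But this is not the right passwo"...But this is not the right password.
)      = 36
puts("Access denied :("Access denied :(
)                         = 17
+++ exited (status 0) +++
"""

# One completed call: "func(" then anything (across lines) up to ") = ret".
CALL_RE = re.compile(r"^(\w+)\((.*?)\)\s*=\s*(-?\w+)\s*$", re.M | re.S)
# A C string literal as ltrace prints it; a trailing "..." marks truncation.
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"(\.\.\.)?')


def parse_ltrace(text):
    """Return [(func, [string args], return value, truncated)] per call."""
    # Drop the unfinished __libc_start_main line and the exit marker so the
    # lazy match cannot run from one call into the next one's "= ret".
    lines = [ln for ln in text.splitlines()
             if not ln.endswith("<unfinished ...>") and not ln.startswith("+++")]
    calls = []
    for m in CALL_RE.finditer("\n".join(lines)):
        func, raw_args, ret = m.group(1), m.group(2), m.group(3)
        # Only the quoted literals are arguments; the echoed stdout that
        # follows the closing quote is the program's output, not a parameter.
        literals = list(STR_RE.finditer(raw_args))
        strings = [s.group(1) for s in literals]
        truncated = any(s.group(2) for s in literals)
        calls.append((func, strings, int(ret, 0), truncated))
    return calls


def strcmp_candidates(text):
    """The strings the program compared our input against (2nd strcmp arg)."""
    return [args[1] for func, args, _, _ in parse_ltrace(text)
            if func == "strcmp" and len(args) == 2]
```

Run it against a real capture with ltrace ./ladies.exe password 2>&1 | tee trace.txt and feed the file's contents to strcmp_candidates; the truncated flag tells you which strings you still need to read from the binary itself.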

Okay, let’s try something else. In programming, there are always lots of ways of solving a problem. strings is another tool we can use.

man strings

Okay, strings – print the strings of printable characters in files. That seems like it could be useful. If there is a password in this file, it may be contained in a string.

strings ladies.exe

It looks a little bit different from ltrace. Here you can see some of the strings used in the program (strings does not run it, so nothing gets deleted).

Usage: %s password
See you next time hacker!
/bin/rm
#cisfun! :);
Try again later
#cisfun
YES it is fun isn't is? :)
But this is not the right password.
passw0rd
Access granted \o/
Access denied :(
;*3$"

Now – we could write a bash script to brute force the password by trying every string in the binary. We are programmers after all, so why not? This is a short program written by a fellow student at Holberton School.

#!/bin/bash
# Try every printable string in the binary as the password.
for passwrd in $(strings ./ladies.exe)
do
  # Work on a fresh copy each time: a wrong password makes the program delete itself.
  cp ladies.exe tmp2.exe
  echo "Trying: $passwrd"
  # A denied run prints "Access denied :(" followed by "See you next time hacker!",
  # so look for the success message rather than filtering out the denied line.
  ladies=$(./tmp2.exe "$passwrd" | grep "Access granted")
  if [ "$ladies" != "" ]
  then
    printf "\nThe password is: %s\n" "$passwrd"
    rm -f tmp2.exe
    exit 0
  fi
done
rm -f tmp2.exe

Yet another way to go about this is with assembly code.

objdump -d -j .text -M intel ladies.exe

I am not going to go through the assembly code now for time’s sake. But essentially you just have to follow one clue to another.

That’s the basics of cracking a password. If you enjoyed this, head on over to Holberton School’s GitHub and try the others.
