Friday, December 20, 2013

This is PLBURLF03


No, seriously.

It is.


Really.

Keep searching.

Thursday, August 29, 2013

PoTTY v0.63 RELEASED!

v0.63
On August 6, 2013 the PuTTY Team posted an update that included some pretty serious bug fixes.  You might recall that PoTTY never made it to v.062 except in a private build for my own use.  In fact, after my wife got sick in January 2012 (long story) it was left to languish just before it was ready to ship.

And in a few messages to brl I got the impression that obfuscated-openssh (which I like to call oossh) was something of a dead-end, since anyone who really wanted to stop you could just block all encrypted communications.

I had to agree.  But, hey, I don't live in $OPPRESSIVE_REGIME, and I still have a need to evade deep packet inspection and the bugs fixed in v0.63 seemed pretty bad.  And I know there are at least a few PoTTY users out there, so I decided to crank out a new version come Hell or high water.  And much to my surprise I nailed it faster than I thought I could.

At this time, the whole PoTTY Suite is ready to rock.  The final nail in the shipping crate remains to be hammered.  And that is the download page on mrhinkydink.com.  I want to whack that out this weekend and make it available by September 1st.

So this isn't an official announcement.  It's just a teaser.

Against my better judgement, I ran with Microsoft's VCE 2012 compiler.  V0.61 was made with VCE2008 (or was it 2005?) and the ill-fated v0.62 with VCE2010.  I figured "Why not?"  I soon learned why not and in the process had an epiphany on why Simon & the PuTTYnaughts still use VC++ 6.0: it's compatible with everything.

If I had my way, I'd still be using VC++ 5 (which I paid for in 1997).  But I never get my way.  That's just my karma.  The Universe hates my gutz.

So PoTTY works, but if you are using anything less than WINXP SP2 you will get a "not a valid Windows executable" error when you try to run it.  Nothing that VCE 2012 shits out will run on anything less than Vista unless you use a "Platform Toolset" of  "v110_xp" in your project's configuration.

That was disappointing because the default toolset (v110) seems to run a lot faster.

Seems to.

So if you're never looking back, you might want to recompile the whole damned thing in "pure" VCE 2012.  Do a benchmark.  Let me know what happens.  I ain't got time for that shit.

I'm only up to Windows 7, so I can't test it on Windows 8.  Maybe it won't run there either.  Dunno.

One of the hardest parts of upgrading (???) PuTTY source code to PoTTY is going through all the code and replacing "u" with "o".  For the most part this is purely cosmetic branding.  In some places if you do this you will break compatibility.  I think it's important to change the executable names, even if this breaks your scripts, but Pageant (Pogeant) needs to know about it.

The biggest compatibility break—had I done it—would have been making Pottygen create "PoTTY certs" instead of "PuTTY certs".  I tried.  Without that "u" in the cert file PoTTY and PuTTY are no longer interchangeable, and I want PoTTY to be able to function side-by-side with PuTTY.

In general, at least.

By changing pscp, psftp, and plink,  to oscp, osftp, and plonk you can't accidentally use the PoTTY versions.

I've never big a big fan of sftp, but in testing I discovered I liked osftp quite a lot, especially when the remote server is a cygwin oosshd server.  A lot.  Much easier to use at the command line than scp.  Great opportunities for data exfiltration there.

Which got me to thinking (again) about "WinoSCP", which would be an obfuscated version of WinSCP.

Also... 64 bit version?  Not sure.  I think I ran across a deal killer with that when I was working on v0.62.  That would be interesting, but the point of doing it eludes me.  If it ain't broke, et cetera.

And right now, it ain't broke.

UPDATE


Yes, it's out there.  Since the fork was solidly stuck into the code and everything was uploaded to the site, I tried to make a 64 bit version.  The first hurdle was to recompile OpenSSL for "WIN64A", which took quite a bit of dicking around, which included downloading the Win 7 DDK (I was missing "ml64.exe" for some reason).  Once that was finally done, I recompiled and it worked, but I'm not sure of what I have now.  I don't think it's "really" 64 bit, just some sort of mutant 64/32 bit code that won't run on a 32 bit system.

I still don't get the point.

Tuesday, July 23, 2013

Apologies For My Absence


My lifestyle changed drastically in the last year and a half (long story) and I haven't had a lot of time to update the blog.

I finally approved some very old comments (and cleared out a lot of SPAM).  I do like hearing from you Cameroonian puppy scammers, but why do you guys want German IPs now?  I thought you only hated the Brits.  Now you're going after Germany?  Be careful.  And stop scamming while you're at it.  It's not nice.

I've been thinking about a "Whatever happened to..." article to bring everyone up to speed.  I finally solved the mystery of the disappearing access point and I have formulated my excuses for not updating or promoting PoTTy (there is actually a very good reason).  PoTTy v0.62 (or was it 0.63?) is "tits up and takin' on water".  The last version still works fine.

As for all the proxy requests... sorry but The List just runs and gets what it can get.  The proxy project itself has had a fork in it for quite some time, but I just can't bring myself to shutting it down.  It needs some serious maintenance.  SOCKS proxies have all but disappeared (all those old port 27977 SOCKS proxies were the TDSS rootkit, ya know).  I'm not even sure what happened to the CoDeeN proxies.  Did they kill that project?  Did they figure out my tricks?  I never see any at all, not that I miss them.

Anyway, thanks for all those comments and I'm sorry it took so long to get them approved.

Saturday, March 23, 2013

In what Universe?


I've been seeing these articles about the Korean MBR wiper malware everywhere. Typical of these articles in this one on Wired, which states:

 Contained within that file was a hex string (4DAD4678) indicating the date and time the attack was to begin—March 20, 2013 at 2pm local time (2013-3-20 14:00:00).

My problem: 0x4DAD4678 equals 1303201400 decimal.  That value gives me a date of :

Tue, 19 Apr 2011 04:23:20

Which is the date Skynet went online.

Nice touch.  I like that.  No coincidence there.

For "March 20, 2013 2pm KST" (assuming Korean Standard Time is "local time" in Korea), I get a decimal value of 1363755600 or 0x51494250 hex.

All these articles make the same claim.

Am I doing it wrong?

Tuesday, February 19, 2013

Micro Center Monkey Business?


I've been going to Micro Center for a long time.  More years than you can imagine.  I've had some interesting experiences and been treated in some odd ways.

For instance, several years ago I went into the local retail MC looking for a video card or something.  I was in Full Beard Mode and it was summer so I was wearing sunglasses, shorts, a tee shirt, and my classic pork pie hemp hat.  Everywhere I went I was tailed by an MC associate.  When I looked in their direction, they looked away, but they followed me as I made my way around looking for whatever it was I was looking for.

Not one of them asked if they could help.  Not one of them said "Hello."

I couldn't find what I was looking for and left.  A few minutes out the door, I realized they weren't just being rude.  They thought I was a potential shoplifter, not a customer with cold, hard cash.

Well, fuck that.  That location closed a year or so later.

So anyway Time Marches On...  MC's only retail store is now across town.  iPads are hot.  I check their Web site to see if they have them in stock.  They did, so I chose the "order online, pick up in store" trick.  To do that I had to register with email address, et cetera.  You know the drill.

A couple years after that, I go to pull the same trick.  Their Web site has no record of my account.  The email address draws a blank.  OK, fine.  I'll just go to the store.  When I get there and buy what I wanted, they had me check my information at the register and  there was the email address I had given them for the iPad.

This kind of pissed me off, so when I went back Monday for the Presidents Day sale and they asked me if the information was correct I said no, the email address is wrong.  The guy pulls up the register menu and asks me for the correct address.

I tell him I don't have an email address.  He clears it out.  I went home with my merch: a wireless security cam, an off-brand 802.11N USB NIC (which turned out to have a RaLink chipset!), and a motherboard battery.

Within 24 hours, I get SPAM on the address I told them to delete.

The subject field of the email was "Wireless Security Cameras".  What a coincidence!  I just bought one! 

The body of the email was junk html and my name repeated over and over and interspersed with the following keywords:

airstrip
ajourise
amnesias
amygdalothripsis
andamentos
Andronicus
anthophyllite
antiegotism
antozonite
apologues
augite
Auroora
bacciform
belue
besets
brownroofed
BSPT
Burghley
cantatrici
catalogistic
chemise
Colin
collars
commissural
connectives
counteracquittance
Crassus
cratchins
crookesite
croyden
Culicinae
dichromasia
diester
disguised
emboldens
emotiometabolic
endoscopies
enriching
equimomental
fallacies
fatallooking
Felicle
fifes
firebolt
fossilizable
fourring
frizzily
geoisotherm
gib
glossologist
Gobian
Goering
goitrogen
goober
Greekdom
guilloche
gymnastic
halisteresis
hinddeck
histozyme
hygienist
intermountain
intersessions
intervocal
irrepair
iwis
Kerekes
kirmew
laertes
lakin
Lderitz
Lehigh
Letreece
lighterage
Loise
lookdowns
magnanime
makutas
marrock
medially
medicolegal
Metz
MOA
monochromic
Mordecai
Muzo
nebulosus
Neopythagorean
Nephila
nicotianin
nipas
nipcheese
nonavoidableness
nonlevulose
nonprobably
nonsufferable
norlandism
oenanthylate
olivebranch
organosiloxane
Osnabr
ossianic
ossifluence
outserving
oxalated
pacay
Pasch
pearceite
Periclymenus
perusable
Petalodontidae
philothaumaturgic
phytolacca
placet
Podostemon
porno
portmote
practically
presifts
pyrologist
queasiest
query
Rappite
reegg
refreeze
refuelling
regrafts
retainability
rigidifies
sanguicolous
saprophytic
schneider
semicomatose
Setifera
Smolan
Sokul
soleil
springheaded
stancher
stirrupless
stoichiometrically
subplat
sunspecs
superlaboriousness
synchroflash
thalassometer
trapezoidal
trumpery
tumblershaped
twelvefruited
twiceright
umist
unautoritied
undeclamatory
underfolded
undramatizable
unduncelike
unfumbling
uniformisation
unlegislated
unshrill
ur
vaginiferous
vicetreasurer
Vinson
wahabi
waitressless
warrenlike
waterproof
weariness
wellanointed
wholefooted
Yazdegerdian

Of course, this stuff was not visible.  Classic SPAM filter avoidance technique, which begs the question, "WHAT THE MOTHERFUCKING FUCK, MICRO CENTER?????"

MC sat on that email address for three or four years.  They never sent anything.

If you get the chance, I encourage you to do the same thing and let me know what happens.

Sunday, February 17, 2013

Building Obfuscated OpenSSH on Last Week's Cygwin Build


I resurrected an old but capable WinXP box for my upstairs office, which is much more comfy than my subterranean lair in the winter time.  Down there I have an old, diskless IBM NetVista box (the one that used to house EXP V) that boots BT5R3 off a USB stick.  Works great for doing laundry—I'm doing a lot of domestic stuff these days for reasons I won't get into—but for extended stays it's just too cold.  Plus the cell phone reception sucks serious ass, so meetings are pretty much out of the question.

After all the Windows updates I decided to update Cygwin as well and since this box has never had Obfuscated OpenSSH (OOSSH, as I like to call it) on it I decided to do a fresh install on that.

Guess what?  No go.  Something has changed and OOSSH won't compile anymore.

After about a week of dicking around I finally found the fix, so I thought I'd share it with you.

After you "git" the code, the first thing you should do is edit clientloop.c and change both instances of


char buf[8192];

... to

char buf[65535];

And rather than get into why you should do this, I'll just remind you that I went on and on about it in the old ProxyObsession blog before it was taken down for a (totally bogus) DMCA violation.  In any case, it doesn't hurt anything and makes certain things possible that aren't possible with smaller buffers.

But the Big Fix should be put into openbsd-compat/openbsd-compat.h.  Right at the top, ahead of all the #includes, put in this line:

#define NOCRYPT

And then it will compile without errors.  Why?  Do a Google  search and you'll probably find the same answer I found.