Published Article in 2600 Magazine: Take Your Work Home After Work

Below is one of the first articles that I had published. It appeared in the Winter 2014 issue of 2600 Magazine, an awesome magazine that publishes awesome things.
The idea behind the article was to provide an insight into mixing encrypted data into a normal .jpg image and pushing it through a firewall.

Enjoy the read!

gerbil (follow me on Twitter: @gerbil)



Taking Your Work Home After Work.

GerbilByte, 2014

So there I was. I was drafted in to work for a small company (who shall remain nameless, but for this article we will call the company Bumble Bee Internet Security Services) for several months. At the end, as well as a juicy pay-check, I realised that I had written a load of little scripts that I wanted to keep.
I zipped up my folder of goodies to email to myself and encrypted it for obvious reasons then attached it to an internal email to send it.

DENIED!

Bumble Bee Internet Security Services (BBISS from now on) was a company whose email systems were in "lock-down", and they had mega security implemented all over the place; you couldn't even send an email with a swear word without a "digital complaint"! ##...email not sent as it contained the word 'BUM'...!##
Instead I tried to open my Yahoo Mail email account to add it as an attachment as I knew Yahoo Mail wouldn't complain.

DENIED!

I changed the file extension and tried again.

DENIED!

Yahoo Mail didn't complain, but the bloody monitoring system of BBISS bloody well did!!! How frustrating!!!  
##...You are not authorised to send outgoing files of that type...!##
With a bit of a social engineering chat with the systems admin I realised that the monitoring systems blocked ALL encrypted content as it couldn't be scanned, and all .zip, .gz, .exe, .sh, .pl etc. files are also blocked due to..... obvious reasons!
"Hmmmm!" I thought, as I often do in these circumstances. "How do I get around this?"
I went back to my internal email account as I knew my email's signature included the BBISS' logo which was a .jpg.
"Aha!" I thought. For obvious reasons. But due to lock-down I didn't want to use the email systems due to 'tracing' and prevention of any future employment with BBISS. "Are the same monitoring systems used for outbound files?" I wondered.
Going back to my Yahoo Mail account I attached a .jpg to an email and it got uploaded.
BINGO!!!!! :) :) :)
"So what did you do next, Gerb?" I hear you ask.

Part One. Saving The Data.
Well, what I did was a very simple task and very easy to do. Let me talk you through it in steps, boys and girls, as it will make more sense that way. By the way, despite being an internet security company, BBISS used Windows. For UNobvious reasons. :s
  1. Grab a normal .jpg file from somewhere. I used the .jpg from the internal email signature. Place this in a folder to keep things easy and separate. We will call this file piccy.jpg.
  2. To the same folder, copy the encrypted .zip file. We will call this file scripts.zip.
  3. Open up a cmd (or command, depending on Windows flavour (can I say flavour?)) prompt and cd to the required folder. Then run the following command:
    copy piccy.jpg /b + scripts.zip /b combined.jpg
What have I done here? Well, Microsoft have been really nice and allowed the stringing together of files into a single file using the copy command. I have used this to create a single file that consists of a .jpg file and an encrypted .zip file.
Back to Yahoo Mail.
My next step was to try and attach this file to an empty email.

    ##File uploading......Complete!##
 :) Excellent!!!
The file was now in my draft email and now saved. Logging out of Yahoo Mail then back in allowed me to confirm that my "loaded" .jpg file was there in my Drafts email. Excellent news! :) I didn't even get a single electronic complaint! :)
So what was my next step?

Part 2. Recovering The Data.
When I got home I opened my Yahoo Mail account, opened the draft email and saved the combined.jpg to a folder on my Ubuntu machine. Back to using REAL computing power! ;)
My task now was to split the file into two: piccy.jpg and scripts.zip. I wasn't actually interested in extracting the .jpg file, so I needed a way of extracting the info.zip file, which was the second part of the file. This made it harder, as I didn't know where the second file began!
So how did I go about this? Well....
PERL is a fantastic scripting language that allows you to do ANYTHING. If you don't know PERL, learn it. Seriously, learn it. Your life will be much enhanced once you've learnt it! Trust me on this. ;)
Using PERL, I quickly wrote the following script:

#!/usr/bin/perl
use strict;
use warnings;

# Check the argument count before using @ARGV, and stop on bad usage
# (the original printed the usage text but carried on regardless).
if ($#ARGV != 2) {
  print "\nUsage:\n    extract.pl <bytes to ignore> <source> <dest>\n\n";
  exit 1;
}
my ($bytesToIgnore, $fileName, $fileOut) = @ARGV;
die "Bytes to ignore must be a whole number!\n" unless $bytesToIgnore =~ /^\d+$/;

print "Extracting $fileOut\nIgnoring $bytesToIgnore bytes from $fileName...\n";

# ':raw' already puts the handles in binary mode, so no separate binmode is needed.
open my $in,  '<:raw', $fileName or die "Couldn't open $fileName: $!";
open my $out, '>:raw', $fileOut  or die "Couldn't open $fileOut: $!";

# Skip the leading image bytes in one go, then copy the remainder in
# 64 KiB chunks (reading one byte at a time works, but is very slow).
seek $in, $bytesToIgnore, 0 or die "Couldn't seek in $fileName: $!";
my $data;
while (1) {
  my $n = read $in, $data, 65536;
  die "Error reading $fileName: $!" unless defined $n;
  last if $n == 0;
  print {$out} $data or die "Error writing $fileOut: $!";
}

close $in;
close $out or die "Error closing $fileOut: $!";
print "$fileOut has been created.\n\n  *** 2014 GerbilByte ***\n\n";

Run the script with the following parameters:

perlscript.pl <image_size_in_bytes> <source_file.jpg> <destination_file.zip>

The script runs down the source file and ignores the first x bytes (x being the file-size parameter, the size of the "real" .jpg image). Once it has skipped these bytes, the rest of the file is read and copied to the destination file (destfile.zip). This is the one we want! And it works! :)
If the example command above is run, you will end up with a file called destfile.zip. Have a look at it. Open it. Read one of the files in there. Unzip it. Do whatever you want with it! Whatever you do, you will be asked for your password to unencrypt your file! :) That means one thing: you've successfully extracted your encrypted .zip file! :) Well done you. Give yourself a round of applause.
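The "loaded" .jpg from Part One passes the filter because its header is a perfectly good JPEG; the archive simply sits after the image's End-Of-Image marker, and the extraction in Part Two only works because that boundary exists. The following script is an added example, not code from the 2600 article or from GerbilByte: it is the check a content filter or incident responder would run, walking the JPEG marker segments to find the FFD9 EOI marker and reporting how many bytes trail it and whether they start with a known archive signature. The minimal sample image, the signature table and the zip stand-in are constructed inline so it runs offline; it goes slightly beyond the article by recognising several archive types, not only .zip.

```python
"""Flag a JPEG that carries extra data after its End-Of-Image marker.

Added example, not code from the 2600 article.  It walks the JPEG marker
structure the way a content filter would, finds the FFD9 EOI marker and
reports how many bytes follow it and what they look like.  The sample
image and trailer below are constructed inline so the script runs offline.
"""
import struct

SOI = b"\xff\xd8"

# Magic bytes a filter would look for at the start of a trailer (constructed table).
TRAILER_SIGNATURES = {
    b"PK\x03\x04": "zip local file header",
    b"\x1f\x8b": "gzip",
    b"7z\xbc\xaf\x27\x1c": "7-zip",
    b"Rar!\x1a\x07": "rar",
}


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.

    Inside a scan, FF 00 is a stuffed data byte and FF D0..D7 are restart
    markers; anything else after FF is a genuine marker, so return its offset.
    """
    while True:
        i = data.find(b"\xff", pos)
        if i < 0 or i + 1 >= len(data):
            raise ValueError("scan data truncated before a marker")
        nxt = data[i + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos = i + 2
        elif nxt == 0xFF:          # fill byte; the next FF may start the marker
            pos = i + 1
        else:
            return i


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker, or raise if not a JPEG."""
    if not data.startswith(SOI):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte
            pos += 1
        elif marker == 0xD9:                            # EOI
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
        else:                                           # segment with a length
            if pos + 4 > len(data):
                raise ValueError("segment header truncated")
            (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if seg_len < 2:
                raise ValueError("invalid segment length")
            pos += 2 + seg_len
            if marker == 0xDA:                          # SOS: scan data follows
                pos = _skip_scan(data, pos)
    raise ValueError("no EOI marker found")


def analyse_jpeg(data: bytes) -> dict:
    """Summarise what, if anything, trails the image."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    kind = "none"
    if trailer:
        kind = next((name for sig, name in TRAILER_SIGNATURES.items()
                     if trailer.startswith(sig)), "unknown")
    return {"image_bytes": end, "trailer_bytes": len(trailer), "trailer_type": kind}


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG: SOI, APP0, SOS with a stuffed FF00, EOI (37 bytes)."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"
    return SOI + app0 + sos + scan + b"\xff\xd9"


# Constructed stand-in for an appended archive: the zip magic plus a few header bytes.
SAMPLE_ZIP_TRAILER = b"PK\x03\x04\x14\x00\x00\x00\x08\x00"

if __name__ == "__main__":
    for label, blob in (("clean", build_sample_jpeg()),
                        ("loaded", build_sample_jpeg() + SAMPLE_ZIP_TRAILER)):
        print(label, analyse_jpeg(blob))
```

Two caveats for anyone wiring this into a mail gateway. First, a trailer is a signal, not proof: some cameras and editors legitimately append thumbnails or multi-picture data after the EOI, so combine the trailer size and signature with a size threshold before blocking, and log the offset so an analyst can carve and inspect it. Second, the walk deliberately follows segment lengths rather than searching for the first FFD9 in the file, because that byte pair can occur inside scan data and would otherwise give a false boundary.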
And there you have it. How to take your work home after work. Obviously don't try this with sensitive data or anything as, depending on your employer's rules and work ethics, you will still be liable for disciplinary action or even prosecution, so be wise.
Now go to celebrate by having a beer. Unless you are a kid, in which case have a glass of milk! :)
Enjoy yourself and be safe.

Kind regards,
