Unconventional Access
(My way into the Advanced Steganography pages)

Advanced Steganography
23 September 1998
by Gary Benson
Courtesy of Reverser's page of reverse engineering
slightly edited
by reverser+
fra_00xx
980923
Gary Benson
0100
AS

Well, well, well... I have already received 4 essays about the 'stats' trick, yet this one seems to me the most complete (and interesting) one, since it carries a "methodoligcal" approach that could indeed be used for many other sites on the web.
As a matter of fact I left the stats on in order to increase the number of people accessing the advanced page... yet, judging from my logs, only a tiny part of my readers have been smart enough to make use of it...
I'll leave the stats way open for another while, and there's no fear that the web will change much... the 'slow tide' effect means that only one third of the potential hackable sites (quite a lot) will have taken any counter-measure against $ this by September 1999 (one year)!
Gary Benson's essay is both important and instructive... Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

This essay is rated beginner, as I don't think it would be too hard for anyone to follow. Some of the tools used were Unix ones, but I have explained them, and there are equivalants on most platforms.

Not really an essay on steganography, as that is not how I solved it. There is, after all, more than one way to skin a cat!


Unconventional Access
(My way into the Advanced Steganography pages)
Written by Gary Benson


Introduction

This file describes how I got the list of 'secret' files from the stegonated GIF, and then how I got into the advanced steganography page.

Tools required

Website download utility.
C Compiler.

Target's URL/FTP

http://www.fravia.org/_ad__st_.htm

Program History

The world's leading site for reverse engineering!

Essay

The Hunt for the Secret Files

I have always been interested in cryptanalysis (and steganalysis, if that is a word), and so after coming across the Steganography Starting page I decided to have a go at the two 'tests'.

I have looked at Hide and Seek before, so I decided to try that one again (better the devil you know...)

It seems to be a very fast program, and since the number of keys is small I decided to use a 'brute-forcing' approach. The fact that it only outputs a file when the password is correct is another boon to the cracker, as the file does not even need validating. The 'Press a key to continue' bit had to go, and so I created a file containing just a space, and passed that to its stdin. Lovely.

The program I wrote is shown below - in this case, 24 minutes later, I had a result.


/*****************************************************************************************

** You will need to create a one byte file called AKEY.TXT for the keypress when it 	**

** says 'press a key to continue'. My file just held a space...				**

** The output produced was:								**

**											**

** RESULT:										**

**  seek <akey.txt crackme.gif out.txt 4575						**

**											**

**  Start: Mon Sep 07 19:46:29 1998							**

**  Finish: Mon Sep 07 20:10:54 1998							**

**											**

** Which is 187 tests per minute on a P200 under W95.					**

*****************************************************************************************/



#include <stdio.h>

#include <stdlib.h>

#include <time.h>



#define IN_FILE		"crackme.gif"

#define OUT_FILE	"out.txt"



main()

{

	char command[256];

	FILE *fHandle;

	time_t start,finish;

	int i;



	time(&start);

	for(i=0;i<10000;i++)

	{

		sprintf(command,"seek <akey.txt %s %s %04d",IN_FILE,OUT_FILE,i);

		printf("\n%s\n",command);

		system(command);

		fHandle=fopen(OUT_FILE,"r");

		if(fHandle)

		{

			time(&finish);

			fprintf(stderr,"RESULT:\n %s\n\n",command);

			fprintf(stderr,"Start: %s",ctime(&start));

			fprintf(stderr,"Finish: %s",ctime(&finish));

			fclose(fHandle);

			exit(0);

		}

	}

	return(0);

}



The best way to run this is NOT as you may think, ie. run it under DOS. One of W95's (only) redeeming features is that it caches the disk for you, which doubled the speed of the crack. It makes a pig's ear, however, of changing the screenmode all the time, so it is best if you make the DOS-Prompt full-screen before you run it. It is probably a good idea to turn the monitor off as well! The program should compile under any ANSI C compiler, and is invoked as:

brute >log.txt

My conclusion is that Hide and Seek is vulnerable to any attack where the number of keys can be reduced, ie: dictionary attacks. Ok, so my setup only managed 187 checks per minute, but seek.c could be rewritten so that it keeps the gif in memory and performs the checks on that. The speed-up from eliminating loading the program, loading and decompressing the image, etc, etc, could bring this to 500 or maybe 1000 checks per minute. For people using strong passwords, this will be less of a problem, but how many (L)users out there think that their logon name is a good password!

The Hunt for the Advanced Pages

How to go about getting onto the advanced pages? Well, first I read the essays by Jean Flynn and Mrf and, as I had already been considering a dictionary attack, decided to download the entire site and make my dictionary. I used wget, a Unix program, with the following command line:

wget -r -l 0 -H -D www.fravia.org,fravia.org -A htm,html,txt http://fravia.org

The options, for those of you who are interested, mean this:

-r -l 0 - Recursive, infinite levels,
-H -D www.fravia.org,fravia.org - Only get files from these hosts,
-A htm,html,txt - Only retrieve text and html files.

Well, this went pretty well until it encountered a circular link somewhere, but at this point I had downloaded over 30Mb of text, which should make a decent starting point 8o) . Curious as to what I actually had my hands on, I decided to have a look at what was there. Below is the listing as it appeared on my screen - it may not make much sense now, but all will be revealed ...



 123456.htm	123dos.htm	160593.htm	1azazel1.htm	4surreal5.htm 

 Epiclo.htm	Jon__2.htm	THCU99.htm	_ad__st_.htm	_pri_ca!.htm

 _sar_no_.htm	_utomba1.htm	aca100.htm	aca200.htm	aca300.htm/

 aca400.htm	academy.htm/	accessmy.htm	acpnet.htm	advanced.htm

 adynts.htm	aesc_adc.htm	aescu2.htm	aescul3.htm	aescul5.htm

 aescul6.htm	aescula.htm	aescune1.htm	aescures.htm	aitor003.htm

 aitor1.htm	aitor_45.htm	altF4j_a.htm	altf4cjw.htm	altf4jav.htm

 animadei.htm	anonico.htm	anonma2.htm	as65pp1.htm	asmedit1.htm

 assemlin.htm	astonish.htm	ath_sta1.htm	athevica.htm	august.htm

 awards.htm	banda2.htm	banda7.htm	banda_56.htm	bandane2.htm

 bandnov1.htm	bayu3.htm	bayu_2.htm	bayunn2.htm	bbdrlan2.htm

 bbnag1.htm	billboar.htm	bin/		birdy2.htm	blackbo.htm

 blueman1.htm	body.htm	botstart.htm	bouche.htm	boyd1.htm

 bozo1.htm	breathi.htm	caligo1.htm	caligo2.htm	canterbu1.htm

 capedcr.htm	capri_dr.htm	casmw652.htm	censors.htm	chine2.htm

 chineee1.htm	chown.htm	civetta.htm	claris.htm	clito.htm

 cocktail.htm	compro2.htm	conself2.htm	cookie.htm	corel1.htm

 coriolan.htm	corporate.htm	coumes.htm	couninte.htm	crack_C1.htm

 crack_C2.htm	crack_me.htm	crackpp.htm	crashme.htm	crlvent7.htm

 crook.htm	crunchi1.htm	crunchi2.htm	crunchi3.htm	crunchi4.htm

 crunchi5.htm	crushed1.htm	crymaco.htm	cubus2.htm	cybercu1.htm

 cynapp1.htm	danadd1.htm	daq1.htm	daq2neu.htm	daqnew.htm

 daqtod.htm	dark1.htm	datapi1.htm	datapi2.htm	deja.htm

 dev_pap2.htm	dimit_12.htm	dllshow1.htm	dong_mad.htm	donglink.htm

 donjo2.htm	dphman1.htm	dphman_p.htm	dpquake2.htm	drfuh5.htm

 drlan1.htm	drlan52.htm	dukeess.htm	dynam_1.htm	dyroady.htm

 edi1.htm	ediadste.htm	emasnat.htm	enemy.htm	entra.htm

 entran.htm	entropy1.htm	epic2.htm	epiclo_4.htm	essaynb.htm

 ether1.htm	eudorauk.htm	fabian2.htm	fantc1.htm	fetch_de.htm

 fetch_se.htm	filemon1.htm	filemon2.htm	filemon3.htm	filemon4.htm

 filemon5.htm	flip2syn.htm	flip_sl.htm	flipne2.htm	flippe3.htm

 flipper1.htm	flipvb1.htm	fly___01.htm	footste.htm	footste2.htm

 footthun.htm	formamus.htm	fp_dong1.htm	fp_dosna.htm	fp_melti.htm

 fp_palmt.htm	frarul1.htm	fraruler.htm	fravgif.htm	freepag.htm

 frogdigi.htm	frognew.htm	frogpr3.htm	frogprin.htm	frogtem1.htm

 fstiuf.htm	ft4tom.htm	fuhrba.htm	fuhrba_3.htm	general.htm

 gif/		gimp1.htm	gnew1.htm	goindown.htm	going.htm

 gtsiren.htm	hackm1.htm	hackmo1.htm	hal_oper.htm	halva_3.htm

 hcu98_3.htm	heatmiz1.htm	help.htm	heres002.htm	heres004.htm

 heres1.htm	history.htm	howto1.htm	howto2.htm	howto31.htm

 howto32.htm	howto41.htm	howto42.htm	howto51.htm	howto61.htm

 howto81.htm	howto82.htm	howto91.htm	howto92.htm	howto93.htm

 howtoa.htm	howtoc3.htm	howtosea.htm	hr_ferr1.htm	hs2l_22.htm

 hs3.htm	hunt_00a.htm	hunt_01a.htm	hunt_02a.htm	hutch1.htm

 hutch28.htm	hutch_61.htm	hutch_65.htm	hutchif1.htm	hutquest.htm

 hutsting.htm	iceext1.htm	iceman.htm	iceman1.htm	icons/

 ideale.htm	ideale1.htm	ideale2.htm	ideale3.htm	ideale4.htm

 ideale5.htm	iebug2.htm	images/		incubus.htm	ind_tra1.htm

 index.htm	index.html	indian1.htm	info.htm	int13asm.htm

 intrud.htm	io13.htm	it_winr2.htm	j_ridcul.htm	jackos_1.htm

 jackrev.htm	jakkaja_1.htm	javaco1.htm	javas1.htm	javascri.htm/

 javat_11.htm	javdevio.htm	javfurther.htm	javhelp1.htm	javpass1.htm

 javpassp.htm	jcrweb1.htm	ji_mboji.htm	jimbob.htm	jjpes__1.htm

 jon1.htm	jonah1.htm	jonencr.htm	jongamcr.htm	jonla_13.htm

 jonne1.htm	jungle1.htm	kenpatch.htm	kent_com.htm	kk_cunei.htm

 kovi1.htm	koxpara.htm	lan002.htm	lan003.htm	lanpat.htm

 legal.htm	links.htm	linux2.htm	littlejo1.htm	littlejo2.htm

 logs/		lonelyha.htm	lophtrev.htm	lordthu1.htm	mad_963a.htm

 maddon_1.htm	madlas1.htm	madmasu.htm	malamirc.htm	mammo_29.htm

 mammo_ot.htm	mammon1.htm	mammop5.htm	mammosep.htm	marigbox.htm

 marigo_2.htm	marigold.htm	mark1.htm	marlbo2.htm	marycri1.htm

 misu1.htm	mmstory.htm	modernze.htm	monitor.htm	mre2.htm

 mrf_steg.htm	mrjadev.htm	mrwho_67.htm	muster.htm	myown511.htm

 natz-1.htm	natz51.htm	natz_mp2.htm	ne_khab1.htm	netles2.htm

 neto3.htm	neto_01.htm	netpatch.htm	netscan3.htm	new_0101.htm

 new_anor.htm	new_archi.htm	new_kha.htm	new_what.htm	newbies.htm

 newbyes.htm	newuni.htm	noanon.htm/	noose1.htm	nop1.htm

 nscekey.htm	ntsnocra.htm	ntworker.htm	octatta.htm	oldiegoo.htm

 omar.htm	oncmc.htm	orc.htm/	orctric1.htm	origin_1.htm

 other1.htm	othetut.htm	ourtool.htm	ourtools.htm	ozyma1.htm

 packers.htm	pageadvi.htm	pagemill.htm	pain1.htm	pain2.htm

 panthe.htm	pape.htm	papers.htm	paulwils.htm	pdffing.htm

 pepper1.htm	pepper2.htm	pepper3.htm	phony.htm	pipoman1.htm

 piq.htm	plushm_2.htm	pluslazy.htm	pna1.htm	pna2.htm

 pna3.htm	popja2.htm	popja_51.htm	pranks1.htm	private.htm

 pro_rcg.htm	pro_syn.htm	progcor.htm	project0.htm	project1.htm

 project2.htm	project3.htm	project4.htm	project5.htm	project6.htm

 project7.htm	project8.htm	project9.htm	projunpa.htm	prophe2.htm

 prophe_1.htm	protecti.htm	pwd.htm		q_tsr601.htm	q_tv0601.htm

 quine1.htm	quine_21.htm	quine_51.htm	quine_h1.htm	qvsnatc.htm

 ragica1.htm	razzcripp.htm	razzia.htm	razzia2.htm	razziak2.htm

 rcg_cmsp.htm	rcg_vxd2.htm	rcgcd.htm	rcgcut1.htm	rcgeudo.htm

 rcglotus.htm	rcgreve1.htm	rcnewht.htm	readmo.htm	real_geo.htm

 realicra.htm	reality1.htm	realmu1.htm	reanews.htm	rebodila.htm

 redla1.htm	reszist2.htm	reveinfo.htm	rezel1.htm	rezget_1.htm

 rezi-aes.htm	rezide7z.htm	reziedi1.htm	rezilin.htm	riddcd1.htm

 riddcd2.htm	rizla.htm	rizlac.htm	roadyde.htm	robinsta.htm

 rude45.htm/	rudebo21.htm	rudeboy.htm	rules.htm	rundus2.htm

 rundus4.htm	sales1.htm	salinas.htm	salt0001.htm	sandma1.htm

 sanity1.htm	saruma1.htm	scniscni.htm	sdzero.htm	sealight.htm

 sear0198.htm	sear0397.htm	sear0698.htm	sear0796.htm	sear1197.htm

 sear1296.htm	search.htm	search7.htm	searengi.htm	searmyst.htm

 sel32sol.htm	septem.htm	shadow1.htm/	shampa1.htm	shellex.htm

 siceinst.htm	silicos1.htm	siuL.htm	siuldre2.htm	siulflex.htm

 siulha2.htm	siulin1.htm	siulinux.htm	siullin2.htm	slaves.htm

 smartc_2.htm	smartdr.htm	smutemai.htm	snatch1.htm	snatch_2.htm

 snatch_22.htm	snatfo.htm	snicke1.htm	snikkel.htm	snippets.htm

 snooty2.htm	solution.htm	solutions/	sourcer7.htm	special.htm

 spirit_1.htm	sprayasm.htm	spyder_4.htm	stalker.htm	stalking.htm

 stats/		stegaad.htm	stego.htm	sth1.htm	sticky.htm

 stone1.htm	strain99.htm	student.htm	students.htm	stupi7.htm

 sublimi.htm	surrsea1.htm	surrsea2.htm	surrsea3.htm	swann.htm

 sykojava.htm	sync.htm	sync2.htm	syncche.htm	syncms1.htm

 syncsol.htm	tamimons.htm	taskman1.htm	taskman2.htm	tek1.htm

 tekles1.htm	teraphy.htm	timelock.htm	tom_devi.htm	tom_furt.htm

 tools.htm	trurlvcl.htm	tryfravi.htm	twd_aeo.htm	twd_ms_.htm

 twdms98.htm	twdrcg.htm	twdwdas.htm	uedilas.htm	ueditcrk.htm

 ultrae2.htm	underje.htm	underta1.htm	undtron1.htm	uninstms.htm

 useful.htm	uvessa1.htm	uvessa_2.htm	vb_frog.htm	vbzero.htm

 vga1.htm	vicever2.htm	vicevers.htm	vizion1.htm	vizion2.htm

 vournt.htm	vuctut01.htm	vxdbasic.htm	what_new.htm	whatdika.htm

 whoson.htm	wi_birdy.htm	wi_frog.htm	wi_frog2.htm	wi_igno.htm

 wi_rcg.htm	wi_rcg2.htm	win98tut.htm	winasm_0.htm	winasm_1.htm

 withles1.htm	wlcmaz.htm	wrapper.htm	wuzat.htm	wyatt_vb.htm

 x861.htm	x86_1.htm	x86dd2.htm	x86new1.htm	xava_27.htm

 xavax1.htm	xoa_126.htm	xoacuba1.htm	xoano_27.htm	xoanon.htm

 xoanon2.htm	xoautow.htm	yamato.htm	yoshinet.htm	zaferdon.htm

 zee__4.htm	zee_inst.htm	zeeida.htm	zeeida1.htm	zeepdf.htm

 zero_rcg.htm	zeropdf.htm	zipped/

The (incomplete) contents of www.fravia.org

The first thing that struck me was that there were only 15 directories in amongst nearly 600 files. I checked inside those, but they contained nothing which wasn't in the main site. I wasn't looking for the actual files, because I presumed that there would be no links to them from pages this side of the 'fence', merely looking for clues. I started looking at some of the files, to see what I had, as I was on a Unix system and was unable to examine Steganos. After several hours of interesting reading, I came across the file dyroady.htm, at the bottom of which was the following:


You are deep inside reverser's page of reverse engineering, choose your way out:

entrance
advanced page
Back to the entrance
Back to the devious page

As you can see if you put your mouse over the left hand picture, it says Yessir, back to the other side of the fence. Did that mean that this page was on the other side of (another) fence then? It turned out that I had stumbled across reverser+'s Devious Java page, on the other side of a Java sieve. But why?

After some pondering (and some cigarettes) I had the answer. Inside the stats directory there is an automatically generated access list, saying how many hits each page had had. How many hits every single page had had. The program that generated the file didn't give a shit which side of the fence each page had come from, it just listed the lot! When I did the site download, it had downloaded the access list and then followed every link that was on that, so that I actually had the advanced page on my hard disk!!! Ten seconds later I had the page, using the command:

fgrep -l 'advanced steganography' *

(ie. search all files for the string 'advanced steganography'), which produced the following output:

_ad__st_.htm
blackbo.htm
ediadste.htm
fly___01.htm
stego.htm

Fly___01.htm, stego.htm and blackbo.htm could be ignored, as I knew what they were; leaving _ad__st_.htm and ediadste.htm. Needless to say, _ad__st_.htm was the first one I tried ...

Final Notes

Well, unfortunatly, I was unable to flex my steganographical muscles on this one. What I have discovered is a new way to break into websites such as this; I never really considered that kind of attack before (I never considered it anyway until after I had performed it!). It exposes a new weakness in possibly a large number of websites (most people turn off the ability to list the directories, but how many think to disable hitlists).

Whatever, I'm sure reverser+ will have fixed this loophole in his site and the mirrors before anyone reads this! Judging by the dearth of advanced steganography essays, it would seem that this page will be seen by a limited audience, so perhaps some use will be made of this sneaky trick before the world learns of it!

The problem with steganography is that if the image is well chosen (no continuous tones, where hidden data will show up as speckling), a good utility and a decent password is used, then the hidden file will probably remain hidden forever.

Epilogue: I decided to crack the password out of the t_tamra.bmp, as I did not know it. I had got RC4 source and was busy optimising it for speed when I guessed the password (Doh!). Annoyingly, it was the reverse of the password I was using for my test file!

Ob Duh

Nothing was cracked and nothing was stolen.

(c) 1998 Gary All rights reversed.


You are deep inside reverser's page of reverse engineering, choose your way out:


Back to Advanced Steganography

redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_reverser
redIs reverse engineering legal?