Archive for the 'Python' Category

Instastalk: Using the Instagram API to track users locations

Jan 27 2013 Published by antitree under lulz,OSINT,privacy,Python

Quick blog post — thought it would be funny to make an Instagram script that will download all the locations of a user account. You can find the details on how to use it on Github. Pretty straightforward:

./instagram.py (instagramID) (InstagramAPIToken)

1	./instagram.py (instagramID) (InstagramAPIToken)

You’ll need to sign up for the InstagramAPI which you can do here: http://instagram.com/developer/

And you can find your friend’s InstagramID using this handy tool here: http://jelled.com/instagram/lookup-user-id

Download the code from Github here: https://github.com/antitree/instastalk

Here’s me keeping track of Berticus:

A Case For Spicy Mango

Nov 27 2012 Published by antitree under OSINT,Python,Tor

Spicy Mango is a project that Chris Centore started and presented on at Derbycon this year. It’s difficult to describe completely but in essence, it is an intelligence collection and analysis engine that helps you parse large amounts of data to extract items of interest. For example, say that you wanted to keep track of your nym and how it was used on the net. You could do something like a Google Alert that sends you an email every time “AntiTree” appears in the search engine. With Spicy Mango, you can search multiple sources (such as forums, blogs, news outlets) for relevant data and then carve out what is actionable. You probably don’t want to see Tweets that you sent yourself but you might want to see them referencing your account.

Overview of Spicy Mango

Here’s a quick overview of how the framework is setup:

Modules are used to collect relevant information. Some examples of modules right now are an RSS reader, IRC client, Facebook and Twitter, scraper.
The data collected from these modules is saved into a database
The database provides the back-end to a web interface
The web interface controls how to present the data either High, Medium, or Low relevancy. This is done by searching for keywords in the database and applying a weight based on that keyword.

Some screenshots:

Maltego It Is Not

I’m not going to say that Spicy Mango is an amazing tool that fits into every intel gathering/recon/OSINT job you can think of. In fact, in many ways it starts overlapping with an already mature tool, Maltego. The latest version of Maltego supports “Machines” which is in someways the same idea as Spicy Mango. These machines are a recurring query for live data such as Tweets, Facebook posts, etc and is then collected in the beautiful Maltego interface that tries to visualize relationships between different pieces of intel. Very cool. But not really what I’m personally looking for.

The Best Case Scenarios

At its most usefulness, Spicy Mango would be an intel gathering tool that collects large pools of information from obscure locations on the net, and cuts down on the amount of time needed to find actionable intelligence. It could help be an operation security tool to help notify you of upcoming threats that were discussed over IRC. It could be a persistent stalking machine that keeps track of your friends.

WHY?

The “But, why?” question is the most common one I get when talking with my friends. First, I think that there is not an open-source tool today that aims to do what Spicy Mango tries. In fact, there are a bunch of secretive tools used for operation security and OSINT but we don’t know about them and they’re often a very custom design. Mostly because, the first rule of OPSEC is that you don’t talk about OPSEC.

Secondly, hackers are usually pretty proud about their doxing skills. “I can find your real name and home address in 15 minutes!” Usually they’re not wrong but their skills are based on tools that they’ve developed themselves otherwise they’re just using some site that does the work for them. I would find it interesting if the playing field was leveled so that every person had the same tools to stalk someone. In that case, real skills would have to be developed to excel passed the baseline.

Lastly, (or primarily) it’s fun to hack on. The modules are simple to develop and the code is straight-forward.

Future Opportunities

Since I started to help develop this framework, I’ve thought of some improvements it that would help take it from just a collection engine, to a more serious intelligence tool. I can see an advanced analysis engine that would take it above just keyword searches to support a modular framework in the same way that the collection phase works. I’ve been working on supporting natural language processing to help be able to support n-gram structured searches and implementing spam style text analysis to automatically strip out useless information. This is all based on my goal to better normalize the content that is collected.

Onion Porn: HashedControlPassword

Oct 27 2012 Published by antitree under Crypto,Python,Tor

I love excessively documented things. Design documents, protocols specs…whatever and Tor is one of those projects that I’ve always loved to randomly poke around into. I got sucked into Tor’s source code today and was entertained by the results. Beware, crypto time suck ahead.

ControlPort

Tor is controllable by making socket connections to it’s aptly named “ControlPort” usually on port 9051. The control port is not enabled by default if you’ve just installed Tor on Ubuntu or something, but it is enabled on the Windows packages that use front-ends like Vidalia. Anyways, this gives various third parties the ability to control all aspects of Tor on-the-fly.

There was a 2600 article years ago, about using the control port and it gives a really cool summary of some of the stuff you can do. Create custom circuits, create super long circuits, generate new circuits on demand. If you’ve used Vidalia, this is what it interfaces with.

But what I got sucked into today is the fact that there’s two ways to authenticate with the control port: Cookie, and HashedPassword. (Or none if you don’t care.) . This is what your standard TORRC looks like:
## The port on which Tor will listen for local connections from Tor ## controller applications, as documented in control-spec.txt. ControlPort 9051 ## If you enable the controlport, be sure to enable one of these ## authentication methods, to prevent attackers from accessing it. #HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C

Crypto

Normally you can generate a hashed password for saving in your TORRC file by using the “–hash-password” switch to Tor. But today I wanted to waste my time and see how it’s generated. Thankfully, even though the documentation is a bit outdated, the control spec still goes into some pretty good detail.

https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt

Section 5.1 covers authentication and the HashedControlPassword function which looks like this:

If the 'HashedControlPassword' option is set, it must contain the salted
  hash of a secret password.  The salted hash is computed according to the
  S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
  This is then encoded in hexadecimal, prefixed by the indicator sequence
  "16:".  Thus, for example, the password 'foo' could encode to:
     16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2
        ++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           salt                       hashed value
                        indicator

If the 'HashedControlPassword' option is set, it must contain the salted

hash of a secret password. The salted hash is computed according to the

S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.

This is then encoded in hexadecimal, prefixed by the indicator sequence

"16:". Thus, for example, the password 'foo' could encode to:

16:660537E3E1CD49996044A3BF558097A981F539FEA2F9DA662B4626C1C2

++++++++++++++++**^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

salt hashed value

indicator

I’m all double rainbow on this at first which made me spend more time on it. Se we see the RFC for OpenPGP and how it documents the generation of this hash. And it starts to make sense. I’ll try to explain how I understand it:

OpenPGP’s RFC explains that the S2K (string to key) algorithm takes in a secret value, a specifier (I’ll come back to), an 8 byte salt, a “count” value, and generates a hash. The count value is an encoded hex value that affects how many times the secret is hashed. The salt is just a random 8 byte value. But the specifier dictates the type of S2K and the hashing function to use. It consists of 2 bytes, the first specifies the type of hashing function that will be performed. These options are:

0x00 Simple: A key comes in, a hash goes out

0x01 Salted: A key is salted and then hashed

0x03 Iterated and Salted: A key, and a salt, all hashing the crap out of eachother over and over. This is what Tor uses.

The second byte specifies the hashing algorithm. In the case of Tor, they use SHA1 so this specifier should be 0x02. So putting that together for Tor, we would expect to see the hex encoded version of 32. But you’ll notice in the control-spec, there is no 32 at all but there is a “16:”.

I spent far too long trying to rationalize how 16 fits into the hash but it turns out that Tor does not use the specifier in their implementation of S2K. That makes sense after I think about it since Tor doesn’t need to worry about different hashing algorithms or varied number of hashing iterations. They implement a static password hashing function that uses SHA1 and iterates based on a counter value of 60 which is also static. This is why you’ll always a 60 in the middle of the HashedControlPassword value in the TORRC file.

I really needed to find out why 16. There had to be a reason. The most amount of beers that Roger Dingledine consumed in one sitting? The number of times Nick Mathewson was arrested for dealing meth? Someone from the Tor-talk mailing list finally pointed out what I was missing:

if (!strcmpstart(hashed, "16:")) {
 if (base16_decode(decoded, sizeof(decoded), hashed+3, strlen(hashed+3))&lt;0
 || strlen(hashed+3) != (S2K_SPECIFIER_LEN+DIGEST_LEN)*2) {
 goto err;
 }
} else {
 if (base64_decode(decoded, sizeof(decoded), hashed, strlen(hashed))
 != S2K_SPECIFIER_LEN+DIGEST_LEN) {
 goto err;
 }
}

if (!strcmpstart(hashed, "16:")) {

if (base16_decode(decoded, sizeof(decoded), hashed+3, strlen(hashed+3))<0

|| strlen(hashed+3) != (S2K_SPECIFIER_LEN+DIGEST_LEN)*2) {

goto err;

}

} else {

if (base64_decode(decoded, sizeof(decoded), hashed, strlen(hashed))

!= S2K_SPECIFIER_LEN+DIGEST_LEN) {

goto err;

}

16 appears to be describing whether or not it’s base16 as opposed to base64. There’s nothing in the documentation about this and attempts to use a base64 encoded password didn’t work out for me. I’ll have to just leave this alone until someone can tell me more.

Code

Nothing useful really came out of this besides making myself happy diving into some code but I still wanted an actual output of some kind so I rolled my own version of the hashing algorithm in Python.

import os, binascii, hashlib

#supply password
secret = 'foo'

#static 'count' value later referenced as "c"
indicator = chr(96)

#used to generate salt
rng = os.urandom

#generate salt and append indicator value so that it
salt = "%s%s" % (rng(8), indicator)

#That's just the way it is. It's always prefixed with 16
prefix = '16:'

# swap variables just so I can make it look exactly like the RFC example
c = ord(salt[8])

# generate an even number that can be divided in subsequent sections. (Thanks Roman)
EXPBIAS = 6
count = (16+(c&15)) << ((c>>4) + EXPBIAS)  #

d = hashlib.sha1()

#take the salt and append the password
tmp = salt[:8]+secret

#hash the salty password as many times as the length of
# the password divides into the count value
slen = len(tmp)
while count:
  if count > slen:
    d.update(tmp)
    count -= slen
  else:
    d.update(tmp[:count])
    count = 0
hashed = d.digest()
#Convert to hex
salt = binascii.b2a_hex(salt[:8]).upper()
indicator = binascii.b2a_hex(indicator)
torhash = binascii.b2a_hex(hashed).upper()

#Put it all together into the proprietary Tor format.
print(prefix + salt + indicator + torhash)

import os, binascii, hashlib

#supply password

secret = 'foo'

#static 'count' value later referenced as "c"

indicator = chr(96)

#used to generate salt

rng = os.urandom

#generate salt and append indicator value so that it

salt = "%s%s" % (rng(8), indicator)

#That's just the way it is. It's always prefixed with 16

prefix = '16:'

# swap variables just so I can make it look exactly like the RFC example

c = ord(salt[8])

# generate an even number that can be divided in subsequent sections. (Thanks Roman)

EXPBIAS = 6

count = (16+(c&15)) << ((c>>4) + EXPBIAS) #

d = hashlib.sha1()

#take the salt and append the password

tmp = salt[:8]+secret

#hash the salty password as many times as the length of

# the password divides into the count value

slen = len(tmp)

while count:

if count > slen:

d.update(tmp)

count -= slen

else:

d.update(tmp[:count])

count = 0

hashed = d.digest()

#Convert to hex

salt = binascii.b2a_hex(salt[:8]).upper()

indicator = binascii.b2a_hex(indicator)

torhash = binascii.b2a_hex(hashed).upper()

#Put it all together into the proprietary Tor format.

print(prefix + salt + indicator + torhash)

This will generate a hash for the password “foo”. Place the hash in the TORRC file and restart Tor and then you can test like this:

[me@me]# nc localhost 9051 authenticate "foo" 250 OK

External Links

https://gitweb.torproject.org/tor.git/blob?f=src/common/crypto.c#l2829 – the “secret_to_key” method implements most of the OpenPGP standard.
https://gitweb.torproject.org/tor.git/blob?f=src/or/control.c#l1153 – portion of Tor source code that reads in the HashedControlPassword value
https://gitweb.torproject.org/torspec.git/blob/HEAD:/control-spec.txt – the Tor control spec. (Planned to be updated “soon”)
https://gist.github.com/3962751 – my Tor hashing algorithm in Python
http://www.thesprawl.org/research/tor-control-protocol/ – The Sprawl’s article that was posted in 2600 about using the control port for fun and profit