The art of cutting corners

I love ROI-driven solutions and this post is about one of them. My personal cybersecurity consulting practice has exposed me to many different types of ‘IT security’ jobs over the last 13 years, and today I will describe one of them…

Nearly a decade ago one of my clients contacted me saying that they had a USB key that belonged to their client, and their client was interested in regaining access to the device’s content after they forgot the password.

Hmm interesting…

This was not your random USB key, but a removable device that was specifically designed to encrypt its data by default. As an input, I got a forensic ‘image’ of the USB key, plus some basic info about its vendor, and that was it – so I quickly googled around, and immediately realized the company that produced it had been out of business for a while…

Before I could even begin I was shot down.

To access the content of the device one needed to run the vendor’s software (which was luckily present on the key in an unencrypted form), provide the password, and then the actual content of the key would be decrypted and mounted as a separate Windows device. I may not be remembering everything exactly as it was, but the bottom line was that I got an image of an encrypted USB key and had to find a way to crack its password.

The software handling the decryption process was a mess. It was on the complexity level of today’s Rust, Go or Nim binaries – written in a language that was not very commonly used, very high-level, with lots of dependencies and hard to analyze statically – and definitely no dedicated tools to support the analysis (I know I am vague, but it was a long time ago – it could have been Visual FoxPro or something like this, I really don’t remember!).

After a few hours of static analysis in IDA I threw in the towel and decided to take a different approach. I was hoping that the person using the encrypted key had chosen some simple password that is easy to remember.

So, I built a dictionary of popular English words, then ran that weird decryption software, and finally wrote a very rudimentary AutoIt script that would fetch words from the dictionary text file one by one, save each one to a log file before trying it, push it into the UI control of that software that handled the password input, and then send a keystroke simulating someone pressing ENTER…

Luckily, the software didn’t have any anti-brute-force mechanisms built in (no lockout, no delay between attempts), so I just let it run overnight. To my surprise, the next morning I discovered the password had been cracked!
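The loop described above, as an added example that is not the original AutoIt script: the part that talks to the target (set the text of the password control, send ENTER, check whether the decrypted volume appeared) is isolated in an `attempt` callable, so the harness itself can run and be tested offline. The wordlist, the `FakeDevice` stand-in, its secret, and the casing variants are all constructed assumptions; in the real job `attempt` would be the UI-automation step and the success check would be something like polling for a new drive letter.

```python
"""Dictionary-driven password harness (added example, not the post's
own AutoIt script).  Each candidate is written to the log *before* it is
tried, so a hang or crash of the target never loses position, and a
second run resumes by skipping everything already logged."""
import os
from typing import Callable, Iterable, Iterator, Optional


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Yield each dictionary word plus its obvious casing variants.
    (The post used plain words; the variants are an added assumption.)"""
    seen = set()
    for w in words:
        w = w.strip()
        if not w:
            continue
        for c in (w, w.lower(), w.capitalize(), w.upper()):
            if c not in seen:
                seen.add(c)
                yield c


def already_tried(log_path: str) -> set:
    """Candidates recorded in the log by an earlier (possibly crashed) run."""
    if not os.path.exists(log_path):
        return set()
    with open(log_path, encoding="utf-8") as f:
        return {line.rstrip("\n") for line in f if line.strip()}


def run_attack(words: Iterable[str], attempt: Callable[[str], bool],
               log_path: str) -> Optional[str]:
    """Try each candidate once; log it, then call attempt(candidate).
    Returns the password on success, None when the dictionary is exhausted."""
    done = already_tried(log_path)
    with open(log_path, "a", encoding="utf-8") as log:
        for cand in candidates(words):
            if cand in done:
                continue
            log.write(cand + "\n")
            log.flush()
            if attempt(cand):
                return cand
    return None


# --- Constructed stand-in for the real target (assumption) --------------
# In the original job this is where the UI step would go: set the text of
# the password control, send {ENTER}, then check whether the decrypted
# volume showed up.  A fake device with a constructed secret stands in so
# the loop runs offline.
class FakeDevice:
    def __init__(self, secret: str):
        self._secret = secret
        self.attempts = 0

    def unlock(self, password: str) -> bool:
        self.attempts += 1
        return password == self._secret


# Constructed wordlist; a real run would read a dictionary file.
CONSTRUCTED_WORDLIST = ["apple", "banana", "secret", "garden", "window"]


def demo(log_path: str = "tried.log") -> Optional[str]:
    """Fresh run: clears any old log and attacks a device whose secret is
    a capitalized dictionary word (constructed, not from the post)."""
    if os.path.exists(log_path):
        os.remove(log_path)
    dev = FakeDevice("Garden")
    return run_attack(CONSTRUCTED_WORDLIST, dev.unlock, log_path)


def resume_demo(log_path: str = "tried.log") -> tuple:
    """Second run against the same log: every candidate already logged is
    skipped, so a target with the next secret is reached in two attempts."""
    dev = FakeDevice("window")
    return run_attack(CONSTRUCTED_WORDLIST, dev.unlock, log_path), dev.attempts


if __name__ == "__main__":
    print(demo())         # Garden
    print(resume_demo())  # ('window', 2)
```

Logging before the attempt is the detail that matters in practice: when the target locks up halfway through a long wordlist, the next run picks up where the previous one stopped instead of starting over.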

It was a simple 5- or 6-character English word, if I remember correctly, and once I found out I was immediately ecstatic! I quickly relayed the message to my client, they did so to theirs, and we all ended up being happier and richer that day…

Is there a lesson there for us?

YES!

Sometimes stupid solutions work. You don’t need to understand everything. It’s good to be driven by ROI principles. The art of ‘hacking’ is elusive.

Slowing down…

Update

Thank you to everyone who reached out on Twitter and directly; I am overwhelmed by the reaction, especially as I had not expected it; what was supposed to be a dry and semi-formal post about slowing down turned out to be probably more sentimental than it should have been.

I just want to say thank you and emphasize that it’s mainly about changing gears – probably research less and go to gym more for starters… In any case, I am fine, and I apologize for making you worry!

Old Post

Everything has its beginning and end. Both events have some pros and cons.

And typically, when you read something like this on a blog, it means it is game over.

For the last (nearly) 7 years I tried my best to participate and give back to the security community by publishing ideas and tools, providing honest critique of security solutions and ideas, and offering lots of research data that had never been shared before; all in the hope of giving the most accurate (yet still mine, and subjective) view of the state of affairs within our DFIR/RCE world, and offering an alternative to the industry fads, sometimes even the idiocy of it, and the wishful thinking so prevalent in our biz.

This post doesn’t actually end that. I love IT Security in general, I am still fascinated by it, and I am still a total noob when it comes to it; with a lifelong focus on reverse engineering, computer forensics, incident response and anything related to this subject really, I am here to stay and continue to write. You can’t just walk away from all this.

However…

This post tells you that I am going to slow down.

I am a blue teamer by heart and a red teamer by interest. Recent years have brought a lot of commoditization in both areas; while 10 years ago you could say we had the garage days of DFIR, today we have lots of mature solutions, models and ideas that support our work. And there is not that much need now to provide novelty research either; seriously, lots of things are already known inside out; the large (and no longer just AV-oriented) teams that emerged as a result of the last 10 years’ fight against the bad guys provide that additional research on a regular, often daily basis. For a small fish like me it is impossible to compete against it – I realized this around 2 years ago: a single contributor no longer has much place in this field. You need to be a part of a team, you need to collaborate, you need to represent and participate on a slightly different level. I kept going, because I still had some ideas to talk about. Yet the slow decline of these novelty ideas is what drove me to write this post. I think the time for boutique security shops is over.

As a result I am changing direction, and while I am saying that: I actually have no idea what that direction is today. Time will tell.

In any case…

Thank you for reading the blog so far, and for all the feedback I have received over the years. Being referenced by SANS, numerous books and presentations, and being mentioned in chit-chat on various forums and platforms is the best satisfaction any security researcher can hope for.

Thank you!!!