Update to AutoIT Passphrase Info

25 07 2006

I got a couple of questions in the comment box about the AutoIT passphrases.  Here’s an update/clarification:

  • The debugger must be attached prior to entering a dummy passphrase, then paused after the error message comes up (at least for ollydbg).
  • This does not seem to work with AutoIt version 3.x.  (Thanks Greg).  It does work on AutoIt version 2.x.

Cracking AutoIT Encryption Passphrases

16 07 2006

AutoIT (http://www.autoitscript.com) is a Windows utility that administrators can use to automate certain tasks, especially those that they have to do on multiple machines (e.g. PC rollouts). It’s basically just a scripting language. When deploying PCs or performing administrative tasks, an administrator will usually hardcode their passwords into the script so they don’t have to enter them all the time. In order to prevent your passwords from being discovered by curious users, you can “compile” your AutoIT script and encrypt it using a secret passphrase. AutoIT provides a de-compiler for undoing the encryption, but you need to provide that passphrase.

About a year ago, I came across some malware that utilized an AutoIT script that was compiled and encrypted. In order to find out exactly what the malware did, I had to crack open the script. Using the AutoIT de-compiler and a debugger (e.g. OllyDbg), it’s fairly straightforward to find the passphrase:

  1. Launch the de-compiler (Exe2Aut) and attach to it using the debugger.
  2. Choose the Auto IT file to de-compile.
  3. Enter anything for the passphrase.
  4. When you get the error message about entering the wrong passphrase, go to the debugger and pause the process.
  5. Check the stack and you should find the correct passphrase there (in my tests, I’ve found it at location 0012F6BC in the stack). OllyDbg will show this in ASCII.

Once you have the passphrase, enter it into the AutoIT de-compiler and you get the AutoIT source script, so you can see exactly what the code is doing.

** NOTE: The author of AutoIT has said that their “encryption” is really more of an “encoding” because it’s not secure — so, DO NOT put domain passwords or anything of value in your AutoIT script. A better hacker would surely write a separate program for extracting the passphrase from compiled AutoIT scripts. But in this case that would be overkill considering how easy it is to find the passphrase.
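Since the note above boils down to “never ship a script with a password in it”, the practical check is to catch such scripts before they are compiled and rolled out. The following PowerShell script is an added example and is not code from the original post or from the AutoIT project; the regular expressions are assumptions about how credentials typically appear in a script (a variable named like a password assigned a string literal, or a RunAsSet-style call with a literal password argument), and the sample script it scans is constructed for the demonstration.

```powershell
# Added example (not from the original post): flag AutoIt scripts that embed credentials
# before they are compiled and deployed. The patterns are heuristics (assumptions about how
# passwords usually show up in scripts); expect a few false positives and tune them.
function Find-HardcodedCredential {
    param(
        [Parameter(Mandatory)] [string]$Path,          # directory containing the scripts
        [string[]]$Include = @('*.au3', '*.aut')       # AutoIt v3 / v2 script extensions
    )

    $patterns = @(
        # A variable or key whose name suggests a password, assigned a non-empty string literal.
        @{ Name = 'password-assignment'; Regex = '(?i)\$?\w*(pass(word|wd)?|pwd|secret)\w*\s*=\s*"[^"]+"' }
        # RunAsSet("user", "domain", "password", ...) with the password given as a literal.
        @{ Name = 'runas-literal';       Regex = '(?i)\bRunAs(Set)?\s*\(\s*"[^"]*"\s*,\s*"[^"]*"\s*,\s*"[^"]+"' }
    )

    $files = Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction Stop
    foreach ($file in $files) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file.FullName) {
            $lineNo++
            if ($line -match '^\s*;') { continue }      # skip AutoIt comment lines
            foreach ($p in $patterns) {
                if ($line -match $p.Regex) {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Line    = $lineNo
                        Finding = $p.Name
                        Text    = $line.Trim()
                    }
                }
            }
        }
    }
}

# Constructed sample input: a tiny rollout script written to a temp folder for the demo.
$sampleDir = Join-Path ([System.IO.Path]::GetTempPath()) 'au3-credential-scan-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
; PC rollout script (constructed sample, not a real deployment script)
$domain = "CORP"
$adminPassword = "Spring2006!"
RunAsSet("svc_rollout", "CORP", "Spring2006!")
$title = "PC Rollout"
'@ | Set-Content -Path (Join-Path $sampleDir 'rollout.au3')

# Expected: two findings, the $adminPassword assignment and the RunAsSet call.
Find-HardcodedCredential -Path $sampleDir | Format-Table -AutoSize
```

Run it against the folder your scripts live in before compiling; anything it reports should be replaced by a prompt at run time or a credential fetched from a proper secret store rather than a literal in the script, since the compiled file’s passphrase protection will not keep it secret.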

How to Practice Safe Web Browsing

12 07 2006

Here’s the problem:  In the past, most computers connected to the Internet were directly connected.  In other words, another user on the Internet could connect to your machine directly.  This allowed malware to propagate rather quickly, connecting to vulnerable ports opened by unnecessary programs running on your machine.  Today, most people utilize some sort of router or firewall.  Even Windows comes with a built-in firewall.  This means that “direct attacks” on your open ports have become more difficult.  The attack target turned to “publicly accessible ports” such as web servers, FTP servers, mail servers, etc.  All the while, there was an attack vector that was slowly gaining momentum: client-side attacks – or attacks that require the user to actually do something.  Client-side vulnerabilities became the focus of hackers.  The most common vulnerabilities released nowadays are client-side vulnerabilities.  ActiveX, JavaScript, e-mail end users, etc. have become the target.

What this means is that you can have millions of dollars of routers, firewalls, proxies, etc invested in protecting your network (or your home computer), but all you need to do is to open a web page to a compromised or malicious web site and whammo! your computer is hacked.  

Most people practice Safe E-Mail by not opening email from unknown persons or using Anti-Virus software to strip malware from emails.  But I’d venture to guess that 99% of people DO NOT practice safe web browsing.

Safe Web Browsing means that you disable all of the bells and whistles for unknown web sites.  This means the fancy drop-down menus, the scrolling text, the fancy Flash sites, etc. all go away.  But I want it! you say.  Well, you still can, with a little work.  You need to make use of the ‘Trusted Sites’ zone in Internet Explorer (I’m sure Firefox and other web browsers have something similar, but if you are not using IE then you can probably figure out how to find them!).  Internet Explorer has several zones available (click on Tools/Internet Options then click on the “Security” tab).  Most websites are in the “Internet Zone.”  What you need to do is set the Internet Zone to a really high setting (i.e. High) or customize the settings so that Java, JavaScript and ActiveX don’t run AT ALL.  Then, set the “Trusted Sites” zone to “Medium.”

When you have a website that you use often (i.e. paredes-ohana.org):

  1. Click on Tools/Internet Options then the Security tab.
  2. After that, click on “Trusted Sites” and then click on the “Sites” button. 
  3. Uncheck the “Require server verification…” checkbox. 
  4. Add the site by typing, without the quotes: “*.wordpress.com” in the “Add this Web Site…” field, then click on “Add”. 
  5. Click OK until you close all the windows.
  6. You may need to “Refresh (F5)” the web page if you were looking at it before doing this.
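The zone settings behind the Internet Options dialog live in the registry, so the same hardening can be checked and applied from a script, which is handy when you want to verify a whole fleet rather than click through each machine. The PowerShell below is an added example, not code from the original post; it assumes per-user settings under HKCU (domain Group Policy can override them with HKLM values), and it relies on the value names Microsoft documents for security zones: zone 3 is the Internet zone, zone 2 is Trusted sites, value 1200 is “Run ActiveX controls and plug-ins”, 1400 is “Active scripting”, 1C00 is “Java permissions” (0 Enable, 1 Prompt, 3 Disable; Java 0 = disabled), and bit 0x4 of a zone’s Flags value is the “Require server verification” checkbox.

```powershell
# Added example (not from the original post): audit and apply the IE zone settings
# described in the post through the registry instead of the Internet Options dialog.
# Assumptions: per-user (HKCU) settings; Group Policy under HKLM may override them.
# Value names and meanings follow Microsoft's documentation of security-zone registry entries:
#   1200 = Run ActiveX controls and plug-ins, 1400 = Active scripting (0 Enable, 1 Prompt, 3 Disable)
#   1C00 = Java permissions (0 = disable Java)
#   Zone numbers: 2 = Trusted sites, 3 = Internet
#   Zone 'Flags' bit 0x4 = Require server verification (https) for all sites in this zone
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$Checks = @(
    @{ Name = '1200'; Label = 'Run ActiveX controls and plug-ins'; Want = 3 }
    @{ Name = '1400'; Label = 'Active scripting (JavaScript)';     Want = 3 }
    @{ Name = '1C00'; Label = 'Java permissions';                  Want = 0 }
)

function Test-InternetZoneHardening {
    # Report whether the Internet zone (3) has ActiveX, scripting and Java turned off.
    $zone = Get-ItemProperty -Path "$ZonesKey\3"
    foreach ($c in $Checks) {
        $actual = $zone.($c.Name)
        [pscustomobject]@{
            Setting  = $c.Label
            Actual   = $actual
            Expected = $c.Want
            Hardened = ($actual -eq $c.Want)
        }
    }
}

function Set-InternetZoneHardening {
    # Apply the post's "customize the Internet zone so Java, JavaScript and ActiveX don't run".
    foreach ($c in $Checks) {
        Set-ItemProperty -Path "$ZonesKey\3" -Name $c.Name -Value $c.Want -Type DWord
    }
}

function Add-TrustedSite {
    # Map every host under $Domain to the Trusted sites zone (2): the registry form of typing
    # "*.example.com" in the Sites dialog. Clearing Flags bit 0x4 on zone 2 is the equivalent
    # of unchecking "Require server verification", so plain-http sites are accepted.
    param([Parameter(Mandatory)] [string]$Domain)   # e.g. 'wordpress.com' (hypothetical input)
    $key = Join-Path $DomainsKey $Domain
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name '*' -Value 2 -Type DWord

    $flags = (Get-ItemProperty -Path "$ZonesKey\2").Flags
    if ($flags -band 4) {
        Set-ItemProperty -Path "$ZonesKey\2" -Name 'Flags' -Value ($flags -bxor 4) -Type DWord
    }
}

function Get-TrustedSite {
    # List the hosts currently mapped to the Trusted sites zone, so the list can be reviewed.
    Get-ChildItem -Path $DomainsKey -Recurse | ForEach-Object {
        $item = $_
        $item.GetValueNames() | Where-Object { $item.GetValue($_) -eq 2 } | ForEach-Object {
            # Hosts nest as Domains\example.com\www; rebuild the name from the key path.
            $parts = ($item.PSPath.Substring($item.PSPath.IndexOf('Domains\') + 8)) -split '\\'
            [array]::Reverse($parts)
            [pscustomobject]@{ Host = ($parts -join '.'); Scheme = $_; Zone = 2 }
        }
    }
}

# Audit first; call Set-InternetZoneHardening and Add-TrustedSite -Domain '<your site>' to apply.
Test-InternetZoneHardening | Format-Table -AutoSize
Get-TrustedSite | Format-Table -AutoSize
```

Editing the individual values is the registry equivalent of the “customize the settings” route in the post; the dialog will then show the Internet zone as a custom level rather than High. Because other Microsoft applications read the same zone values, the audit output also tells you what those applications will allow from untrusted sites.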

By doing this, you ensure that if you get redirected to a hacker site or happen to click on a bad link (like when Googling), you won’t get whacked by a client-side attack.  Since most Microsoft products use IE settings, this should help with your other often-attacked Microsoft applications too.  It’s more work, but once you start doing it, you’ll get used to it and it will seem natural.  Think of it as clutching your purse or watching your surroundings when you are walking in a bad neighborhood.  You don’t HAVE to do it, but it’s probably best to.