How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!

This Post is for the people that:

• Have No Experience With Cybersecurity (Ethical Hacking)
• Have Limited Experience.
• Those That Just Can't Get A Break

OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.

I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀

 I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.

Let's get this party started.

•  What is hacking?

Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.

Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)

 There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.

•  Skills required to become ethical hacker.

1. Curosity anf exploration
2. Operating System
3. Fundamentals of Networking

*Note this sites

• hackquest.de
• hacktissite.org
• www.trythis0ne.com
• www.hackchallenge.net
• hacking-lab.com

Related links

• Hacker Tools Free
• Pentest Tools Subdomain
• Hacker Tools Apk
• Easy Hack Tools
• Pentest Tools Android
• Pentest Tools Android
• Hacker Tools Linux
• Android Hack Tools Github
• Hacking Tools Software
• Nsa Hack Tools
• Pentest Tools Windows
• Pentest Tools For Ubuntu
• Hack Tool Apk No Root
• Hacking Tools For Beginners
• Nsa Hack Tools
• Hack Website Online Tool
• Free Pentest Tools For Windows
• Pentest Tools Android
• Hacker Tool Kit
• Hacking Tools Name
• Hacker Tools 2020
• Underground Hacker Sites
• Top Pentest Tools
• Hacking Tools Windows
• Nsa Hack Tools Download
• Hacker Tools Apk
• Pentest Tools Find Subdomains
• Hacker Tools List
• Hack Tool Apk No Root
• Pentest Tools Nmap
• Hacking Tools Usb
• Hacking Tools For Windows
• Best Pentesting Tools 2018
• Hacker Tools Mac
• Pentest Automation Tools
• How To Make Hacking Tools
• Ethical Hacker Tools
• Pentest Tools Port Scanner
• Hacking Tools Free Download
• Hacker Tools Github
• Hacking App
• Black Hat Hacker Tools
• Pentest Tools Online
• Hacking Tools Windows 10
• Hacking Tools For Mac
• Kik Hack Tools
• Hacking Tools 2020
• Pentest Tools Find Subdomains
• Hacker Tools Hardware
• Hacking Tools Software
• Hack Tools
• Pentest Tools Port Scanner
• Pentest Box Tools Download
• Hacking Tools 2019
• Pentest Tools For Ubuntu
• Hacking Tools For Mac
• Hacking Tools Name
• World No 1 Hacker Software
• Hacking Tools Name
• Hacker Tools Linux
• Pentest Tools Bluekeep
• Hacker Tools Github
• Hack And Tools
• New Hack Tools
• Ethical Hacker Tools
• Hacking Tools Usb
• Hacking Tools For Mac
• Android Hack Tools Github
• Tools Used For Hacking
• Top Pentest Tools
• Pentest Tools Url Fuzzer
• Hacking App
• Hacker Tools For Pc

How To Spoof PDF Signatures

One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is not trusted" warning shown by the viewer - and asked ourselfs:

"How do PDF signatures exactly work?"

We are quite familiar with the security of message formats like XML and JSON. But nobody had an idea, how PDFs really work. So we started our research journey.

Today, we are happy to announce our results. In this blog post, we give an overview how PDF signatures work and on top, we reveal three novel attack classes for spoofing a digitally signed PDF document. We present our evaluation of 22 different PDF viewers and show 21 of them to be vulnerable. We additionally evaluated 8 online validation services and found 6 to be vulnerable.

In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues and three generic CVEs for each attack class were issued: CVE-2018-16042, CVE-2018-18688, CVE-2018-18689.


Full results are available in the master thesis of Karsten Meyer zu Selhausen, in our security report, and on our website.

Digitally Signed PDFs? Who the Hell uses this?

Maybe you asked yourself, if signed PDFs are important and who uses them.
In fact, you may have already used them.
Have you ever opened an Invoice by companies such as Amazon, Sixt, or Decathlon?
These PDFs are digitally signed and protected against modifications.
In fact, PDF signatures are widely deployed in our world. In 2000, President Bill Clinton enacted a federal law facilitating the use of electronic and digital signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts. He approved the eSign Act by digitally signing it.
Since 2014, organizations delivering public digital services in an EU member state are required to support digitally signed documents, which are even admissible as evidence in legal proceedings.
In Austria, every governmental authority digitally signs any official document [§19]. In addition, any new law is legally valid after its announcement within a digitally signed PDF.
Several countries like Brazil, Canada, the Russian Federation, and Japan also use and accept digitally signed documents.
According to Adobe Sign, the company processed 8 billion electronic and digital signatures in the 2017 alone.

Crash Course: PDF and PDF Signatures

To understand how to spoof PDF Signatures, we unfortunately need to explain the basics first. So here is a breef overview.

PDF files are ASCII files. You can use a common text editor to open them and read the source code.

PDF header. The header is the first line within a PDF and defines the interpreter version to be used. The provided example uses version PDF 1.7. 

PDF body. The body defines the content of the PDF and contains text blocks, fonts, images, and metadata regarding the file itself. The main building blocks within the body are objects. Each object starts with an object number followed by a generation number. The generation number should be incremented if additional changes are made to the object.

In the given example, the Body contains four objects: Catalog, Pages, Page, and stream. The Catalog object is the root object of the PDF file. It defines the document structure and can additionally declare access permissions. The Catalog refers to a Pages object which defines the number of the pages and a reference to each Page object (e.g., text columns). The Page object contains information how to build a single page. In the given example, it only contains a single string object "Hello World!".

Xref table. The Xref table contains information about the position (byte offset) of all PDF objects within the file.

Trailer. After a PDF file is read into memory, it is processed from the end to the beginning. By this means, the Trailer is the first processed content of a PDF file. It contains references to the Catalog and the Xref table.

How do PDF Signatures work?

PDF Signatures rely on a feature of the PDF specification called incremental saving (also known as incremental update), allowing the modification of a PDF file without changing the previous content.

 

As you can see in the figure on the left side, the original document is the same document as the one described above. By signing the document, an incremental saving is applied and the following content is added: a new Catalog, a Signature object, a new Xref table referencing the new object(s), and a new Trailer. The new Catalog extends the old one by adding a reference to the Signature object. The Signature object (5 0 obj) contains information regarding the applied cryptographic algorithms for hashing and signing the document. It additionally includes a Contents parameter containing a hex-encoded PKCS7 blob, which holds the certificates as well as the signature value created with the private key corresponding to the public key stored in the certificate. The ByteRange parameter defines which bytes of the PDF file are used as the hash input for the signature calculation and defines 2 integer tuples: 
a, b : Beginning at byte offset a, the following b bytes are used as the first input for the hash calculation. Typically, a 0 is used to indicate that the beginning of the file is used while a b is the byte offset where the PKCS#7 blob begins.
c, d : Typically, byte offset c is the end of the PKCS#7 blob, while c d points to the last byte range of the PDF file and is used as the second input to the hash calculation.

According to the specification, it is recommended to sign the whole file except for the PKCS#7 blob (located in the range between a b and c).

Attacks

During our research, we discovered three novel attack classes on PDF signatures:

1. Universal Signature Forgery (USF)
2. Incremental Saving Attack (ISA)
3. Signature Wrapping Attack (SWA)

In this blog post, we give an overview on the attacks without going into technical details. If you are more interested, just take a look at the sources we summarized for you here.

Universal Signature Forgery (USF)

The main idea of Universal Signature Forgery (USF) is to manipulate the meta information in the signature in such a way that the targeted viewer application opens the PDF file, finds the signature, but is unable to find all necessary data for its validation.

Instead of treating the missing information as an error, it shows that the contained signature is valid. For example, the attacker can manipulate the Contents or ByteRange values within the Signature object. The manipulation of these entries is reasoned by the fact that we either remove the signature value or the information stating which content is signed.
The attack seems trivial, but even very good implementations like Adobe Reader DC preventing all other attacks were susceptible against USF.

Incremental Saving Attack (ISA)

The Incremental Saving Attack (ISA) abuses a legitimate feature of the PDF specification, which allows to update a PDF file by appending the changes. The feature is used, for example, to store PDF annotations, or to add new pages while editing the file.

The main idea of the ISA is to use the same technique for changing elements, such as texts, or whole pages included in the signed PDF file to what the attacker desires.
In other words, an attacker can redefine the document's structure and content using the Body Updates part. The digital signature within the PDF file protects precisely the part of the file defined in the ByteRange. Since the incremental saving appends the Body Updates to the end of the file, it is not part of the defined ByteRange and thus not part of the signature's integrity protection. Summarized, the signature remains valid, while the Body Updates changed the displayed content.
This is not forbidden by the PDF specification, but the signature validation should indicate that the document has been altered after signing.

Signature Wrapping Attack (SWA)

Independently of the PDFs, the main idea behind Signature Wrapping Attacks is to force the verification logic to process different data than the application logic.

In PDF files, SWA targets the signature validation logic by relocating the originally signed content to a different position within the document and inserting new content at the allocated position. The starting point for the attack is the manipulation of the ByteRange value allowing to shift the signed content to different loctions within the file.

On a very technical level, the attacker uses a validly signed document (shown on the left side) and proceeds as follows:

• Step 1 (optional): The attacker deletes the padded zero Bytes within the Contents parameter to increase the available space for injecting manipulated objects.
• Step 2: The attacker defines a new /ByteRange [a b c* d] by manipulating the c value, which now points to the second signed part placed on a different position within the document.
• Step 3: The attacker creates a new Xref table pointing to the new objects. It is essential that the byte offset of the newly inserted Xref table has the same byte offset as the previous Xref table. The position is not changeable since it is refer- enced by the signed Trailer. For this purpose, the attacker can add a padding block (e.g., using whitespaces) before the new Xref table to fill the unused space.
• Step 4: The attacker injects malicious objects which are not protected by the signature. There are different injection points for these objects. They can be placed before or after the malicious Xref table. If Step 1 is not executed, it is only possible to place them after the malicious Xref table.
• Step 5 (optional): Some PDF viewers need a Trailer after the manipulated Xref table, otherwise they cannot open the PDF file or detect the manipulation and display a warning message. Copying the last Trailer is sufficient to bypass this limitation.
• Step 6: The attacker moves the signed content defined by c and d at byte offset c*. Optionally, the moved content can be encapsulated within a stream object. Noteworthy is the fact that the manipulated PDF file does not end with %%EOF after the endstream. The reason why some validators throw a warning that the file was manipulated after signing is because of an %%EOF after the signed one. To bypass this requirement, the PDF file is not correctly closed. However, it will be still processed by any viewer.

Evaluation

In our evaluation, we searched for desktop applications validating digitally signed PDF files. We analyzed the security of their signature validation process against our 3 attack classes. The 22 applications fulfill these requirements. We evaluated the latest versions of the applications on all supported platforms (Windows, MacOS, and Linux).

Authors of this Post

Vladislav Mladenov
Christian Mainka
Karsten Meyer zu Selhausen
Martin Grothe
Jörg Schwenk

Acknowledgements

Many thanks to the CERT-Bund team for the great support during the responsible disclosure.
We also want to acknowledge the teams which reacted to our report and fixed the vulnerable implementations.

Related posts

1. Hack Tools 2019
2. Best Hacking Tools 2020
3. Hacker Tools 2019
4. Physical Pentest Tools
5. Game Hacking
6. New Hacker Tools
7. Hacker
8. Hacker Tools
9. Hacking Tools For Windows 7
10. Hacking Tools Pc
11. What Is Hacking Tools
12. Hacking Tools Free Download
13. What Are Hacking Tools
14. Hacker Tools Software
15. Hacker Tools Free Download
16. Pentest Tools Alternative
17. Pentest Tools List
18. Hacking Tools For Mac
19. Hacking Tools For Windows
20. Hacker Tools Free
21. What Are Hacking Tools
22. Usb Pentest Tools
23. Hack Tools For Windows
24. Hacking Tools For Beginners
25. What Are Hacking Tools
26. Hacker Tools Apk
27. Pentest Tools Linux
28. Hack Tools For Windows
29. Pentest Tools Android
30. Usb Pentest Tools
31. Hacking App
32. Wifi Hacker Tools For Windows
33. Hack Tools Github
34. Hacking Tools Name
35. Hack Tool Apk No Root
36. Hacker Tool Kit
37. Hacking Tools Hardware
38. Pentest Tools Alternative
39. Pentest Tools Subdomain
40. Hacker Tools For Mac
41. Hacker Tools Hardware
42. Termux Hacking Tools 2019
43. Pentest Tools Alternative
44. Pentest Tools
45. Pentest Tools Tcp Port Scanner
46. Hacker Search Tools
47. Hacking Tools Free Download
48. Hack Rom Tools
49. Hacker
50. Hacker Tools For Windows
51. Hacker Tools For Windows
52. Pentest Tools Website
53. Hack Tools 2019
54. Hacker Techniques Tools And Incident Handling
55. Pentest Tools Website
56. Hacker
57. Pentest Tools Find Subdomains
58. Hacking Tools Software
59. Hack Tools
60. Hacking Tools And Software
61. New Hacker Tools
62. Hacker Security Tools
63. Free Pentest Tools For Windows
64. Tools Used For Hacking
65. Hackrf Tools
66. Hack App
67. Pentest Tools For Android
68. Blackhat Hacker Tools
69. Hack Tools Pc
70. Blackhat Hacker Tools
71. Hacking Tools Usb
72. Best Hacking Tools 2020
73. Hacking Tools Online
74. Ethical Hacker Tools
75. Pentest Tools Nmap
76. Hacker Tools For Ios
77. Computer Hacker
78. Github Hacking Tools
79. Hacking Tools For Games
80. Best Hacking Tools 2019
81. Termux Hacking Tools 2019
82. Free Pentest Tools For Windows
83. Hacking Tools Mac
84. Hacking Tools 2020
85. Pentest Tools Find Subdomains
86. Game Hacking
87. Hacking Tools Mac
88. Wifi Hacker Tools For Windows
89. Install Pentest Tools Ubuntu
90. Pentest Tools Port Scanner
91. Hacker Tools For Mac
92. Hack App
93. Pentest Recon Tools
94. Hacks And Tools
95. Android Hack Tools Github
96. How To Make Hacking Tools
97. Best Pentesting Tools 2018
98. Pentest Tools Kali Linux
99. Hacking Tools And Software
100. Hack Tools Download
101. Hacking Tools Free Download
102. Pentest Tools Download
103. Hacker Tools For Pc
104. How To Make Hacking Tools
105. Hacker Tools Github
106. Hacking Tools For Kali Linux
107. Hacking Tools For Windows