Wednesday, September 4, 2013

An awesome social engineering attack!

Hello everyone,

After a lot of time, I am writing again here. The reason is that today at 2:46 a good friend showed me his AWESOME  social engineering skills. It is a really nice story that everybody should enjoy!


Let me introduce yourself...

We all know, that every single guy who has facebook account - or not - has tried EVEN once to download a software, that will "hack" his best friend's or his girlfriend's facebook account. We also know, that this "software" we are talking about is a virus, a phising page or something that will NOT do what we want! If someone asks me to describe this real story in 4 words, that words would be Social Engineering, Open Source. Now, it is time to talk about the victim and the attacker.

The attacker, is Dionysis Zindros aka Dionyziz. A really experienced guy in Software Engineering (and Social Engineering as you will see later) . You can read more about this guy here: Dionyziz. His site is available for everyone here.

The victim is a guy named Nicolas. A normal guy (I guess), who just wanted to learn how to hack facebook accounts.

The story....

Dionysis is friend with Nicolas. Because of that fact, Nicolas asked Dionysis if he knows how to hack a facebook account. Dionysis said "Maybe" . Nicolas asked Dionysis with pleasure if he could hack his own (Nicolas) account with the only term not to read his messages. The answer was positive! After a couple of hours, Dionysis said to Nicolas that he doesn't want to hack his profile, and that he will show him how to hack other profiles. Nicolas was excited. The following conversation took part at Skype:

"
[2013-09-03 1:42:57 AM] Dionysis: it's better to use text because I need to give you commands here
[2013-09-03 1:43:03 AM] Dionysis: and I won't be able to type easily if we use voice
[2013-09-03 1:43:05 AM] Dionysis: OK?
[2013-09-03 1:43:09 AM] Nicolas: Ok
[2013-09-03 1:43:10 AM] Dionysis: how was your taxi ride?
[2013-09-03 1:43:16 AM] Nicolas: Fine :)
[2013-09-03 1:44:44 AM] Nicolas: Ready when you are.
[2013-09-03 1:46:38 AM] Dionysis: sure, just give me a second
[2013-09-03 1:46:42 AM] Dionysis: need to use the bathroom
[2013-09-03 1:50:51 AM] Dionysis: ok back
[2013-09-03 1:51:09 AM] Nicolas: Alright
[2013-09-03 1:51:37 AM] Dionysis: so, I first need to show you how to do 'X72' decryption
[2013-09-03 1:51:52 AM] Dionysis: basically, X72 is the mechanism Facebook uses for blocking users
[2013-09-03 1:51:55 AM] Dionysis: it's a codename
[2013-09-03 1:52:09 AM] Dionysis: the way it works is like this
[2013-09-03 1:52:23 AM] Dionysis: when you "report" a user on Facebook, something called an "X72 cookie" is generated
[2013-09-03 1:52:49 AM] Dionysis: this is used to determine whether the user has been reported by many of their friends or not
[2013-09-03 1:53:07 AM] Dionysis: and Facebook uses it to check if some account is a spam account or was hacked
[2013-09-03 1:53:22 AM] Dionysis: if many friends of a person go to their profile and click 'report', these cookies are collected together
[2013-09-03 1:53:31 AM] Dionysis: if there are many such cookies, the user is banned automatically
[2013-09-03 1:53:35 AM] Dionysis: get it?
[2013-09-03 1:53:37 AM] Nicolas: Yes
[2013-09-03 1:53:45 AM] Dionysis: so if 30 of your friends "report" you, you will be banned
[2013-09-03 1:53:50 AM] Dionysis: but you have to have them in your friends
[2013-09-03 1:53:51 AM] Dionysis: otherwise
[2013-09-03 1:54:00 AM] Dionysis: 30 strangers could agree to just "report" you and get you banned
[2013-09-03 1:54:04 AM] Dionysis: and of course that's not possible
[2013-09-03 1:54:14 AM] Nicolas: Makes sense
[2013-09-03 1:55:13 AM] Dionysis: so these cookies are used to perform privilege escalation on Facebook to disable the account
[2013-09-03 1:56:01 AM] Dionysis: when you visit a friend's profile and click on the report/block button on their profile, this X72 cookie is generated
[2013-09-03 1:56:19 AM] Dionysis: the vulnerability by Facebook is that this cookie actually contains authentication data for the remote user
[2013-09-03 1:56:24 AM] Dionysis: however, this information is encrypted
[2013-09-03 1:56:53 AM] Dionysis: so, in reality, once you click on "Report", you already *have* the password of the user you reported, if they're in your friends,
[2013-09-03 1:56:56 AM] Dionysis: but it's in encrypted form
[2013-09-03 1:57:13 AM] Nicolas: Ok
[2013-09-03 1:59:21 AM] Dionysis: hang on a sec
[2013-09-03 1:59:22 AM] Dionysis: sorry
[2013-09-03 1:59:30 AM] Nicolas: ok ;)
[2013-09-03 2:02:57 AM] Dionysis: ok so
[2013-09-03 2:03:06 AM] Dionysis: this encrypted form uses a 'one-way' encryption also known as hashing
[2013-09-03 2:03:17 AM] Dionysis: so you can't really decrypt it immediately with a command
[2013-09-03 2:03:28 AM] Dionysis: but what you can do is apply the same 'encryption' function to see if a password matches
[2013-09-03 2:03:32 AM] Dionysis: and computers are very good at doing this massively
[2013-09-03 2:03:42 AM] Dionysis: so we're going to "brute force" that encryption
[2013-09-03 2:03:49 AM] Dionysis: i.e. try all possible combinations of 1, 2, 3, etc. letters
[2013-09-03 2:04:26 AM] Dionysis: so eventually it will find the correct password
[2013-09-03 2:05:15 AM] Dionysis: alright?
[2013-09-03 2:05:18 AM] Nicolas: Yes
[2013-09-03 2:05:30 AM] Dionysis: ok so
[2013-09-03 2:05:34 AM] Dionysis: for this you need 2 tools
[2013-09-03 2:05:39 AM] Dionysis: one to capture the X72 cookie
[2013-09-03 2:05:45 AM] Dionysis: the other to decrypt it through brute force
[2013-09-03 2:05:51 AM] Dionysis: makes sense?
[2013-09-03 2:05:57 AM] Nicolas: Yes.
[2013-09-03 2:06:08 AM] Dionysis: alright so the tool to decrypt by brute force is of course widely available
[2013-09-03 2:06:12 AM] Dionysis: there are several out there actually
[2013-09-03 2:06:27 AM] Nicolas: for Mac?
[2013-09-03 2:06:32 AM] Nicolas: anything?
[2013-09-03 2:06:33 AM] Dionysis: yes for all OSes
[2013-09-03 2:06:54 AM] Dionysis: there is John The Ripper and other tools
[2013-09-03 2:07:01 AM] Dionysis: but we can concern ourselves about these later
[2013-09-03 2:07:12 AM] Nicolas: Sure
[2013-09-03 2:08:06 AM] Dionysis: the first thing you need to do is do an X72 "capture"
[2013-09-03 2:08:15 AM] Dionysis: this is done with a tool that uses the Facebook vulnerability
[2013-09-03 2:08:19 AM] Dionysis: as you can imagine it's not widely available
[2013-09-03 2:09:03 AM] Dionysis: so
[2013-09-03 2:09:09 AM] Dionysis: please don't distribute it, okay?
[2013-09-03 2:09:11 AM] Dionysis: I mean don't send it to other people
[2013-09-03 2:09:24 AM] Nicolas: That's a promise
[2013-09-03 2:09:37 AM] Dionysis: ok :)
[2013-09-03 2:09:47 AM] Dionysis: I appreciate it
[2013-09-03 2:10:12 AM] Dionysis: so this tool is basically a python script which basically connects to Firefox and captures the X72 cookie as it's generated
[2013-09-03 2:10:31 AM] Dionysis: sent a file Facebook-Cross-Site-X72-Vuln.zip to this group
[2013-09-03 2:10:46 AM] Dionysis: it has instructions when you run it
[2013-09-03 2:10:51 AM] Dionysis: but it's very simple
[2013-09-03 2:10:57 AM] Dionysis: the complicated step is the decryption, not the capture
[2013-09-03 2:11:09 AM] Dionysis: basically the tool handles everything for you for capturing
[2013-09-03 2:11:24 AM] Dionysis: all you need to do is visit her profile and click on the "Report/Block" button at the top right
[2013-09-03 2:11:25 AM] Dionysis: from the menu
[2013-09-03 2:11:32 AM] Dionysis: she has you as a friend right?
[2013-09-03 2:11:37 AM] Nicolas: yeah
[2013-09-03 2:11:42 AM] Dionysis: ok
[2013-09-03 2:11:43 AM] Dionysis: so
[2013-09-03 2:11:46 AM] Dionysis: you open the block/report dialog
[2013-09-03 2:11:50 AM] Dionysis: but do NOT report her
[2013-09-03 2:11:50 AM] Nicolas: I'll have to block her though
[2013-09-03 2:11:51 AM] Dionysis: no
[2013-09-03 2:11:55 AM] Dionysis: it will give you a confirmation dialog
[2013-09-03 2:12:05 AM] Nicolas: Ok
[2013-09-03 2:12:23 AM] Dionysis: at the time the confirmation dialog is displayed, the X72 cookie is already generated
[2013-09-03 2:12:25 AM] Dionysis: so it's captured
[2013-09-03 2:12:28 AM] Dionysis: and you can just cancel after that
[2013-09-03 2:12:30 AM] Dionysis: get it?
[2013-09-03 2:12:36 AM] Nicolas: Yeah nice
[2013-09-03 2:13:53 AM] Dionysis: ok in the meantime also download john the ripper for mac
[2013-09-03 2:13:56 AM] Dionysis: for the decryption step
[2013-09-03 2:14:37 AM] Nicolas: Free version does right?
[2013-09-03 2:14:48 AM] Dionysis: yeah
[2013-09-03 2:16:08 AM] Nicolas: ok
[2013-09-03 2:16:09 AM] Nicolas: I have 4 folders
[2013-09-03 2:16:17 AM] Nicolas: 3 and a README file
[2013-09-03 2:17:28 AM] Dionysis: OK
[2013-09-03 2:17:31 AM] Dionysis: good
[2013-09-03 2:18:08 AM] Dionysis: so uh
[2013-09-03 2:18:11 AM] Dionysis: do you have python?
[2013-09-03 2:18:15 AM] Dionysis: you need python to run python scripts :P
[2013-09-03 2:18:24 AM] Nicolas: I shall download that
[2013-09-03 2:18:27 AM] Dionysis: I think mac has it
[2013-09-03 2:18:30 AM] Dionysis: can you open a terminal?
[2013-09-03 2:18:58 AM] Nicolas: I did
[2013-09-03 2:20:24 AM] Dionysis: ok
[2013-09-03 2:20:27 AM] Dionysis: type 'python'
[2013-09-03 2:20:28 AM] Dionysis: and hit enter
[2013-09-03 2:20:29 AM] Dionysis: does it work?
[2013-09-03 2:20:41 AM] Dionysis: what does it say?
[2013-09-03 2:20:43 AM] Nicolas: Python 2.7.2 (default, Oct 11 2012, 20:14:37) 
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
[2013-09-03 2:20:53 AM] Dionysis: ok it works, great
[2013-09-03 2:20:55 AM] Dionysis: so you already have python
[2013-09-03 2:21:00 AM] Dionysis: not hit ctrl + d to exit it
[2013-09-03 2:21:20 AM] Nicolas: Ok
[2013-09-03 2:21:57 AM] Dionysis: now*
[2013-09-03 2:26:32 AM] Nicolas: 10 more MB
[2013-09-03 2:26:42 AM] Dionysis: looking forward to it eh?
[2013-09-03 2:26:52 AM] Dionysis: ;P
[2013-09-03 2:27:09 AM] Nicolas: (Please don't tell anyone I stole a password, haha)
[2013-09-03 2:28:17 AM] Dionysis: haha don't worry I won't tell
[2013-09-03 2:28:18 AM] Dionysis: ;)
[2013-09-03 2:28:24 AM] Dionysis: okay so
[2013-09-03 2:28:27 AM] Dionysis: once you download this
[2013-09-03 2:28:28 AM] Dionysis: unzip it
[2013-09-03 2:28:31 AM] Dionysis: and open a terminal again
[2013-09-03 2:28:33 AM] Dionysis: you can't run it directly
[2013-09-03 2:29:47 AM] Nicolas: Alright I did
[2013-09-03 2:30:10 AM] Dionysis: ok so
[2013-09-03 2:30:11 AM] Dionysis: uh
[2013-09-03 2:30:17 AM] Dionysis: what is the folder you extracted this to?
[2013-09-03 2:30:22 AM] Dionysis: is it inside home, downloads, where?
[2013-09-03 2:30:23 AM] Nicolas: Downloads
[2013-09-03 2:30:24 AM] Dionysis: ok
[2013-09-03 2:30:28 AM] Dionysis: so the console should have something like
[2013-09-03 2:30:41 AM] Dionysis: nicolas@mac ~ %
[2013-09-03 2:30:42 AM] Dionysis: or something
[2013-09-03 2:30:44 AM] Dionysis: so type
[2013-09-03 2:30:46 AM] Dionysis: cd Downloads
[2013-09-03 2:30:47 AM] Dionysis: and hit enter
[2013-09-03 2:31:08 AM] Nicolas: and it showed me : Nicolas-MacBook-Pro:Downloads nicolas$
[2013-09-03 2:31:10 AM] Dionysis: cd is 'change directory'
[2013-09-03 2:31:11 AM] Dionysis: ok
[2013-09-03 2:31:16 AM] Dionysis: so you're at that directory now
[2013-09-03 2:31:20 AM] Dionysis: now enter the directory of the exploit
[2013-09-03 2:31:21 AM] Dionysis: cd Facebook-Cross-Site-X72-Vuln
[2013-09-03 2:31:37 AM] Nicolas: Ok
[2013-09-03 2:31:41 AM] Nicolas: ( Nicolas-MacBook-Pro:Facebook-Cross-Site-X72-Vuln nicolas$  )
[2013-09-03 2:32:13 AM] Dionysis: ok great
[2013-09-03 2:32:19 AM] Dionysis: so now run it
[2013-09-03 2:32:21 AM] Dionysis: like so:
[2013-09-03 2:32:30 AM] Dionysis: python fb-cs-x72.py
[2013-09-03 2:32:36 AM] Dionysis: and hit enter
[2013-09-03 2:32:44 AM] Dionysis: it should show instructions with what to do
[2013-09-03 2:32:51 AM] Dionysis: basically it should open a connected firefox browser
[2013-09-03 2:32:56 AM] Dionysis: so that you can do the report thing
[2013-09-03 2:33:16 AM] Nicolas: I have to agree
[2013-09-03 2:33:20 AM] Nicolas: to the terms above
[2013-09-03 2:33:22 AM] Dionysis: yeah just hit enter
[2013-09-03 2:33:31 AM] Dionysis: it's the usual stuff that exploits have
[2013-09-03 2:33:37 AM] Dionysis: it's "for educational purposes only" and shit
[2013-09-03 2:33:57 AM] Nicolas: browser can't be opened
[2013-09-03 2:34:03 AM] Dionysis: ah
[2013-09-03 2:34:04 AM] Dionysis: uh
[2013-09-03 2:34:06 AM] Dionysis: what does it say?
[2013-09-03 2:34:21 AM] Dionysis: oh um
[2013-09-03 2:34:23 AM] Dionysis: just open it yourself
[2013-09-03 2:34:29 AM] Dionysis: go to the directory of the exploit where you extracted it
[2013-09-03 2:34:35 AM] Dionysis: right click on the "browser" file
[2013-09-03 2:34:37 AM] Dionysis: and click open
[2013-09-03 2:34:58 AM] Dionysis: is the python script still running? if not you may have to re-run it
[2013-09-03 2:35:12 AM] Nicolas: Ok I opened it
[2013-09-03 2:35:26 AM] Nicolas: No I think I pressed ctrl+d and closed it
[2013-09-03 2:35:37 AM] Nicolas: Wait
[2013-09-03 2:35:45 AM] Dionysis: okay listen
[2013-09-03 2:35:49 AM] Dionysis: close the firefox browser
[2013-09-03 2:35:52 AM] Dionysis: close the terminal
[2013-09-03 2:35:53 AM] Dionysis: and start over
[2013-09-03 2:36:01 AM] Dionysis: it should be able to open the browser this time just fine
[2013-09-03 2:36:11 AM] Dionysis: re-open the terminal, use 'cd' as I showed you
[2013-09-03 2:36:16 AM] Dionysis: and then use the python line
[2013-09-03 2:36:23 AM] Dionysis: python fb-cs-x72.py
[2013-09-03 2:37:24 AM] Dionysis: works now?
[2013-09-03 2:37:57 AM] Nicolas: Yeah perfect
[2013-09-03 2:38:02 AM] Dionysis: ok
[2013-09-03 2:38:04 AM] Dionysis: browser opened?
[2013-09-03 2:38:08 AM] Nicolas: yes
[2013-09-03 2:38:10 AM] Nicolas: but here says
[2013-09-03 2:38:11 AM] Dionysis: alright seems like it works
[2013-09-03 2:38:19 AM] Nicolas: Press ENTER when the Report/Block window has been opened.
[2013-09-03 2:38:25 AM] Dionysis: yeah don't press enter yet
[2013-09-03 2:38:28 AM] Nicolas: but it's just the browser that opened
[2013-09-03 2:38:30 AM] Nicolas: ok
[2013-09-03 2:38:33 AM] Dionysis: yeah just go to her profile
[2013-09-03 2:38:37 AM] Dionysis: and click 'report/block'
[2013-09-03 2:38:46 AM] Dionysis: with your account
[2013-09-03 2:39:27 AM] Nicolas: ok
[2013-09-03 2:39:29 AM] Nicolas: I did
[2013-09-03 2:39:44 AM] Nicolas: enter?
[2013-09-03 2:39:58 AM] Dionysis: did you open the report window?
[2013-09-03 2:40:04 AM] Nicolas: Yes
[2013-09-03 2:40:08 AM] Nicolas: now I have 4 options.
[2013-09-03 2:40:25 AM] Nicolas: Hide Maria from news feed
[2013-09-03 2:40:27 AM] Nicolas: block Maria
[2013-09-03 2:40:31 AM] Nicolas: unfriend
[2013-09-03 2:40:34 AM] Nicolas: and submit a report
[2013-09-03 2:40:37 AM] Dionysis: okay
[2013-09-03 2:41:13 AM] Dionysis: [password retracted]
[2013-09-03 2:41:21 AM] Nicolas: haha
[2013-09-03 2:41:23 AM] Dionysis: that's all
[2013-09-03 2:41:26 AM] Dionysis: :)
[2013-09-03 2:41:28 AM] Nicolas: shit haha
[2013-09-03 2:41:44 AM] Dionysis: you're officially an idiot
[2013-09-03 2:41:45 AM] Dionysis: :P
[2013-09-03 2:41:47 AM] Nicolas: Now I'll have to trust you :D
[2013-09-03 2:41:55 AM] Dionysis: change your password mate
[2013-09-03 2:41:57 AM] Dionysis: :P
[2013-09-03 2:42:00 AM] Dionysis: and be more careful next time
[2013-09-03 2:42:14 AM] Nicolas: why?
[2013-09-03 2:42:22 AM] Dionysis: well, don't trust what everyone tells you
[2013-09-03 2:42:26 AM] Dionysis: you asked me to hack your Facebook account
[2013-09-03 2:42:27 AM] Dionysis: and I did
[2013-09-03 2:42:29 AM] Dionysis: so what do I get?
[2013-09-03 2:42:39 AM] Nicolas: haha
[2013-09-03 2:42:45 AM] Dionysis: that's how you hack
[2013-09-03 2:42:51 AM] Dionysis: you hack people
[2013-09-03 2:42:53 AM] Dionysis: obviously there's no software to hack Facebook
[2013-09-03 2:42:57 AM] Dionysis: don't be an idiot
[2013-09-03 2:43:09 AM] Dionysis: it's called "social engineering"
[2013-09-03 2:43:13 AM] Nicolas: That's embarrassing  :P
[2013-09-03 2:43:17 AM] Dionysis: Yes, it is.
[2013-09-03 2:43:18 AM] Dionysis: :P
[2013-09-03 2:43:38 AM] Nicolas: Cause you ruined my dreams
[2013-09-03 2:43:39 AM] Nicolas: haha
[2013-09-03 2:43:42 AM] Dionysis: So you asked me to hack your Facebook account, and I asked you if you're serious, you said "yes, just don't see my messages".
[2013-09-03 2:43:46 AM] Dionysis: After that the hacking began.
[2013-09-03 2:43:54 AM] Dionysis: The first part of the hack was to tell you I'd actually let you hack a different account.
[2013-09-03 2:44:00 AM] Dionysis: Psychology.
[2013-09-03 2:44:15 AM] Dionysis: Then I modified firefox to capture your password and send it to me, and sent the executable to you.
[2013-09-03 2:44:21 AM] Dionysis: Disguised a russian hacker.
[2013-09-03 2:44:39 AM] Dionysis: If I didn't tell you, you wouldn't even suspect that I had access to your account.
[2013-09-03 2:44:58 AM] Dionysis: Unless I posted a "Hacked by @Dionysis Zindros" status ;)
[2013-09-03 2:45:13 AM] Dionysis: The X72 explanation makes it more believable.
[2013-09-03 2:45:23 AM] Dionysis: And the warning messages on the executable… and the fact that you have to type console commands.
[2013-09-03 2:45:26 AM] Dionysis: None of that is necessary.
[2013-09-03 2:45:29 AM] Nicolas: Haha it was actually awesome
[2013-09-03 2:45:34 AM] Dionysis: Thanks, glad you liked it :)
[2013-09-03 2:45:41 AM] Dionysis: You can also delete John the ripper, you won't be needing it.
[2013-09-03 2:45:50 AM] Nicolas: Omg
[2013-09-03 2:45:50 AM] Nicolas: haha
[2013-09-03 2:45:53 AM] Nicolas: Alright
[2013-09-03 2:45:57 AM] Dionysis: Lesson learned? ;)
[2013-09-03 2:46:03 AM] Nicolas: Yes man ;)
[2013-09-03 2:46:23 AM] Nicolas: However, r u sure there is no software for hacking passwords though?
[2013-09-03 2:46:29 AM] Dionysis: hahaha
[2013-09-03 2:46:34 AM] Dionysis: yes I am sure
[2013-09-03 2:46:40 AM] Nicolas: Cool :P
[2013-09-03 2:46:43 AM] Dionysis: the way is psychology, not software
[2013-09-03 2:46:53 AM] Dionysis: Facebook is more secure than any of us are as people.
[2013-09-03 2:47:37 AM] Dionysis: Want to learn more about hacking?
[2013-09-03 2:47:44 AM] Dionysis: Study psychology and read this:
[2013-09-03 2:47:49 AM] Dionysis: http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X
[2013-09-03 2:48:26 AM] Dionysis: I should tell Lefteris I hacked into your account after you challenged me to do it.
[2013-09-03 2:48:34 AM] Dionysis: When he asks me how I did it, I should say I asked you for your password and you gave it to me.
[2013-09-03 2:48:42 AM] Dionysis: Because that's exactly what happened.
[2013-09-03 2:48:43 AM] Nicolas: Haha
[2013-09-03 2:48:57 AM] Nicolas: If you don't tell him the second line
[2013-09-03 2:48:59 AM] Nicolas: you'll scare him
[2013-09-03 2:49:12 AM] Nicolas: :P
[2013-09-03 2:49:45 AM] Nicolas: Hey man did chris see the pass or was it just you?
[2013-09-03 2:49:58 AM] Nicolas: Because I have some other websites with that pass
[2013-09-03 2:50:06 AM] Nicolas: I'll need to change that all
[2013-09-03 2:51:32 AM] Dionysis: He doesn't remember it.
[2013-09-03 2:51:36 AM] Dionysis: I won't use it.
[2013-09-03 2:51:49 AM] Nicolas: Alright ;)
"

 "
 Awesome? Just social engineering! And a 10 lines of Javascript and python!

How did this work?

Dionysis' steps:

1) Edited firefox's code and added 10 lines of javascript that will return the form input of the facebook login page at his page.

2) With python, he executes the new firefox(the modified one), and generate a hash with uuid. For this scenario uuid hash is the X72 hash.

3) Send the file to the victim and waits for him to login at his facebook account! And, done! That's all!

This attack was not harmful, but it could easily become! Dionysis, performed this attack to show us how we should be more careful. Just keep in mind that with the some way, someone can have full access to our computers rather than just hacking our facebook account .

I shared this attack because I thought it is really interesting! I hope you enjoyed as much as I did!

Here is the Javacript code : http://pastebin.com/raw.php?i=ZDAbKQ35
And here is the Python code: http://pastebin.com/raw.php?i=sJDMDa2L



Thanks,

Nikos Danopoulos