Training session 36: Too much trust
Difficulty: Medium
They're not just trusted hosts, but trusted sources
Creator: m101

Have you ever thought to yourself, now how the hell did that computer get hacked? Was that really possible? This just doesn't make sense, that computer only had a single non-vulnerable service, it can't have been hacked...

Apart from the extensive use of 0day exploits to hack into seemingly invincible systems, it really doesn't seem possible for many hacks to have taken place. However, you are sadly mistaken: a system is only as secure as the paranoia of its users. Everyone has heard of trusted hosts and how they can be used to break into computer systems, but there is a larger scope than this. That is why I call them trusted sources.

One of the most famous hacks on record (not necessarily the most impressive) was the one done by Mitnick to hack into Tsutomu Shimomura's 'secure' box. Mitnick first disabled the client box, then spoofed his own connection to make it appear that he was the client; from there he could easily do what he wanted, as he was now a trusted source. Not everyone is vulnerable to this, and it can be an extremely difficult exercise to perform these days, but the principles and ideas behind it can be used in many situations.

Here is a situation that will truly show you how to hack hotmail. I can already hear all the kiddies yelling for joy. Although gaining root access on the server is pretty damn tricky, the average kiddie wishes to gain access to a friend's, enemy's or girlfriend's email account for reasons of all types of bullshit. Anyway, let's set the situation up a little: the hacker wants to break into the target's email account, and the target isn't stupid enough to give anyone their password. This would theoretically stop most people straight away from gaining access.

Let's look at what happens when the target attempts to log in to hotmail with their all-important password. The target walks to their computer and sits down to use it. Next they connect to the internet and request hotmail's login page. Then, after receiving it, they send their password to hotmail to authenticate themselves. They are now logged in. So you ask, where is the vulnerability in this situation? Let's break the process down further and discover the trusted sources:
Target--Computer--ISP--Hop1--Hop2..HopX--Hotmail Domain
So from here we have the following trusted sources between the target and hotmail:
Their computer
Hop number 1
Hop number X
Generally 'X' would be roughly at least 10. That means there are at least 11 trusted sources in between the target and hotmail. The target has unwillingly just trusted their password to a number of total strangers. If any single one of these sources were to be hit by the hacker, the hacker would gain the target's password through simple packet sniffing.
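Whether the hops can actually read the password depends on whether the login form submits it in cleartext. The check below is an added example, not part of the original tutorial: it audits a login page for password forms that are exposed to every hop on the path. The sample page and host name are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (hypothetical host): the first form posts the
# password over http, the second over https, the third has no password.
SAMPLE_PAGE = """
<form action="http://mail.example.test/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="https://mail.example.test/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="/search"><input name="q"></form>
"""

class LoginFormAudit(HTMLParser):
    """Collect the resolved submit URL of every form with a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.action = None          # submit URL of the form being parsed
        self.has_password = False
        self.password_forms = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page itself.
            self.action = urljoin(self.page_url, attrs.get("action") or "")
            self.has_password = False
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.has_password = True

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            if self.has_password:
                self.password_forms.append(self.action)
            self.action = None

def cleartext_password_forms(page_url, html):
    """Submit URLs whose password is readable by every hop on the path."""
    audit = LoginFormAudit(page_url)
    audit.feed(html)
    audit.close()
    # A page fetched over http can be rewritten in transit, so its forms
    # count as exposed even when they post to https.
    page_is_plain = urlsplit(page_url).scheme != "https"
    return [url for url in audit.password_forms
            if page_is_plain or urlsplit(url).scheme != "https"]
```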

This case was just to give you an idea of how bad trust can be, but it probably still doesn't explain how to hack the unhackable. Let us take a real target and see how it may be flawed. Cyberarmy is an excellent example, but how would you gain access? Well, here is how the system was once set up to the public:

ca-pr.info ca-osi.org ca-cia.org zzine.org exploitresearch.net
These at one point were the main domains of Cyberarmy, but I can guarantee you that hacking a single target is not going to gain you access to the main domain, so how is it possible to hack the main page? Here is the major list directly off the main site:
:: Structure: 
The CyberArmy - C/O: Commander in Chief scanjack 
X/O: ViceCinC wa1800z
X/O: ViceCinC Wang 
Gen Penguin
Mar dimplesx
Ret. CinC Chawmp
Mar snarkles
CyberArmy University - Gen SHEPHERD
CyberArmy Privacy Commision - Gen Tacheon
Open Source Institute - ViceCinC barnseyboy
Special Operations - Gen zifnab
Ready Response - ViceCinC Wang
CyberArmy Public Relations - Mar CHi
CyberArmy Intelligence Agency - Gen Leto
CyberArmy IRC - Gen wewalkin
CyberArmy Exploit Research - Gen Goldfish
Internal Command - Mar axem
CyberArmy Services And Support - Gen Goliath 
That's a total of 18 people who run the sites as admins. However, they do not all have access to the main domain; in fact only scanjack and one or two more have it. Also, the password system randomly generates new passwords for the accounts on a regular basis.

The first thing is to pick a target host, then play with it and see if we can somehow exploit it. The newest host in the list is actually ca-osi.org, the Open Source Institute of Cyberarmy. The guy who runs it (barnseyboy) ain't too bad a bloke. After a bit of research into the site, we find the following people appear to have privileged rights to the server:
barnseyboy 	barnseyboy@mail.com
Xenic 		xenicp@yahoo.es
aton 		aton1337@hotmail.com
shn 		webmaster@shnonline.com
pertinax 	pertinax@completeecom.com
fightgravity	anon.ymous25@excite.com
sefo 		sefo@ca-osi.com
w0lf 		w0lf@ca-osi.com
sliptop 	sliptop@ca-osi.com
avataru 	avataru@ca-osi.com
So now we have a couple more sources for the tree. You can easily do a search on google for sites that these individuals visit, and from there gain even more sources. The target for example may be www.shnonline.com, the owner being of course 'shn'.

After a bit of exploration of the website, we discover shn doesn't care too much about it and doesn't know how to update software that well. We find that his messageboard is vulnerable to a six-month-old vulnerability, and shn is too lazy to fix it. So of course we break into the site and head straight for the password files. On inspection, the stored MD5 hash turns out to belong to a damn long password, so brute forcing is useless. At this point many would give up, but you have to remember that shn would obviously believe that his OWN site is a trusted host, so it would be quite easy, after already having access, to make the login scripts save plain text passwords to a separate file. After the necessary changes are made, a week later shn logs in to check his messageboard and BAM! we now have his plaintext password and he is none the wiser. From this point shn probably doesn't care too much; what the hell is anyone going to do with shnonline.com? Absolutely nothing, however we now try his password on ca-osi.com and find..... IT WORKS!
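The step shn never notices, a changed login script and a new file appearing beside it, is what a file-integrity baseline is for. The following is an added example, not part of the original tutorial: it hashes a webroot, then reports files modified, added or removed since the baseline. The file names and the temporary webroot are constructed.

```python
import hashlib
import os
import tempfile

def hash_file(path):
    """SHA-256 of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            manifest[os.path.relpath(full, root)] = hash_file(full)
    return manifest

def compare(baseline, current):
    """Return sorted (modified, added, removed) paths against the baseline."""
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed

def demo():
    """Constructed webroot: baseline it, then change it as the text describes."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("login.php", "index.php"):
            with open(os.path.join(root, name), "w") as handle:
                handle.write("<?php /* constructed placeholder */ ?>\n")
        # In practice the baseline is stored off the web server, where
        # someone with write access to the webroot cannot update it.
        baseline = build_manifest(root)
        with open(os.path.join(root, "login.php"), "a") as handle:
            handle.write("<?php /* constructed change */ ?>\n")
        with open(os.path.join(root, "unexpected.txt"), "w") as handle:
            handle.write("constructed new file\n")
        return compare(baseline, build_manifest(root))
```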

That's right, we have now broken the trust barrier of one individual to gain access to another host. Now, ca-osi just so happens to be another one of those PHP-Nuke sites, and since shn is an admin, we can just click a few buttons and download the user database. What goodies would you expect to find in the database? Well, here are some possible examples:
merryb		mbeekman@redhat.com			Federal Marketing Manager
Wim		abr@pandora.be				http://www.abrsecurity.com
ieetglue	ieetglue@exploitresearch.net		http://www.exploitresearch.net
daijo		daijo@irc-dev.net			http://www.sionhq.com
gabbana		gabbana@zzine.org			http://www.zzine.org
Paradox		dfayra00@umail.ucsb.edu		
VooDoo		VooDoomaster@secureroot.com
elybis		elybis@getroot.net			http://www.getroot.net
oleg		o.ursu@csuohio.edu		
rayzorx		rayzorx@earthlink.net			www.rayzorx.com
(These are just general addresses that were gathered from around the net)

From this small list, there is a high possibility we could get ourselves a few web servers, .edu accounts and various other interesting things. The average database will contain all types of juicy information, and guess what, you would have just violated around 500 people's trusted sources in one go. As you can see from this, you could now use the new information, and the trusted source itself, to gain more and more access to the systems. From there I'm sure you could find a way to gain access to one of the leaders' personal computers, and from there easily log their password to access the main website. If you are wondering, this was ONLY a case study, not an actual hack.
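The case study is a chain of trust relationships, and a defender can model it the same way to see what one low-value site puts at risk. The following is an added example, not part of the original tutorial: it walks a trust graph to list everything reachable from one compromised asset, then ranks which single trust relationship to remove. All asset names and edges are constructed and only loosely follow the case study.

```python
from collections import deque

# Constructed trust edges with hypothetical names: if the left asset is
# compromised the right one follows, for the stated reason.
TRUST_EDGES = [
    ("hobby-forum", "admin-a password", "admin logs in to a site he trusts"),
    ("admin-a password", "project-site admin", "same password reused"),
    ("project-site admin", "project-site user db", "admin panel can export it"),
    ("project-site user db", "member web servers", "members reuse credentials"),
    ("project-site user db", "member mailboxes", "members reuse credentials"),
    ("member mailboxes", "leader workstation", "mail from a known sender is trusted"),
    ("leader workstation", "main-site admin", "password is typed on that machine"),
]

def exposure(edges, start):
    """Breadth-first walk: each asset reachable from start, with its path."""
    graph = {}
    for src, dst, _why in edges:
        graph.setdefault(src, []).append(dst)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths

def protective_cuts(edges, start, asset):
    """Trust edges whose removal alone keeps `start` from reaching `asset`,
    ordered so the cut that leaves the least exposed comes first."""
    cuts = []
    for edge in edges:
        remaining = exposure([e for e in edges if e != edge], start)
        if asset not in remaining:
            cuts.append((len(remaining), edge))
    return [edge for _size, edge in sorted(cuts)]
```

On the sample graph the branch to the member web servers is not a protective cut, because the main site is still reachable through the mailboxes.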

Here's another quick case study of how totally stupid most people are. Everyone knows the problems that exist in SMTP that allow people to somewhat forge mail, but not many people even consider how it could also become a powerful trusted source. I guarantee that if you were to receive an email from your girlfriend or best mate that didn't look sus, you would happily open it and not even realise you've just installed a trojan on your box.
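The From line is what the reader trusts, so the receiving side has to check it for them. The following is an added example, not part of the original tutorial: it reads the SPF, DKIM and DMARC results that the recipient's own mail server recorded in the Authentication-Results header and ignores any such header supplied by someone else. The message, domains and the server name mx.example.net are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the From line names a friend, but the receiving
# server (mx.example.net, hypothetical) recorded failed checks. The second
# Authentication-Results header stands for one injected by the sender.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example.org;
 dkim=none; dmarc=fail header.from=friend.example.com
Authentication-Results: sender-supplied.example; dmarc=pass
From: "Best Mate" <mate@friend.example.com>
To: you@example.net
Subject: check this out

hello
"""

def sender_verdict(raw, trusted_authserv):
    """Summarise sender checks recorded by our own server only."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.lower().split()[:1] != [trusted_authserv]:
            continue  # not written by our own server: anyone can add these
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            results.setdefault(method, result.lower())
    # DMARC pass means SPF or DKIM passed for a domain aligned with From.
    verified = results.get("dmarc") == "pass"
    return {"from_domain": from_domain, "results": results, "verified": verified}
```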

Trusted sources come into everything; you don't have to think much to find them. It all really just turns into a massive amount of social engineering. A target is only really as secure as the amount of effort the hacker puts into breaking it. The same applies to most situations in life: your house key doesn't protect from someone running a car through the door, does it? No it doesn't, it only stops the casual burglar with not much intent....
