Social Engineering Framework for Attacking Clients 

Phishing attacks are easily performed against a single target. What if you want to automate and easily set up a client-based attack against a list of targets?


As always, my solution was Perl.

I set up a custom YAML configuration file to make things a bit easier for daily usage.

http://spl0it.org/files/SEF/config.yaml

# YAML:1.0
# email is sent here
to: email_addresses.csv
# email is sent from this address
from: test@aol.com
# email subject
subject: "Email Subject"
# email type ( text or text/html )
type: text/html
# msg body file
msg: email_body.txt
# number of seconds to wait before next email
wait: 5
# prepend the first name to the email body
name: yes
# add custom signature from file
sig: yes
# signature file
sig_file: sig
# add an email attachment
attachment: yes
# path to file attachment
attachment_file: /tmp/test.jpg
# name of file attachment
attachment_file_name: funny.jpg
# type of attachment
attachment_file_type: image/jpg

The most important piece is the email_addresses.csv file, which contains the target's full name, a comma, and the email address.

Example:

John Smith,john_smith@domain.com

I have even added the ability to:
* add an attachment
* prepend the first name to the email body
* add a signature to the bottom of the email body, taken from a file
* wait X seconds between sending each email
* send text or HTML email

http://spl0it.org/files/SEF/email.pl

Let me know what you think.

Regards,
Jabra
Twitter'ing from the command-line 

I'm not really into Twitter, but I decided to see how hard it would be to write a command-line client. Net::Twitter made it easy: 13 lines.

http://spl0it.org/files/twitter.pl

Regards,
Jabra
The impact of Redirects 

I would like to clarify the impact of URL redirects in this posting. First, put yourself in the shoes of an attacker with a specific organization as the target. Where to start? First we need to decide whether we are going to attack IPs or users. Since it is generally known that people are always the weakest link in an environment, we will start there. We can use a few tricks to enumerate the email addresses of the target organization. One common method is to use public GnuPG/PGP key servers and search for employees who have their public key listed on one of them. If you're like me, you have already scripted this process.

Another method is using web services to enumerate a listing of employees for the organization. There are tons of web services related to social networking in the corporate environment; my favorites for this task are Spoke and LinkedIn. Once we have a listing of employees, we can determine the scheme used to build email addresses. One example is the first character of the first name followed by the last name:

Ex: Bob Smith -> bsmith@domain.com

Once we have a listing of employees, a domain (ARIN will give us this easily if it isn't obvious) and the email scheme, we can build an email list for all the employee names we have gathered using some Perl.

((Reference: http://spl0it.org/blog/index.php?entry= ... 103-224033 ))

Now that we have the email addresses, we can exploit the users' trust in a common website. We could even send the users the link without any explanation at all; it depends on how creative we want to be.

((Reference: http://spl0it.org/blog/index.php?entry= ... 012-200242 ))

This allows us to send the users to the attacker's server, where something like Metasploit, BeEF or another client-based attack payload can be waiting for them.

Here is a video of BeEF on Backtrack 3 that includes some of the basic attacks that can be used.

http://spl0it.org/files/vids/bt3-beef.avi

To sum this up, we now have a method to attack an organization without needing to perform a single external vulnerability scan.

Cross-Site Scripting is a great attack vector when we know that the organization we are attacking is vulnerable. However, if we need to start attacking users and Cross-Site Scripting isn't an option, we can just use a commonly trusted website that has a redirect vulnerability. We can even use xssed.com to look for vulnerabilities in websites the target organization may trust, perhaps their partner's website?

Regards,
Jabra
Redirects in abundance on Image search pages 

I have discussed the impact of URL redirects in a previous posting, and I'm really shocked at how easy it was to find numerous instances of redirects in common search engines.

I noticed the issue when a friend of mine posted a link on IRC to an image he had found using Google's image search. As a security professional, I didn't see a normal link; all I saw was a URL redirect.

Ex: http://images.DOMAIN.com/search?imgref= ... ol_pic.jpg

Google is not the only site with this type of issue; Yahoo, Lycos and ask.com have similar ones.

http://images.google.com/imgres?imgurl= ... ://cnn.com
http://images.search.yahoo.com/images/v ... ://cnn.com
http://images.ask.com/fr?q=s&destur ... m&fm=i
http://search.lycos.com/image.php?tab=m ... ://cnn.com

RSnake made a post about redirects in Google back in 2006. One of his examples was the images.google.com link listed above. So I guess the real question is: if these companies know about the issues, why don't they fix them?
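The redirect parameters shown above (imgurl, destur and friends) and the redirect-based attack chain from the previous posting both come down to the same server-side mistake: a URL taken from the request is copied straight into the Location header. The following is an added example, not the author's code or any of the search engines' code, showing that pattern next to a validated version; the host allowlist, the example.com hostnames and the function names are assumptions for illustration.

```python
"""Open redirect: the vulnerable pattern and a validated replacement.

Added example (not from spl0it.org). ALLOWED_HOSTS and DEFAULT_PATH are
constructed values for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is permitted to redirect to (constructed for the example).
ALLOWED_HOSTS = {"images.example.com", "www.example.com"}
DEFAULT_PATH = "/"


def unsafe_redirect_target(param: str) -> str:
    """The vulnerable pattern: whatever the client supplied becomes the
    Location header, so any attacker-chosen URL is accepted."""
    return param


def safe_redirect_target(param: str) -> str:
    """Hardened version: honour only site-relative paths or http(s) URLs whose
    host is allowlisted; anything else falls back to DEFAULT_PATH."""
    if not param:
        return DEFAULT_PATH
    # Several browsers treat a backslash like a slash, so normalise first or
    # "/\evil.example" would pass the relative-path check below.
    candidate = param.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Site-relative path. "//host" is scheme-relative and leaves the site,
        # so require exactly one leading slash.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_PATH
    if parts.scheme not in ("http", "https"):
        # Rejects javascript:, data: and any other non-web scheme.
        return DEFAULT_PATH
    # .hostname strips userinfo and port, so "http://www.example.com@evil.example/"
    # is seen as evil.example, not as the allowlisted host.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_PATH
    # Drop the fragment; it is never sent to the server anyway.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))
```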

Surf with care!

Regards,
Jabra
User Agent Lookup  

Need to look up a User Agent and get a description? There has been some discussion about User Agent DBs on the web app sec mailing list recently, so I decided to write up a quick Perl script that uses an XML User Agent DB.

$ wget http://techpatterns.com/downloads/firef ... itcher.xml
$ perl ua_lookup.pl "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Googlebot 2.1 (New version)
$ perl ua_lookup.pl "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
Googlebot 2.1 (Older Version)
$ perl ua_lookup.pl "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
Msnbot 1.0 (current version)
$

Code can be found at:

http://spl0it.org/files/ua_lookup.pl

You can also modify the code to fetch the XML from the URL instead of using a local copy, if you want.

As always, please let me know what you think.

Regards,
Jabra