spl0it.org

Social Engineering Framework for Attacking Clients

Jabra — Sat, 25 Oct 2008 04:21:43 GMT

Phishing attacks are easily performed against a single target. What if you want to automate and easily setup a client based attack against a list of targets??

As always, my solution was Perl.

I setup a custom YAML configuration file to make things a bit easier for daily usage.

http://spl0it.org/files/SEF/config.yaml

# YAML:1.0
# email is sent here
to: email_addresses.csv
# email is sent from this address
from: test@aol.com
# email subject
subject: "Email Subject"
# email type ( text or text/html )
type: text/html
# msg body file
msg: email_body.txt
# number of seconds to wait before next email
wait: 5
# prepend the first name to the email body
name: yes
# add custom signature from file
sig: yes
# signature file
sig_file: sig
# add an email attachment
attachment: yes
# path to file attachment
attachment_file: /tmp/test.jpg
# name of file attachment
attachment_file_name: funny.jpg
# type of attachment
attachment_file_type: image/jpg

The most important aspect is the email_addresses.csv which contains the full name of the target then a comma and the email address.

Example:

John Smith,john_smith@domain.com

I have even added the ability to:
* add an attachment
* append the first name to the email body
* add a signature to the bottom of the email body taken from a file
* wait X seconds between sending each email
* text or html email formats

http://spl0it.org/files/SEF/email.pl

Let me know what you think.

Regards,
Jabra

Twitter'ing from the command-line

Jabra — Tue, 14 Oct 2008 23:52:53 GMT

I'm not really into Twitter, but I decide to see how hard it would be to write a command-line client. Net::Twitter made it easy at 13 lines.

http://spl0it.org/files/twitter.pl

Regards,
Jabra

The impact of Redirects

Jabra — Tue, 14 Oct 2008 00:08:56 GMT

I would like to clarify the impact of URL redirects in this posting. First put yourself in the shoes of an attacker with a specific organization as the target. So where to start? Well, first we need to decide if we are going to attack IPs or users. Since it is generally known that the People are always the weakest link in an environment, we will start there. Now we can use a few tricks to enumerate all the email addresses of the target organization. One common method is to use public GnuPG/PGP key servers and search for employees who have their public key listed on one of the key servers. If you're like me, you would just script this process already.

Another method is using web services to enumerate a listing of employees for the organization. There are tons of web services related to social networking in the corporate environment. My favorites for this task are Spoke and Linkedin. Once we have a listing of employees, we can determine the scheme that is used in building email addresses. One example is a combination of the first character of the first name and the last name:

Ex: Bob Smith -> bsmith@domain.com

Once we have the knowledge of a listing of employees, a domain (ARIN will give us this easily, if it isn't obvious) and the email scheme, we can build an email list for all the employee names we have gathered using some Perl.

((Reference: http://spl0it.org/blog/index.php?entry= ... 103-224033 ))

Now, that we have the email addresses, we can exploit their trust in a common website. I mean we could even send the user the link without any explanation at all, but it depends on how creative we want to be.

((Reference: http://spl0it.org/blog/index.php?entry= ... 012-200242 ))

This allows us to send the users to the attacker's server, where we can have something like Metasploit, BeEF or another form of client based attack payload waiting for them.

Here is a video of BeEF on Backtrack 3 that includes some of the basic attacks that can be used.

http://spl0it.org/files/vids/bt3-beef.avi

To sum this up, we have now have a method to attack an organization without even needing to perform a single external vulnerability scan.

Cross-Site Scripting is a great attack vector, when we know that the organization we are attacking is vulnerable. However, if we need to start attacking users and Cross Site Scripting isn't an option, we can just use a commonly mis-trusted website with a redirect vulnerability. We can even use xssed.com to look for vulnerabilities in websites the target organization may trust, perhaps their partner's website?

Regards,
Jabra

Redirects in abundance on Image search pages

Jabra — Mon, 13 Oct 2008 00:02:42 GMT

I have discussed the impact of URL redirects in a previous posting, and I'm really shocked of how easy it was to find numerous instances of redirects in common search engines.

I noticed the issue when a friend of mine posted a link on IRC of an image that he found using the image search on google. As a security professional I didn't see a normal link, all I saw was a URL redirect.

Ex: http://images.DOMAIN.com/search?imgref= ... ol_pic.jpg

Google is not the only site with this type of issue, other sites like yahoo, lycos and ask.com have similar issues.

http://images.google.com/imgres?imgurl= ... ://cnn.com
http://images.search.yahoo.com/images/v ... ://cnn.com
http://images.ask.com/fr?q=s&destur ... m&fm=i
http://search.lycos.com/image.php?tab=m ... ://cnn.com

RSnake made a post about redirects in Google back in 2006. One of his examples was the images.google.com link listed above. So I guess the real question is, if these companies know about the issues, why don't they fix them??

Surf with care!

Regards,
Jabra

User Agent Lookup

Jabra — Sat, 04 Oct 2008 21:17:01 GMT

Need to lookup a User Agent and get a description? There has been some discussion about User Agent DBs on the web app sec mailing list recently, so I decided to write up a quick Perl script to utilize an XML User Agent DB.


$ wget http://techpatterns.com/downloads/firef ... itcher.xml
$ perl ua_lookup.pl  "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
Googlebot 2.1 (New version)
$ perl ua_lookup.pl  "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
Googlebot 2.1 (Older Version)
$ perl ua_lookup.pl  "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
Msnbot 1.0 (current version)
$

Code can be found at:

http://spl0it.org/files/ua_lookup.pl

You can also modify the code to use the URL instead of grabbing a local copy if you want.

As always, please let me know what you think.

Regards,
Jabra

An awesome game => more Perl!

Jabra — Wed, 24 Sep 2008 04:12:40 GMT

After getting home from an awesome game, I was in the mood to write some more Perl! I found a few more things during the day that I wondered how I was able to go without writing them already. The first is intersection and the second is union. They do exactly what you think they do and keep things very simple, keeping with the UNIX way. "Do one thing, do it well!" Anyways, perhaps I'm just tired but I wasn't aware of a tool that provided the functionality I needed. Therefore, I did what I always do, rolled my own.

$ cat file1 
127.0.0.1
127.0.0.2
127.0.0.3
$ cat file2 
127.0.1.1
127.0.2.1
127.0.3.1
127.0.0.1
$ ./intersect file1 file2
127.0.0.1
$ ./union file1 file2 
127.0.0.1
127.0.0.2
127.0.0.3
127.0.1.1
127.0.2.1
127.0.3.1

The scripts can be found at:
http://spl0it.org/files/intersect.pl
http://spl0it.org/files/union.pl

Let me know what you think.

Regards,
Jabra

Perl Script to Locate any WiFi Router by Its MAC Address

Jabra — Sat, 20 Sep 2008 18:53:17 GMT

So I noticed there is a free services at SkyHook Wireless to get the physical location of wireless router from its MAC address (BSSID)s Therefore, I decided to write up a Perl script since I saw that no one had done it yet.

$ ./bssid-location.pl AABBCCDDEEFF
Longitude: 	12.4225458
Latitude: 	41.850425

The script can be found here.

Regards,
Jabra

GIS + Kismet = Pretty Cool Result!

Jabra — Wed, 17 Sep 2008 03:14:38 GMT

These are three images using some software that I'm finishing up. For now, it lacks in documentation, but I guess a picture is worth a 1000 words!

The more important image is the second, due to the fact it demonstrates what makes the first image. The data is based on extracting information from Kismet and storing it into a database. Once the data is stored, the user is able to generate KML files that can be opened in GoogleEarth.

Let me know what you think.

Regards,
Jabra

TJX Lead Hacker could get life in prison

Jabra — Tue, 16 Sep 2008 03:09:16 GMT

http://arstechnica.com/news.ars/post/20 ... uilty.html

Reminder to use at!

Jabra — Tue, 16 Sep 2008 02:09:11 GMT

At the end of the day I was preparing my things to go home, but I needed to schedule a few scans to execute over night. In the past I have used cron, but it occurred to me that cron isn't the best tool for setting up a single event that does not reoccur. The reason is it isn't as quick as something that can be setup on the command-line. Cron requires you to use "crontab -e" or something. I quickly considered some Perl, but being lazy and short on time I needed another option. Then it occurred to me that I had forgotten about at.

So I reviewed the man page and setup a few tasks and called it a night.


at -f scan.sh 1:00 tomorrow
at -f scan2.sh 2:00 tuesday
at -f scan3.sh 3:00 september 16

Regards,
Jabra