<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Checkmate &#187; Hacks</title>
	<atom:link href="http://niiconsulting.com/checkmate/category/hacks/feed/" rel="self" type="application/rss+xml" />
	<link>http://niiconsulting.com/checkmate</link>
	<description>An Information Security Blog by NII Consulting</description>
	<lastBuildDate>Fri, 02 Dec 2011 08:26:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>Social Engineering &amp; &#8220;Influence&#8221;, by Dr. Cialdini</title>
		<link>http://niiconsulting.com/checkmate/2010/06/03/social-engineering-influence-by-dr-cialdini/</link>
		<comments>http://niiconsulting.com/checkmate/2010/06/03/social-engineering-influence-by-dr-cialdini/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 07:10:40 +0000</pubDate>
		<dc:creator>K K Mookhey</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[Cialdini]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=253</guid>
<description><![CDATA[Over the past few years, we have completed a number of social engineering tests as part of advanced penetration testing at various organizations. Coincidentally, I recently read an excellent book called “Influence – the Psychology of Persuasion” by Dr. Robert Cialdini, and realized that it has some excellent lessons for anyone wanting to guard themselves from [...]]]></description>
<content:encoded><![CDATA[<p>Over the past few years, we have completed a number of social engineering tests as part of advanced penetration testing at various organizations. Coincidentally, I recently read an excellent book called “Influence – the Psychology of Persuasion” by <a href="http://en.wikipedia.org/wiki/Robert_Cialdini" target="_blank">Dr. Robert Cialdini</a>, and realized that it has some excellent lessons for anyone wanting to guard themselves from social engineering attacks.</p>
<p>Dr. Cialdini’s book is an excellent study of what he calls “compliance professionals” – people engaged in hard-core door-to-door selling such as second-hand car salesmen, multi-level marketing (read Amway) professionals, etc. He describes the following six techniques these professionals use to convince people to buy things they were never going to buy in the first place. The same techniques afford the social engineer easy access to information, and it is worthwhile for information security professionals to examine what the other breed of “compliance professionals” is up to!</p>
<p><span id="more-253"></span></p>
<p><strong> 1. Reciprocation: </strong>We are hard-wired to respond to a favor, often not in direct proportion to the size of the favor done to us. One such example given by Cialdini is the aid given in 1985 by Ethiopian Red Cross to earthquake victims in Mexico as repayment of aid given by Mexico when Ethiopia was invaded by Italy, way back in 1935! For the original <a href="http://news.google.com/newspapers?id=6aAmAAAAIBAJ&amp;sjid=xgEGAAAAIBAJ&amp;pg=5597,2603767&amp;hl=en" target="_blank">news article click here</a>.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>We used this technique to deadly effect by inducing a systems administrator to disclose highly confidential information about their set up after providing him with lots of study material for the upcoming CISA exam.</p>
<p><strong>2. Commitment and Consistency: </strong>Once we have made a choice or taken a stand, we will encounter personal and inter-personal pressures to behave consistently with that commitment.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>During one such test, we posed as auditors and started interviewing the system administrators. After a couple of days of helping us out with information, they led us to the other departments in the organization and further facilitated our “audit”. It was only on the 5th day that someone raised an alarm, but during the first few days once the personnel had hard-wired themselves into co-operating with us, they just went all the way, without even checking our credentials!</p>
<p><strong>3. Social Proof: </strong>One means we use to determine what is correct is to find out what other people think is correct. The principle applies especially to the way we decide what constitutes correct behavior.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>This is most simply exploited during a social engineering test by leveraging the power of social networking sites such as LinkedIn and Facebook. An attractive enough profile with other members of your organization linked to it is highly likely to make you add it to your network as well, with no clue as to the profile&#8217;s veracity.</p>
<p><strong>4. Liking: </strong>Few people would be surprised to learn that, as a rule, we most prefer to say yes to the requests of someone we know and like.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>Our most successful attempts have involved sending our more likeable people across asking for help or requesting information to complete a “college project”. These individuals are usually well-groomed, smart and personable, with enough charm (or convincing naivete) to get the other person to comply.</p>
<p><strong>5. Authority: </strong>The famous <a href="http://en.wikipedia.org/wiki/Milgram_experiment" target="_blank">Milgram experiments</a> show the power of authority in comparison to all the other factors listed here. The real culprit is our inability to resist the psychological power wielded by the person in authority.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>We have seen this work in numerous ways by faking authority letters purporting to come from some government agency or from the managing director of the company. Much of the time the recipient will simply comply with the request. The same effect is seen at the gate: depending on which car one arrives in and how one is dressed, the security guard adjusts his level of obsequiousness.</p>
<p><strong>6. Scarcity: </strong>Collectors of everything from baseball cards to antiques are keenly aware of the influence of the scarcity principle in determining the worth of an item.<br />
<span style="text-decoration: underline;">Practical exploitation:</span> <span style="text-decoration: underline;"><br />
</span>One of the most common tactics is to build time pressure. The scarcity of time often makes people comply with requests in violation of their policies and their own common sense. We have used this on numerous occasions be it with a security guard or with a system or network administrator.</p>
<p>For other interesting social engineering experiments, search for “the real hustle” on YouTube for the BBC program that shows how as humans we easily fall prey to the smart hustler who sweet-talks his or her way into social engineering us.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2010/06/03/social-engineering-influence-by-dr-cialdini/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Hacking Microsoft Windows 2003 Server with Microsoft SQL Server 2005</title>
		<link>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/</link>
		<comments>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/#comments</comments>
		<pubDate>Tue, 08 Dec 2009 05:30:53 +0000</pubDate>
		<dc:creator>TAS</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Hacks]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=119</guid>
<description><![CDATA[This post is a complete switch from my previous post on phishing modus operandi. A little background on the hack: I was doing an assessment of a financial application; the objective was to evaluate the security of the complete infrastructure on which the application would be hosted once it went live. As opposed to [...]]]></description>
<content:encoded><![CDATA[<p>This post is a complete switch from my previous post on phishing modus operandi. A little background on the hack: I was doing an assessment of a financial application; the objective was to evaluate the security of the complete infrastructure on which the application would be hosted once it went live. As opposed to the routine list of findings, this particular hack took the limelight: a full system compromise with Administrator access to the system. Yeah! </p>
<p><span id="more-119"></span></p>
<p>It was the last day of our assessment and I had a little time on hand before winding up for the day, so I thought: why not bash the ‘sa’ account? I opened Microsoft SQL Server 2005 Management Studio and tried brute-forcing the ‘sa’ login with common passwords. I got errors and disappointments, but only briefly: it didn’t take more than 7 tries to get the combination right. And that opened my way into the system. </p>
<p>Once inside, the next step was the extended stored procedure xp_cmdshell. &#8220;xp_cmdshell&#8221; runs operating system commands from within the database engine, under the account the SQL Server service runs as (when the caller is a sysadmin). You can run it from a query window or from T-SQL code. Back to the hack: I opened a query window and typed the following command</p>
<blockquote><p>
<em>exec xp_cmdshell 'dir C:\'</em></p></blockquote>
<p>Though I was logged in as ‘sa’ (the highest-privilege login on SQL Server), as expected I got this long error message.</p>
<blockquote><p><em>Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1<br />
SQL Server blocked access to procedure &#8216;sys.xp_cmdshell&#8217; of component &#8216;xp_cmdshell&#8217; because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of &#8216;xp_cmdshell&#8217; by using sp_configure. For more information about enabling &#8216;xp_cmdshell&#8217;, see &#8220;Surface Area Configuration&#8221; in SQL Server Books Online</em></p></blockquote>
<p>In short, the error means I cannot use the xp_cmdshell stored procedure for my hack. Starting with SQL Server 2005, Microsoft ships xp_cmdshell turned OFF as part of the default security configuration; SQL Server 2000 and earlier had it turned ON in the default setup, which made system compromise easy once you had ‘sa’. The obvious advantage of disabling xp_cmdshell is that getting into the SQL server no longer makes system compromise a cake walk. But let’s check out how you can still take that cake walk on versions after Microsoft SQL Server 2000. Just a little tricky, but easy <img src='http://niiconsulting.com/checkmate/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </p>
<p>If you read the error carefully it gives out more than it should. Check the last line of the message: it says xp_cmdshell can be enabled using the &#8220;Surface Area Configuration&#8221;. A quick Google turns up plenty of articles on enabling the stored procedure with the Surface Area Configuration wizard. They should work, but for whatever reason the wizard did not work for me. If you want to enable xp_cmdshell with the Surface Area Configuration method on your own system, try the following</p>
<blockquote><p>
<em>Goto Microsoft SQL Server 2005<br />
Configuration Tools &gt; SQL Server Surface Area Configuration &gt; Surface Area Configuration for Feature &gt; Expand the SQL server Instance name &gt; Under Database engine goto xp_cmdshell &gt; Check &#8220;Enable xp_cmdshell&#8221; and Apply</em></p></blockquote>
<p>That&#8217;s it; xp_cmdshell is now enabled on your own box. Run the command mentioned above again and you should get no error. The image below summarizes this</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/Enable_xp-cmdshell_local_sys" alt="Enabling xp_cmdshell with 'Surface Area Configuration Wizard' on your own box" /><br />
Fig: Enabling xp_cmdshell using the Surface Area Configuration Wizard</p>
<p>I had to enable xp_cmdshell on the remote system. I opened SQL Server Surface Area Configuration, clicked &#8220;Change computer&#8221; and specified the remote SQL Server instance name (or IP). It popped up an error; I tried a few times but, phew, it would not work for me. Time to try something else. I went back to find out whether there was a command-line way of doing the same thing, and a few searches later I had my answer. You can enable xp_cmdshell in 4 simple steps:</p>
<blockquote><p><em>1) EXEC master.dbo.sp_configure 'show advanced options', 1 -- 1 = ON, 0 = OFF<br />
2) RECONFIGURE<br />
3) EXEC master.dbo.sp_configure 'xp_cmdshell', 1<br />
4) RECONFIGURE</em></p></blockquote>
<p>sp_configure displays or changes global configuration settings for the current server. Changing an option (and running RECONFIGURE) requires the ALTER SETTINGS server-level permission, which the sysadmin and serveradmin fixed server roles hold implicitly, and ‘sa’ is a sysadmin. Eh! sp_configure is my key into the system. So I first enable the advanced options, then enable xp_cmdshell. One caveat worth knowing: xp_cmdshell runs under the SQL Server service account, so the user-creation step that follows only succeeds if that account is itself a local administrator (LocalSystem, as was common for SQL Server 2005 installs); a service running as a low-privileged account could not create a local admin. The image below shows my ‘xp_cmdshell’ in action on the remote system.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/enable_xp_cmdshell.png" alt="xp_cmdshell in action on victim system" /><br />
Fig: xp_cmdshell in action on victim system</p>
<p>Once xp_cmdshell was enabled, it was time to add a user. So I typed the following commands in the query window (net localgroup targets the server’s local Administrators group; net group only works against domain groups on a domain controller),</p>
<blockquote><p><em>1) EXEC xp_cmdshell 'net user pwnsauc3 h3ll0w0rld$ /ADD'<br />
2) EXEC xp_cmdshell 'net localgroup Administrators pwnsauc3 /ADD'</em></p></blockquote>
<p>In case Terminal Services is not running on the target, go to Start &gt; Run and type services.msc. Right-click the root node, choose Connect to another computer, point it at the remote system, and authenticate with the username and password created above. Start the Terminal Services service. You can now sit and relax; you are a step away from administrator access to the system. Fire up your Remote Desktop client, type in the IP and log in with the user name and password we created. The images below conclude my hack. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/connecting_to_remote_system.png" alt="Verify the user addition from command line" /><br />
Fig: Verify the user addition from command line</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/verifying_user_addition_to_sys.png" alt="Remote terminal to the victim system" /><br />
Fig: Remote terminal to the victim system</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/12/user_added_to_administrators group.png" alt="verifying the user added to Administrators group" /><br />
Fig: Verifying the user added to Administrators group</p>
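<p>The chain above (a burst of failed ‘sa’ logins from one client, then ‘show advanced options’ and ‘xp_cmdshell’ flipped from 0 to 1) is written to the SQL Server ERRORLOG as it happens, which is where a defender should catch it. The Python script below is an added example, not code from the original post or from NII Consulting: it runs a simple correlation over constructed log lines laid out like SQL Server 2005’s ERRORLOG. The message texts approximate the real 18456 login-failure and sp_configure change messages; the timestamps, client address and spid are made up for the sample.</p>

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the layout SQL Server 2005 writes to ERRORLOG
# (timestamp, source, message). Not a real log from the assessment.
SAMPLE_ERRORLOG = """\
2009-12-07 17:02:10.11 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:10.11 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:11.53 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:11.53 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:13.02 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:13.02 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:14.40 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:14.40 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:16.07 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:16.07 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:17.90 Logon       Error: 18456, Severity: 14, State: 8.
2009-12-07 17:02:17.90 Logon       Login failed for user 'sa'. [CLIENT: 192.168.1.20]
2009-12-07 17:02:30.10 spid53      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-12-07 17:02:31.44 spid53      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2009-12-07 18:15:02.00 Logon       Login failed for user 'appuser'. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(\S+)\s+(.*)$")
FAILED_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")


def parse_errorlog(text):
    """Return (timestamp, source, message) tuples; lines that don't match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def detect_attack_chain(events, threshold=5, window=timedelta(seconds=60),
                        follow=timedelta(minutes=10)):
    """Alert on (a) `threshold` failed logins for one login from one client
    inside `window`, and (b) xp_cmdshell being switched on, marked as
    following a brute-force burst when one fired within `follow` before it."""
    recent = defaultdict(deque)   # (login, client) -> timestamps of recent failures
    bruteforce_times = []
    alerts = []
    for ts, _source, msg in events:
        m = FAILED_RE.search(msg)
        if m:
            key = (m.group(1), m.group(2))
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window
                q.popleft()
            if len(q) == threshold:           # fire once, as the burst crosses the line
                bruteforce_times.append(ts)
                alerts.append({"kind": "login_bruteforce", "time": ts,
                               "login": key[0], "client": key[1],
                               "failures": len(q)})
            continue
        m = CONFIG_RE.search(msg)
        if m and m.group(1) == "xp_cmdshell" and m.group(3) == "1":
            preceded = any(ts - t <= follow for t in bruteforce_times if t <= ts)
            alerts.append({"kind": "xp_cmdshell_enabled", "time": ts,
                           "after_bruteforce": preceded})
    return alerts


if __name__ == "__main__":
    for alert in detect_attack_chain(parse_errorlog(SAMPLE_ERRORLOG)):
        print(alert)
```

<p>The threshold and both windows are parameters; tune them to the environment. The single failed login for ‘appuser’ at the end of the sample is there to show that an isolated failure produces no alert.</p>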
<p>Adios!<br />
Taufiq Ali</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/12/08/hacking-microsoft-windows-2003-server-with-microsoft-sql-server-2005/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Phishy Story</title>
		<link>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/</link>
		<comments>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 12:17:40 +0000</pubDate>
		<dc:creator>TAS</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Research]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=80</guid>
<description><![CDATA[Phishing takes its name from fishing. The phisher casts a net over the whole volume of internet users, and just as zillions of fish end up in the fisherman&#8217;s nets, internet users are hooked through their own inboxes and messengers. Phishers have some personal favourites &#8211; personal information, credit cards [...]]]></description>
<content:encoded><![CDATA[<p>Phishing takes its name from fishing. The phisher casts a net over the whole volume of internet users, and just as zillions of fish end up in the fisherman&#8217;s nets, internet users are hooked through their own inboxes and messengers. Phishers have some personal favourites &#8211; personal information, credit card numbers, debit card numbers with ATM PINs, etc. Though phishing has been around for a long time, it became prominent around 2003. You can read more on the big scams <a href="http://www.washingtonpost.com/wp-dyn/articles/A59350-2004Nov18.html">here</a>.</p>
<p>How does it all work?</p>
<p><span id="more-80"></span></p>
<p>
A typical modus operandi:</p>
<p>1)	The Phisher would either go out and buy a phishing kit from the underground channels or create a look alike page himself.</p>
<p>2)	He then needs hacked websites or a server where the pages can be hosted. This, too, is easily available: he pays or trades for a list of hacked websites on IRC channels, underground forums, etc., which are very common sources for such deals. He could also target systems that share a particular vulnerability or weakness &#8211; a vulnerability in the hosting provider’s control panel software, an exploit for a popular CMS like Joomla, a 0-day vulnerability in the web server, etc. A zero-day (or zero-hour) attack or threat is one that exploits application vulnerabilities that are unknown to others, undisclosed to the software vendor, or for which no security fix is available. (ref : <a href="http://en.wikipedia.org/wiki/Zero_day_vulnerability">http://en.wikipedia.org/wiki/Zero_day_vulnerability</a>)</p>
<p>3)	Once the hacked infrastructure is ready, it’s time to spam. They send out emails in large volumes, crafted to perfection: the company logo, an appealing message, the same CSS as the company being impersonated, etc. All this together makes it look perfect. It’s like putting cosmetics on the devil’s face to make it look innocent, but the devil is still there under a thin layer of make-up. The email carries a crafted link whose visible text looks legitimate while the hyperlink actually points to the website where the phishing pages are hosted.</p>
<p>However, the entire process is a gamble: some will fall prey to the phish net while others will not. Over the years, phishing scams have grown from simply stealing accounts into far more dangerous criminal enterprises. Assuming the user has been caught in the net, let us look at the ways in which the phisher can harvest the victim’s data. There are various ways this can be done.</p>
<p>1)	The attacker uses the services of websites that let you send HTML forms embedded in your email. On submit, the phished form redirects you to the legitimate website, which often tricks the user; they don’t realize what just happened. The details entered on the form are emailed to the phisher’s inbox set up to collect them. The most common place you see such embedded forms is in internet advertising.</p>
<p>2)	Second, the email is scripted so that the user is tempted or forced to visit the copied website. The attacker can again use a form-to-email service such as www.emailmeform.com: he creates an account there and points the phished page’s form at the service, which captures the details and emails them to him. This is the most common method used by phishers. The pages are also scripted in server-side languages like PHP, .NET, JSP, etc., so that nothing of the modus operandi, the attacker’s identity or any other details is exposed to the visitor.</p>
<p>3)	The third type uses nothing of the above; instead the page writes everything submitted to a predefined file. This way the phisher needs no email address or third-party service to capture the user details. This is exactly what I am going to write about.</p>
<p>Since I had some time off before the next takedown, I decided to dig further. Before we begin, a brief on our service and the client. We offer takedown services to a large public sector bank, with a strict timeline of 24 hours for every takedown: every time a customer or their monitoring reports a phished page, we have to take the site down to prevent the loss of financial and other details. While doing takedowns I also get a chance to research the modus operandi behind the operation, which is very interesting.</p>
<p>I had just started my day, checking email over a cup of coffee, when on Tue 11/3/2009 10:22 AM a new email arrived about a phished link being up, with the URL and a note that we needed to start the takedown immediately. The sender also included a sample email. We did the usual process and the link was down by noon. Have a look at the sample phishing email. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/fraudlent-email-sample1.jpg" alt="" /></p>
<p><br/><br/></p>
<p>The email looks so real: it has the customer’s logo and a perfect-looking login URL. On hover I found it actually pointed to a server in Russia. The page &#8216;retails.html&#8217; simply redirects to the next URL, where the phished page is hosted. Have a look at the closing lines of the email below: the phisher uses a pressure tactic to force the user to browse to the URL.</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_151209.jpg" alt="" /></p>
<p>OK, I click and am redirected to the URL http://200.119.X.X/retail/login.php. The page looks like this</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/login-page.jpg" alt="" /></p>
<p>I then entered some fake details on this page and pressed Enter. I was redirected to another page, &#8216;accounts.php&#8217;, on the same domain. I quickly checked the HTML source (view source) of the page for the &lt;form&gt; tag, which is where you see where the page goes on hitting &#8216;submit&#8217;: it posted to another page hosted on a hacked domain, hxxp://stirileprotv.fnhost.org/bi/ib.php</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_151925.jpg" alt="" /></p>
<p>I went a level up from hxxp://200.119.X.X/retail/login.php and saw a directory listing with 2 files under the retail folder, &#8216;login.php&#8217; and &#8216;accounts.php&#8217;. Directory listing has been common in all my takedowns; they don’t really care about it. What I also observed at the bottom of &#8216;accounts.php&#8217; is more interesting: the page has an IFRAME with src pointing to <a href="http://statanalyze.cn/lib/index.php">http://statanalyze.cn/lib/index.php</a>, which pushes malware onto the victim’s system. </p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-04_124018_malware.jpg" alt="" /></p>
<p>My anti-virus immediately popped up an alert that malware was being downloaded, and blocked it. Coming back to &#8216;accounts.php&#8217;: it asks for my name, email address, credit card number, ATM PIN and expiration date. On entering some fake details I was redirected to a third domain, hxxp://stirileprotv.fnhost.org/bi/ib.php, and from &#8216;ib.php&#8217; on to the legitimate page of my client’s website (changed to hxxp://www.google.com in the code snippet). Aren’t these guys sick of so many redirections? Not really; it is a smart modus operandi. They don’t use one domain to complete the operation.</p>
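<p>The manual steps above (hover over the link to see where the href really goes, view the source of the landing page for the &lt;form&gt; action, spot the hidden IFRAME) are the routine of every takedown, and they automate easily. The script below is an added example written for this post, not code from the original article or from the phishers’ kit: it walks a captured lure email and a captured landing page with Python’s html.parser and reports links whose visible text names a different host than the href, form actions that post to a host other than the page’s own, and iframe sources. The two HTML samples are constructed stand-ins for the email and page shown in the screenshots, using documentation addresses (203.0.113.10, example.net, .test) rather than the real hacked hosts.</p>

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed stand-ins for the lure email and the landing page; hosts are
# documentation addresses, not the real ones from the takedown.
SAMPLE_EMAIL = """
<p>Dear customer, your internet banking access will be suspended in 24 hours
unless you verify your details at
<a href="http://203.0.113.10/retails.html">https://ib.examplebank.test/retail/login</a>.
<a href="https://www.examplebank.test/help">Help and support</a></p>
"""

SAMPLE_LANDING_PAGE = """
<html><body>
<form action="http://stirileprotv.example.net/bi/ib.php" method="post">
Account <input name="ea"> Password <input name="bb" type="password">
<input type="submit" value="Login">
</form>
<iframe src="http://statanalyze.example.org/lib/index.php" width="1" height="1"></iframe>
</body></html>
"""

# Something in link text that looks like a host name or URL.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def host(url):
    return (urlparse(url).hostname or "").lower()


class PhishTriage(HTMLParser):
    """Collect anchors (href, visible text), form actions and iframe sources,
    resolving relative URLs against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links, self.forms, self.iframes = [], [], []
        self._anchor = None  # [href, [text chunks]] while inside an <a>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._anchor = [urljoin(self.page_url, a["href"]), []]
        elif tag == "form":
            self.forms.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(urljoin(self.page_url, a["src"]))

    def handle_data(self, data):
        if self._anchor:
            self._anchor[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._anchor:
            href, chunks = self._anchor
            self.links.append((href, "".join(chunks).strip()))
            self._anchor = None


def triage(html, page_url=""):
    """Summarise the deceptive links, form targets and iframes of one page."""
    p = PhishTriage(page_url)
    p.feed(html)
    deceptive = []
    for href, text in p.links:
        m = DOMAIN_RE.search(text)
        # The classic lure: the text shows the bank's host, the href goes elsewhere.
        if m and m.group(1).lower() != host(href):
            deceptive.append({"shown": m.group(1), "actual": href})
    return {
        "deceptive_links": deceptive,
        # A collector on a host other than the page's own is the tell-tale of a
        # kit that harvests to a second hacked server, as in the case above.
        "forms": [{"action": f, "offsite": host(f) != host(page_url)} for f in p.forms],
        "iframes": p.iframes,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL))
    print(triage(SAMPLE_LANDING_PAGE, "http://203.0.113.10/retail/accounts.php"))
```

<p>The email is triaged with no page URL, so only absolute hrefs matter there; the landing page is triaged against the URL it was fetched from so that relative actions and iframe sources resolve correctly. Every URL the script reports is a host to add to the takedown list.</p>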
<p>I again went a level up from <a href="http://stirileprotv.fnhost.org/bi/ib.php">http://stirileprotv.fnhost.org/bi/ib.php</a>. What I found was even more interesting: the page &#8216;ib.php&#8217; under the ib folder, and a .txt file. Opening that file showed the actual account details of the people who had fallen prey to the trick: usernames, credit card numbers, internet banking IDs and passwords. Check the file snippet below</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/2009-11-05_113230.jpg" alt="" /> </p>
<p>I then contacted the client to freeze the accounts and got in touch with the hosting providers. I always ask the hosting providers for the pages, as they help my research into the various modus operandi out on the pr0wl. Most of the time they don’t hand them over, but this time I was lucky: the tech support guys actually emailed me the contents of the ib folder. Have a look at the PHP code</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/the-actual-code.jpg" alt="" /></p>
<p>Let me explain the code in brief. It opens a stream to a file called x-account-all.txt and writes into it the POST variables submitted by the form at http://200.119.X.X/retail/accounts.php. The following table explains what each variable means</p>
<p><img src="http://niiconsulting.com/checkmate/wp-content/uploads/2009/11/table.jpg" alt="" /></p>
<p>I thought that was it; I was done with my research. I relaxed a bit and stretched my arms. But hold on, readers: I recollected that the website was also vulnerable to IFRAME injection. No more research on this malware from me; I have a colleague who enjoys this and I will send it to him. Until he comes up with his analysis, others have already done it. Check the links below</p>
<p><a href="http://wepawet.iseclab.org/view.php?hash=363c95666cf1e80072656c7b562c4dbb&amp;type=js">http://wepawet.iseclab.org/view.php?hash=363c95666cf1e80072656c7b562c4dbb&amp;type=js</a> </p>
<p><a href="http://anubis.iseclab.org/?action=result&amp;task_id=1c109b3e2cc07d1f49168943cc884e1d2">http://anubis.iseclab.org/?action=result&amp;task_id=1c109b3e2cc07d1f49168943cc884e1d2</a></p>
<p><a href="http://www.virustotal.com/analisis/837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f-1257141946">http://www.virustotal.com/analisis/837508d65acc78ec684c0d7a907bea7f49ce223052a18a076240018fc61a0d7f-1257141946</a></p>
<p>I was still too itchy to put a full stop to it. I picked some arbitrary entries from the file and took the &#8216;ea&#8217; and &#8216;bb&#8217; fields. Why those? (I got this particular combination after trying out a few.) I was able to log in to the victims’ Yahoo accounts, since the password used was the same for both accounts. I then checked the spam box and found the email the victim had received. There were similar emails, and to my surprise I found another URL hosting the phished page. OK guys, that’s it, I need to get back to my next takedown immediately. Oh! By the way, this time it is a Windows 2003 server behind an ADSL router running the phished page on a XAMPP stack. I RDP’d to the box; 3389 was found open. I will come back if I find something more interesting.</p>
<p>All the details in this post have been changed or renamed to protect the identity of our client. </p>
<p>Adios!<br />
Taufiq Ali</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/11/05/a-phishy-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Concurrent RDP connections hack &#8211; XP</title>
		<link>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/</link>
		<comments>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/#comments</comments>
		<pubDate>Thu, 26 Mar 2009 16:56:57 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Hacks]]></category>
		<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2009/03/concurrent-rdp-connections-hack-xp/</guid>
<description><![CDATA[by Toufiq Ali, NII Consulting Before you read further, make sure you back up the original registry settings or create a restore point for your system. I assume readers know what Windows Terminal Services is; if not, please refer to http://en.wikipedia.org/wiki/Terminal_Services In Windows XP, when a remote user tries [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Toufiq Ali, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong><br />
Before you read further, make sure you back up the original registry settings or create a restore point for your system. I assume readers know what Windows Terminal Services is; if not, please refer to http://en.wikipedia.org/wiki/Terminal_Services</p>
<p>In Windows XP, when a remote user connects using the Remote Desktop Connection (RDC) client, the local user is forcibly disconnected from his current session: Remote Desktop on XP, unlike Terminal Services on Windows 2000 Server, Server 2003 and Server 2008, is designed for only one session at a time. This post aims to bring the multi-user login functionality of Terminal Services on Windows Server 2000, 2003, etc. to Windows XP. This is very useful in an environment where the network admin often troubleshoots problems on the network over RDC.</p>
<p>Keep reading as the hack unfolds to enable concurrent remote desktop connection sessions support in Windows XP using the following patched files.<span id="more-52"></span></p>
<ol>
<li>Download files.zip from the link given below on the system where you want to enable concurrent RDC connections.</li>
</ol>
<p><a target="_blank" title="Clikc here to download" href="http://www.niiconsulting.com/checkmate/wp-content/uploads/2009/03/files.zip">Download files.zip</a><br />
Windows XP SP1 and SP2: Windows XP RTM, SP1 and SP2.zip</p>
<p>Windows XP SP2: Windows XP SP2.zip</p>
<p>Windows XP SP3: Windows XP SP3.zip</p>
<p>Before you go further, boot into Safe Mode (press F8 during boot-up). If you would rather not reboot, stop the Terminal Services service instead:</p>
<p>a. Go to &#8216;Start&#8217; > &#8216;Run&#8217; and type services.msc<br />
b. Right-click Terminal Services and open Properties.<br />
c. From the Startup type drop-down choose Disabled, or simply stop the service.<br />
d. Click Apply or OK and close services.msc.</p>
<p>2. Go to %windir%\System32 and rename termsrv.dll to anything you will remember.<br />
3. Go to %windir%\System32\dllcache and rename termsrv.dll there as well.</p>
<p>4. Copy the downloaded termsrv.dll in the following two locations<br />
1. to %windir%\System32<br />
2. %windir%\System32\dllcache.</p>
<p>Note: when you copy the files Windows will pop up the Windows File Protection dialog box. Click the cancel button &#038; then Yes to keep this copy of the patched file.</p>
<p>5. Now download and run the concurrent_sessions.bat file. Click Yes to add the values to the registry, or use Registry Editor to add the following values manually (CurrentControlSet is the link to whichever control set is active; writing to ControlSet001 directly only works when that happens to be the active one):</p>
<p>[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core]<br />
“EnableConcurrentSessions”=dword:00000001</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]<br />
“EnableConcurrentSessions”=dword:00000001</p>
<p>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]<br />
“AllowMultipleTSSessions”=dword:00000001</p>
<p>6. Click on Start Menu -> Run command and type gpedit.msc,</p>
<p>7. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Terminal Services.</p>
<p>8. Enable Limit Number of Connections and set the number of connections to number of concurrent sessions you want to allow</p>
<p>9. Restart the terminal services on that system again. Also enable Remote Desktop from the System Properties’ Remote tab &#038; check for Allow users to connect remotely to this computer.</p>
<p>10. Turn on Fast User Switching in Control Panel -> User Accounts -> Change the way users log on or off.</p>
<p>11. Restart the computer normally.</p>
<p>If the Windows XP computer is joined to a domain, Windows resets “AllowMultipleTSSessions” to “0” on every restart. To keep multiple Remote Desktop sessions allowed in an AD domain environment, the value has to be set back to “1” at startup: rather than running concurrent_sessions.bat by hand after each boot, put it in C:\Documents and Settings\All Users\Start Menu\Programs\Startup so that it runs automatically.</p>
<p>Service Pack 2 (SP2) for Windows XP introduced a limit of 10 concurrent half-open (incomplete) outbound TCP connection attempts; when it is hit, the system log records Event ID 4226 and further attempts are queued. Service Pack 1 and the original release have no such limit. If you have set “Limit Number of Connections” in step 8 to more than 10 and you are running SP2, you may need to apply the tcpip.sys patch that overrides the maximum. Note, though, that this limit applies to connections the machine itself initiates, so inbound RDP sessions should not normally be affected by it. You can download the file from the following link.</p>
<p>For reference, disassembling the original and patched files shows the following bytes changed (file offset: original patched). The first change flips a je (0x74) to a jne (0x75), inverting one conditional branch; the second and third overwrite a two-byte jg (0x7F 0x16) with two nops (0x90 0x90):</p>
<p>00022A17: 74 75<br />
00022A69: 7F 90<br />
00022A6A: 16 90</p>
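<p>Because the offsets above are file offsets into one specific build of termsrv.dll, a patcher should refuse to write unless it finds the expected original byte at each position; otherwise it silently corrupts a DLL from another service pack, or double-patches one that was already done. The script below is an added example, not part of the original post or of the files.zip it links to: it reproduces the offset: old new listing from a pair of files, and applies the three changes only after verifying the original bytes. The DLL it operates on is a constructed zero-filled buffer with just those three bytes set, since the real file is not on this page.</p>

```python
# Offsets and byte values quoted above (file offset, original, patched).
# They belong to one specific termsrv.dll build, which the page does not name,
# so the original byte at each offset is checked before anything is written.
PATCH = [
    (0x00022A17, 0x74, 0x75),  # je rel8 -> jne rel8: one conditional branch inverted
    (0x00022A69, 0x7F, 0x90),  # jg rel8 (two bytes: 7F 16) ...
    (0x00022A6A, 0x16, 0x90),  # ... overwritten with two one-byte nops
]


def diff_bytes(original, patched):
    """Return [(offset, old, new)] for every byte that differs between two
    equally long files, i.e. the listing quoted in the post."""
    if len(original) != len(patched):
        raise ValueError("length differs: not a byte-for-byte patch of the same build")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]


def format_diff(diff):
    """Render a diff in the post's 'OFFSET: OLD NEW' layout."""
    return "\n".join(f"{off:08X}: {old:02X} {new:02X}" for off, old, new in diff)


def apply_patch(data, patch=PATCH):
    """Return a patched copy of `data`, or raise without writing anything if
    any expected original byte is missing (wrong service pack or already patched)."""
    out = bytearray(data)
    for off, old, _new in patch:
        if off >= len(out):
            raise ValueError(f"offset {off:08X} is beyond the end of the file")
        if out[off] != old:
            raise ValueError(
                f"byte at {off:08X} is {out[off]:02X}, expected {old:02X}; refusing to patch")
    for off, _old, new in patch:
        out[off] = new
    return bytes(out)


def make_sample_dll():
    """Constructed stand-in for termsrv.dll: zero-filled, with only the three
    original bytes from the listing in place. Not the real file."""
    buf = bytearray(0x22B00)
    for off, old, _new in PATCH:
        buf[off] = old
    return bytes(buf)


if __name__ == "__main__":
    original = make_sample_dll()
    patched = apply_patch(original)
    print(format_diff(diff_bytes(original, patched)))
```

<p>Run against a real pair of files, read them with open(path, "rb").read() and pass the bytes in; diff_bytes on the original and a vendor-patched copy yields the same three-line listing as above, and apply_patch raises rather than writing if the input is not the build the offsets were taken from.</p>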
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2009/03/26/concurrent-rdp-connections-hack-xp/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
	</channel>
</rss>

