Clubhack Magazine Issue February 2012

Issue 25 – Feb 2012 | Page - 1

Issue 25 – Feb 2012 | Page - 2

Issue 25 – Feb 2012 | Page - 3 command prompt on his/her (attacker’s)Exploiting Remote machine. In this case of normal payload, the limitation for an attacker is that, once theSystem without session is expired or shell is terminated, attacker can’t execute commands in remote machine (victim computer).This whiteBeing Online paper demonstrates new type of payload by using which attacker can execute command in remote machine (victim system) without actually directly connecting to victimIntroduction machine and also fooling Antivirus, Firewalls etc.This paper demonstrates unique kind ofcommunication technique between attackermachine and victim machine during the My Methodexploitation of any victim system. Usually,while an attacker exploits the remote system In general scenario, if attacker gets remoteand gets the remote command prompt command prompt and execute command in(remote shell), attacker is only able to the current session then there is directexecute commands till the session from the communication (connection) betweenremote machine is opened (established). attacker and victim machine. But by usingWhile exploiting the system in a normal this paper’s mechanism we can preventway, attacker and the victim system both direct communication (connection) betweenshould be online, if attacker wants to attacker and victim. For this, we use anexecute some commands in remote machine intermediate server (zombie) that should be(Victim Machine). This paper would up and running all the time (24x7). In ourdemonstrate how an attacker can attack a case, we use this zombie as an email serviceremote victim without being online like Gmail, Yahoo, msn etc. So the whole(attacker may or may be online AND victim system works as explained below.may or may not be online). Attacker infects remote system with anHistory Executable, which can be infected by one ofDuring the exploitation of vulnerable the below mentioned methods:remote system (victim system) by anattacker, after vulnerability injection, 1. By autorun.infattacker sends payload and gets remote 2. During Metasploit Exploitation

Issue 25 – Feb 2012 | Page - 4 3. Physical access of victim systemNow once Executable is upand running in the remotemachine (Victim Machine),when the victim connects tothe internet then it first checksthe instruction set in Gmailinbox by an attacker. Now let’ssay if an attacker wants toexecute command ‘ipconfig’ inremote machine (victimmachine) then attacker has tosend email with subject‘ipconfig’ to his own emailaddress . Because theusername and password isalready encrypted in the Executable file inthe victim machine (remote machine ), and Attacker Proxy  Email Serviceas victim comes online , that executable file Victimautomatically logs in your Gmail accountand reads all command instructions which (Tor, Anonymizers) (Gmail, Yahoo, etc.)is loaded by attacker. (Proxy Case Scenario)It executes the commands of attacker’schoice and attaches these results to the Hands-on-Approachattacker’s Gmail account. Attackers simplyhave to download that attachment which Stage Icontains command output from victim Let’s say you have infected remote systemmachine. So there is an email service with this exe and you want account info,(Gmail) between attacker and victim drive info and network info from the remotemachine. That shows, attacker can execute machine (victim machine) then you have tocommand in victim system but there is no send email to your own account (note:direct connection between attacker and which is also listened and shared by injectedvictim machine, and if an attacker uses Tor exe in remote victim machine) with subject(The Onion Router Browser) or containing account_info, driveinfo,Anonymizers for accessing the Gmail networkinfo as shown in the figure on theaccount then attacker never can be caught next page.(no reverse traces). It is something likeAttacker <->email service <->Victim <->.So life cycle will be as shown below:

Issue 25 – Feb 2012 | Page - 5 Anononymizer, VPNs or Any PROXY…. For accessing the attacking Gmail account. 2. No Antivirus can detect the Instruction data because all traffic would come from HTTPS And Antivirus Softwares and Network Intrusion Detection Software Detects simply an outbound connection with GMAIL...! 3. Only a single Gmail account is required. Attacker and victim machine both would be connected toStage II the same account but the attacker knows, and the victim doesn’t!!Now once the email with appropriatesubject is sent to your account, now it’s time Disadvantagesfor remote machine (victim machine) to beonline and fetch the instruction given by Disadvantage is that, if the victim has aintruder (in this approach, “Attacker”). As habit of checking the current connectionsthe victim system comes online, it executes using commands like ‘netstat –n’, then thereappropriate commands of attacker’s need, is a possibility to detect Gmail connectionredirect command output to .data file and when actually there is no browser activity.finally automatically attach this file to your But still it is difficult to detect becauseemail account. Hence, by simply process is running in Hidden mode.downloading this file you will get all thecmd output in attached .data file as shownin below figure.Here in the above figure you can clearly seethat, all required outputs are attached inyour email address!Advantages 1. Advantages are that the attacker is never going to be caught if he/she is using the browser like TOR,

Issue 25 – Feb 2012 | Page - 6ConclusionSo by using above technique, attacker has tosend commands as a subject to his/her ownemail address and then it is fetched andexecuted in victim machine by executablefile running in victim machine. And resultsof that commands are sent back to theattacker’s email account as an attachment.So there is no need to be online for bothattacker and victim. And Anti-viruses andFirewalls going to bypass using thistechnique because Av and Firewall noticethat victim system connects to the Gmail Merchant Bhaumik(not actually connects to attacker machine backdoor.security@gmail.comfor transferring data) and it uses HTTPSencryption of Gmail for transferring the Merchant Bhaumik helps local law-data (no chance of signature based detection enforcement as a Digital Forensicsbecause of HTTPS), so they don’t find any Investigator and is a Student Of Maharajathreats for victim machine, so no security Sayaji Rao University (MSU) Vadodara.alarms! Bhaumik is the developer of “IND 360 Intrusion Detection System.

Issue 25 – Feb 2012 | Page - 7Cain and Abel: The Basics of Address ResolutionBlack Art of ARP Protocol Assume two computers, Computer A andPoisoning Computer B are in a local area network connected by Ethernet cables and network switches. Computer A wants to send aOverview packet to Computer B. Computer A determines that Computer Bs IP address is Cain and Abel is windows based password 192.168.0.5.recovery tool available as a freeware and In order to send the message, it also needsmaintained by Massimiliano Montoro. It to know Computer Bs MAC address. First,supports wide features to recover passwords Computer A uses a cached ARP table to lookvarying from Local Area Network to various up 192.168.0.5 for any existing records ofrouting protocols as well as provides Computer Bs MAC addressintelligent capability to recover cached (00:24:56:e2:ac:05). If the MAC address ispasswords and encrypted passwords using found, it sends the IP packet on the linkDictionary, Brute-Force and Cryptanalysis layer to address (00:24:56:e2:ac:05).If theattacks. cache did not produce a result forIt is a two part program where Cain is the 192.168.0.5, Computer A has to send aGUI of the program, and Abel is windows broadcast ARP message (destinationservice that provides a remote console on FF:FF:FF:FF:FF:FF) requesting an answerthe target machine. for 192.168.0.5. Computer B responds with its MAC addressAn interesting feature of Cain & Abel is APR (00:24:56:e2:ac:05).Computer B may insert(ARP Poison Routing) which allows sniffing an entry for Computer A into its own ARPpackets of various protocols on switched table for future use. The responseLAN’s by hijacking IP traffic of multiple information is cached in Computer As ARPhosts concurrently. It can also analyze table and the message can now be sent.encrypted protocols such as SSH-1andHTTPS.

Issue 25 – Feb 2012 | Page - 8 Working Steps: 1. To start ARP Spoofing, you need to activate the sniffing daemon and the APR daemon. You can do this by clicking on both the "Sniff" and "APR" buttons at the top of the window. 2. Next go to the sniffer tab and right click anywhere inside the tab. You should see a "Scan MAC addresses" option. Click it.How ARP Poisoning WorksThe attacker machine makes use of thestored ARP cache table to re-route or re-direct packets from a target, to an attackermachine, and then forward to the host, thusthe attacker machine “sees” all trafficbetween target and host. First the targetMAC address is established, and then theARP Poison Routing feature “poisons” thecache of the target by forcing a cache updatewith the path re-routed so that the attackermachine forwards traffic to and from host 3. Select the IP range accordingly toand target. The attacker machine can also your local area network and click onobserve packets with a sniffer such as “OK”.Wireshark.Now, I will discuss the steps to sniffpassword of remote computers in a LocalArea Network.Requirements: 1. Download and install Cain & Abel from http://www.oxid.it/cain.html 2. Make sure WinPcap packet capture driver is installed properly. 3. Download and install Wireshark from http://www.wireshark.org/downloa d.html. 4. At least 3 hosts must be present in a network to place an attack.

Issue 25 – Feb 2012 | Page - 94. The Progress bar scans and list all This was a basic tutorial on how you can use the MAC address present on the Cain and Abel for ARP Poisoning. subnet. Happy Hacking 5. After the scan, click on the APR sub- tab at the bottom of the window. Himanshu Kumar Das Then click on the icon on the me.himansu@gmail.com top of the window to add host to attack. Himanshu Kumar Das is a6. A following dialog box appears on passionate security admirer. the screen. Select the host you wish Himanshu, a do-it-yourself guy, is to attack. an electronic freak and imagines open source.7. Wait for the victim host to enter his credentials. Click on the passwords sub-tab at the bottom of the window. There you can see all the captured passwords arranged in the group.

Issue 25 – Feb 2012 | Page - 10Firewall 101 The basic characteristics of FirewallsIntroduction include:Today we are exposed to innumerablethreats online. Firewalls act as the first line Hardware Software Firewallof defense for securing our network against Firewallthese threats. Firewall could be a programor a device or group of devices used to It’s a standalone It’s a softwarecontrol the traffic flow. device installed on your computerThe basic principle that Firewall uses tocontrol this communication is ‘Access Complex Relatively easy toRules’. It maintains an access rule table and configurations configure involvedevery time a packet comes in or goes out,Firewall refers to this table. It only allows Consumes physical Consumes CPUauthorized traffic and blocks the unwanted space utilizationpackets. More secured than Less expensive than software firewalls hardware firewallsFirewalls are of 2 types: Mainly uses packet Mainly looks at o Hardware Firewalls. filtering application o Software Firewalls characteristics Mostly network based Mostly host based E.g.: Cisco ASA, E.g.: Symantec EF, SonicWall, etc Checkpoint FW-1 etc

Issue 25 – Feb 2012 | Page - 11 1. Traffic monitoring and reporting. IP: Source IP – 21.22.23.24 Destination IP – 2. Intrusion detection and prevention. 74.75.76.77 3. Packet or Protocol filtering based on user defined rules. Data-link: Source MAC – aa:aa:aa:aa:aa:aa 4. Incorporate VPN gateways (Enterprise Level Firewalls). Destination MAC – Router’s MAC 5. Load balancing & Failover (Enterprise Level Firewalls). Similarly when Google’s server responds to the request, your response packet will look like this:Understanding Firewall operation: Application: www.google.comBefore we get in to how firewalls operate, letus understand the OSI layer and data flow TCP: Source Port –80 Destination Port –E.g.: When you type www.google.com this 27785is what happens: IP: Source IP –74.75.76.77 Destination IP – 21.22.23.24 5: Application Layer. (Web browsers interacts with this) Data-link: Source MAC – Router’s MAC 4: TCP layer. (Contains Source & Destination MAC –aa:aa:aa:aa:aa:aa Destination Port Numbers) We see router’s MAC because router acts as 3: IP Layer. (Contains Source your gateway for interacting with the and Destination IP) external world. So to communicate with any system outside your network, your destination MAC will be that of your router. 2: Data-link Layer. (Contains There are several other things like sequence Source and Destination MAC) number etc, which are not mentioned to maintain the simplicity of the topic. 1: Physical Layer. (Physical Network Connectivity)Before we get in to how firewalls operate, letus understand the OSI layer and data flowE.g.: When you type www.google.com thisis what happens:Example of details at each layer:Application: www.google.comTCP: Source Port – 27785 Destination Port– 80

Issue 25 – Feb 2012 | Page - 12Firewalls can be categorized based on Provided below is an IP packet.their filtering capabilities: Packet Filtering Stateful Filtering• Looks at IP • Does regular address, Port Packet Filtering Numbers & • Maintains info Protocol Type on all existing• Does not pay connections so attention to only data from whether packet existing is a part of connection existing stream is connection allowed• Makes decision solely based on ACLs This is what packet filtering will focus on when looking at an IP Application header. To grant access or not will Filtering depend on the Access List table. • Possesses Deep Packet Inspection functionality • Works in a similar manner to IPS • Possesses ability to classify applications as well apart from packet and stateful filtering This is what packet filtering will focus on when looking at a TCPPacket Filtering: header. To grant access or not will depend on the Access List table.As per the table above we understand howpacket filtering works. However a TCP/IPpacket will provide a clear picture on how [Screenshot below is captured frompacket filtering works Ethereal. It displays TCP & IP details]

Issue 25 – Feb 2012 | Page - 13 2. Cannot check the payload (data).Packet filtering will act in the following This makes application filteringmanner: impossible. 1. Block or Accept IP addresses (e.g. A This gave rise to the need of Stateful subnet – 192.168.10.0 / 24) Filtering. 2. Block or accept a particular port (e.g. Port 23 or 445) 3. Block or accept a particular protocol Stateful Filtering: (e.g. TCP or UDP or ICMP) It records the state of all the existing connections i.e. data streams and stores it inBlocking a protocol is never recommended. the memory. Therefore the basis ofE.g. if you block UDP, then you may end up dropping packets is the connection state.blocking DNS requests too. Following are the features of StatefulOverall this method of filtering proved to be Filtering:ineffective due to the following reasons: 1. It looks at the state table – Unlike 1. Cannot keep a track of state of packet filtering which has no track of existing connections (Stateless) connections, this method looks at

Issue 25 – Feb 2012 | Page - 14 the data stream and only packets Application Filtering: which are a part of the stream are This concept is similar to HIPS (Host based allowed. The rest are discarded. Intrusion Prevention System). Application is the top most layers of TCP/IP model (and 2. It clears entries from the state table even OSI model). Usually, anti-virus acts in once the TCP session closes or after at this layer. a few minutes to ensure that the table is clean and does not The mode of operation is looking for unnecessarily waste its memory information in the payload section of the header which other firewalls fail to do.Again, this is not the perfect solution.Fragmentation causes trouble to stateful The basis of blocking or allowing applicationfiltering. depends on the following factors: 1. Cross check with existing database ofFragmentation was allowed to break large signaturespackets in to small fragments for the routers 2. Look for abnormal behavior of aor firewalls that do not support large particular file type (size modificationpackets. or registry edits etc.) In short Application filtering is an intelligent technology that looks for abnormal information within the payload (data) and can block unwanted or suspicious data (application).This is a fragmented packet. Every These firewalls can prevent attacks like:fragmented packet has its own IP header  DNS buffer overflowsand is not reassembled until all the  HTTP based web server attacksfragments arrive at the destination host.  Code hidden within SSL tunnels (https websites) and many moreTCP or UDP is in the 0th fragment  E.g. You can allow access to(Fragment 1). So setting fragment number Facebook, but block games.to 1 instead of 0 will help packet bypass theStateful Firewall. Some older firewalls usedto filter only well-known port numbers i.e.the ones below 1024.One more drawback is that Trojan Horsescan defeat these firewalls if they use NAT(Network Address Translation)

Issue 25 – Feb 2012 | Page - 15This screenshot shows HTTP packetcapture. HTTP works at application layer ofTCP/IP modelApplication filtering in conjunction withlower layer protection is by far the bestcombination to safeguard your network. Allthe Enterprise class firewalls possess thesecapabilities. Sagar Dawda Sagard31@gmail.com Sagar Dawda is Network Security student. Sagar handles Sonicwall firewalls for the company he works for. Sagars ultimate aim is to learn as much as he can about IT security and get in to Forensics (Network Forensics to start with). His dream is to join an intelligence agency and help them solve cases where computers/network was used a part of the crime.

Issue 25 – Feb 2012 | Page - 16 payment sites, online-auction sites, online-Liability of market places and cyber cafes;’. Liability of IntermediariesIntermediaries under Section 79 of the IT Act exemptsthe Information intermediaries from liability in certainTechnology Act cases. The Section reads as – Sec. 79Introduction 1. Notwithstanding anything contained inRecently Delhi high court has summoned any law for the time being in force butGoogle, Facebook and Twitter to remove subject to the provisions of sub-objectionable content from their website sections (2) and (3), an intermediarywithin the prescribed time period failing to shall not be liable for any third partywhich may result into blocking of the information, data, or communicationwebsites in India. So the question which link made available or hosted by him.triggers is What is the liability of the 2. The provisions of sub-section (1) shallintermediaries like Google, Facebook and apply if—Twitter under Indian law? a) the function of the intermediary is limited to providing access toWho is an Intermediary? a communication system over“Intermediary” under Section 2(1) (w). It which information madereads as – available by third parties is transmitted or temporarily“intermediary”, with respect to any stored or hosted; orparticular electronic records, means any b) the intermediary does not—person who on behalf of another person I. initiate thereceives, stores or transmits that record or transmission,provides any service with respect to that II. select the receiver of therecord and includes telecom service transmission, andproviders, network service providers, III. select or modify theinternet service providers, webhosting information containedservice providers, search engines, online in the transmission;

Issue 25 – Feb 2012 | Page - 17 c) The intermediary observes due Information Technology (Intermediary diligence while discharging his guidelines) Rules, 2011 are introduced. They duties under this Act and also are applicable from 11th April, 2011. observes such other guidelines as the Central Government may Features of the rules are as follows prescribe in this behalf. 3. The provisions of sub-section (1) Observing Due Diligence - Rule 3 shall not apply if— Of the said rules has given circumstances a) the intermediary has conspired which if complied satisfies the criteria of or abetted or aided or induced, observing Due Diligence. It reads as – whether by threats or promise 1. The intermediary shall publish the or otherwise in the commission rules and regulations, privacy policy of the unlawful act; and user agreement for access-or b) upon receiving actual usage of the intermediarys knowledge, or on being notified computer resource by any person. by the appropriate Government 2. Such rules and regulations, terms or its agency that any and conditions or user agreement information, data or shall inform the users of computer communication link residing in resource not to host, display, upload, or connected to a computer modify, publish, transmit, update or resource controlled by the share any information that — intermediary is being used to a) belongs to another person and commit the unlawful act, the to which the user does not have intermediary fails to any right to; expeditiously remove or disable b) is grossly harmful, harassing, access to that material on that blasphemous defamatory, resource without vitiating the obscene, pornographic, evidence in any manner. pedophilic, libelous, invasive ofExplanation anothers privacy, hateful, or racially, ethnicallyFor the purposes of this section, the objectionable, disparaging,expression “third party information” means relating or encouraging moneyany information dealt with by an laundering or gambling, orintermediary in his capacity as an otherwise unlawful in anyintermediary. manner whatever; c) harm minors in any way;This provision arises two questions – d) infringes any patent, trademark, copyright or other proprietary  What is the meaning of “observing rights; due diligence”? e) violates any law for the time  What is the time frame to remove being in force; objectionable material from f) deceives or misleads the resource? addressee about the origin of such messages or communicatesTo address these and other issues the any information which is

Issue 25 – Feb 2012 | Page - 18 grossly offensive or menacing in procedures and sensitive personal nature; Information) Rules, 2011. g) impersonate another person;  The intermediary shall publish on its h) contains software viruses or any website the name of the Grievance other computer code, files or Officer and his contact details as well programs designed to interrupt, as mechanism by which users or any destroy or limit the victim who suffers as a result of functionality of any computer access or usage of computer resource resource; by any person in violation of rules i) threatens the unity, integrity, can notify their complaints against defense, security or sovereignty such access or usage of computer of India, friendly relations with resource of the intermediary or other foreign states, or public order or matters pertaining to the computer causes incitement to the resources made available by it. The commission of any cognizable Grievance Officer shall redress the offence or prevents complaints within one month from investigation of any offence or is the date of receipt of complaint. insulting any other nation Note: - The intermediary, on whose These are just features of the rules; full copy computer system the information is of the rules is available at: stored or hosted or published, upon http://mit.gov.in/content/cyber-laws obtaining knowledge by itself or been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any objectionable information as mentioned above, shall act within thirty six hours and where applicable, work with user or owner of such information to disable such information that is in contravention. Further the intermediary shall Sagar Rahurkar preserve such information and contact@sagarrahurkar.com associated records for at least ninety Sagar Rahurkar is a Law graduate. He is a days for investigation purposes. techno-legal consultant and a Senior Faculty The intermediary shall take all at Asian School of Cyber Laws. Sagar reasonable measures to secure its specializes in Cyber Law, Cyber Crime computer resource and information Investigation, Computer Forensics and contained therein following the Intellectual Property Laws. Sagar teaches reasonable security practices and and provides consultancy to corporates, law procedures as prescribed in the enforcement agencies and education institutes across India. Information Technology (Reasonable security practices and

Issue 25 – Feb 2012 | Page - 19 dictionaries directory found atIntroduction to /pt/webscanners/skipfish/diction aries/ (to put it simple copy a file fromSkipfish dictionaries/ to the directory of skipfish into skipfish.wl).Skipfish is an active web application Start skipfish from Arsenal or move tosecurity reconnaissance tool written and directory /pt/webscanners/skipfish/maintained by Michal Zalewski (@lcamtuf). and run ./skipfish –h for help.Skipfish is one of the fastest webscannersavailable which spiders using the wordlists,a very powerful web scanningtool with a simpleimplementation. In MatriuxSkipfish can be found in thearsenal under ArsenalFramework  SkipfishWhy Skipfish?Skipfish fast and easy toimplement can perform arobust scan of any websiteproviding a lot of securitytests, like php injection, XSS,format string vulnerabilities,overflow vulnerabilities, fileinclusions and lot morecategorized into high risk, medium risk andlow risk issues. Skipfish also provides A simple way to perform a scan is by usingsummary overviews of document types and the following command:-issue types found; and an interactivesitemap, with nodes discovered through ./skipfish –o /home/matriux/pathbrute-force denoted in a distinctive way. http://www.example.com/Getting started You can replace /home/matriux/path with other desired locations you want.Before starting skipfish make sure youprovide a skipfish.wl wordlist file from the

Issue 25 – Feb 2012 | Page - 20 In certain cases where the certain URLs may logout your session where you can use commands like :- $ ./skipfish -X /logout/logout.aspx ... other parameters... There are also other options with HTTP cookies, authentication which you can find in the skipfish doc or the README file present in the installation directory. Overall skipfish is a very light tool for web scanning and security testing, which provides a lot of features and scan options in a faster way.After the successful scan a report is Referencesgenerated and stored in the output directoryyou specified, open the index.html in a http://code.google.com/p/skipfish/wiki/Skibrowser to view the report generated. pfishDocFollowing is how a sample report looks like. Happy Hacking  Team Matriux http://matriux.com/

Issue 25 – Feb 2012 | Page - 21Testimonials “The effort, organization and teamwork of professionals has made the best Indian Hacking Magazine named: ClubHACKHere are few testimonials from experts, Magazine. Woldwide recognized with largecontributors and readers. assorted content, following an attractive subject for the reader. It is a pleasure work“Club Hack is a journal which is in a league with the talented guys behind ClubHACKof its own... Started in 2010 by a handful of and share knowledge with everyone. Forcommitted members of the ethical hacker many more Editions and Keeping Rocking!”community, it has grown to be a maturepublication with in-depth analysis on the - Maximiliano Solermost useful subjects which are of interest to Security Researcher & Enthusiastdomain professionals. It has a great range incoverage too - from hard core coding to “Over the years, ClubHack Magazine hascyber law.” been doing phenomenal job in spreading security awareness, with the young guns- Lt. Col (Retd) Deepak Rout behind the screen pulling complex chords to India Privacy Lead, Microsoft Corp a melodic song. On this occasion of 2nd birthday, we heartily congratulate entire"For colleagues and information security team and hope that they continue toresearchers around the world, ClubHack illuminate the world with a greater light inmagazine is the face of the growing the coming days.”information security and hackingcommunity in India and the place to be - Nagareshwar Talekarfamiliar with other professionals in India. Founder and Independent SecurityFor Indian readers this is the entry point Consultant at SecurityXplodedand door to get into the information securityfield and hacking scene".- Elad Shapira Security Researcher, Developer & Reverse Engineer“Long live the CHMag magazine!! :) I reallylove this mag and the team which works onthis.”- Samvel Gevorgyan, Managing Director, CYBER GATES

Issue 25 – Feb 2012 | Page - 22

Clubhack Magazine Issue February 2012

by ClubHack on Jun 21, 2012

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Clubhack Magazine Issue February 2012 Document Transcript