ClubHack Magazine Issue January 2012

Issue 24 – Jan 2012 | Page - 1

Issue 24 – Jan 2012 | Page - 3 which does not contain any user specificOne Link Facebook information. The link mentioned above is generated byCan Facebook accounts be hacked? Is it be Facebook by its URL shortening feature.possible to access your account without your The original link behind this shorten URLpermission and without knowing your looks likeusername and password? Unfortunately http://m.facebook.com/story.php?share_id―YES‖ is the answer. =xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=x xxxxxxxYes it is possible and that too with a singlelink, a link which can bypass all the This is the link generated for your sharedauthentication and security mechanism content on Facebook, so whenever someoneimplemented by Facebook for user security comments on your shared content this linkand privacy. No need of username, is generate and sent to your registered cellpassword, no checkpoint, and neither any phone number with the comment made.geo-location restriction, most importantly Here ―share_id‖ is the unique id of the sharethere is no active session created, so a user content, ―mlid‖ is the unique numeric id ofwill never be able to know that someone the Facebook and ―l‖ is the 8 character longaccessed his/her account. random string, combination of numbers and alphabets in both caps. To make this linkWhat we need is just a key, a random working one need to know only the value ofcombination that can hit the lock and open ―mlid‖ and the ―l‖, the value of ―share_id‖it for you. One of the most interesting link does not matter for this.looks like http://fb.me/xxxxxxxxxxxxxx,where series of ―x‖ are the 14 digit random And there is one more type of the link, thiskey with numbers and alphabet in both is the link generated when someonecaps, here targeting this particular link can comments on your photo or comments on abe more beneficial as it can harvest many photo after your comment or tag you in aaccounts. This is the only link generated by photo. The link looks likeFacebook with its URL shortening feature

Issue 24 – Jan 2012 | Page - 4http://m.facebook.com/photo.php?pid=xxx receive a notification by SMS and this willxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxx contain this link. Here we simply cannotxx&l=xxxxxxxx neglect the threat of social engineering as the link is on your cell phone and anyoneHere ―pid‖ is the unique id of the photo on who can access your phone can also accesswhich the comment is made or tagging is your account.done, ―id‖ is the unique Facebook user id ofthe user who made the comment or tagged Facebook now fixed it a bit, earlier one keyyou in, or we can say that it is the Facebook (―l‖) was used repeatedly for two weeks, butuser id of the user due to whose action this now it is fixed to expire after every use. Herelink and notification is generated, ―mlid‖ fact is that very few users user this link so itand ―l‖ are the same as they were in the would not expire for those unused links.previous mentioned link. Only ―mlid‖ and The only way by which one can prevent―l‖ are needed for the link to work and the his/her account from being accessed thisremaining two can be any random value. way is by not opting for receiving theThen as the link discusses first is the notification by SMS or if already registeredshortened for of the link generated for the then by opting out from this service, i.e. toshare content, the same is true for this link, avoid it totally.but the shortened for look slightly different A full disclosure can be read herehttp://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy http://withanand.blogspot.com/2011/12/fa cebook-security-bypassed-with-just.htmlHere series of ―x‖ is the same as the ―id‖ in with a video demonstration.the long URL and ―y‖ as the value of ―l‖A question arises what can be done usingthis particular method to hack and accessthe account? Here a hacker can run a scriptto check all the possible combinations for asuccessful entry and can get the access tomillions of random Facebook accounts andif lucky may even get the access to MarkZuckerberg‘s profile, seems scary, well thisis just the tip of the ice berg.This link is generated by Facebook itself forthe convenience of those users who choose Anand Pandeyto receive the notification by SMS on their anandkpandey1@gmail.comcell phone and it will give them direct access Anand Kishore Pandey, has just beginto their account without the need or his journey in the world of cyber securityentering username and password every time and works as an Associate Consultant into view who commented or liked etc. Every K R Information Security Solutions andtime someone comments on your photo, or is responsible to conduct Vulnerabilityon your link, tag you in or comment after Assessment, Penetration Testing andyour comment on a photo or link you will ISO 27001 Implementation.

Issue 24 – Jan 2012 | Page - 5 A sample code –SQLMAP – AutomatedSql Injection Testing <?php $id=$_GET["id"];Tool $con = mysql_connect("localhost","db- admin","db-name");Sql injection is one of the most common if (!$con)vulnerability found in web applications {today. Exploiting SQL Injection through die(Could not connect: .manual approach is somewhat tedious. mysql_error());Using flags like ―or 1=1--‖ , ―and 1>2‖ we can }find out if vulnerability is present but mysql_select_db("table-name",exploiting the vulnerability needs altogether $con);different approach. Tools like Sqlmap, Havij $query= "SELECT * FROM table-and Pangolin are helpful in exploiting sql name where id=$id ";injection. echo "<h1>".$query. "</h1>"; $result = mysql_query($query);In this article we will use a sample code while($row =below to showcase how vulnerability can be mysql_fetch_array($result))exploited manually and then by using {Sqlmap tool. echo $row[id] . " " . $row[name]; echo "<br />"; } mysql_close($con); ?>

Issue 24 – Jan 2012 | Page - 6Here we have deployed the application withthe following code and accessed the url:http://localhost/xampp/1.php?id=1Which gives us the data present in db forid=1 For order by 4, data retrieved is error that means there are three columns present in this select query. Now, we would play with the url, to dig more details about database.If we give a single quote(‗) in the end of the We have given url as -query we get below screen with unhandled http://localhost/xampp/1.php?id=1 unionerror message from database. This shows select system_user(), 1, 2fromthere is a possibility of SQL injection. information_schema.schema_privileges— This would give system user of the database.If we add ―or 1=1‖ in the end of URL we getall the data from that row. This shows thatSQL Injection is possible. Similarly, we would find table name, table_schema, columns and data by manipulating the url like given below http://localhost/xampp/1.php?id=1 union select table_name, 1, 2 from information_schema.columns— However, whatever exercise we did to find vulnerability in the web applicationNow let‘s get into exploiting the manually, can be done using SQLMap Toolvulnerability. Our first task is to find in few minutes. To use this tool, you justnumber of columns selected in the query. need a python Interpreter and SqlMap tool.We would find that by adding ―order byid=1,2,3…‖ and so on at the end of the URL. We issue following command - sqlmap.py -u http://localhost/xampp/1.php?id= 1 and lots of information about given web application is retrieved in seconds like:

Issue 24 – Jan 2012 | Page - 7GET parameter ‗id‘ is vulnerable and 3 We would now try to find current database,columns are present in the given table. tables, columns, and data, means, complete surgery of the application. So we can give below command options to find all details about the application. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --current-db It gave the name of current database.Let‘s proceed. We got to know that DBMS isMySql 5.0.11, WebServer is Apache 2.2.17deployed on windows machine. Now, the time is to know all the tables present. sqlmap.py -u http://localhost/xampp/1.php?id= 1 --tables It gave the list of all the tables present in databases.

Issue 24 – Jan 2012 | Page - 8 Shahbaz Shantanu ShuklaFinally, to retrieve all the data present indatabase, following command can be used: Shantanu Shukla and Shahbaz bothsqlmap.py -u work as Systems Engineer, Enterprisehttp://localhost/xampp/1.php?id= Security and Risk Management-Cloud,1 --dump-all Infosys Limited. Shantanu and ShahbazAll the date is retrieved and saved in output did their B.tech in Computer Sciencefolder of sqlmap directory. from Uttar Pradesh Technical UniversityTool has lot more capabilities and can be in year 2010used to perform dictionary attacks, createbackdoor shell etc.So try it out and Happy hacking 

Issue 24 – Jan 2012 | Page - 10

Issue 24 – Jan 2012 | Page - 11Social Networking This is the bright and beautiful side of theand its Application social networking considering the following reasons:Security 1. You get to meet your friends, make more and more friends.Social Networks have been an important 2. Be ―cool‖ in your circle virtuallypart of our life, yes, we tweet for photos we 3. Do things virtually you can‘t in realclick, every moment of happiness, sadness life ( Farming, Gamble, constructionand the news around, we update our status etc.)if we start a relationship or end one, or even 4. Makes you feel the world is small bytravel itinerary and hotel check-ins, movie connecting you to friends andmoments, fun with friends, in fact relatives in any part of the world.everything that we do every moment in ourlife is open to the world we want to share.Play games with friends and make newfriends.

Issue 24 – Jan 2012 | Page - 12 Also considering the other possible reasonsThough there are many reasons for the where social networking sites also form thepopularity and also their good impact on best means for reconnaissance for anyour life yet as everything has its dark side, hacker, with everyone‘s profile online andeven Social Networking is no exception to with every detail to establish your identitythat. or details that could help the attacker in any means. This again, is available very easilySecurity Issues of Social the best easy access to any onesNetworking: information. 1. Spam Social Networking sites have been the best 2. Scam boons for Social Engineers, considering the 3. Identity theft case study of a popular American politician 4. Malicious Apps (not named due to various reasons, however 5. Abuse of Trust a simple Google search may help you find more information) whose email account wasWhy do they work? hacked by just making it out of the information available online made amassObserving the fact that Social Networking news in the world media.sites which now are the best place to findpeople at a single place gives the attackers a Reason?huge attack surface. People gain trust easilyon Social Networking sites, just by a mere Attackers just used the information of herchat and looking at their profile. Trust is available online. Since she was a populareasily gained which requires zero skills of politician attackers only used informationhacking. I can possibly classify these available through sites like Google andreasons as:- Wikipedia to answer the security questions 1. Greed she had for her email accounts. This 2. Ignorance questions the true reach of social 3. Fear engineering making it reach beyond the 4. Easy trust expected limitations. Was being popular a reason for that compromise of the account 5. Curiosity or was that really unsecure? To answer this let us understand what made the hack successful.  Security questions were something that was easily available online The purpose of security question is understood as something which is personal to you and the one only you know about it and no one else in this world.

Issue 24 – Jan 2012 | Page - 13How am I being a regular user Spammingaffected? And now we have the new spammingEveryone on the social network is equally techniques being used. Recently a spam thataffected in one way or the other, either a spread virally on Facebook installed aspam posting all over your wall on facebook extension to the browser and made posts onor either your profile without your notice the friends wall without the users consent.posting all over your friends wall. Most of This is how it looked.them would be embarrassing to you or yourfriends. This spam looked like any other video shared on the wall, using the name of the user whose wall this spam was shared this post looked genuine , however on clicking the link it asks you to install a YouTube premium extension to your browser to view the video. This extension then carried out the work of spamming. Leaving many confused for what was the reason and how to stop this embarrassing spam from coming through their profile. Many believedPopular issues on Facebook their Facebook account was hacked unable to find the reason, on how this wasWe have across many spam issues right continuing.from the time we started using Orkut -starting with the ―New colorful theme‖ spam Applicationsto the ―mobile recharge spam‖ back thoseyears. Many finding interesting games and applications on facebook and also there are other who are annoyed by these requests and posts from these applications. Applications / Games on facebook (which are generally thought to be) are not developed by facebook, rather facebook allows third party developers to host their games and applications on facebook. So it makes a new source for the attackers to build their base for a attacking source. Issues with applications on facebook can be

Issue 24 – Jan 2012 | Page - 14  Innumerable requests and notifications from your friends to join them using that application  Possible Spam or Scam  Possible Fraud.Have you ever cared to look at thepermissions you provide while using anapplication? An average facebook profile is believed toHave you ever noticed what information the have authorized 200 applications withapplication is going to extract from your various access rights.profile. There is a survey which claims that85% users don‘t bother to look at this How do I protect myself?permission request and allow those rightsbelieving it to be a facebook application or Always remember that your actions onlinerather ignorance. on a social networking should be in such a way that it won‘t embarrass the ones you areOther issues come with the addiction to sharing it with or rather land yourself inthese apps or spending real money for such a situation.gaining extra access or unlocking somefeatures in these apps which make no sense  Don‘t establish trust with any friendin our life. on social networking sites until you make sure is actually your friend.It must be already possible that you have  Read the permissions you provideinstalled most of the unwanted apps on your while using an application over thefacebook, just look at your apps setting tab site.and I am sure it will surprise you!  Also make sure the application you are going to authorize is trusted.  Never fall for free stuff unless it is from a valid source. For, example if there would a new facebook theme available then it won‘t be from a

Issue 24 – Jan 2012 | Page - 15 third source rather facebook would itself announce the launch of new themes to its users. While viewing the external links shared on the Social networking site, make sure the URL is valid. In case of a video shared make sure the URL is youtube.com rather than believing the thumbnail it generates. Prajwal Panchmahalkar Panchmahalkar@gmail.com Twitter: @pr4jwal If you look into the above snap you can clearly notice the URL is Prajwal is a Senior Developer at www.youtube.com and also notice Matriux, publishing articles for CHmag the play button present over there, under ―Matriux Vibhag‖ every month. unlike the spam post thumbnail Also a n|u Hyderabad chapter lead. shared earlier Currently pursuing Masters from Texas Stay away from scams/spams that Tech University, USA. A CEH v6 promise to provide some gift or certified. money. Use add-ons like no-script, No-Ads to avoid such scripts. Always install extensions from known sources o Chrome – from chrome store o Firefox – Mozilla add-ons Make sure you use these social networking sites over secured HTTPS Share or post only that information which doesn‘t affect any one or you in general. In fact a simple thought of ―what am I doing?‖ and ―how will this make effect?‖ before every action online can save you from the security issues.

Issue 24 – Jan 2012 | Page - 16Powers of As per the provision Central or State Government or any of its officers for reasonsGovernment under to be recorded in writing, by order, direct any agency of the appropriate Governmentthe Information to intercept, monitor or decrypt or cause theTechnology Act, 2000 same to do any information generated, transmitted, received or stored in any computer resource, if satisfied that it isInternet Censorship is today‘s hot topic with necessary or expedient so –the passage of statements by our HonorableMinisters. But the billion dollars question is  In the interest of the sovereignty or―Can online activities of individuals be integrity of India orcensored/monitored in India?‖  Defense of India or  Security of the State or  Friendly relations with foreign StatesProvisions under the Information orTechnology Act, 2000 (IT Act)  To maintain public order or  For preventing incitement to theSec. 69 - Power to issue directions for commission of any cognizableinterception or monitoring or offence ordecryption of any information  For investigation of any offencethrough any computer resource.

Issue 24 – Jan 2012 | Page - 17The subscriber or intermediary or any hosted in any computer resource for theperson in-charge of the computer resource reasons mentioned above under Sec. 69.shall, when called upon by any agency, Government has passed the Informationextend all facilities and technical assistance Technology (Procedure and Safeguards forto – Blocking for Access of Information by Public) Rules, 2009 to be read with Sec. 69A  Provide access to or secure access to (2). These rules explain the procedure and the computer resource generating safeguards subject to which such blocking transmitting, receiving or storing for access by the public may be carried out. such information; or  Intercept, monitor, or decrypt the The intermediary, who fails to comply with information, as the case may be; or the direction issued under this Section, shall  Provide information stored in be punished with an imprisonment for a computer resource. term which may extend to seven years and also be liable to fine.Further government has also passed theInformation Technology (Procedure andSafeguards for Interception, Monitoring and Sec. 69B - Power to authorize toDecryption of Information) Rules, 2009 to monitor and collect traffic data orbe read with Section 69 (2). These rules information through any computerexplain the procedure and safeguards resource for cyber security.subject to which such interception ormonitoring or decryption may be carried The Central Government may, to enhanceout. cyber security and for identification, analysis and prevention of intrusion orIf the subscriber or intermediary or any spread of computer contaminant in theperson who fails to assist the agency, they country, by notification in the Officialshall be punished with imprisonment for a Gazette, authorize any agency of theterm which may extend to seven years and Government to monitor and collect trafficshall also be liable to fine. data or information generated, transmitted, received or stored in any computer resource.Sec. 69A - Power to issue directions The intermediary or any person in-charge orfor blocking for public access of any the computer resource shall provideinformation through any computer technical assistance and extend all facilitiesresource to such agency to enable them online access or to secure and provide online access to theCentral Government or any of its authorized computer resource generating, transmitting,official for reasons to be recorded in writing, receiving or storing such traffic data orby order, direct any agency of the information.Government or intermediary to block for Government has passed the Informationaccess by the public or cause to be blocked Technology (Procedure and Safeguards forfor access by the public any information Interception, Monitoring and Decryption ofgenerated, transmitted, received, stored or Information) Rules, 2009 which explains the procedure and safeguards for

Issue 24 – Jan 2012 | Page - 18monitoring and collecting traffic data orinformation.Any intermediary who intentionally orknowingly contravenes the provisions of thisAct shall be punished with an imprisonmentfor a term which any extend to three yearsand shall also be liable to fine.Apart from these provisions the Privacy Act,2011 has also been drafted and is in the finalstages of the passage. The Act has beenenacted to provide Right to Privacy tocitizens of India which is guaranteed underArticle 21 of the Constitution of India. TheAct regulates the collection, maintenance,use, and dissemination of the personalinformation of the citizens of India and also Sagar Rahurkarprovides for the penal action in case of contact@sagarrahurkar.comviolation of such rights. These rules shall beread with the relevant provisions of the IT Sagar Rahurkar is a Law graduate. He isAct. a techno-legal consultant and a Senior Faculty at Asian School of Cyber Laws. He specializes in Cyber Law, Cyber Crime Investigation, Computer Forensics and Intellectual Property Laws. He teaches and provides consultancy to corporates, law enforcement agencies and education institutes across India. He can be contacted at contact@sagarrahurkar.com.

Issue 24 – Jan 2012 | Page - 19

Issue 24 – Jan 2012 | Page - 20Setting up and and simple application to install the LiveGetting started with system.Matriux Krypton Getting Started: If you are installing on Hard Disk Drive,Hi Reader, start from "Step 5".Wish you a very happy and prosperous new Step 1:year from team Matriux. 2011 has been agreat year for us where we along with Start the virtual box and click ―New‖ andCHmag have made it possible to reach you select Operating System as ―Linux‖ andbetter. A special thanks to CHmag team for Version as Debian.making it with us.It has been noticed that due to a custom andspecial installer MID used in MatriuxKrypton, many users are confused on howto get Matriux setup on their Hard disk orVirtualBox, so this month we bring you withhow to setup and get started with MatriuxKrypton, a better way to start 2012. We willalso try to make it possible to keep it easyfor the new *nix users to understand it andget easy with Matriux.MID:Matriux Disk Installer, named MID is an Step 2:installer specially developed by MickaëlSchoentgen in contribution with Prajwal In this step allocate some RAM to be usedPanchmahalkar, inspired by the pureOS by Matriux generally 300MB isversion of Debian installer for the version of recommended, however there were noMatriux Krypton making it more compatible problems even with 256MB

Issue 24 – Jan 2012 | Page - 21Step 3: Step 5:Create a Virtual Hard Disk for the Start Matriux in live mode (for hard diskinstallation (VDI, VMDK is preferred) installation, insert the Disc and boot fromusually more than 6GB is recommended. the CD/DVD in the live mode).Step 4:After these start the Virtual machine, since Step 6:it is the first time it will prompt us so that aDisk Image (ISO image) can be mounted. Type the password as toor when prompted.Browse and locate the ISO image. (From here note that ―toor‖ is the root password for Matriux ).

Issue 24 – Jan 2012 | Page - 22Step 7: Step 10:Open up a terminal and type gparted to Now start the Matriux Installer from thestart the gparted interface. desktop and It should be easy for you now.If it is a new unallocated partition thenDevice > Create Partition (else if it is aused disk space then skip the next step andgo to formatting it).Step 8:Now create the partitions. Format the Step 11:partitions and close gparted. Go ahead and choose the partition that weStep 9: mounted in the earlier steps.Now open a terminal and mount thepartition we just created.mkdir /mnt/matriuxmount /dev/sda1 /mnt/matriux

Issue 24 – Jan 2012 | Page - 23Step 12:If you are having a multiple boot at certainstep you can choose to install the grub.After a couple of basic steps you will findthis – Team Matriux http://matriux.com/That‘s it we are done. Happy hacking For any further details/queries mail @report@matruix.comFollow us at @matriuxtig3r on twitter andhttp://facebook.com/matriuxtig3r

Issue 24 – Jan 2012 | Page - 24

ClubHack Magazine Issue January 2012

by ClubHack on Jun 21, 2012

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 2

Statistics

ClubHack Magazine Issue January 2012 Document Transcript

http://translate.googleusercontent.com	1
http://www.docshut.com	1