Saturday, July 28, 2012

How I can reset your Email password? An MITM-based Social Engineering (Phishing) attack!



This article of mine was first published on the iViZ Security Blog!
Here is the original article:

http://www.ivizsecurity.com/blog/penetration-testing/how-i-can-reset-your-gmail-password-an-mitm-based-social-engineering-attack/

-----------------------------------------------------------------------------------------------------------------------------
Hacking an email account is probably something that intrigues all of us. Phishing is an example of a social engineering technique used to take advantage of human ignorance; it allows unscrupulous people to exploit weaknesses in web security technology. Here we will discuss an advanced way to perform an automated phishing attack.

Attack Strategy:
As cyber awareness increases day by day, the number of failed phishing attempts is also increasing. Most Internet users go through a few checks before entering critical information like a user name and password into a web form. This approach is a kind of indirect phishing attack. Instead of asking victims directly for their user name and password, the attacker presents the victim with the challenges that Google or any other email service provider gives us while resetting the password of his/her email account. When the victim solves those challenges, we take the solutions from the victim and submit them to the actual server, resetting the password successfully in an automated manner. These challenges can be security questions or SMS-based password reset codes.

Attack Strategy at a Glance:




Setup:
Our main intention here is to abuse the same password reset functionality of various email service providers in a smarter and automated manner. We will use Selenium and its Python WebDriver API to automate the entire process. Selenium is a software testing framework for web applications; it can automate a browser locally or remotely (http://seleniumhq.org/). We will write a custom Selenium web server in Python and a dynamic fake survey form in PHP. The fake survey form will communicate with the Selenium web server through its custom APIs in the back end (using PHP curl or something similar).


Execution:

Step 1: Start the custom Selenium Server

First we start our custom Selenium web server and host the fake survey form on any hosting service provider that supports PHP and PHP curl. Then we send the link of that fake survey form to the victim.

Once started, this custom Selenium web server continuously monitors the victim's activity. When the victim visits the fake survey form, the form informs the Selenium web server through PHP curl that the victim has opened the page.

Step 2: Send the custom form to the target

Create a fake registration form for anything you like, which asks the user for an email id. You can offer an interesting free coupon for restaurants, a free download, etc. When the victim enters his/her email id, our custom web server will automatically try to recover the password of the email id received from the fake survey form using the Selenium WebDriver API. As Selenium is quite fast, this takes at most 5 to 6 seconds.

Step 3: Automatically initiate the recovery password reset process

Almost all well-known web mail providers (e.g. Google, Yahoo, etc.) use some anti-automation technique (a captcha) in these kinds of critical steps. Those captchas are not very easy even for a human being to solve, so trying to crack them with available OCR engines would be a waste of time. So human effort is a must to break those captchas. How? We have a trick for that as well.

Step 4: Send back the captcha/secret question/any challenge to the user to break

After detecting anti-automation on the page, our Selenium web server extracts the captcha from the password recovery form and asks the victim to solve that same captcha. When the victim solves the captcha, the server takes that answer and submits it to the actual captcha form. BINGO!

Once the captcha is passed, it faces the first security question (if one is available); it extracts the first security question from the actual password recovery form and adds the question to the survey form, alongside other fake questions, to make the survey form look a bit more realistic.

Step 5: Send the user response to Gmail and reset the password

When the victim answers that question, the server instantly takes that answer and submits it to the actual password recovery form. We expect that the victim will answer the security questions correctly.

After that, when it faces the second security question, it treats it in the same manner. Once it has got this far, it changes the account password to our desired one automatically.

Abusing SMS/Email-Based Password Recovery Systems Using the Same Technique:

SMS/email-based password recovery systems can also be abused using the same technique. If we consider Gmail, when our custom Selenium web server detects that there is no security question option in the password recovery form of the target email account, it goes for the SMS-based password recovery option. Generally Google's web application discloses the last two digits of the registered phone number and sends the SMS to that phone. Our custom Selenium web server does the same: it extracts the last two digits from the recovery form and sends them to the victim. The phishing form is designed in such a way that it says something like this:

“Hey, you have to go through a verification process to download this software package. Please enter your mobile number. We will send a verification code through Google to that number.”

Luckily, Google sends the password recovery code through SMS very poorly. It just sends an SMS like

“Your Google Verification Code is :123456”.


Within a second of the mobile number being entered, our Selenium web server submits the mobile number and the victim receives the password reset code from Google. As the SMS sent by Google currently carries no indication that this is a very critical code, unlike other verification codes, it is quite natural for a general Internet user to trust the application and share the password reset code.

In the next step the form asks for the received code, and after getting the code our Selenium server does the rest, which is changing the password.
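A defender-side counterpart to the flow above, written for this post as an added example and not code from the original: the relay completes the reset from the attacker's server, never from a device the account has logged in from, and one such server handles many victims, so both traits show up in reset and login logs. The log format, account names and addresses below are constructed.

```python
"""Detection for relayed password-reset abuse (added example, not the post's code).
The relay completes resets from the attacker's host, which has never logged in to
the victim's account, and one host services many victims. Log format is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log: earlier successful logins, then reset completions.
SAMPLE_LOG = """\
2012-07-27T09:00:00Z login account=alice src=198.51.100.10 result=ok
2012-07-27T09:05:00Z login account=bob src=198.51.100.22 result=ok
2012-07-27T09:10:00Z login account=carol src=198.51.100.31 result=ok
2012-07-27T20:00:00Z login account=dave src=198.51.100.40 result=ok
2012-07-28T10:01:00Z reset_completed account=alice src=203.0.113.7 method=sms
2012-07-28T10:04:30Z reset_completed account=bob src=203.0.113.7 method=question
2012-07-28T10:09:00Z reset_completed account=carol src=203.0.113.7 method=sms
2012-07-28T12:00:00Z reset_completed account=dave src=198.51.100.40 method=sms
"""
LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")

def parse(log):
    """Return (timestamp, event, fields) tuples in chronological order."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(3).split())
        events.append((ts, m.group(2), fields))
    return sorted(events, key=lambda e: e[0])

def detect(log, window=timedelta(minutes=30), threshold=3):
    """Flag a reset from a source that never logged in to the account, and any
    source completing resets for `threshold` or more accounts within `window`."""
    known = defaultdict(set)     # account -> sources with a successful login
    per_src = defaultdict(list)  # source -> [(time, account)] of completed resets
    alerts = []
    for ts, kind, f in parse(log):
        if kind == "login" and f.get("result") == "ok":
            known[f["account"]].add(f["src"])
        elif kind == "reset_completed":
            acct, src = f["account"], f["src"]
            if src not in known[acct]:
                alerts.append(("new_source", acct, src))
            per_src[src].append((ts, acct))
            recent = {a for t, a in per_src[src] if ts - t <= window}
            if len(recent) >= threshold:
                alerts.append(("reset_farm", src, len(recent)))
    return alerts
```

On the sample log, dave's reset from a previously seen address produces nothing, while the three resets relayed through 203.0.113.7 each raise a new-source alert and the third one also raises the many-accounts alert.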

Video Demo:

Conclusion:

As password recovery sections are very critical, service providers maintain very strict session state in these areas. Passing these sections automatically by sending raw HTTP requests from a scripting language is very tough: if something goes wrong it destroys the whole session, so the chance of the attack failing is very high. If we consider Gmail, the application is very dynamic, so parsing JavaScript from the HTTP response and extracting the required values is very difficult.

A Very Basic Custom Selenium Web Server Code Used in this Demo:


Saturday, July 21, 2012

HTTP to HTTPS Proxy Tunnel using Python



From the title you might think that this is a useless piece of code. But let me tell you it's not. I didn't write this just to pass the time. A pretty good automated SQLi tool called Havij (hopefully you are already familiar with it) forced me to write this. Not exactly, but it's a kind of external plugin for Havij (Free Version).

Havij is an automated SQL injection tool. No doubt it's a great tool for doing automated SQL injection. But one problem with this tool is that it's not fully free! :(
The free version also has many great features, but one problem I have faced while using it is that it does not allow users to scan/run database enumeration on sites which use SSL (https://). :(

So to overcome this limitation I decided to write a proxy for it. But this proxy is not like most common HTTP proxies: it can be used to scan an SSL-enabled site using the Free Version of Havij.
Suppose you want to try SQLi on "https://www.target.com/search.php?name=debasish" using Havij. When you try to fire a scan with Havij you get an error like
"Havij Free does not allow https://" blah blah...

So to overcome this limitation, what you have to do is:

  1. Configure Havij Free to use the HTTP proxy 127.0.0.1:8080 while scanning.
  2. Run this Python script. (It will start a proxy server on 127.0.0.1:8080.)
  3. In the target field of Havij, instead of entering "https://www.target.com/search.php?name=debasish", enter "http://www.target.com/search.php?name=debasish". When you start scanning through Havij, the proxy script will do the following:

       3.1. Take the plain HTTP request (the SQLi request) from Havij.
       3.2. Create an SSL connection to the target.
       3.3. Forward the same request received from Havij to the target server.
       3.4. After receiving the response from the server over the SSL connection, feed the response back to Havij.

This proxy is not suitable for web browsing; you will face some problems. It can handle the normal requests/responses generally used for SQLi. One bad thing about this script is that it will make your SQLi process a bit slower. It has the ability to handle gzip-compressed responses.

So here is the code. Enjoy SQLi on SSL sites using Havij Free! I didn't test it much, so let me know if it is not working properly.