Sunday, June 7, 2009

hacking or stealth?? exploiting web vulnerabilities....

Internet security has always been a favourite of mine.

One question wannabe-hackers most commonly ask is "how can I hack into an email account?". Most of them have visions of doing it Matrix style, think hacking is cool stuff and that you can become a hacker easily. What they don't realise is that you need to be a damn good programmer if you want to know even the hacking basics. You need to be proficient in C, C++, Perl, DOS, networking and a number of other technologies. You need to know about web vulnerabilities and you need to learn how to exploit them. And you need a powerful computer and a strong server (maybe even two or three) to execute several orders. Even then it would be difficult. You can't just hack in. You need to recon, find a backdoor, get the info, get out, and do all of this without leaving an information trail. Hacking into Google's database, decoding the encryption (which, by the way, is pretty strong), finding the particular username, decoding the strongly encrypted password, and getting out without being noticed is quite a task. Stealing the password, or luring someone into revealing it, is much easier. How many times have you seen the mail telling you "hack into any Yahoo mail id", and the talk of a 4-5 sentence mail which you need to send to some id and bingo! You reveal your password and compromise the security of your account. When I was in my teens I liked this idea of being powerful enough to know somebody's password and get the account details. I got a book by the author "Ankit Fadia" and was introduced to the term "ethical hacking". Here are a few stealth methodologies which are usually implemented:
Roughly, the techniques mentioned below are the ones used to get into email accounts.
1. Shoulder Surfing:
Ever seen people taking a sneak peek at your computer while you are typing your password? Well, hello and welcome to the world of shoulder surfers. They sneak up on you and try to figure out your password. If you are a newbie or your typing speed is dreadfully slow, you had better practise typing at least your passwords at a fast speed. Another useful trick is to use a combination of alphanumeric characters.
2. Locally stored passwords
Most of us find it convenient to tick "remember me on this computer". Sometimes, while surfing on a shared computer, we don't even bother to check whether the box is unticked or not. When you click the option to allow the browser to remember your passwords, an adversary with access to your system can locate the registry key (or browser store) associated with the password, which may be saved either in clear text or in encrypted form.
3. Brute Forcing
Well, this won't work in today's scenarios as most applications are invulnerable to brute-force attack. But a few pages may still be exposed, like a reset-password form which, after you answer the secret question, shows you the newly reset password on the page (instead of mailing it to the secondary account). A suggestion is to always have a secondary account configured.
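The defence the post alludes to, a secret-question form that stops guessing after a handful of wrong answers and never prints the new password on the page, looks like this. This is an added example and not code from the original post or from any mail provider; the `ResetAttemptLimiter` class, `check_secret_answer` function, the account names and the injectable clock are all constructed for illustration.

```python
import hmac
import time
from collections import defaultdict


class ResetAttemptLimiter:
    """Counts failed secret-question answers per account inside a sliding window.

    Once max_attempts failures have been seen within window_seconds, further
    attempts are refused until the oldest failure ages out of the window.
    The clock is injectable so the behaviour can be tested without sleeping.
    """

    def __init__(self, max_attempts=5, window_seconds=900, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(list)  # account -> timestamps of failures

    def _prune(self, account, now):
        cutoff = now - self.window
        self._failures[account] = [t for t in self._failures[account] if t > cutoff]

    def allowed(self, account):
        now = self.clock()
        self._prune(account, now)
        return len(self._failures[account]) < self.max_attempts

    def record_failure(self, account):
        self._failures[account].append(self.clock())

    def record_success(self, account):
        self._failures.pop(account, None)


def check_secret_answer(limiter, account, given, expected):
    """Return 'locked', 'ok' or 'wrong'.

    On 'ok' the caller should mail a one-time reset link to the account's
    secondary address; the new password is never rendered on the page.
    """
    if not limiter.allowed(account):
        return "locked"  # refuse even a correct answer while locked out
    # Normalise whitespace/case, then compare in constant time.
    a = given.strip().lower().encode()
    b = expected.strip().lower().encode()
    if hmac.compare_digest(a, b):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "wrong"


if __name__ == "__main__":
    # Constructed demo: three wrong guesses, then a lockout on the fourth.
    limiter = ResetAttemptLimiter(max_attempts=3, window_seconds=900)
    for guess in ("rex", "tom", "max", "fluffy"):
        print(guess, "->", check_secret_answer(limiter, "alice@example", guess, "Fluffy"))
```

Keeping the counter per account (rather than per source IP) is what stops an attacker from spreading guesses across many connections; the lockout window also covers the correct answer, so a guess that happens to land after the limit still fails.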
4. Sniffing
Sniffers are tools that capture packets flowing on the Ethernet wire, and they are freely available on the net. An attacker can use one in combination with a MitM (man-in-the-middle) attack to capture the packets on a LAN. As an end user I am not aware of any solution that can be applied from my side to protect myself from a MitM attack. A tip-off is that if you receive a certificate alert for a website certified by a well-known CA (Certification Authority, like VeriSign etc.), then you may be under attack.
5. Keylogger/Trojans
The simplest way is gifting the victim a game (a trojan) and making him play it. While the user is unaware of the malicious program running behind it, he has already fallen prey to it. All his keystrokes can be logged and emailed to the attacker periodically. A suggestion is to update your antivirus and anti-spyware programs daily. Just updating is not enough; do periodic scans. A local firewall like ZoneAlarm will add to your system security. And never accept files from unknown (or suspiciously known) users. Scramblers, anti-keyloggers and keylogger detectors are useful tools against this attack. Most up-to-date AVs can detect these keyloggers. My suggestion would be to use an updated AV and a good anti-spyware program.
6. Phishing
This is a very common form of attack. The attacker builds a clone of the targeted site's login page and entices the victim to log into it. Once the victim enters his login credentials, they are mailed to the attacker. From the user's point of view, always check the URL in the address bar before logging in. For web developers, you can always use an anti-phishing technique like a sign-in seal (Yahoo has implemented it). This can help end users identify whether the site is genuine or fake. This solution can't be applied in the case where the attacker has combined the phishing page with DNS spoofing (Metasploit PoC).
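"Check the URL in the address bar" is easier said than done, because clone pages lean on hostnames that look right at a glance. The function below is an added example, not code from the post or from any of the sites it names, showing the check a user (or a mail filter) should actually perform: parse the URL, take the real hostname, and accept it only if it is the genuine login domain or a subdomain of it. The `GENUINE_LOGIN_DOMAINS` allowlist and every sample URL are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the domains whose login pages we trust for this example.
GENUINE_LOGIN_DOMAINS = frozenset({"yahoo.com", "google.com"})


def real_host(url):
    """Return (scheme, hostname) as a browser would interpret them.

    urlsplit().hostname lowercases the host and strips userinfo and port, so
    'https://www.yahoo.com@evil.example/' yields 'evil.example', not yahoo.com.
    """
    parts = urlsplit(url.strip())
    return parts.scheme.lower(), parts.hostname


def is_genuine_login_url(url, allowed=GENUINE_LOGIN_DOMAINS):
    """True only for an https URL whose host is an allowed domain or a subdomain of it."""
    scheme, host = real_host(url)
    if scheme != "https" or not host:
        return False  # plain http (or no host at all) is never the real login page
    try:
        ipaddress.ip_address(host)
        return False  # a bare IP address is never the genuine login page here
    except ValueError:
        pass
    # Exact match or a proper subdomain: 'login.yahoo.com' yes,
    # 'yahoo.com.evil.example' no (the allowed name must be the suffix).
    return any(host == d or host.endswith("." + d) for d in allowed)


def explain(url):
    """Human-readable verdict, handy when triaging links in a mail gateway."""
    scheme, host = real_host(url)
    verdict = "genuine" if is_genuine_login_url(url) else "SUSPICIOUS"
    return f"{verdict}: scheme={scheme!r} host={host!r}"


if __name__ == "__main__":
    # Constructed samples: one real-looking link and several classic lookalikes.
    for sample in (
        "https://login.yahoo.com/",
        "http://login.yahoo.com/",
        "https://login.yahoo.com.evil.example/",
        "https://www.yahoo.com@evil.example/login",
        "https://yah00.com/",
        "https://192.0.2.10/yahoo/login",
    ):
        print(explain(sample))
```

The important design choice is to compare the parsed hostname rather than searching the URL string for "yahoo.com": the string search passes every lookalike above, the hostname comparison rejects all of them.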
7. Social Engineering
Want to hack human brains? This is the option for you. This is the most effective technique of all. It exploits the human psyche and the tendency to want profit without investment. The only solution to it is end-user education. It can range from directly asking "Please give me your password" to the example described here. This is a well-known example. Most of you might have seen the mail or document below, saying that (for example) Yahoo has a vulnerability and anyone's password can be obtained by following the steps below. Any time you see an email that says forward this on to '10' (or however many) of your friends, sign this petition, or you'll get bad luck, good luck, you'll see something funny on your screen after you send it, or whatever, it almost always has an email tracker program attached that tracks the cookies and emails of those folks you forward to. The host sender gets a copy each time it is forwarded and is then able to build lists of 'active' email addresses to use in spam emails, or to sell to other spammers. Even when you get emails that demand you send the email on if you're not ashamed of God/Jesus... that's email tracking, and they're playing on our conscience. These people don't care how they get your email addresses, just as long as they get them. Also, emails that talk about a missing child or a child with an incurable disease, "how would you feel if that was your child"... email tracking... huh!!!
A typical example would be:
• Log in to your own yahoo account. Note: Your account must be at least 30 days old for this to work.
• Once you have logged into your own account, compose an e-mail to: hack_other_acc@yahoo.com (actually attacker’s email id)
This is a mailing address to the Yahoo Staff. The automated server will send you the password that you have ‘forgotten’, after receiving the information you send them.
• In the subject line type exactly: password retrieve.
• On the first line of your mail write the email address of the person you want to hack.
• On the second line type in the e-mail address you are using.
• On the third line type in the password to YOUR email address (your OWN password). The computer needs your password so it can send a JavaScript from your account in the Yahoo Server to extract the other email address's password. In other words, the system automatically checks your password to confirm the integrity of your status. Remember you are sending your password to a machine, not a man. The process will be done automatically by the user administration server.
In addition to the above message, the attacker sometimes requests a few more steps in order to boil the victim down to sending the attacker his account name and password.
Well, remember that there is no Yahoo bot, or any other account bot, which can help you retrieve the passwords of other people's accounts. There are even some others who claim that they have a tool to do it. This tool actually asks you to log into your account first, through the tool, and once you try logging in (boom, they now have your password) it throws some junk error like an application crash, to avoid making the victim suspicious of the act. There is a lot more to this section; a whole book could be written on it.
8. Web Vulnerabilities.
Well, there is some insecure application code out there which can be exploited to get the passwords or sessions of other users. These are a bit difficult to exploit, or by the time you try exploiting them, Yahoo or Gmail might have patched them. The vulnerabilities can be XSS, SQLi, CSRF or the recently hyped clickjacking and surfjacking. Heard about the Google sandbox?? Until recently this was a great tool used to get into Orkut accounts. However, the bug has now been fixed and only developers get access to the sandbox tool.
There are a lot more on the list. Some may not have been patched because they may not have been disclosed yet; these can be categorised as private vulnerabilities (known to very few hackers).
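The SQLi entry in that list comes from exactly the "insecure application coding" the post mentions: user input glued into a query string. The snippet below is an added example, not code from the post or from any real mail provider, and shows the vulnerable lookup beside its hardened, parameterised form against a constructed in-memory SQLite table. The table, user names and `lookup_*` function names are all constructed for illustration.

```python
import sqlite3


def make_demo_db():
    """Constructed users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def lookup_unsafe(conn, username):
    """VULNERABLE: the user-supplied name becomes part of the SQL text itself,
    so a quote character in the input changes the query's meaning."""
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """HARDENED: the driver binds the value as data; it can never alter the query."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def looks_like_sql_probe(value):
    """Cheap log-side heuristic for spotting attempts in request logs.
    It is a detection aid only; parameterised queries are the actual fix."""
    lowered = value.lower()
    return "'" in value and (" or " in lowered or "--" in value or ";" in value)


if __name__ == "__main__":
    conn = make_demo_db()
    probe = "nobody' OR '1'='1"  # textbook input that turns the WHERE clause true
    print("unsafe:", lookup_unsafe(conn, probe))  # returns every user
    print("safe:  ", lookup_safe(conn, probe))    # returns nothing: no such name
    print("probe flagged:", looks_like_sql_probe(probe))
```

The fix is the placeholder, not input filtering: `lookup_safe` needs no denylist because the bound value is never parsed as SQL, whereas any escaping layer bolted onto `lookup_unsafe` is one encoding trick away from failing.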
9. Javascript and web tools:
Ever imagined that your scrapbook on Orkut is another tool for hackers? JavaScript can be embedded into your scrapbook, and you will never even know that your account is being tracked.
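The scrapbook problem is stored cross-site scripting: whatever one user writes is rendered into every visitor's page, so a script tag in a scrap runs in the visitor's browser. The code below is an added example, not code from the post or from Orkut, showing the vulnerable renderer beside the hardened one that escapes user text, plus a small log-side heuristic for spotting such scraps. The `render_scrap_*` functions and the sample scrap are constructed for illustration.

```python
import html
import re


def render_scrap_unsafe(author, body):
    """VULNERABLE: user text is dropped straight into the page as markup."""
    return f"<div class='scrap'><b>{author}</b>: {body}</div>"


def render_scrap_safe(author, body):
    """HARDENED: html.escape turns <, >, &, ' and " into entities, so the
    browser shows the text literally instead of executing it."""
    return f"<div class='scrap'><b>{html.escape(author)}</b>: {html.escape(body)}</div>"


# Heuristic for flagging submissions in logs or moderation queues. It is a
# detection aid, not the fix: denylists can be bypassed, output escaping cannot.
_MARKUP_INJECTION = re.compile(r"<\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)


def looks_like_markup_injection(body):
    return bool(_MARKUP_INJECTION.search(body))


if __name__ == "__main__":
    # Constructed scrap carrying a tracking script (the domain is a placeholder).
    scrap = "hello! <script src='https://tracker.example/t.js'></script>"
    print(render_scrap_unsafe("mallory", scrap))
    print(render_scrap_safe("mallory", scrap))
    print("flagged:", looks_like_markup_injection(scrap))
```

Escape at output time, in the renderer, rather than at input time: the same scrap may later be shown in a different context (an email digest, a JSON API) where HTML escaping would be wrong, and escaping where the text meets the page guarantees the protection is applied on every path.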

So the best rulebook says...”Be careful and Beware!!!”
