April Fools

Posted: October 30, 2008 in kd-team archive, papers

An archive article from the old website. We pull a technical joke on a colleague of ours.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ This is a little disclaimer for if you haven't read the one on our site.          +
+ The tools and tutorials KD-Team develops and publishes are only meant for         +
+ educational purposes. WE DO NOT encourage the use of these tools and              +
+ tutorials for malicious purposes. We learned a lot during the development of them +
+ so we hope you also learn and don't just use them without any brains.             +
+ We take completely NO responsibility for any damage caused by them, nor           +
+ are we or our ISP responsible for what you do with them.                          +
+ Greetz: KD-Team                                                                   +
+ http://www.kd-team.com                                                            +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

April Fools

KD-Team also LOVES jokes.

Thanking the following persons:
pointdxtr, Skalion

It's a bit of a late paper, but oh well, it's before the next 1st of April so it may even be useful.
The only reason it's late is work stuff.

1) Preface

This paper is about a co-worker at the office who challenged KD-Team to a nice game.

2) The Start

An ordinary day at the office, which in Holland means rain, lots of work and the usual chitchat.
The conversation headed towards what exactly would be a strong but user-friendly password. Our co-worker claimed that his
password was safe enough to resist a bruteforce, and we were like meh, impossible, every password has got its limit. So the
discussion ended with him trusting his password so much that he was like "try to hack my hotmail, you'll see it ain't
gonna work".
Of course we accepted that challenge. The rules were as follows:

– No tampering with his machine
– No attempts outside working hours
– Not allowed to use MSN to bruteforce
– No using the hotmail password retrieve or secret question thingie

So with this we loaded up our guns, and kimatrix and I started to discuss how we were gonna handle this.

3) Preparing the attack

So considering the above there were several possibilities we had:

– Social engineer him
– Hope he used the hotmail password in other places, for example the work server
– Sniff the password (only problem: HOW??? since it's an SSL connection, maybe with the IE SSL bug which allows it.)

Looking at the above possibilities we came to the conclusion that using only one of the above mentioned methods would be useless,
since he is kinda paranoid when it comes to security and watches very carefully when talking about sensitive things.

So we decided to go for “the perfect” combo.

We would start with simple social engineering, just continuing the password discussion and trying to find out if he uses his password
in more than one place, what his idea of a strong password is, and making him confident that "we will lose the challenge".

Knowing this there was one last tactical thing we needed to take care of: he expected the attack was gonna come directly from us.
So to take care of this we asked another co-worker to lend a hand.

4) Attack Planning and Details

So now that we had information we began to set up the complete thing.

– instructing the co-worker on the key questions he had to ask and how he must distract the victim.
– ourselves talking bullshit about sniffers and exploits to get the victim distracted even more
– the technical attack itself
We chose to just save his password, clean and easy.
How? Well, the easy, dirty and old way.
First of all we ripped the page from http://www.hotmail.com with a simple "Save as web page".
We put it on our work server and tested it internally to see if it worked and all images were correct.
Then we adjusted the tags to point to a JSP page, also on our server, which would handle the received parameters.
As you all know we did the ARP poisoning paper, and that's exactly what we used in this situation. We set up Cain & Abel,
ARP poisoned the network and then DNS redirected http://www.hotmail.com to our server.
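The ARP poisoning step above is the part a victim host can actually spot. As an added example (not part of the original KD-Team write-up), here is a small check that compares two ARP-table snapshots and flags the two symptoms a gateway poisoning leaves behind: the gateway's MAC changing, and one MAC answering for several IPs. The snapshots and the gateway address are constructed for the example.

```python
"""Spot ARP poisoning by diffing ARP-table snapshots (added example, constructed data)."""
import re
from collections import defaultdict

# Constructed snapshots in `arp -a` style. AFTER shows a poisoned table: the
# gateway 192.168.1.1 now resolves to the MAC that also answers for 192.168.1.50.
BEFORE = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
"""
AFTER = """\
Interface: 192.168.1.10 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-de-ad-be-ef-01     dynamic
  192.168.1.20          00-aa-bb-cc-dd-ee     dynamic
  192.168.1.50          00-de-ad-be-ef-01     dynamic
"""

# One entry line: IPv4 address, then a MAC in either 00-11-.. or 00:11:.. form.
ENTRY = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s", re.I)


def parse_arp(text):
    """Return {ip: mac} from `arp -a` output; MACs normalised to lowercase colon form."""
    table = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table


def find_arp_anomalies(before, after, gateway_ip):
    """Compare two snapshots and return a list of human-readable alerts.

    Alert 1: the gateway's MAC changed between snapshots (classic poisoning symptom).
    Alert 2: a single MAC now claims more than one IP (the attacker's NIC answering
    for the gateway as well as for its own address).
    """
    old, new = parse_arp(before), parse_arp(after)
    alerts = []
    if gateway_ip in old and gateway_ip in new and old[gateway_ip] != new[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} MAC changed {old[gateway_ip]} -> {new[gateway_ip]}")
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts
```

Running this periodically against the live table (or pinning the gateway entry statically) is the cheap mitigation; it does nothing against the DNS redirect itself, which is why the missing SSL icon the victim noticed later matters just as much.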

5) Executing the attack

We started by letting the co-worker do his thing on the victim. The results were pretty interesting:

– He used the same strong password for some things
– He indeed believed we would fail since the hotmail login moment is SSL encrypted.
– He did not use his strong password on our work servers

Now that we knew this we started to make false alarms. Very lame but effective:
– Pinging his machine with a ping of death just to alert his firewall
– Talking a bit loud about sniffing and exploits, so that it seemed we didn't know he could hear it
– Acting suspicious so he thought we were busy all day long with hacking his hotmail.

After having him a bit paranoid, we ran the attack on him.

kimatrix sent him an email with work related info, then excused himself for using the wrong email.
I redirected hotmail to our server.
Voila, we got him :D
At least we thought so :( because he used his MSN to log into hotmail, and well, our redirection sucked since for some odd reason
his MSN did a request to a different URL. AAARGHHHH
But don't fear, let's call in the Backup Plan.
This was a long shot but it worked.
Just asked him to enter his hotmail the normal way to see a report of the things we tried. He asked why not use MSN to do that;
I just challenged him with: "what, you afraid we hack you now after giving up?". Now we DID have him.

He went to the normal http://www.hotmail.com page, which redirected to our server.
He entered his details and submitted them.
Our JSP received them and then displayed a white page with the text OWNED centered on it.
He was like OMG FUCK, then he realised the actual login procedure was SSL, so he said meh, you just redirected the last part.
So to prove us wrong he did it again, and when he looked at his IE he saw there was no SSL icon.
At that moment kimatrix, our co-worker and I were ROFL very loud. He then confirmed that we had the password.

6) Danger

Now just one more thing about this joke. In a situation where the attackers actually want to harm, this is very powerful,
since all they need to do is fake the SSL connection, which is not hard:

victim -> http://www.hotmail.com -> redirect server with SSL -> forward request to real http://www.hotmail.com
                                    |   fake certificate   |    |   real SSL connection   |
                                    ______________________      _________________________

With the above setup you can even make it more complex for the really paranoid victim.
You can trick about 70% of the users into entering their password, and since you forward the request to
hotmail they won't notice anything. If you want to be safe, do a simple redirect with a wrong password.
That way he thinks he made a typo and then just proceeds to log in. The only thing you need is to deactivate
the DNS redirecting after you got his credentials.
There are more possibilities, but we think you have enough fantasy to think of the perfect way so that the
victim doesn't notice a thing.

7) Conclusion

It was real nice to pull a prank like this. We learned a lot from it.
We want to thank pointdxtr and skalion for their cooperation and being good sports about the whole thing.
So the conclusion was that his password was very strong: 12 chars, alpha-numeric + weird characters.
BUT
the weak part of it was, he trusted it so much that if someone ever took his password he would be lost,
since everything can be accessed with it.
He now uses different 12-char long passwords for every important thing he has.
Just mad memory this dude has got :|

Just remember all, you can never be paranoid enough about security.

Greetz,

KD-Team
