Tuesday, March 18, 2014

Distributing a bot. The "hackers" and the hackers.

It is known that a computer can be infected with malicious software and become a bot/zombie [1]. Bot means robot, and robots, most of them, listen to their inventors. When your computer becomes a bot, it performs tasks around the Internet without you having any clue. A network of bots is called a botnet. Hackers use a botnet to spread a virus, perform web attacks that need more computing power, spy on computers, send spam emails, etc. Here is a list of the Top Banking Botnets of 2013.


Treat this article as a source of knowledge and entertainment and not as a "how to" tutorial.

Here are some methods a hacker would follow to distribute his bot successfully:

• I) Distributing on LAN networks.

As soon as the attacker is inside the network, everything is simpler. As Kevin Mitnick mentions in his book The Art of Intrusion, when a hacker breaks into a network, it's really hard to kick him out. The most common scenario is that the attacker performs an ARP poisoning attack [2] and afterwards forces you to download his malicious file. Pretty easy: a couple of tools (e.g. SET, Ettercap, Arpspoof) and the job is done. Physical access (e.g. school networks, offices) is still an option that would infect about 10-30 computers. I remember watching a hacking documentary where some guys burned their bot onto a CD and left it outside a building. It worked: a careless employee inserted the CD into his office computer!

• II) Distributing with torrents.

Attackers sometimes deceive Internet users by exploiting their needs. Most users prefer downloading their software rather than paying for it. The Pirate Bay and Kickass Torrents are often their first choices. So the scenario is that a hacker downloads well-known software (e.g. Photoshop Pro, Microsoft Office, Avast Pro) from some BitTorrent tracker and replaces the key generator program with his malicious file, his bot. Then he uploads the edited torrent to a popular BitTorrent tracker and just waits for the downloads. The botnet will surely grow, as there are a lot of people who will turn their firewall off if you tell them to, and continue their "program" installation.

• III) Distributing on YouTube.

YouTube has always been a target for hackers who want to distribute their malicious files. This happens because a large number of people search for key generators, hacking tools (Facebook, Gmail and Google hacking tools), or simply download links for a Pro version of their favorite tool. Curiosity, sometimes combined with anger (especially when their girlfriend cheated on them), brings inattention. They will download WHATEVER you give them, disable firewalls and AVs, or even pay for a tool, if you just promise them that your tool does the job. With a simple 30-second video, users can be tricked into downloading your "hacking tool". This method will bring some bots into your network, especially if you ask for some "Likes" on your video.

• IV) Distributing on social networks.

Here is the funniest scenario. It is funny, and ironic at the same time, because these companies (Facebook, Twitter, Google+) spend large amounts of money and time protecting their networks and websites, but they cannot get rid of the silliness of some users who accept files for one reason or another. A common scenario is that the hacker uploads his file to a public file-sharing host (Mediafire, Megafileupload) and then gets the user to download it by creating a catchy story.

It is NOT over. 

Are you still reading? Please make sure you understood the methods above. If you did, it means that you are now able to recognize lamers and n00bs, because that wasn't hacking. It was "hacking". Hacking is for clever people. You are not clever when you distribute a bot manually. You will probably be arrested, get bored, or, even if it works, you will not get the expected results. If the expected result was 200 bots inside your botnet then, again, you are not a hacker, because hackers do their best for the best result. Coding is the mother of hacking. A well-written bot is a bot that enlarges the botnet automatically, for example by hijacking Facebook accounts, posting comments on YouTube with malicious links, sending mails, etc.

Writing about hackers does not make me a hacker. I have only a little knowledge of coding and I am totally unable to write my own automatically spreading bot. I wrote this article to express my opinion of how the distribution should be done. As I said, running a couple of tools and doing things manually is not worth the time. Coding is the proper way.

SPECIAL THANKS TO: 

Petros really helped me with this article. He shared his ideas with me and later I shared them with you via this post. A lot of the lines above were changed many times during the writing of the article because of his influence on me.


THE EXTRAS

[1] Internet bot
[2] A nice tool to detect changes of IP/MAC pairings is Arpwatch.
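Arpwatch's whole job is the bookkeeping behind note [2]: remember which MAC answered for which IP and complain when that changes. Here is the same check as an added Python example (not from this post, not Arpwatch's code) run over a constructed, tcpdump-style ARP capture in which a third machine starts answering for both the gateway and a host, the pattern the ARP poisoning step in section I) leaves behind.

```python
import re
from collections import defaultdict

# Constructed sample capture in tcpdump-like "ARP, Reply" style; not real traffic.
# A third machine (de:ad:be:ef:00:99) starts answering for both the gateway and a host,
# then the real gateway answers again: the classic poisoning signature.
SAMPLE_CAPTURE = """\
10:01:02.100 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
10:01:05.300 ARP, Reply 192.168.1.7 is-at aa:bb:cc:00:00:07, length 28
10:01:09.000 ARP, Request who-has 192.168.1.1 tell 192.168.1.7, length 28
10:02:11.900 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:02:12.000 ARP, Reply 192.168.1.7 is-at de:ad:be:ef:00:99, length 28
10:02:14.500 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

def parse_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply; requests and other lines are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def detect_arp_changes(replies, gateway_ip=None):
    """Arpwatch-style bookkeeping. Returns alerts as (timestamp, kind, subject, detail):
      CHANGED / FLIP_FLOP      - an IP answers from a new MAC / flips back to an earlier one
      GATEWAY_* variants       - the same, for the IP given as gateway_ip (highest risk)
      MAC_CLAIMS_MULTIPLE_IPS  - one MAC now answers for more than one IP"""
    current = {}                 # ip -> MAC most recently seen for it
    history = defaultdict(set)   # ip -> every MAC ever seen for it
    claims = defaultdict(set)    # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in replies:
        prev = current.get(ip)
        if prev is not None and prev != mac:
            kind = "FLIP_FLOP" if mac in history[ip] else "CHANGED"
            if ip == gateway_ip:
                kind = "GATEWAY_" + kind
            alerts.append((ts, kind, ip, (prev, mac)))
        current[ip] = mac
        history[ip].add(mac)
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:
                alerts.append((ts, "MAC_CLAIMS_MULTIPLE_IPS", mac, tuple(sorted(claims[mac]))))
    return alerts

def analyse(capture_text, gateway_ip=None):
    """Parse a capture and return its alerts; an empty list means no pairing changed."""
    return detect_arp_changes(parse_replies(capture_text), gateway_ip)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_CAPTURE, gateway_ip="192.168.1.1"):
        print(*alert)
```

On a real segment the input would come from a live capture or from Arpwatch's own mail alerts; a gateway flip-flop within seconds is the line worth paging on.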


  

Wednesday, September 4, 2013

An awesome social engineering attack!

Hello everyone,

After a long time, I am writing here again. The reason is that today at 2:46 a good friend showed me his AWESOME social engineering skills. It is a really nice story that everybody should enjoy!


Let me introduce the two of them...

We all know that every single guy who has a Facebook account (or not) has tried at least once to download some software that will "hack" his best friend's or his girlfriend's Facebook account. We also know that the "software" we are talking about is a virus, a phishing page or something that will NOT do what we want! If someone asked me to describe this real story in four words, those words would be: Social Engineering, Open Source. Now it is time to talk about the victim and the attacker.

The attacker is Dionysis Zindros, aka Dionyziz, a really experienced guy in software engineering (and in social engineering, as you will see later). You can read more about him here: Dionyziz. His site is available to everyone here.

The victim is a guy named Nicolas, a normal guy (I guess) who just wanted to learn how to hack Facebook accounts.

The story....

Dionysis is friends with Nicolas. Because of that, Nicolas asked Dionysis if he knew how to hack a Facebook account. Dionysis said "Maybe". Nicolas then gladly asked Dionysis to hack his own (Nicolas') account, with the single condition that he not read his messages. The answer was positive! After a couple of hours, Dionysis told Nicolas that he didn't want to hack his profile, and that he would instead show him how to hack other profiles. Nicolas was excited. The following conversation took place on Skype:

"
[2013-09-03 1:42:57 AM] Dionysis: it's better to use text because I need to give you commands here
[2013-09-03 1:43:03 AM] Dionysis: and I won't be able to type easily if we use voice
[2013-09-03 1:43:05 AM] Dionysis: OK?
[2013-09-03 1:43:09 AM] Nicolas: Ok
[2013-09-03 1:43:10 AM] Dionysis: how was your taxi ride?
[2013-09-03 1:43:16 AM] Nicolas: Fine :)
[2013-09-03 1:44:44 AM] Nicolas: Ready when you are.
[2013-09-03 1:46:38 AM] Dionysis: sure, just give me a second
[2013-09-03 1:46:42 AM] Dionysis: need to use the bathroom
[2013-09-03 1:50:51 AM] Dionysis: ok back
[2013-09-03 1:51:09 AM] Nicolas: Alright
[2013-09-03 1:51:37 AM] Dionysis: so, I first need to show you how to do 'X72' decryption
[2013-09-03 1:51:52 AM] Dionysis: basically, X72 is the mechanism Facebook uses for blocking users
[2013-09-03 1:51:55 AM] Dionysis: it's a codename
[2013-09-03 1:52:09 AM] Dionysis: the way it works is like this
[2013-09-03 1:52:23 AM] Dionysis: when you "report" a user on Facebook, something called an "X72 cookie" is generated
[2013-09-03 1:52:49 AM] Dionysis: this is used to determine whether the user has been reported by many of their friends or not
[2013-09-03 1:53:07 AM] Dionysis: and Facebook uses it to check if some account is a spam account or was hacked
[2013-09-03 1:53:22 AM] Dionysis: if many friends of a person go to their profile and click 'report', these cookies are collected together
[2013-09-03 1:53:31 AM] Dionysis: if there are many such cookies, the user is banned automatically
[2013-09-03 1:53:35 AM] Dionysis: get it?
[2013-09-03 1:53:37 AM] Nicolas: Yes
[2013-09-03 1:53:45 AM] Dionysis: so if 30 of your friends "report" you, you will be banned
[2013-09-03 1:53:50 AM] Dionysis: but you have to have them in your friends
[2013-09-03 1:53:51 AM] Dionysis: otherwise
[2013-09-03 1:54:00 AM] Dionysis: 30 strangers could agree to just "report" you and get you banned
[2013-09-03 1:54:04 AM] Dionysis: and of course that's not possible
[2013-09-03 1:54:14 AM] Nicolas: Makes sense
[2013-09-03 1:55:13 AM] Dionysis: so these cookies are used to perform privilege escalation on Facebook to disable the account
[2013-09-03 1:56:01 AM] Dionysis: when you visit a friend's profile and click on the report/block button on their profile, this X72 cookie is generated
[2013-09-03 1:56:19 AM] Dionysis: the vulnerability by Facebook is that this cookie actually contains authentication data for the remote user
[2013-09-03 1:56:24 AM] Dionysis: however, this information is encrypted
[2013-09-03 1:56:53 AM] Dionysis: so, in reality, once you click on "Report", you already *have* the password of the user you reported, if they're in your friends,
[2013-09-03 1:56:56 AM] Dionysis: but it's in encrypted form
[2013-09-03 1:57:13 AM] Nicolas: Ok
[2013-09-03 1:59:21 AM] Dionysis: hang on a sec
[2013-09-03 1:59:22 AM] Dionysis: sorry
[2013-09-03 1:59:30 AM] Nicolas: ok ;)
[2013-09-03 2:02:57 AM] Dionysis: ok so
[2013-09-03 2:03:06 AM] Dionysis: this encrypted form uses a 'one-way' encryption also known as hashing
[2013-09-03 2:03:17 AM] Dionysis: so you can't really decrypt it immediately with a command
[2013-09-03 2:03:28 AM] Dionysis: but what you can do is apply the same 'encryption' function to see if a password matches
[2013-09-03 2:03:32 AM] Dionysis: and computers are very good at doing this massively
[2013-09-03 2:03:42 AM] Dionysis: so we're going to "brute force" that encryption
[2013-09-03 2:03:49 AM] Dionysis: i.e. try all possible combinations of 1, 2, 3, etc. letters
[2013-09-03 2:04:26 AM] Dionysis: so eventually it will find the correct password
[2013-09-03 2:05:15 AM] Dionysis: alright?
[2013-09-03 2:05:18 AM] Nicolas: Yes
[2013-09-03 2:05:30 AM] Dionysis: ok so
[2013-09-03 2:05:34 AM] Dionysis: for this you need 2 tools
[2013-09-03 2:05:39 AM] Dionysis: one to capture the X72 cookie
[2013-09-03 2:05:45 AM] Dionysis: the other to decrypt it through brute force
[2013-09-03 2:05:51 AM] Dionysis: makes sense?
[2013-09-03 2:05:57 AM] Nicolas: Yes.
[2013-09-03 2:06:08 AM] Dionysis: alright so the tool to decrypt by brute force is of course widely available
[2013-09-03 2:06:12 AM] Dionysis: there are several out there actually
[2013-09-03 2:06:27 AM] Nicolas: for Mac?
[2013-09-03 2:06:32 AM] Nicolas: anything?
[2013-09-03 2:06:33 AM] Dionysis: yes for all OSes
[2013-09-03 2:06:54 AM] Dionysis: there is John The Ripper and other tools
[2013-09-03 2:07:01 AM] Dionysis: but we can concern ourselves about these later
[2013-09-03 2:07:12 AM] Nicolas: Sure
[2013-09-03 2:08:06 AM] Dionysis: the first thing you need to do is do an X72 "capture"
[2013-09-03 2:08:15 AM] Dionysis: this is done with a tool that uses the Facebook vulnerability
[2013-09-03 2:08:19 AM] Dionysis: as you can imagine it's not widely available
[2013-09-03 2:09:03 AM] Dionysis: so
[2013-09-03 2:09:09 AM] Dionysis: please don't distribute it, okay?
[2013-09-03 2:09:11 AM] Dionysis: I mean don't send it to other people
[2013-09-03 2:09:24 AM] Nicolas: That's a promise
[2013-09-03 2:09:37 AM] Dionysis: ok :)
[2013-09-03 2:09:47 AM] Dionysis: I appreciate it
[2013-09-03 2:10:12 AM] Dionysis: so this tool is basically a python script which basically connects to Firefox and captures the X72 cookie as it's generated
[2013-09-03 2:10:31 AM] Dionysis: sent a file Facebook-Cross-Site-X72-Vuln.zip to this group
[2013-09-03 2:10:46 AM] Dionysis: it has instructions when you run it
[2013-09-03 2:10:51 AM] Dionysis: but it's very simple
[2013-09-03 2:10:57 AM] Dionysis: the complicated step is the decryption, not the capture
[2013-09-03 2:11:09 AM] Dionysis: basically the tool handles everything for you for capturing
[2013-09-03 2:11:24 AM] Dionysis: all you need to do is visit her profile and click on the "Report/Block" button at the top right
[2013-09-03 2:11:25 AM] Dionysis: from the menu
[2013-09-03 2:11:32 AM] Dionysis: she has you as a friend right?
[2013-09-03 2:11:37 AM] Nicolas: yeah
[2013-09-03 2:11:42 AM] Dionysis: ok
[2013-09-03 2:11:43 AM] Dionysis: so
[2013-09-03 2:11:46 AM] Dionysis: you open the block/report dialog
[2013-09-03 2:11:50 AM] Dionysis: but do NOT report her
[2013-09-03 2:11:50 AM] Nicolas: I'll have to block her though
[2013-09-03 2:11:51 AM] Dionysis: no
[2013-09-03 2:11:55 AM] Dionysis: it will give you a confirmation dialog
[2013-09-03 2:12:05 AM] Nicolas: Ok
[2013-09-03 2:12:23 AM] Dionysis: at the time the confirmation dialog is displayed, the X72 cookie is already generated
[2013-09-03 2:12:25 AM] Dionysis: so it's captured
[2013-09-03 2:12:28 AM] Dionysis: and you can just cancel after that
[2013-09-03 2:12:30 AM] Dionysis: get it?
[2013-09-03 2:12:36 AM] Nicolas: Yeah nice
[2013-09-03 2:13:53 AM] Dionysis: ok in the meantime also download john the ripper for mac
[2013-09-03 2:13:56 AM] Dionysis: for the decryption step
[2013-09-03 2:14:37 AM] Nicolas: Free version does right?
[2013-09-03 2:14:48 AM] Dionysis: yeah
[2013-09-03 2:16:08 AM] Nicolas: ok
[2013-09-03 2:16:09 AM] Nicolas: I have 4 folders
[2013-09-03 2:16:17 AM] Nicolas: 3 and a README file
[2013-09-03 2:17:28 AM] Dionysis: OK
[2013-09-03 2:17:31 AM] Dionysis: good
[2013-09-03 2:18:08 AM] Dionysis: so uh
[2013-09-03 2:18:11 AM] Dionysis: do you have python?
[2013-09-03 2:18:15 AM] Dionysis: you need python to run python scripts :P
[2013-09-03 2:18:24 AM] Nicolas: I shall download that
[2013-09-03 2:18:27 AM] Dionysis: I think mac has it
[2013-09-03 2:18:30 AM] Dionysis: can you open a terminal?
[2013-09-03 2:18:58 AM] Nicolas: I did
[2013-09-03 2:20:24 AM] Dionysis: ok
[2013-09-03 2:20:27 AM] Dionysis: type 'python'
[2013-09-03 2:20:28 AM] Dionysis: and hit enter
[2013-09-03 2:20:29 AM] Dionysis: does it work?
[2013-09-03 2:20:41 AM] Dionysis: what does it say?
[2013-09-03 2:20:43 AM] Nicolas: Python 2.7.2 (default, Oct 11 2012, 20:14:37) 
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>>
[2013-09-03 2:20:53 AM] Dionysis: ok it works, great
[2013-09-03 2:20:55 AM] Dionysis: so you already have python
[2013-09-03 2:21:00 AM] Dionysis: not hit ctrl + d to exit it
[2013-09-03 2:21:20 AM] Nicolas: Ok
[2013-09-03 2:21:57 AM] Dionysis: now*
[2013-09-03 2:26:32 AM] Nicolas: 10 more MB
[2013-09-03 2:26:42 AM] Dionysis: looking forward to it eh?
[2013-09-03 2:26:52 AM] Dionysis: ;P
[2013-09-03 2:27:09 AM] Nicolas: (Please don't tell anyone I stole a password, haha)
[2013-09-03 2:28:17 AM] Dionysis: haha don't worry I won't tell
[2013-09-03 2:28:18 AM] Dionysis: ;)
[2013-09-03 2:28:24 AM] Dionysis: okay so
[2013-09-03 2:28:27 AM] Dionysis: once you download this
[2013-09-03 2:28:28 AM] Dionysis: unzip it
[2013-09-03 2:28:31 AM] Dionysis: and open a terminal again
[2013-09-03 2:28:33 AM] Dionysis: you can't run it directly
[2013-09-03 2:29:47 AM] Nicolas: Alright I did
[2013-09-03 2:30:10 AM] Dionysis: ok so
[2013-09-03 2:30:11 AM] Dionysis: uh
[2013-09-03 2:30:17 AM] Dionysis: what is the folder you extracted this to?
[2013-09-03 2:30:22 AM] Dionysis: is it inside home, downloads, where?
[2013-09-03 2:30:23 AM] Nicolas: Downloads
[2013-09-03 2:30:24 AM] Dionysis: ok
[2013-09-03 2:30:28 AM] Dionysis: so the console should have something like
[2013-09-03 2:30:41 AM] Dionysis: nicolas@mac ~ %
[2013-09-03 2:30:42 AM] Dionysis: or something
[2013-09-03 2:30:44 AM] Dionysis: so type
[2013-09-03 2:30:46 AM] Dionysis: cd Downloads
[2013-09-03 2:30:47 AM] Dionysis: and hit enter
[2013-09-03 2:31:08 AM] Nicolas: and it showed me : Nicolas-MacBook-Pro:Downloads nicolas$
[2013-09-03 2:31:10 AM] Dionysis: cd is 'change directory'
[2013-09-03 2:31:11 AM] Dionysis: ok
[2013-09-03 2:31:16 AM] Dionysis: so you're at that directory now
[2013-09-03 2:31:20 AM] Dionysis: now enter the directory of the exploit
[2013-09-03 2:31:21 AM] Dionysis: cd Facebook-Cross-Site-X72-Vuln
[2013-09-03 2:31:37 AM] Nicolas: Ok
[2013-09-03 2:31:41 AM] Nicolas: ( Nicolas-MacBook-Pro:Facebook-Cross-Site-X72-Vuln nicolas$  )
[2013-09-03 2:32:13 AM] Dionysis: ok great
[2013-09-03 2:32:19 AM] Dionysis: so now run it
[2013-09-03 2:32:21 AM] Dionysis: like so:
[2013-09-03 2:32:30 AM] Dionysis: python fb-cs-x72.py
[2013-09-03 2:32:36 AM] Dionysis: and hit enter
[2013-09-03 2:32:44 AM] Dionysis: it should show instructions with what to do
[2013-09-03 2:32:51 AM] Dionysis: basically it should open a connected firefox browser
[2013-09-03 2:32:56 AM] Dionysis: so that you can do the report thing
[2013-09-03 2:33:16 AM] Nicolas: I have to agree
[2013-09-03 2:33:20 AM] Nicolas: to the terms above
[2013-09-03 2:33:22 AM] Dionysis: yeah just hit enter
[2013-09-03 2:33:31 AM] Dionysis: it's the usual stuff that exploits have
[2013-09-03 2:33:37 AM] Dionysis: it's "for educational purposes only" and shit
[2013-09-03 2:33:57 AM] Nicolas: browser can't be opened
[2013-09-03 2:34:03 AM] Dionysis: ah
[2013-09-03 2:34:04 AM] Dionysis: uh
[2013-09-03 2:34:06 AM] Dionysis: what does it say?
[2013-09-03 2:34:21 AM] Dionysis: oh um
[2013-09-03 2:34:23 AM] Dionysis: just open it yourself
[2013-09-03 2:34:29 AM] Dionysis: go to the directory of the exploit where you extracted it
[2013-09-03 2:34:35 AM] Dionysis: right click on the "browser" file
[2013-09-03 2:34:37 AM] Dionysis: and click open
[2013-09-03 2:34:58 AM] Dionysis: is the python script still running? if not you may have to re-run it
[2013-09-03 2:35:12 AM] Nicolas: Ok I opened it
[2013-09-03 2:35:26 AM] Nicolas: No I think I pressed ctrl+d and closed it
[2013-09-03 2:35:37 AM] Nicolas: Wait
[2013-09-03 2:35:45 AM] Dionysis: okay listen
[2013-09-03 2:35:49 AM] Dionysis: close the firefox browser
[2013-09-03 2:35:52 AM] Dionysis: close the terminal
[2013-09-03 2:35:53 AM] Dionysis: and start over
[2013-09-03 2:36:01 AM] Dionysis: it should be able to open the browser this time just fine
[2013-09-03 2:36:11 AM] Dionysis: re-open the terminal, use 'cd' as I showed you
[2013-09-03 2:36:16 AM] Dionysis: and then use the python line
[2013-09-03 2:36:23 AM] Dionysis: python fb-cs-x72.py
[2013-09-03 2:37:24 AM] Dionysis: works now?
[2013-09-03 2:37:57 AM] Nicolas: Yeah perfect
[2013-09-03 2:38:02 AM] Dionysis: ok
[2013-09-03 2:38:04 AM] Dionysis: browser opened?
[2013-09-03 2:38:08 AM] Nicolas: yes
[2013-09-03 2:38:10 AM] Nicolas: but here says
[2013-09-03 2:38:11 AM] Dionysis: alright seems like it works
[2013-09-03 2:38:19 AM] Nicolas: Press ENTER when the Report/Block window has been opened.
[2013-09-03 2:38:25 AM] Dionysis: yeah don't press enter yet
[2013-09-03 2:38:28 AM] Nicolas: but it's just the browser that opened
[2013-09-03 2:38:30 AM] Nicolas: ok
[2013-09-03 2:38:33 AM] Dionysis: yeah just go to her profile
[2013-09-03 2:38:37 AM] Dionysis: and click 'report/block'
[2013-09-03 2:38:46 AM] Dionysis: with your account
[2013-09-03 2:39:27 AM] Nicolas: ok
[2013-09-03 2:39:29 AM] Nicolas: I did
[2013-09-03 2:39:44 AM] Nicolas: enter?
[2013-09-03 2:39:58 AM] Dionysis: did you open the report window?
[2013-09-03 2:40:04 AM] Nicolas: Yes
[2013-09-03 2:40:08 AM] Nicolas: now I have 4 options.
[2013-09-03 2:40:25 AM] Nicolas: Hide Maria from news feed
[2013-09-03 2:40:27 AM] Nicolas: block Maria
[2013-09-03 2:40:31 AM] Nicolas: unfriend
[2013-09-03 2:40:34 AM] Nicolas: and submit a report
[2013-09-03 2:40:37 AM] Dionysis: okay
[2013-09-03 2:41:13 AM] Dionysis: [password retracted]
[2013-09-03 2:41:21 AM] Nicolas: haha
[2013-09-03 2:41:23 AM] Dionysis: that's all
[2013-09-03 2:41:26 AM] Dionysis: :)
[2013-09-03 2:41:28 AM] Nicolas: shit haha
[2013-09-03 2:41:44 AM] Dionysis: you're officially an idiot
[2013-09-03 2:41:45 AM] Dionysis: :P
[2013-09-03 2:41:47 AM] Nicolas: Now I'll have to trust you :D
[2013-09-03 2:41:55 AM] Dionysis: change your password mate
[2013-09-03 2:41:57 AM] Dionysis: :P
[2013-09-03 2:42:00 AM] Dionysis: and be more careful next time
[2013-09-03 2:42:14 AM] Nicolas: why?
[2013-09-03 2:42:22 AM] Dionysis: well, don't trust what everyone tells you
[2013-09-03 2:42:26 AM] Dionysis: you asked me to hack your Facebook account
[2013-09-03 2:42:27 AM] Dionysis: and I did
[2013-09-03 2:42:29 AM] Dionysis: so what do I get?
[2013-09-03 2:42:39 AM] Nicolas: haha
[2013-09-03 2:42:45 AM] Dionysis: that's how you hack
[2013-09-03 2:42:51 AM] Dionysis: you hack people
[2013-09-03 2:42:53 AM] Dionysis: obviously there's no software to hack Facebook
[2013-09-03 2:42:57 AM] Dionysis: don't be an idiot
[2013-09-03 2:43:09 AM] Dionysis: it's called "social engineering"
[2013-09-03 2:43:13 AM] Nicolas: That's embarrassing  :P
[2013-09-03 2:43:17 AM] Dionysis: Yes, it is.
[2013-09-03 2:43:18 AM] Dionysis: :P
[2013-09-03 2:43:38 AM] Nicolas: Cause you ruined my dreams
[2013-09-03 2:43:39 AM] Nicolas: haha
[2013-09-03 2:43:42 AM] Dionysis: So you asked me to hack your Facebook account, and I asked you if you're serious, you said "yes, just don't see my messages".
[2013-09-03 2:43:46 AM] Dionysis: After that the hacking began.
[2013-09-03 2:43:54 AM] Dionysis: The first part of the hack was to tell you I'd actually let you hack a different account.
[2013-09-03 2:44:00 AM] Dionysis: Psychology.
[2013-09-03 2:44:15 AM] Dionysis: Then I modified firefox to capture your password and send it to me, and sent the executable to you.
[2013-09-03 2:44:21 AM] Dionysis: Disguised a russian hacker.
[2013-09-03 2:44:39 AM] Dionysis: If I didn't tell you, you wouldn't even suspect that I had access to your account.
[2013-09-03 2:44:58 AM] Dionysis: Unless I posted a "Hacked by @Dionysis Zindros" status ;)
[2013-09-03 2:45:13 AM] Dionysis: The X72 explanation makes it more believable.
[2013-09-03 2:45:23 AM] Dionysis: And the warning messages on the executable… and the fact that you have to type console commands.
[2013-09-03 2:45:26 AM] Dionysis: None of that is necessary.
[2013-09-03 2:45:29 AM] Nicolas: Haha it was actually awesome
[2013-09-03 2:45:34 AM] Dionysis: Thanks, glad you liked it :)
[2013-09-03 2:45:41 AM] Dionysis: You can also delete John the ripper, you won't be needing it.
[2013-09-03 2:45:50 AM] Nicolas: Omg
[2013-09-03 2:45:50 AM] Nicolas: haha
[2013-09-03 2:45:53 AM] Nicolas: Alright
[2013-09-03 2:45:57 AM] Dionysis: Lesson learned? ;)
[2013-09-03 2:46:03 AM] Nicolas: Yes man ;)
[2013-09-03 2:46:23 AM] Nicolas: However, r u sure there is no software for hacking passwords though?
[2013-09-03 2:46:29 AM] Dionysis: hahaha
[2013-09-03 2:46:34 AM] Dionysis: yes I am sure
[2013-09-03 2:46:40 AM] Nicolas: Cool :P
[2013-09-03 2:46:43 AM] Dionysis: the way is psychology, not software
[2013-09-03 2:46:53 AM] Dionysis: Facebook is more secure than any of us are as people.
[2013-09-03 2:47:37 AM] Dionysis: Want to learn more about hacking?
[2013-09-03 2:47:44 AM] Dionysis: Study psychology and read this:
[2013-09-03 2:47:49 AM] Dionysis: http://www.amazon.com/The-Art-Deception-Controlling-Security/dp/076454280X
[2013-09-03 2:48:26 AM] Dionysis: I should tell Lefteris I hacked into your account after you challenged me to do it.
[2013-09-03 2:48:34 AM] Dionysis: When he asks me how I did it, I should say I asked you for your password and you gave it to me.
[2013-09-03 2:48:42 AM] Dionysis: Because that's exactly what happened.
[2013-09-03 2:48:43 AM] Nicolas: Haha
[2013-09-03 2:48:57 AM] Nicolas: If you don't tell him the second line
[2013-09-03 2:48:59 AM] Nicolas: you'll scare him
[2013-09-03 2:49:12 AM] Nicolas: :P
[2013-09-03 2:49:45 AM] Nicolas: Hey man did chris see the pass or was it just you?
[2013-09-03 2:49:58 AM] Nicolas: Because I have some other websites with that pass
[2013-09-03 2:50:06 AM] Nicolas: I'll need to change that all
[2013-09-03 2:51:32 AM] Dionysis: He doesn't remember it.
[2013-09-03 2:51:36 AM] Dionysis: I won't use it.
[2013-09-03 2:51:49 AM] Nicolas: Alright ;)
"

Awesome? Just social engineering! And 10 lines of JavaScript and Python!

How did this work?

Dionysis' steps:

1) Edited Firefox's code and added 10 lines of JavaScript that send the form input of the Facebook login page to his own page.

2) With Python, he launches the new (modified) Firefox and generates a hash with uuid. For this scenario the uuid hash is the "X72 hash".

3) Sends the file to the victim and waits for him to log in to his Facebook account. And, done! That's all!

This attack was not harmful, but it could easily have been. Dionysis performed it to show us that we should be more careful. Just keep in mind that in the same way, someone could gain full access to our computers rather than just to our Facebook accounts.

I shared this attack because I thought it was really interesting! I hope you enjoyed it as much as I did!

Here is the JavaScript code: http://pastebin.com/raw.php?i=ZDAbKQ35
And here is the Python code: http://pastebin.com/raw.php?i=sJDMDa2L



Thanks,

Nikos Danopoulos

Saturday, June 15, 2013

ChallengesLab on Hack.me!

Hello guys,

I am here to announce some good news. A new team (ChallengesLab) will publish a hacking challenge every week on one of the most popular hack-me sites: Hack.me.

What is hack.me !?

"Hack.me is a FREE, community based project powered by eLearnSecurity. The community can build, host and share vulnerable web application code for educational and research purposes. 
It aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMS's online. 
The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers"


Source: Hack.me

But in the first paragraph I said something about "ChallengesLab".

What is Challenges Lab!?

ChallengesLab is a new team that gives you the opportunity to exercise your skills by setting up hacking challenges for newbies and professionals. It is completely free! You only have to visit Hack.me and look for tags like "Challenge" and authors like "souvlakiteam". If you are not registered you won't be able to play; just register and enjoy the challenges. New challenges will be published every WEEK: one challenge per 7 days. I remind you that it's free and the purpose is to have fun and exercise your skills. The solution to every challenge will be published fifteen (15) days after the challenge is published, on the team's website. Unfortunately the site is not ready yet; it will be ready in a few days!

Is there any example/challenge to start with?

The answer is YES. The first challenge by ChallengesLab was published on the 14th of June. You can hack it here: Challenges lab 0x01! Give it a try and give us feedback! You can also send us an email with preferences, bugs and whatever you want at souvlakiteam@gmail.com.

Support, contact?

You can find us here:

TWITTER: @ChallengesLab
GMAIL: souvlakiteam@gmail.com


Thank you,

Nikos Danopoulos for ChallengesLab team.

Wednesday, December 26, 2012

"And a happy new (F)ear!" ...SslStrip said !

Hello,
Merry Christmas everyone! Today, 26/12/12, I will tell you a story which Mr. F told me yesterday. Actually, it's a horror story in which none of us would like to be the protagonist!

 Sit comfortably and pay attention.

"Mr. F was on holiday (since 23/12/12) and he wanted to go out for a coffee. He took his netbook's case, put on his jeans, and after an hour he was drinking a coffee at Syntagma Square (Attiki - Syntagma, Athens). While he was listening to the well-known horrible music of the coffee shop, he decided to turn on his Asus netbook and perform a simple port scan with his favorite port scanner, Nmap. At first he didn't notice anything, but after a while a huge list of available hosts was displayed on his 10.1-inch screen. 'Wow', he said, 'it's my lucky day.' After that, a crazy idea crossed Mr. F's mind. He called John (his best friend) to ask him to send SSLstrip via Dropbox. I'm sure everyone knows what Mr. F will attempt to do. While he was waiting for SSLstrip, he continued drinking his coffee and relaxing. Then he pressed 'F5' on his Dropbox account and suddenly saw a new folder named 'Sslstrip 0.9' with a tar.gz file inside. He extracted it, checked that everything worked, and started thinking.

He didn't type anything for 2 minutes. He was thinking: what must I do now? The final thought was to enable IP forwarding with the following command: $echo '1' > /proc/sys/net/ipv4/ip_forward. And that's what he entered. Then he checked that ip_forward was '1' instead of '0'. 'Everything is OK', he thought. After a while, he typed the 2nd command: $iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080. 'With the above command I will redirect requests from port 80 to port 8080, and I will be able to pass the connections on to their correct destination port.' After that, he was ready to type the 3rd command!

Read more: http://vishnuvalentino.com/hacking-tutorial/break-ssl-protection-using-sslstrip-and-backtrac
That was $arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1. With the above command he would be able to perform an ARP MITM attack between the target (192.168.1.7) and the host (192.168.1.1). You can easily notice that he didn't use broadcast arpspoof; the reason is that he actually tried it, but the network was crashing! 'Perfect!' he said, while he was watching the network traffic!



'I am ready', he said. 'I am ready to proceed to the final step!' Can you guess the final step? He only had to make SSLstrip listen on port 8080. 'Very easy', he said. 'I only have to type: $ python sslstrip.py -l 8080 and then I will wait as long as I need.'
He entered the command, drank his water (he had already finished his coffee) and waited for the magic moment!
  

He made some calls, browsed Facebook, played some mobile games, and after 20 minutes he decided to stop sslstrip and browse the .log file. The results were awesome. Banking, Facebook, eBay, Gmail and Hotmail accounts had been logged into the SSLstrip log file! He was able to access any account. He was ready to buy products, browse emails, transfer money and other things!
(Image: eBay account example)


After he finished with that, he closed his netbook, paid the waiter and left the coffee shop singing 'I wish you a Merry Christmas, I wish you a Merry Christmas ... and a Happy New (F)ear!!!'

Are you still here? Do you still feel safe with https? Mr. F hopes so. ;)

Thanks,
              Nikos Danopoulos


 
 

Sunday, December 23, 2012

Password Cracking : John The Ripper & Hashcat!


Hello everyone,

Today I'm going to show you how to crack MD4, MD5, SHA1 and other hash types using John the Ripper and Hashcat.

John The Ripper: "John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version."

Source: http://www.openwall.com/john/ 

Hashcat: "Hashcat is the world’s fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches."

Source: http://hashcat.net/wiki/doku.php?id=hashcat

Download John The Ripper (Jumbo 1.7.9): John The Ripper Jumbo 1.7.9
Download Hashcat (0.41): Hashcat v0.41

Install both John and Hashcat and we are ready to start.
It's time to launch them. Go to John's installation folder (JohnTheRipper-unstable-jumbo/run/) and type $ ./john to launch John.

Requirements for cracking a password with John: a wordlist and the password hash. Note that MD5 and SHA-1 are hashes, not encryption: there is no key to recover, so "cracking" means hashing candidate words and comparing the result with the hash you have.

Here is a site where you can convert a word into its MD5 hash.
In the following list you can find some great wordlists. (I suggest you use an English dictionary as the wordlist.)

ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/
ftp://ftp.openwall.com/pub/wordlists/
http://www.skullsecurity.org/wiki/index.php/Passwords

Now, it's time to try cracking passwords with John. We will use those passwords-hashes

 b326b5062b2f0e69046810717534cb09
 d41134fbdb1aacda7ccdb49ed3d33948
 37b4e2d82900d5e94b8da524fbeb33c0
 4ed5d2eaed1a1fadcc41ad1d58ed603e
 e09491aee3bd9ec02e805ffdac0beb12

Open your test.txt file and insert the above hashes, one per line. We also know that the passwords are stored as unsalted MD5 hashes.
 So we have a test.txt file with the hashes, and we know the hash format (raw MD5)!

1st CHALLENGE:

$./john --format=raw-md5 --single test.txt

--format=raw-md5 is the format/type of the hash (unsalted MD5 in this case)
--single is John's "single crack" mode: instead of a wordlist it derives candidates from the login names and GECOS fields stored next to each hash. Our file holds bare hashes with no usernames, so there is almost nothing to derive from, which is why this attempt finds nothing.



RESULT: 

 Loaded 5 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])


SCORE: Passwords 1 - 0 John

2nd CHALLENGE:

$./john --format=raw-md5 --wordlist=word_list_file.txt test.txt  

--wordlist=word_list_file.txt selects our wordlist (replace "word_list_file.txt" with your wordlist's file name)

RESULT: 

Loaded 5 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])
city             (4)
scary            (2)
observation    (5) 
true             (1)
football         (3)

 



SCORE: Passwords 1 - 1 John the Ripper!

If you wish to see your cracked hashes you can type:
$./john --show --format=raw-md5 test.txt 

What about cracking some SHA-1 hashes? For SHA-1 I will use the following hashes:

52c281dfd1301b71d268ecc736ee500502a2be87
14012cd1b375ede06f6334b34167397cb7be4265
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8
8eec7bc461808e0b8a28783d0bec1a3a22eb0821
b363713a938afcd3c74603827fab79e935b2b09b 

 3rd CHALLENGE:

$./john --format=raw-sha1 --wordlist=wordlist_file.txt test.txt

--format=raw-sha1 means the hash type is unsalted SHA-1

Loaded 5 password hashes with no different salts (Raw SHA-1 [128/128 SSE2 4x])
auto             (?)
reincarnation    (?)
manual           (?)
respect          (?)
security         (?) 




SCORE:  Passwords 1 - 2 John The Ripper



OK, now it's time to crack some passwords with Hashcat. We will use the same hashes as before.

 b326b5062b2f0e69046810717534cb09
 d41134fbdb1aacda7ccdb49ed3d33948
 37b4e2d82900d5e94b8da524fbeb33c0
 4ed5d2eaed1a1fadcc41ad1d58ed603e
 e09491aee3bd9ec02e805ffdac0beb12

1st CHALLENGE:

$./hashcat-cli32.bin 'test.txt' 'wordlistfile.txt' 

'test.txt' is the file containing the hashes
'wordlistfile.txt' is the wordlist
No hash type is given here; hashcat assumes MD5 when -m is omitted, which is why this works. The next challenge makes the type explicit.

 RESULT:

Added hashes from file test.txt: 5 (1 salts)

NOTE: press enter for status-screen

e09491aee3bd9ec02e805ffdac0beb12:observation
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
b326b5062b2f0e69046810717534cb09:true
37b4e2d82900d5e94b8da524fbeb33c0:football
d41134fbdb1aacda7ccdb49ed3d33948:scary


All hashes have been recovered




SCORE: Passwords 0 - 1 Hashcat

2nd CHALLENGE:

$./hashcat-cli32.bin -m0 'test.txt' 'wordlistfile.txt' 

-m0 selects the hash type: -m means we want to crack a specific type of hash and 0 means the type is MD5.

RESULT:


Added hashes from file test.txt: 5 (1 salts)

NOTE: press enter for status-screen

e09491aee3bd9ec02e805ffdac0beb12:observation
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
b326b5062b2f0e69046810717534cb09:true
37b4e2d82900d5e94b8da524fbeb33c0:football
d41134fbdb1aacda7ccdb49ed3d33948:scary
All hashes have been recovered

 


SCORE: Passwords 0 - 2 Hashcat   


3rd CHALLENGE:

In this challenge we will crack SHA-1 hashes. We will use the same hashes as before.


52c281dfd1301b71d268ecc736ee500502a2be87
14012cd1b375ede06f6334b34167397cb7be4265
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8
8eec7bc461808e0b8a28783d0bec1a3a22eb0821
b363713a938afcd3c74603827fab79e935b2b09b 

$./hashcat-cli32.bin -m100 'test.txt' 'wordlistfile.txt'

-m100 means we want to crack SHA-1 hashes (hash type 100 = SHA-1).

RESULT:

14012cd1b375ede06f6334b34167397cb7be4265:respect
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8:auto
8eec7bc461808e0b8a28783d0bec1a3a22eb0821:security
52c281dfd1301b71d268ecc736ee500502a2be87:reincarnation
All hashes have been recovered

(Only four of the five result lines survived in the pasted output. The missing hash, b363713a938afcd3c74603827fab79e935b2b09b, is "manual", as John's run above shows.)



 
SCORE: Passwords 0 - 3 Hashcat


 Many people believe that Hashcat is faster and simpler, and that's true! After the above results, what's your opinion? Keep in mind that both tools finished instantly here because the hashes are unsalted MD5/SHA-1 and the passwords are plain dictionary words; a salted, deliberately slow hash (bcrypt, scrypt) and a non-dictionary password make the same attack enormously more expensive.
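To show what both tools actually did in the challenges above, here is an added example (my own code, not part of the original post or of John/Hashcat) that performs the same wordlist attack against unsalted MD5 or SHA-1 hashes: it hashes every candidate, applies a few cheap mangling rules of the kind John's rules engine uses, and looks each digest up in the set of targets. The five MD5 hashes are the ones from the post; the small wordlist is constructed for the example and stands in for the dictionary files linked above.

```python
import hashlib

# Constructed sample: the five unsalted MD5 hashes from the post above,
# as they would sit in test.txt (one per line).
SAMPLE_MD5 = [
    "b326b5062b2f0e69046810717534cb09",
    "d41134fbdb1aacda7ccdb49ed3d33948",
    "37b4e2d82900d5e94b8da524fbeb33c0",
    "4ed5d2eaed1a1fadcc41ad1d58ed603e",
    "e09491aee3bd9ec02e805ffdac0beb12",
]

# Constructed mini wordlist standing in for the dictionary files linked above.
WORDLIST = ["password", "letmein", "city", "scary", "observation", "true",
            "football", "security", "auto"]


def hash_word(word, algo="md5"):
    """Hex digest of `word` under an unsalted hashlib algorithm ('md5', 'sha1', ...)."""
    return hashlib.new(algo, word.encode("utf-8")).hexdigest()


def mangle(word):
    """Cheap rules in the spirit of John's wordlist rules: the word as-is,
    capitalised and upper-cased, each also with a single digit appended."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for digit in "0123456789":
            yield base + digit


def crack(hashes, wordlist, algo="md5"):
    """Dictionary attack: hash every candidate and look it up in the set of
    targets. Returns {hash: plaintext} for every hash that was hit.
    Because the hashes are unsalted, one digest per candidate tests all of
    them at once; a per-user salt would multiply the work by the number of
    hashes, and a slow hash (bcrypt, scrypt) by its cost factor."""
    pending = {h.strip().lower() for h in hashes if h.strip()}
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            if not pending:
                return found
            digest = hash_word(candidate, algo)
            if digest in pending:
                found[digest] = candidate
                pending.discard(digest)
    return found


def show(found, hashes):
    """hashcat-style 'hash:plaintext' lines, in the order of the input file."""
    return [f"{h}:{found[h]}" for h in hashes if h in found]


if __name__ == "__main__":
    for line in show(crack(SAMPLE_MD5, WORDLIST, "md5"), SAMPLE_MD5):
        print(line)
```

Swap `"md5"` for `"sha1"` and feed it the SHA-1 list to reproduce the third challenge; the only thing that changes is the digest function, which is exactly why `--format`/`-m` must match the hash type.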


Thanks,
               Nikos Danopoulos
 
 


Tuesday, December 4, 2012

Identify, scan & exploit a Windows system

Hello everyone,

    The following tutorial is based on a realistic scenario, and I'm going to show you how to identify, scan and exploit a Windows XP host.
    The victim runs Windows XP and the attacker runs Linux Mint 13 (Maya).
   
    So, the first step is to identify the live hosts on the network we are attacking. Classically a live host is one that answers an ICMP echo request (ping), although Nmap's host discovery also uses ARP on the local segment and TCP probes, so hosts that drop ICMP can still be found. For further information about ICMP, have a look here ( http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ).
   
     Let's say the network is 10.50.97.0/24. To find live hosts, launch nmap ( http://nmap.org/ ) and run the following command:
   
    $ sudo nmap -v 10.50.97.0/24 

  The output should be something like this:
   


   

    The above command performs host discovery and then a port scan of every address from 10.50.97.0 to 10.50.97.255 (-v only makes the output verbose). If you want host discovery only, without the port scan, replace -v with -sn.

   
    After finding the alive hosts we have to identify their Operating Systems. To do this just type:

$ sudo nmap -O [alive host's ip]
   
    With the above command you ask for operating system detection (-O). My output looks like this:

  
     After a quick check of the output we can tell the target's OS.
   
    After identifying the host we have to scan it for open ports, services and vulnerabilities. You can check for open ports and services by typing:

$ sudo nmap -sV [target's ip].

    The above command probes the open ports to determine service and version information.
   
   
   
   Now, after gathering this information, we run a vulnerability scan to confirm the open ports, collect more details and find common vulnerabilities that we will try to exploit later.
  
   To do this, launch a vulnerability scan with Nessus.
  
   Wait a couple of minutes. After the vulnerability scan has completed, check the report.
  
  
  OK! Here is the information we have:

  1) Vulnerable host's IP
  2) Target's operating system
  3) Service information
  4) Open ports, other details, vulnerabilities
 
  The next step is to run the Metasploit Framework. With Metasploit we will exploit the target's vulnerabilities.
  So, after launching Metasploit we select the exploit we need (check your Nessus report for the vulnerability and its matching exploit name). In this case, I'm going to use the "ms08_067" exploit, which targets the MS08-067 Server service vulnerability over SMB (TCP port 445). To do this, type at the Metasploit prompt:

  "use exploit/windows/smb/ms08_067_netapi"
 
  'use' is the command which says to metasploit which exploit to use.
 
  Now, type "show options" to see your exploit's options. Fill in the required fields, such as "RHOST" (the target's IP) and "RPORT" (445 by default), like in the following example:


After completing the above step it's time to run our exploit. To do this, just type "exploit" and wait for it to run.
 
  The following picture is an example of my metasploit session.

 
 

 
  Once the meterpreter session is open you can easily take screenshots of the target machine by typing
  "screenshot", dump the local account password hashes with "hashdump" (LM/NTLM hashes, not plaintext passwords, so they still have to be cracked, as in the John/Hashcat post above) and do other cool things!
                                                                     
 
  Have your coffee and enjoy your meterpreter session!
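The discovery and service-scan steps above produce a lot of output per host; in practice you save it with Nmap's grepable format (`-oG`) and pick the candidates out programmatically. As an added example (my own code, not from the original post, Nmap or Metasploit), the following parses `-oG` output into a per-host table and selects the live Windows hosts with 445/tcp open, which are the ones worth trying against exploit/windows/smb/ms08_067_netapi. The scan text is a constructed sample; the hosts, ports and OS guesses in it are invented.

```python
# Constructed sample of grepable output (`nmap -sV -O -oG - 10.50.97.0/24`);
# the hosts, ports and OS guesses are invented for the example.
SAMPLE_GNMAP = """\
# Nmap 6.00 scan initiated (constructed sample)
Host: 10.50.97.5 ()\tStatus: Up
Host: 10.50.97.5 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds//Microsoft Windows XP microsoft-ds/\tIgnored State: closed (997)\tOS: Microsoft Windows XP SP2 or SP3
Host: 10.50.97.7 ()\tStatus: Up
Host: 10.50.97.7 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.9p1 Debian 5ubuntu1 (protocol 2.0)/, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)\tOS: Linux 3.2 - 3.5
# Nmap done at (constructed sample)
"""


def parse_gnmap(text):
    """Parse the 'Host:' lines of nmap -oG output into {ip: {status, os, ports}}.
    Fields are tab-separated 'Key: value' pairs; each port entry has the form
    port/state/protocol/owner/service/rpcinfo/version/."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        entry = hosts.setdefault(ip, {"status": None, "os": None, "ports": []})
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["status"] = value
            elif key == "OS":
                entry["os"] = value
            elif key == "Ports":
                for item in value.split(", "):
                    port, state, proto, _owner, service, _rpc, version = item.split("/", 6)
                    entry["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version.rstrip("/"),
                    })
    return hosts


def open_ports(entry, proto="tcp"):
    """Sorted list of ports reported 'open' for the given protocol."""
    return sorted(p["port"] for p in entry["ports"]
                  if p["state"] == "open" and p["proto"] == proto)


def smb_targets(hosts):
    """Live hosts with 445/tcp open and a Windows OS guess: the candidates for
    MS08-067 (exploit/windows/smb/ms08_067_netapi, RPORT 445 by default).
    A 'filtered' 445 does not count: the exploit needs a reachable SMB service."""
    return {
        ip: entry["os"]
        for ip, entry in hosts.items()
        if entry["status"] == "Up"
        and 445 in open_ports(entry)
        and "Windows" in (entry["os"] or "")
    }


if __name__ == "__main__":
    table = parse_gnmap(SAMPLE_GNMAP)
    for ip, entry in sorted(table.items()):
        print(ip, entry["status"], entry["os"], open_ports(entry))
    print("MS08-067 candidates:", smb_targets(table))
```

Run the real scan as `sudo nmap -sV -O -oG scan.gnmap 10.50.97.0/24` and feed the file's contents to `parse_gnmap`; the OS guess only appears when `-O` was used, so without it the Windows filter matches nothing, by design.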
 
  Thanks,
      Nikos Danopoulos

Sunday, November 4, 2012

Dive into netdiscover tool

Hello, hello,

In this tutorial we are going to introduce the netdiscover tool.

  What is netdiscover?!
 
/* Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without dhcp server when you are wardriving. It can be also used on hub/switched networks. Built on top of libnet and libpcap, it can passively detect online hosts, or search for them, by actively sending arp requests, it can also be used to inspect your network arp traffic, or find network addresses using auto scan mode, which will scan for common local networks. */ So, that's what the official site of netdiscover says about this
powerful tool. The developer is Jaime Peñalba. Netdiscover is available and you can download it here


So, when you are connected to a local network and just want to know the other hosts' IPs, MACs and other basic information, you can simply
run netdiscover from your terminal/konsole on Linux. Very handy, isn't it?

It's time for the "theory" part.
You may have seen some unfamiliar words above, such as "IP", "MAC" and "ARP request". Here is what they mean:

/*1) IP (Internet Protocol): the protocol used to relay packets across the Internet. IP sits at the Internet layer of the DoD model and carries data from the source host to the destination based on their addresses.*/

/*2) MAC (physical address / hardware address): a 48-bit address written in hexadecimal, used to deliver frames to a destination on the local link. When
a host wants to send a packet to another host on the same network it needs the destination's MAC address; if it doesn't know it, it sends a *3) ARP request. An ARP request is a broadcast asking for the MAC address of the host with a specific IP. The host with that IP then replies with its MAC address.*/

So let's dive into netdiscover tool

In the following scenario I use IP 192.168.1.67,so change my IP with yours.

1) Type "$ netdiscover --help" in the terminal to see the available options. Have a look; we are going to explain some of them.
2) To find other hosts you have to use your network interface. Mine is wlan0; type "$ ifconfig" to check yours.
3) After finding your IP and your interface, type "$ netdiscover -i [interface goes here]". The -i option specifies the interface we are going to use. With no range given, netdiscover runs in auto scan mode and sweeps the common private networks, starting with 192.168.0.0 to 192.168.255.255. But let's see what you do if you want to scan a specific range.

4) For that you use the "-r" option. This scans a given range instead of auto scanning. For example,
"$ netdiscover -i [interface goes here] -r 192.168.2.0/24" means netdiscover will scan from 192.168.2.0 to 192.168.2.255. If you want to scan from 192.0.0.0 to 192.255.255.255 use /8 instead of /16 or /24, but keep in mind that a /8 is about 16 million addresses, so it takes a very long time.

5) If you have the ranges in a file you can simply use the "-l" option. This loads the IP ranges written in the file
and then scans them.

6) If you only want to sniff instead of sending anything, use the "-p" option (passive mode). For example "$ netdiscover -i wlan0 -r 192.168.0.0/16 -p". This sends no ARP requests and just listens for ARP traffic, so it reveals only hosts that happen to talk while you watch.

7) Another awesome option is "-F", which lets you customize the pcap filter expression. The default is "arp"; we talked about ARP before at /*3)*/.

8) With "-s" you can set the sleep time between ARP packets.

9) You can set the number of times each ARP request is sent with "-c". That's helpful when you have packet loss.

10) Don't have much time? Just use "-f". That enables fast mode scanning ;)

11) With "-P" you can print the results in a format suitable for parsing by another program.

So, as you can see, netdiscover has many options. It's useful and fast! I suggest you install it ;)

Here are some screenshots of the examples used above...

Here we use the "-f" option for fast scanning... The results are the same, only faster ;)

Here you can see all the available options of netdiscover, by running it with "--help"
In this picture we are using the "-r" option for the specific range 192.168.0.0


Thank you,
Nikos Danopoulos