» MITM

Todos for this week …

carrumba — Mon, 06 Dec 2010 09:32:05 +0000

G’morning.

I’ll spend my time this week on a new tool for MITM attack on HTTP layer. This asks for (Win)Pcap skills which I still don’t really posses even after some days of black belt ninja Pcap-Training. Maybe the basics to build a sniffer and parse the packet data are there but it’s not enough yet to digg deeper.

And to conclude this post … In case you havn’t notice : today is the 6. December. As an advice from a traumatised, santa damaged adult :
If you see this guy wandering around don’t hesitate. Steal his peach!

Have a good week …

OpenProxy PERL script

carrumba — Wed, 13 Oct 2010 12:04:23 +0000


Tool name :	OpenProxy

Description :	OpenProxy is a small PERL HTTP proxy server script. It listens on the well known proxy ports and waits for incoming requests. The idea behind this script is to filter out the interesting traffic like HTTP/FTP authentication data and eavesdrop connections where the HTTP proxy is used for cloaking purpose (IRC).

Tested on :	Linux/PERL v5.8.8

Feedback :	In case you encounter any problems with the tool, you have suggestions to improve it, or you tested it with a Windows version i’ve not yet tested please drop me an email.

Downloads :	Version 0.1 – Source

The man in the middle

carrumba — Sat, 28 Aug 2010 19:28:03 +0000

The last weeks I was tinkering around on an old HTTP proxy skript I wrote about one year ago. This script doesn’t contain any rocket science skills and you have the same or probably even more functionality with any other HTTP proxy. Implementing the server in PERL allows me to extend, modify and adjust it according the required needs. I wanted to analyse the traffic caused by people who want to be anonymised and are sitting behind an identity obscuring proxy server, to find out what they are (bots, scripts, humans), what they do and why they want to obscure their identity.
In this post you find an houerly updated statistic from the data collected during two days and some addintional info about what this statistic wants to tell us.

Generated on

October 13 2010 13:11:26

Total requests	1115784

Proxy port	Total requests
8000	277183
8080	265029
3128	573559

Basic HTTP authentication

About 90% of the clients using the Basic HTTP method try to authenticate on servers with pornographic content. And most of these authentication requests belong to a login hacking attack and don’t contain valid user credentials.

Among all these login hack requests we find also successful login attemps. Mostly these authentication requests were typed in by humans and not by scripts and they didn’t authenticate on a porn server. If we filter out all these login hacking attempts we get a hand full of valid user accounts.

Requests	URL
1570	www.fetishliza.com
1478	members.teamskeet.com
1116	www.southern-charms3.com
611	sexstationtv.com
516	members.korny.adultbouncer.com
509	southeastsoles.com
449	nudesandnature.com
449	strapon-hell.com
388	www.humiliatrix.com
339	www.young-goddess.com
239	members.glamour.cz

HTML GET authentication

With the GET login requests we encounter a similar situation as with the Basic HTTP authentication. Most of the requests belong to login hacking attempts. Many of these attempts are executed on yahoo servers as they probably don’t identify automated login atempts as Google does. If you browse through the logs and ignore the sites with more than 2 or 3 requests chances are good you find valid requests typed by a humans.

Requests	URL
928	195.122.131.36
178	one-cpm.fr.nf
169	195.122.131.24
158	n4.login.re3.yahoo.com
132	login.korea.yahoo.com
117	195.122.131.30
102	l10.member.sp1.yahoo.com
101	login.india.yahoo.com
99	login.vip.kr3.yahoo.com
97	l16.member.sg1.yahoo.com
96	l09.member.tw1.yahoo.com

HTML POST authentication

The POST requests don’t really differ from the GET login requests. Ignore the sites with many login atempts and focus on the others with only a few requests. Also here you will probably stumble on valid user account data.

Requests	URL
2312	209.222.7.232
1087	174.140.154.23
718	209.222.7.235
580	hotfile.com
522	megaporn.com
496	79.143.184.247
372	209.222.148.141
327	174.140.154.12
165	174.140.154.18
147	174.140.154.14
106	m.upcoming.yahoo.com

Most active clients

We have not yet linked the clients to the servers or URLs and a reverse lookup of a client is mostly not possible. With help of a WhoIs lookup we can at least find out the clients country code and determine which countries have the most actives clients.

Requests	URL (Country code)
13228	216.245.196.122 (US)
9507	109.87.45.228 ()
8791	109.86.246.136 ()
8349	208.115.219.10 (US)
8278	74.63.192.66 (US)
6032	173.203.240.43 ()
5924	81.24.89.14 (ru)
4247	89.250.157.196 (RU)
3887	221.233.192.72 (CN)
3783	86.62.248.210 (qa)
3582	91.207.6.26 (UA)

Most requested servers

Looking at the servers hostname we can estimate what function a server may has. Considering our top 10 list it is not the typical stuff like mail or news people want to get while sitting behind a anonymising proxy. Instead advertisement seems to be the main reason using an HTTP proxy. You can see as well that Google even behind a proxy is a popular server. But after evaluating the passed search strings the users rather want to check if the proxy server works properly instead of searching stuff on the net. And the wired search strings tell us that the requests were executed automatically by a script and not by humans.

Requests	URL
22276	login.icq.com
17425	www.google.com
16060	ad.yieldmanager.com
14892	content.yieldmanager.com
10282	ad.reduxmedia.com
3078	home.uasar.org.ua
2835	ak1.abmr.net
2220	ad.xtendmedia.com
2176	www.adparlor.com
1995	ad.spot200.com
1972	www.besthitsnow.com

Most requested URLs by a system

When this page was created the most requested URLs were WebBugs, login hack attempts and mainly URLs to ad-servers containing either banners or javascript code that requests banners. The big picture gets clearer and we see that advertisers seem to appreciate the obscuring services of anonymising proxy servers.

Requests	URL
22276	http://login.icq.com:443 …
11911	http://content.yieldmanager.com/ak/q.gif …
1901	http://snandart.com:443 …
1836	http://proxylist.co:443 …
1509	http://www.google.com/intl/de/ads/ …
1476	http://members.teamskeet.com/ …
1363	http://www.google.de/about.html …
1297	http://botmasternet.com/proxy/http/engine.php …
1286	http://www.google.com/accounts/TOS?loc=DE …
1185	http://www.google.com:443 …
910	http://flashsexclips.com/proxy5/check.php …

Most comunicating systems

This overview shows which system likes which server and how often a request was sent from one to the other. The eye-catching thing here is that the source address is mostly located in China or in the USA and the requested server hosts advertisement… images, banners, scripts, etc.

Requests	Source	Destination
5924	81.24.89.14	login.icq.com
4247	89.250.157.196	login.icq.com
3783	86.62.248.210	login.icq.com
3478	81.4.136.2	login.icq.com
3474	216.245.196.122	content.yieldmanager.com
3078	93.126.101.119	home.uasar.org.ua
3026	204.124.183.90	www.google.com
2917	216.245.196.122	ad.yieldmanager.com
2726	62.228.153.82	login.icq.com
2705	173.236.70.187	www.google.com
2636	74.63.192.66	ad.reduxmedia.com

Most called URLs by a system

This overview shows which system likes which URL and how often a URL on a specific server was requested by a particular client system. The situation here is the same as in the paragraph above. The client sits somewhere in the USA or China and the destination server is involved in advertisement.


Requests	Source	URL
5924	81.24.89.14	http://login.icq.com:443 …
4247	89.250.157.196	http://login.icq.com:443 …
3783	86.62.248.210	http://login.icq.com:443 …
3478	81.4.136.2	http://login.icq.com:443 …
2726	62.228.153.82	http://login.icq.com:443 …
2672	216.245.196.122	http://content.yieldmanager.com/ak/q.gif …
1836	173.234.51.29	http://proxylist.co:443 …
1568	74.63.192.66	http://content.yieldmanager.com/ak/q.gif …
1509	208.115.219.10	http://content.yieldmanager.com/ak/q.gif …
1476	187.132.45.238	http://members.teamskeet.com/ …
1238	84.19.161.108	http://snandart.com:443 …

Most called destination ports

As the proxy server supports the CONNECT method clients are allowed to establish a TCP connection to any port. CONNECT is normally used to tunnel HTTPS through a proxy server. Spamers like to use it to SMTP servers and people + bots like this method to connect to IRC servers. This is the reason why beside port 80 and 443 also other, sometimes rather exocit ports, are listed.

Requests	Dest. port
1072189	80 (www)
39426	443 (https)
2730	25 (smtp)
485	6667 (ircd)
153	6112 (starcraft)
123	6668 (ircd)
120	6666 (ircd)
83	7000 (afs3-fileserver)
70	8080 (webcache)
58	33033 ()
48	81 ()
43	6669 (ircd)
29	6665 (ircd)
22	8018 ()
16	12350 ()
15	2866 ()

The bottom line

At the beginning I thought it would be easy fishing user accounts out of the data streams. But after some tests I noticed that the major part of the traffic was automated and related to advertisement in one or another way. There is not much sensitive data to catch. In a second step I tried to redirect all the clients to the Megapanzer web page to see how the traffic load changes and if some users will start browsing the page. But also this Plan didn’t work out as expected.

So obviously humans don’t like to use HTTP proxys which they have to configure somewhere in the browser properties. Either it is to complicated or there is an easier way to use a proxy as web proxies for example. You can find real user traffic but in a very low quantity. Also the Automated traffic originates often from login hacking scripts. A proxy suppressing the clients real identity makes the the attackers feel safer.

The heavy users are the advertisers. They are responsible for the major part of the requests passing the proxy and that sometimes let my inet link collapse. But for what reason actually? Why don’t they connect directly to the destination servers so they don’t rely on an instable and unreliable node in between? After pondering for a while and searching for a plausible answer the only reason I can imagine is to keep the click rate on their advertisements higher than it really is. An advertiser like xapads.com or defaultimg.com can ensure their customers a high amount of clicks and views per day what makes them as an advertisement partner more valuable. Or the customers pay these ads companies according the “Costs per impression” model. Then the clicks are generated by scripts running somewhere on a server in China or in the USA. For example if you have a list containing 1000 proxy servers and your customers pay you $20 CPM, the advertiser “could” earn this money in one day. 20$ * 30 makes 600$ a month. Serving ten customers for 30 days makes a nice amount at the end of the month.
But this is only an assumption. Any better ideas? Suggestions?

Defeating SSL using SSLStrip

carrumba — Tue, 11 Aug 2009 11:32:45 +0000

At BlackHat DC 2009 Moxie Marlinspike demonstrated how to subvert HTTPS with SSLStrip. SSLStrip intercepts HTTP traffic, watches for HTTPS links inside the data stream and maps these HTTPS links to HTTP. Whenever a victim clicks on such a mapped HTTPS link SSLStrip will notice it and act as a HTTP2HTTPS proxy server. All the data is available in cleartext to SSLStrip and an attacker can use this circumstance to his advantage.

If I find the time I will port the SSLStrip features to PERL to merge it with the HTTP proxy script I wrote to observe spam and anonymized traffic.

Here is the SSLStrip 0.4 packet from the local archive on Megapanzer.

This is the link to Moxie’s page.

See SSLStrip in action here :

Nine ways how hackers propagate malware (2 of 2)

carrumba — Wed, 06 May 2009 23:44:05 +0000

In the first part of this series I wrote about the different ways how attackers propagate malware by sending an infectious executable file or an USB memory stick to their victims or let them pick up an infected file in a file sharing network like emule or bittorrent.
In this article, as promised in the first part, I want to explain how to propagate and inject malware by taking over a victims data stream.

There are two ways how to take over a data stream. From the inside of the victims network (LAN) or from the outside (the Internet). Both of these tactics have their advantages, disadvantages and methods how to proceed which I will explain in the following paragraphs. I wont go too deep into details and technical aspects. Otherwise I had to split this article again in a second and a third part because it would blow it up overly. I will explain the technical aspects in an other article independent from this series and will add example tools and source code where possible.

Attacking the victims home LAN

Beside the fact that home Internet routers are generally weaker protected than corporate Internet access appliances one of the weak links in home routers is often the integrated wireless access point. Sometimes the Internet routers are delivered with the WLAN module activated and only protected by the default settings. Other times the owner activates the WLAN himself and chooses an insecure password or an insecure protection standard like WEP or nowadays also WPA has its weakness. If one of these preconditions is the case chances are good an attacker will overcome the protection mechanisms. Once he is connected with the victims local network over the WLAN several not too complicated scenarios exists to take over the data stream.

Method 5 : Taking over the DNS

The Internet doesn’t understand host names like www.megapanzer.com. Instead it uses IP addresses like 194.208.66.33. And because we are to lazy to remember these irritating IP addresses and prefer the significant hostnames instead the DNS maps between this addressing conventions. Everytime you want to connect to the megapanzer server www.megapanzer.com your computer has to ask a DNS server under which IP address this server is reachable. It doesn’t take too much imagination taking over the DNS service in a victims LAN is the key to the power. Once an attacker controls the DNS, for example by injecting faked DNS response, he controls where the data stream is directed. Traffic destined for ebanking.ubs.com can easily be redirected to an attackers server.

Method 6 : Acting as default gateway

The computers in an ethernet based LAN don’t communicate by IP their addresses. IP addresses are used in the Internet but not inside a small, ethernet based home LAN. Ethernet is using MAC addresses. So every network adapter connected to a computer was assigned once a unique MAC address by its manufacturer. The computers in a LAN constantly tell each other what MAC address and what IP address they have and they keep this information in their memory for a while. Also WLAN adapters support the ethernet standard and have therefore MAC addresses. The only difference between wired and wireless network adapters is the medium (air and copper) they are using, the first layer in the OSI model. From layer 2 on they work exactly the same way.
This situation allows an attacker to spread wrong information inside a LAN and telling every computer HIS computer is the router that leads to the Internet. Afterwards every computer sends its data packets to the attacker instead to the real Internet router. The attacker takes over the data stream and can do with it whatever he wants. Relaying, modifying, blocking …

To give you an idea how this two examples lead to a successful data injection just imagine you as a victim want to download an executable file via your browser. You click on a specific link and are expecting the browser will download this file. An attacker can intercept your request and instead of sending back the real executable the trojan horse will be injected and disguised to make it look unsuspicious. Even if sceptics think you could check the hash checksum also them know only a small percentage really does it and the check sums are not provided everytime.

Method 7 : Intruding the victims Internet router

As you saw in the previous examples the Internet access router is the central point. These attacks were conducted from the internal part of the network. There is also an external part of the network which attackers can reach and attack over the Internet.
Still a big number of home Internet routers are accessible over the Internet and offer a user interface for administration purposes. Often over HTTP/HTTPS and also Telnet and SSH. But private users are not known for having a IT security policy they have to respect. So you can think of several situations you encounter when connecting to a home router:

The admin interface acces is blocked
The admin interface access is open but unprotected
The admin interface access is open and protected with the default account settings
The admin interface access is open and protected with a new password

These sittuations invite an attacker to invest some time and trying to crack the password by a bruteforce or dictionary attack.
Once this obstacle was overcome by an attacker he has the control over the appliance, the place where all the data passes to and from the Internet. As an example how the stream can be controled by the attacker think of the DNS service from the two previous examples. The attacker can configure the Internet router that way to redirect all the DNS requests to a DNS server that is controlled by the attacker.

Method 8 : Anonymizing proxy server data injection

TOR and I2P, to mention the most famous amongst them, are quite popular anonymizing services. You install the proxy software on your computer, customize your browser a little and you surf the net anonymously. But the anonymizing services have the problem when the data stream reenters the regular Internet again you don’t know if and who is reading or maybe even manipulating your data stream.
At least in the open and anonymizing proxy chains it is an easy game to infiltrate other peoples data stream, to read it, to manipulate it and to inject data they never requested (read here).

Method 9 : DNS cache poisoning

I would consider DNS cache poisoning as a rather esotherical method that maybe worked one day. But then I remember just too good when Dan Kaminsky discovered and published the DNS poisoning vulnerability. But as with TCP/IP spoofing, the Sendmail Debug or CGI/PHF vulnerabilities, it just doesn’t happen anymore.

DNS cache poisoning is a technique to convince for example a big ISPs DNS server, like the one from Bluewin (the biggest access provider in Switzerland), a hostname outside of their domain like ebanking.ubs.com is reachable under the IP address 192.168.1.1. Of course this is the wrong IP address but all the Bluewin users who ask this DNS server for the IP address of ebanking.ubs.com will see this answer. by using DNS cache poisoning an attacker could redirect the data packets from the Bluewin users to a destination of his choice. He controls the stream.

Source : Modifying the hosts entry on Windows

carrumba — Fri, 06 Mar 2009 20:13:15 +0000

Below, you can find a link to the source code with the function(s) to add and remove entries in the Windows hosts file.

panzer_modifyhostsfile.cpp

Source : Change DNS server settings

carrumba — Fri, 06 Mar 2009 19:21:51 +0000

Below, you can find a link to the source code with the function(s) to modify the DNS server settings on a Windows system.

panzer_setdnsserver.cpp

DNS reconfiguration

carrumba — Wed, 04 Mar 2009 16:33:48 +0000

Undeniable the DNS (domain name system) is the Achilles heel of the Internet and the day this system fails, for whatsoever reason, we stuck in deep problems. We had to memorize IP addresses to connect to computers in the network and the situation would become even worse because the world hat to work withouht the HTTP (HyperText Transfer Protocol) virtual hosts we had to use IPv6 addresses (or maybe this situation would kill the world wide webs popularity and the growth of the net had been much smaller). Generally spoken this means : whoever controls the DNS, controls the data stream and has the power. This is the ideal point for attackers to start simple but very effective attacks.

An attacker can replace the DNS server entry by a server that is controlled by himself or modify the hosts file (this file exists on UNIX and Windows). That way an attacker can redirect the traffic for a specific host to a system that is controlled by him and send the requests afterwards to the real system.

This is a typical and straightforward MITM (Man In The Middle) attack. As long as the victim is not using an encrypted connection the attacker can read all the transmitted data and can extract sensitive data like user access credentials or the balance of the bank account.

SOURCE : modify DNS server entry

SOURCE : modify hosts entries