Wednesday, October 30, 2013

HTTP Referer Spoofing, don't get confused, don't worry, Block or Avoid

HTTP Referer?
It's an optional HTTP request header, set to a URI, that tells the web server which page led the client to the current URI.

Analytics Benefit:
It's useful to web content publishers for analysis, showing which web portals are attracting the most visitors to that URI.

Security Benefit:
Web apps have also been seen to use it as an extra layer of checking, to confirm that the requested URI was reached via the proper channels and to respond accordingly (since the client sets the header, this is at best a weak check).

HTTP Referer Spoofing ?

Unlike other popular spoofing attacks, this one doesn't involve the attacker trying to hide their identity.

Here the attacker actually retains and embeds their identity in the HTTP request made to your web server. The spoofing in this case consists of forging a custom HTTP request with a fake HTTP Referer header added, to make the web server believe some user is visiting its service after following a link from the attacker's injected referrer URI.

For some time now I've been seeing a flood of spoofed HTTP referers on the user statistics page.
Here is a screenshot of the web statistics page from one of my other blogs, covering a month-long date range. These are the top-chart statistics for reported traffic referrals.

As you can notice, among the top 10 referring URLs, 5 are spammers, namely

  1. http://r-e-f-e-r-e-r.com/(target-specific-uri)
  2. http://adfoc.us/(some-numeric-id)
  3. http://www.googlecorrection.com/
  4. http://justforlaughsgags.tv
  5. http://smarts-loans.com/

Threat ?

There are 2 potential types of threat arising from it:
  1. Opening an infected website
    Most of this referer spoofing is done to trick the website admin/publisher into thinking a new or disreputable portal is referring to their content. In some of those cases, out of curiosity, the site admin/publisher visits the URI given as the referer.
    Now if the URI leads to an infected portal, that visit is exactly as safe as clicking on any untrusted link. It might be just an advertising portal, or a service generously spreading malware.
  2. Indirectly triggering a web app vulnerability
    This is more of an indirect attack, where the site admin/publisher doesn't need to visit the referer URI at all but just views it in a weak web application responsible for showing the analytics.
    Since anything can be injected into the HTTP Referer header, any web view that renders it, or any backend application/database that processes it, can fall prey to a cleverly designed referer entry. The attacks possible here have a wide range and depend on the components involved at the site admin/publisher's end in analyzing it.

Solution ?

Don't be curious about unknown referers.

If you build something yourself to analyze these, make sure your own code is safe enough.
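As an added example (not code from the original post), here is what "safe enough" looks like for a small referer-analytics helper: every referer is HTML-escaped before it is rendered on the stats page, and referers that look like referer spam are kept out of the top chart. The log lines are constructed samples; the spam hosts are the ones named in the post, and a real deployment would maintain its own list.

```python
"""
Added example, not code from the original post: a small referer-analytics
helper that escapes every referer before rendering the stats page and
filters out referers that look like referer spam, so that a crafted
Referer value neither injects markup nor inflates the top-10 chart.
The log lines are constructed samples; the spam hosts are those named
in the post.
"""
import html
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache/Nginx combined log format.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Oct/2013:10:00:01 +0000] "GET /post/1 HTTP/1.1" 200 512 "http://www.example.org/links" "Mozilla/5.0"
203.0.113.6 - - [30/Oct/2013:10:00:02 +0000] "GET /post/1 HTTP/1.1" 200 512 "http://r-e-f-e-r-e-r.com/post/1" "Mozilla/5.0"
203.0.113.7 - - [30/Oct/2013:10:00:03 +0000] "GET /post/2 HTTP/1.1" 200 512 "http://smarts-loans.com/" "Mozilla/5.0"
203.0.113.8 - - [30/Oct/2013:10:00:04 +0000] "GET /post/2 HTTP/1.1" 200 512 "http://evil.example/<script>alert(1)</script>" "Mozilla/5.0"
203.0.113.9 - - [30/Oct/2013:10:00:05 +0000] "GET /post/3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Trailing fields of the combined format: request, status, size, referer, user agent.
LOG_RE = re.compile(
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Referer-spam hosts named in the post (a real deployment keeps its own list).
KNOWN_SPAM_REFERERS = {
    "r-e-f-e-r-e-r.com", "adfoc.us", "www.googlecorrection.com",
    "justforlaughsgags.tv", "smarts-loans.com",
}


def parse_referers(log_text):
    """Raw Referer values from the log, skipping '-' (request carried no referer)."""
    referers = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("referer") != "-":
            referers.append(m.group("referer"))
    return referers


def is_suspicious(referer):
    """True for known spam hosts, non-http(s) values, and values carrying markup
    or control characters, none of which a browser-sent Referer would contain."""
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. malformed IPv6 literal in the host part
        return True
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    if parts.hostname.lower() in KNOWN_SPAM_REFERERS:
        return True
    return re.search(r'[<>"\x00-\x1f]', referer) is not None


def top_referers(log_text, n=10):
    """The chart the post shows, with suspicious entries left out: (host, hits) pairs."""
    counts = Counter()
    for ref in parse_referers(log_text):
        if not is_suspicious(ref):
            counts[urlsplit(ref).hostname.lower()] += 1
    return counts.most_common(n)


def render_report(log_text):
    """HTML table of every referer, flagged, with html.escape() applied so a
    crafted value is displayed as text instead of being interpreted as markup."""
    rows = []
    for ref in parse_referers(log_text):
        flag = "suspicious" if is_suspicious(ref) else "ok"
        rows.append("<tr><td>%s</td><td>%s</td></tr>" % (html.escape(ref), flag))
    return "<table>\n" + "\n".join(rows) + "\n</table>"


if __name__ == "__main__":
    print(top_referers(SAMPLE_LOG))
    print(render_report(SAMPLE_LOG))
```

The audit table still lists the rejected referers, escaped, so you can see what was filtered without ever having the raw value interpreted by the browser; the same escaping discipline applies to whatever backend stores these values.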

Tuesday, May 1, 2012

Snoop internal network data without breaking in, Info is already breaking out.

One day, while I was creating a pastie for some DevOps-related discussion and filtering out the organization-related data..... it just occurred to me how much internal information gets added to the long logs that get pasted online for help.

Someone pasted this on 20-Mar-2012 at pastebin.com.
It says nothing much, except that 'assanka.com' probably uses Puppet, with the PuppetMaster at puppetmaster.virtual.office.assanka.com and 192.168.30.147 as its internal IP.

There are loads of pasties like it, adding reconnaissance material about the lightly latched rooms behind the heavily locked web entry gates.

Now, like this pastebin scrap says, hints are being generated at some internal machine of Qualigaz's network,
so some information about Qualigaz's internal network is floating around in the open:
[+] Internal IPs in the range 192.168.30.x
[+] It is a XEN virtual machine
[+] with SELinux not enforced
[+] running Debian GNU/Linux 5.0.2 (lenny)
[+] sshrsakey=> AAAAB3NzaC1yc2E.......==
[+] sshdsakey=> AAAAB3NzaC1kc3M.......==

Have a look at http://pastebin.com/haiqVHCN and http://pastebin.com/iFMsYiwC for more amusing leaked data.

This was just from a very few Google-searched pastebin.com results. Think what a full-blown pastebin scraper would do.

To be safe from such accidents, try using a service like ZeroBin (pasties are stored on the server encrypted with 256-bit AES).
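The other half of staying safe is the filtering step the post opens with: scrubbing the log before it leaves your machine. As an added example (not from the original post), here is a pre-paste scrubber that redacts the kinds of detail shown leaking above: RFC 1918 addresses, hostnames under your own internal domains, and OpenSSH public key material. The sample text and the `corp.example` suffix are constructed; the real pastes named in the post are not used.

```python
"""
Added example, not from the original post: a scrubber to run over a log
before pasting it anywhere public. It redacts the kinds of detail the post
shows leaking via pastebin: RFC 1918 addresses, hostnames under your own
internal domains, and OpenSSH public key material. The sample text and the
'corp.example' domain are constructed; the pastes named in the post are not used.
"""
import ipaddress
import re

# Constructed sample resembling facter/Puppet output.
SAMPLE_PASTE = """\
fqdn => puppetmaster.virtual.office.corp.example
ipaddress => 192.168.30.147
ipaddress_eth1 => 203.0.113.10
operatingsystem => Debian
sshrsakey => AAAAB3NzaC1yc2EAAAADAQABAAABAQCexamplekeymaterialexamplekeymaterialexample==
sshdsakey => AAAAB3NzaC1kc3MAAACBAOexamplekeymaterialexamplekeymaterial==
"""

# Assumption: the DNS suffixes that identify your internal hosts.
INTERNAL_DOMAINS = ("corp.example",)

# Private address space from RFC 1918 plus loopback; public addresses are left alone.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# OpenSSH public keys are base64 blobs whose first bytes encode the key type,
# so every one of them starts with "AAAAB3NzaC1".
SSH_KEY_RE = re.compile(r"AAAAB3NzaC1[A-Za-z0-9+/]{20,}={0,2}")
HOST_RE = re.compile(r"\b[A-Za-z0-9][A-Za-z0-9.-]*\.(?:%s)\b"
                     % "|".join(re.escape(d) for d in INTERNAL_DOMAINS))


def _redact_ip(match):
    """Replace the match only if it parses as an address in a private range."""
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:            # e.g. 999.1.1.1 matched the loose regex
        return match.group(0)
    if any(addr in net for net in PRIVATE_NETS):
        return "[PRIVATE-IP]"
    return match.group(0)


def find_leaks(text):
    """Counts of what would leak, for a warning before the paste goes out."""
    return {
        "private_ips": sum(1 for m in IPV4_RE.finditer(text)
                           if _redact_ip(m) == "[PRIVATE-IP]"),
        "ssh_keys": len(SSH_KEY_RE.findall(text)),
        "internal_hosts": len(HOST_RE.findall(text)),
    }


def scrub(text):
    """Return the text with private IPs, SSH keys and internal hostnames redacted."""
    text = IPV4_RE.sub(_redact_ip, text)
    text = SSH_KEY_RE.sub("[SSH-PUBKEY]", text)
    text = HOST_RE.sub("[INTERNAL-HOST]", text)
    return text


if __name__ == "__main__":
    print(find_leaks(SAMPLE_PASTE))
    print(scrub(SAMPLE_PASTE))
```

Public addresses such as the `203.0.113.10` in the sample are deliberately left in place, since they carry no internal-network information; extend `INTERNAL_DOMAINS` and `PRIVATE_NETS` to match your own environment.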

Saturday, March 31, 2012

Facebook blocks spam URLs, but their method looks useless

Facebook has a user-security service that checks URLs posted by its users for spam/malicious nature and blocks those on Facebook's blacklist.
More about it at http://blog.facebook.com/blog.php?post=403200567130

Some important text from the link above:
These automated systems don't just prevent spam and other annoyances. They also protect against dangerous websites that damage your computer or try to steal your information. ..........
Sometimes, spammers try to hide their malicious links behind URL shorteners like Tiny URL or bit.ly, and in rare cases, we may temporarily block all use of a specific shortener. If you hit a block while using a URL shortener, try a different one or just use the original URL for whatever you're trying to share.
These systems are so effective .......... 
In my very recent post on Facebook, I was just trying to post the very awesome Google search link displaying the 3D graph of a heart
https://www.google.co.in/search?ix=seb&sourceid=chrome&ie=UTF-8&q=sqrt(cos(3*x))*cos(100*y)%2B1.5*sqrt(abs(x))+%2B+0.8+x+is+from+-1+to+1%2C+y+is+from+-1+to+1%2C+z+is+from+0.01+to+2.5
and Facebook refused to accept my link, saying it belongs to the 'spammy link' section for the URL https://www.google.co.in/search.
So actually,
initially, without thinking about it from a security perspective, I converted it to a goo.gl short URL
http://goo.gl/Xwhff
and tried that, and yeah..... it works (that's why I'm writing about it, obviously).


So, how it works
The way I could think of it working is plainly by matching the URL (except for the GET parameters passed to it) against the blacklist of URLs that Facebook maintains for it.

The Problem
Bypassing such a system is really, really easy: just get a link redirected through any of the batch of URL shorteners, page translators, proxies or..... simply get a new machine up on the cloud and have it bounce the URL to the desired URL.

Even if FB's awesome team succeeds in blacklisting the ever-growing set of proxy and URL-shortener services, their technique wouldn't be able to catch your newly launched service before you get some decent response time.



What I think would solve it
An intelligent security facilitator like Facebook would keep from sending that blacklist to the client side, for several reasons.
So they must be checking the posted URL at their FB servers and then responding with any concerns related to it.

In such a scenario, WHY don't they simply have the URL crawled through to the last URL that responds, without any HTTP referrer?
Say, the same method I use at webhoudini.appspot.com to fetch the final URL from a shortened or redirected URL, for people who need to validate a suspicious link.




This way they would never have to blacklist the URL shortener services, or any other valid URL base for that matter, just to avoid the chance of their redirecting to malicious links.
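As an added example (neither Facebook's code nor the webhoudini service), here is the check the post argues for, done offline: a link is followed through its redirect chain and only the final destination is compared with the blocklist, after the query string has been normalised away. The redirect map, the blocklist and every URL below are constructed stand-ins; a live version would replace the map with real HTTP requests and read the `Location` header.

```python
"""
Added example, not Facebook's code and not the webhoudini service: the check
the post argues for, done offline. A link is followed through its redirect
chain and only the final destination is compared with the blocklist, after
normalising away the query string. The redirect map, blocklist and URLs are
all constructed.
"""
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed stand-in for a chain of HTTP 30x responses: URL -> Location header.
REDIRECTS = {
    "http://short.example/abc": "http://hop.example/r?u=1",
    "http://hop.example/r?u=1": "http://malware.example/landing?id=7",
    "http://short.example/rel": "/final",          # relative Location header
    "http://short.example/loop1": "http://short.example/loop2",
    "http://short.example/loop2": "http://short.example/loop1",
}

# Constructed blocklist, keyed by normalised URL (no query string).
BLOCKLIST = {"http://malware.example/landing"}


def normalise(url):
    """Lower-case scheme and host, drop query and fragment, default the path to '/',
    so that one blocklist entry covers every parameter variant of the same page."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", "", ""))


def resolve_final(url, redirects=REDIRECTS, max_hops=10):
    """Follow redirects to the end. Returns (final_url, hops_taken).
    Raises ValueError on a loop or when max_hops is exceeded."""
    visited = []
    current = url
    while current in redirects:
        if current in visited or len(visited) >= max_hops:
            raise ValueError("redirect loop or too many hops: " +
                             " -> ".join(visited + [current]))
        visited.append(current)
        # urljoin resolves relative Location values against the current URL.
        current = urljoin(current, redirects[current])
    return current, len(visited)


def is_blocked(url):
    """Judge the destination rather than the shortener in front of it.
    A chain that cannot be resolved is refused rather than waved through."""
    try:
        final, _ = resolve_final(url)
    except ValueError:
        return True
    return normalise(final) in BLOCKLIST


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/rel",
              "http://short.example/loop1"):
        print(u, "->", is_blocked(u))
```

Two details matter in practice: the hop limit and loop check stop a crafted chain from tying up the checker, and a chain that cannot be resolved is treated as blocked, since "unknown destination" is not evidence of safety.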

Sunday, November 20, 2011

(Adios Censorship, Hola ODDNS) Internet Censorship: state & solution

We are (and have been) living in a dark era of corrupted & controlled information, not because of hackers or e-criminals but due to white-collar, bureaucratic legal organizations trying to control the Internet.

They used to control books in olden times, newspapers for many years, and news channels for the past few decades. This control was over the information available to the public.
The more informed the public is, the less power legal agencies have to steer them toward their predetermined decisions.

They started by shutting down (supposedly) bothersome web portals, forcing them to change content and even to leak information about their users.
When they found out they couldn't (without controversy) dominate all the web services around the globe, they started taking DNS servers under control.
Now, for those unsure how controlling DNS servers helps:
In simple words, a DNS server is the service you tell the web portal's name to, and it guides you with the address format that all networking devices understand, helping you reach the destination web server.

So, the reason DNS servers can be controlled today is their structure.
DNS servers have a tree-like hierarchical set-up.
There are a few root DNS servers at the top, which contain the entire Internet domain name registration database and the corresponding IPs. These are maintained by independent agencies, but most of them reside in the U.S., with a few others distributed around the globe.
Then there are lower-level DNS servers maintained by Internet service providers, some universities and some IT organizations. These DNS servers contain a more specific subset of DNS entries, those for the domains they mostly serve.
If a queried lower-level DNS server doesn't have an answer for an entry, it contacts its parent DNS server, retrieves the address and replies.

The thing is, these network address resolvers are very concentrated and interdependent. So if these legal organizations feel threatened by any newer (or even older) web portal, say www.wiki-still-leaks.org,
the only thing they need to do is block address resolution of that particular web portal name (and as many more as required).
As you wouldn't be able to resolve the network address for that website, you would find it offline.
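As an added example (not from the original post), here is a toy model of the tree-shaped resolution described above, used to show what blocking at an intermediary resolver does: the record still exists at the server above, so a client that asks a different resolver still gets the address, while a client behind the blocking resolver sees the site as "offline". Every server, name and address here is constructed.

```python
"""
Added example, not from the original post: a toy model of the tree-shaped
resolution described above, used to show what blocking at an intermediary
resolver does. Every server, name and address here is constructed.
"""


class Resolver:
    """One DNS server: answers from its own records or cache, else asks its parent."""

    def __init__(self, name, upstream=None, records=None, blocked=()):
        self.name = name
        self.upstream = upstream            # parent resolver; None at the top
        self.records = dict(records or {})  # data this server holds itself
        self.cache = {}                     # answers learned from upstream
        self.blocked = set(blocked)         # names this operator refuses to resolve
        self.log = []                       # (query, outcome) pairs for inspection

    def resolve(self, qname):
        qname = qname.lower().rstrip(".")
        if qname in self.blocked:
            self.log.append((qname, "refused"))
            return None
        if qname in self.records:
            self.log.append((qname, "authoritative"))
            return self.records[qname]
        if qname in self.cache:
            self.log.append((qname, "cache"))
            return self.cache[qname]
        if self.upstream is None:
            self.log.append((qname, "nxdomain"))
            return None
        answer = self.upstream.resolve(qname)
        if answer is not None:
            self.cache[qname] = answer
        self.log.append((qname, "forwarded"))
        return answer


def build_demo():
    """Top-level server holding the records, an ISP resolver under it that blocks
    one name, and an independent resolver under the same top-level server."""
    top = Resolver("top", records={
        "www.wiki-still-leaks.example": "203.0.113.20",
        "www.news.example": "203.0.113.21",
    })
    isp = Resolver("isp", upstream=top, blocked={"www.wiki-still-leaks.example"})
    alt = Resolver("alt", upstream=top)
    return top, isp, alt


def lookup_via(resolver, name):
    """What a client configured to use `resolver` would get for `name`."""
    return resolver.resolve(name)


if __name__ == "__main__":
    top, isp, alt = build_demo()
    for r in (isp, alt):
        print(r.name, lookup_via(r, "www.wiki-still-leaks.example"))
```

The `log` on each resolver makes the difference visible: the ISP resolver records "refused" without ever forwarding the query, whereas the independent resolver forwards it and caches the answer it gets back.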

Currently, the way sites not liked by governments (such as ThePirateBay) handle it is by making multiple DNS entries.
Recently a Firefox plug-in, ThePirateBayDancing, was released by mafiaafire; it makes the portal available by jumping randomly over proxies.

In late 2010, when the U.S. blocked WikiLeaks, ThePirateBay floated the idea of P2P DNS.
Peter Sunde (PirateBay co-founder) gathered coders to work on it. Cjd, working on it, shifted his operations to cjd#irc.

This idea of P2P DNS was picked up by vinced and put down as Namecoin, a decentralized DNS service based on Bitcoin. Now, that is the main problem with it: it's based on a money-exchange system architecture. You either mine namecoins for a domain name or buy them.

Jimmy Rudolf is out with ODDNS: Decentralized and Open DNS. It removes intermediary DNS servers from the scene, and with them their crippled DNS resolutions.


Monday, October 3, 2011

Social Engineering [from Eden Guide to Hacking >> Active Recon]

Eden Guide To Hacking : https://github.com/abhishekkr/eden_guide_to_hacking
 
Social Engineering
direct link :  https://github.com/abhishekkr/eden_.....  ineering.txt


The most creative non-technical hacker practice known to mankind.
 
a.) It's the art of communicating with people for 'information leakage'.

  • You have a 'Victim' identified by now and want to collect more and more available information related to them.
  • Not just any relevant information, but sensitive details that the Victim or people related to them hand over to you in confidence.
  • You think like a con artist, assessing the weaknesses of your victim & the possibilities of make-believe for them.
  • Then you come up with an entire scenario to pose as a reliable savior for your Victim; a benefactor.
  • And you will find them revealing discreet and sensitive information so that they can cash in on the situation to the max, letting you gather all the sensitive information you can.



b.) Example: "The pretend employee losing access at a critical time"

  • You are management personnel at a client location, in the middle of a very life-changing deal.
  • You need some files from your organization's machine or file share, but can't access them due to firewall policies on either side.
  • If you can't seal the deal, the failure will take away your job and that of the person refusing you help at such a crucial moment.
  • And there are good chances that you'll get the data fetched for your pretended 'Employee' and mailed to you.


 
c.) Example: "I'm here to check your network, from the Agency"

  • You are at the home of your Victim when some family member, hopefully not very security aware, is in charge, and you pose as the Network Guy from the telecom agency they use.
  • Offering the new organization's customer-satisfaction mumbo-jumbo, you try to get access to check the health status of the network devices installed there, and of more computing devices if possible.
  • Now, if the devices are tweakable without any credential request to the family member there... try that first.
  • If that doesn't work and they don't have access either, then pose as attempting the 'Master Password', so they don't inform the Victim.


d.) For the ultimate case studies, read "The Art of Deception" by Kevin Mitnick, the most famous social engineering hacker 'known'.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Friday, September 23, 2011

BEAST beating SSL & TLS :: What You Can do to be Secured

B.E.A.S.T.?
Browser Exploit Against SSL/TLS Tool [B.E.A.S.T.] is the new JavaScript utility created by J. Rizzo & T. Duong, capable of breaking SSL 3.0 & TLS 1.0 level protection on HTTPS connections and deciphering the secured connection data.

What It Does?
There have been previous mentions of cryptanalysis attacks over
+ SSL3.0
 |   (the paper 'Analysis of the SSL 3.0 Protocol' by D. Wagner & B. Schneier, 1999), &
+ TLS1.0
 |   (the paper 'Renegotiating TLS' by Marsh Ray, 2009).
B.E.A.S.T. is a pure exploit tool built on these (or similar) ideas.
B.E.A.S.T. is based on a blockwise-adaptive chosen-plaintext attack, carried out at the victim's end via a man-in-the-middle attack.

Point-to-Note!
It's a MitM over the browser: the injected JavaScript does all the harvesting for the chosen-plaintext attack (which currently takes around 30 minutes to yield useful data) and then enables breaking the encrypted session.

Security Measures until F!XED
  1. Use a different browser (totally different, i.e. not just a new instance of the same browser but a different browser, as in Firefox and Chrome are different) for your secured connections, and a different browser for your general web surfing. Even external links from the browser used for the secured session should be copied and opened in the general web-surfing browser.
  2. It's better if the browser used for the secured session runs in Private Browsing Mode.
  3. Don't keep a log-in active in any service you are not currently using.

Something you should already be doing, if not start now...
Use browser extensions like AdBlock & NoScript to protect your browser from injected IFrames and infected ad services, which are the major delivery channel for BEAST as well.

To get more detailed insight into the exploit, its paper & code, get your hands on
http://www.insecure.cl/Beast-SSL.rar

What to do at Server Side
http://isc.sans.edu/diary/SSL+TLS+part+3+/11635

Tuesday, September 13, 2011

Open Intelligence Gathering FOR Passive Reconnaissance FROM "Eden Guide To Hacking"


Open Intelligence Gathering : github.com/abhishekkr.....Open_Intelligence..
The following content structure is discussed in detail @
https://github.com/abhishekkr/eden_guide_to_hacking/blob/b00ef1502b9f91953f5d734efd4a03c3a0f04002/part1_Hacking_Cycle/chapter4_Reconnaissance/section0_Passive_Recon/article0_Open_Intelligence_Gathering.txt

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[+] Open Intelligence Gathering
 |
 |[+] What Is Open Intelligence?
 |
 |[+] Legal Documents Got Them
 |
 |[+] Search Engines Sort Them
 |
 |[+] Web Activity Caught Them
 | |
 | |[+] You Blog/Comment
 | |[+] You Socialize
 | |[+] You Subscribe
 | |[+] You Show/Click Ads
 | |[+] Even If You Surf Web
 | |_
 |
 |[+] Automating the Act
 | |
 | |[+] Paterva Maltego CE
 | | |[+] URL
 | | |[+] What it does?
 | | |[+] Example Usage
 | | |_
 | |
 | |[+] The Harvester
 | | |[+] URL
 | | |[+] What it does?
 | | |[+] Example Usage
 | | |_
 | |_
 |_

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~