DZHack Event

10403212_1533358333604163_5677862925298417628_n

Computer security is nowadays a hot topic that everyone knows or at least heard about it. In addition, our daily life is closely related to new technologies that are mostly diverted and pirated either affect the privacy of individuals and their property, or to extract sensitive information organizations.

To share professional experiences in the field and to inform users about security risks, ELIT organizes for the first time, a computer security event called “DzHack Event“, which covers the IT community, and specifically those of security information systems (experts, researchers, ethical hacker, whether professional or amateur) around this theme to discuss and share their feedback.

https://www.facebook.com/events/1534059000197343/
http://www.dz-hackevent.elit.dz/en/

Don’t miss it :)

A vulnerability and a hidden admin account all inside “SITEL DS114-W” routers !

Hello, Hope you are doing well everyone ! It has been a long time since my last post, well let’s say I was occupied by some stuff but I’m back with a new discovery :)

As as an Algerian internet consumer, I’m a subscriber at “Djaweb ISP” as I don’t have much choices — let’s not talk about that now and dive into some serious stuff !

I found out the routers shipped by Algerian ISP “Djaweb” are now backdoored with a secret admin account and as it appears they didn’t do a good job in hiding it  … not only that but with a session management vulnerability too !

EXPLORATION :

As usual internet goes down from time to time and we are used to that in Algeria, this time it took long time so I went to restart the modem from the web interface .

VULNERABILITY #1 :

But after restarting it I logged out and kept looking at the “login” page thinking “What if there is a vulnerability inside .. ?” and that’s when the journey started ..

login

As usual, I hooked up “Burp” as a proxy and logged in :

2

“Cookie : SessionID=3″ … too easy to predict !

Now comes Burp “Intruder” functionality, it will allow us to brute force any parameter inside the request body and that’s exactly what we need to brute force the SessionID .

Steps : ( quick tips for Burp )

1- Right click on the request and click “Send to Intruder”

2- Go to the “intruder” tab you’ll see :

Screen Shot 2015-01-04 at 3.23.38 AM

3- Navigate to “Positions”, that’s where we are going to specify the parameter we want to brute force. Leave the “Attack type” to “Sniper”

Screen Shot 2015-01-04 at 3.24.25 AM

4- Go to “payloads” and set the payload type to “Numbers” with :

  • Type : Sequential
  • From : 1
  • To : 100
  • Step : 1

Screen Shot 2015-01-04 at 3.25.10 AM

So in total the app will make 100 requests to the router      

Now with everything set I fired up the intruder attack and …

Screen Shot 2015-01-04 at 3.25.21 AM

We can see that the session #4 is what we had earlier initialized for our access by the web app :

Screen Shot 2015-01-04 at 3.47.24 AM

But when scrolling down we see some weird things :

Screen Shot 2015-01-04 at 3.47.44 AM

Sessions from 40 to 49 are also initialized, I logged off the sessions dropped down .. when logged back in and brute forced the session IDs they appear to be another 10 sessions initialized on another range .

Knowing that the user only require one session to be initialized and it should be hooked to only the user logged in, not any other one, so when the user login to the router other sessions are initialized giving an attacker with a simple brute force access to the router without knowing the password .

This makes up a session management vulnerability .

pwned

The vendor has been notified but without response from them .

VULNERABILITY #2 :

I had a sense that there was more than one vulnerability inside that damn thing … so have gone further, testing every functionality from login to rebooting the modem and while doing that I came up across another weird thing. The thing resides inside the config file.

Step 1 : I saved the config file, while burp is hooked up as usual .

Step 2 : The router give you a “.img” file which when executed under a OSX environment you’ll get :

Screen Shot 2015-01-04 at 7.52.15 PM

As it’s not a valid image to be mounted . I looked into the burpsuite request-response raw data and surprisingly :

Screen Shot 2015-01-04 at 3.49.46 AM

The configuration parameters are saved in a plain text format !!! I inspected every parameter inside until ….. :

Screen Shot 2015-01-04 at 7.57.22 PM

The first two account I did set and the passwords are the ones I specified, but what about that 3rd “admin” account that has a parameter saying “<V N=”BACKDOOR” V=”0x1″/>”, which means “BACKDOOR = YES”

Trying to ssh to the router with that account :

Screen Shot 2015-01-04 at 8.03.32 PM

Aaaand, IT WORKS !!!

picard-facepalm7

Well, obviously the routers are shipped by the ISP with a backdoor account, and this is the 2nd discovery ! I have built a python script that automate the process of the two attacks :

  • If the user is already logged into the router and have a valid session we can brute force the whole range from 1 to 100 in order to find the other initialized session, and to save time you can chose a step of “10” from 1 to 100 so you’ll only make “10” requests to the router instead of “100” to successfully login .
  • If the attacker is not sure if the user is logged into the account and want to get access then use the backdoor account : Username : admin , Password : 5B80airocon

The vendor has been notified but without response from them .

CONCLUSION :

Routers are becoming the main attack surface for bad hackers, as it’s the entry point for them to take over your network . Make sure your router is secure and doesn’t expose any service ( HTTP, SSH, FTP ) to the wild web .

As usual happy hacking :), for any questions please leave a comment !

Tagged , , , , ,

“Mobilis Algeria” Millions of users at risk

Hello guys,

I’m back with a new post and a new discovery. As I’m a Mobilis GSM subscriber I thought about registering to their online invoice system, I took the steps and I have been provided with access to my account online .

EXPLORING THE WONDERLAND :

When you first login you get this page :

1

You can do some things from here, like viewing/downloading your invoices and canceling the online account, we are mainly interested in the invoices as they contain all information about the target in order to help conduct further attacks on him/her
2

I hooked up burp suite proxy to the browser and I logged in, I was amazed about what I was seeing :o …. this is happening upon login :

3

5

Isn’t that a session initializer ? : /servlet/InitSessionExt?USER=”account_id”&ACCESS=1&INVOICE=”invoice_id”

The “account_id” can be brute forced as it a sequence number, but how can we get the “invoice_id” for the target account if we don’t have access yet ? .. remember the Graph we saw previously ? well it could be our entry point as it reveals all invoices ids for a particular account .

With fingers crossed I tried to pass a “random” ;) account_id

6

wow !! I got all invoices numbers associated to that account :D

And now that I have everything I can pass those paramerters to the “InitSessionExt” using Burp repeater and see if it initilize the session without a password required,

Screen Shot 2014-08-20 at 6.55.52 PM

And ….

7

 

YES ! I’m in (y)

8

A malicious attacker can then use those information to social engineer the help desk guys into doing things to the account like suspending it, I’ll let you work the machine and think about other potential scenarios :)

 

VIDEO POC :

Tagged , , ,

My MSF ( Metasploit Framework ) workshop

MSF workshop

Join the workshop and let me show you how to conduct a penetration testing using Metasploit, take your knowledge to the next level with : Basic exploitation techniques, Armitage, pivoting, post exploitation, pass the hash attack and many more

https://t.co/pKMhf5b15j

HeartBleed – Exploiting the net “CVE-2014-0160″

 

heartbleed

Heartbleed has the potential to be one of the biggest most widespread vulnerability in the history of the modern Internet, at the root of Heartbleed is encryption. The internet has a set of protocols for security and encryption commonly known as “Security Socket Layers” S.S.L and its successor “Transport Layer Security” T.L.S, the most common implementation of SSL and TLS is a set of open source tools known as OpenSSL.

More information are available here : http://thehackernews.com/2014/04/heartbleed-bug-explained-10-most.html

You can test if your website is vulnerable to Heartbleed attack from this website : https://filippo.io/Heartbleed , well I was thinking about creating a tool that would test a list of websites “TOP 1 Million websites in my case” and if the script finds the target vulnerable it send an email to the webmaster telling him that he should fix it !

I have created that tool and its available for download here : https://github.com/MrNasro/heartbleed/

Before using the tool you need to change the following inside “exploit.py” :

fromaddr = ‘sender@email.com’
username = ‘email_username’
password = ‘email_password’
server = smtplib.SMTP(‘smtp.gmail.com:587′)

After the changes just just place the list of CSV domain names into the script directory and run it from the command line : python heartbleed.py

Screen Shot 2014-04-18 at 6.03.03 PM

Tagged , , , , ,

Vault app isn’t that secure !

Hi,

Some of us ( like me ) depend on vault to hide and secure their contacts, sms, pics and videos .. I figured out that this app takes sometime to load after the phone is booted, so this really gives us access to protected apps like “Contacts” before it loads !

This is a test video I’ll investigate that behavior and will let you know guys if I find anything in a detailed future post :

HAPPY HACKIN’ :)

Tagged ,

ZynOS – Part 2 ( Taking over the network )

Hello again :)

I’m going to recap from the last post. So what I’m about to demonstrate in this post is the impact that can some attacker cause to your network once he access the router  ..

We have access to the router but our goal is to get a foothold on the remote network, hmm .. we have port forwarding option which is beautiful, what we can do with that is scrap the network pool for internal IPs and forward ports like 445, 139 and try to exploit them from our end. Imagine also a network with 200 machines that will definitely be time consuming .. even if you write a script to automate that what makes you believe that you’re going to actually be able to get meterpreter sessions ?

So .. what’s the solution ?

Hmm, DNS is an interesting thing to look at since we can provide dns IP to the router for the whole network to use !!

Are we talking about DNS intercepting ? Hell yeah :D

Here is a list of the tools we’re going to use :

Dnschef : A dns proxy ( read about it HERE )
Metasploit : How to install ( ubuntu ) HERE
Webmitm : Find out more about it HERE
Burp Suite : It’s available HERE

-Attacking from ubuntu “Metasploit & dnschef & webmitm” running on (IP: 192.168.0.6)

-Burp suite will be running at (IP:192.168.0.10)

First, I’ll explain how I’m going to do the attack :

We’re going to setup our Dnschef proxy

Screen Shot 2014-01-18 at 1.30.27 PM

./dnschef.py –interface 192.168.1.106 –fakeip 192.168.1.106 

–interface : is going to tell dnschef at what interface it’ll listen for .

–fakeip : this hijacks requests by returning this IP as the result for every request

The next step is to lunch webmitm tool that will handle the http requests and responses, from there we’ll tell webmitm tool to forward the traffic to burp suite proxy that will allow us to inject an iframe of Metasploit browser autopwn server.

Screen Shot 2014-01-18 at 1.38.01 PM

We have to configure burp suite so that it handle requests on port 80

Screen Shot 2014-01-18 at 1.40.00 PM

Have to be invisible ..

Screen Shot 2014-01-18 at 1.40.16 PM

Repeat these steps for port 443 to handle HTTPS traffic .

Ok, so everything is ready now .. I’ll have to modify the scripts I provided in the previous post so that we can inject our DNS server .

Screen Shot 2014-01-18 at 1.49.47 PM

This way I injected my ip address as the first DNS server to use on the router and the 2nd one is the one that belongs to google, this way if  we want to stop the attack on the already injected routers by blocking requests made to our DNS server , then the router will automatically proceed to the 2nd server that belongs to google without showing any DNS resolution error on the victim end.

ok, so now we’ll have to lunch the browser autopwn module on metasploit .

PS: I’ll be using port “8080” because webmitm is already using port “80” to forward traffic .

Screen Shot 2014-01-18 at 2.10.54 PM

Screen Shot 2014-01-18 at 2.12.09 PM

it’s loaded and waiting for victims to browse :)

Ok, so from here we’ll have to add the iframe injection to burp suite. So that if it get a response on a page requested by the victim it injects iframe with “http://192.168.0.6:8080/&#8221; that’s listening on Metasploit.

Screen Shot 2014-01-18 at 2.11.33 PM

DEMO :

After injecting my DNS server to the victim router using the scripts, and after setting up everything from dnschef to metasploit . Let’s follow what happens if a victim browse to a website .

Screen Shot 2014-01-18 at 2.18.13 PM

We got 3 meterpreter sessions :D,

DO YOU REALIZE WHAT CAN SOMEONE DO IF HE HACKS INTO YOUR ROUTER WITH SOME VULNERABILITY OR JUST DEFAULT PASSWORDS THAT YOU DIDN’T CHANGE ?

Any questions or comments feel free to contact me. And as always : Happy Hacking :)

Follow

Get every new post delivered to your Inbox.

Join 208 other followers