
Hacking: The Next Generation P1


Hacking: The Next Generation

Nitesh Dhanjani, Billy Rios, and Brett Hardin

Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo

Hacking: The Next Generation
by Nitesh Dhanjani, Billy Rios, and Brett Hardin

Copyright © 2009 Nitesh Dhanjani. All rights reserved.
Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://my.safaribooksonline.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com.

Editor: Mike Loukides
Production Editor: Loranah Dimant
Copyeditor: Audrey Doyle
Proofreader: Sada Preisch
Indexer: Seth Maislin
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano

Printing History:
September 2009: First Edition.

Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of O’Reilly Media, Inc. Hacking: The Next Generation, the image of a pirate ship on the cover, and related trade dress are trademarks of O’Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

This book uses RepKover™, a durable and flexible lay-flat binding.

ISBN: 978-0-596-15457-8
[M]
1251474150

Table of Contents

Preface

1. Intelligence Gathering: Peering Through the Windows to Your Organization
   Physical Security Engineering
   Dumpster Diving
   Hanging Out at the Corporate Campus
   Google Earth
   Social Engineering Call Centers
   Search Engine Hacking
   Google Hacking
   Automating Google Hacking
   Extracting Metadata from Online Documents
   Searching for Source Code
   Leveraging Social Networks
   Facebook and MySpace
   Twitter
   Tracking Employees
   Email Harvesting with theHarvester
   Resumés
   Job Postings
   Google Calendar
   What Information Is Important?
   Summary

2. Inside-Out Attacks: The Attacker Is the Insider
   Man on the Inside
   Cross-Site Scripting (XSS)
   Stealing Sessions
   Injecting Content
   Stealing Usernames and Passwords
   Advanced and Automated Attacks
   Cross-Site Request Forgery (CSRF)
   Inside-Out Attacks
   Content Ownership
   Abusing Flash’s crossdomain.xml
   Abusing Java
   Advanced Content Ownership Using GIFARs
   Stealing Documents from Online Document Stores
   Stealing Files from the Filesystem
   Safari File Stealing
   Summary

3. The Way It Works: There Is No Patch
   Exploiting Telnet and FTP
   Sniffing Credentials
   Brute-Forcing Your Way In
   Hijacking Sessions
   Abusing SMTP
   Snooping Emails
   Spoofing Emails to Perform Social Engineering
   Abusing ARP
   Poisoning the Network
   Cain & Abel
   Sniffing SSH on a Switched Network
   Leveraging DNS for Remote Reconnaissance
   DNS Cache Snooping
   Summary

4. Blended Threats: When Applications Exploit Each Other
   Application Protocol Handlers
   Finding Protocol Handlers on Windows
   Finding Protocol Handlers on Mac OS X
   Finding Protocol Handlers on Linux
   Blended Attacks
   The Classic Blended Attack: Safari’s Carpet Bomb
   The FireFoxUrl Application Protocol Handler
   Mailto:// and the Vulnerability in the ShellExecute Windows API
   The iPhoto Format String Exploit
   Blended Worms: Conficker/Downadup
   Finding Blended Threats
   Summary

5. Cloud Insecurity: Sharing the Cloud with Your Enemy
   What Changes in the Cloud
   Amazon’s Elastic Compute Cloud
   Google’s App Engine
   Other Cloud Offerings
   Attacks Against the Cloud
   Poisoned Virtual Machines
   Attacks Against Management Consoles
   Secure by Default
   Abusing Cloud Billing Models and Cloud Phishing
   Googling for Gold in the Cloud
   Summary

6. Abusing Mobile Devices: Targeting Your Mobile Workforce
   Targeting Your Mobile Workforce
   Your Employees Are on My Network
   Getting on the Network
   Direct Attacks Against Your Employees and Associates
   Putting It Together: Attacks Against a Hotspot User
   Tapping into Voicemail
   Exploiting Physical Access to Mobile Devices
   Summary

7. Infiltrating the Phishing Underground: Learning from Online Criminals?
   The Fresh Phish Is in the Tank
   Examining the Phishers
   No Time to Patch
   Thank You for Signing My Guestbook
   Say Hello to Pedro!
   Isn’t It Ironic?
   The Loot
   Uncovering the Phishing Kits
   Phisher-on-Phisher Crime
   Infiltrating the Underground
   Google ReZulT
   Fullz for Sale!
   Meet Cha0
   Summary

8. Influencing Your Victims: Do What We Tell You, Please
   The Calendar Is a Gold Mine
   Information in Calendars
   Who Just Joined?
   Calendar Personalities
   Social Identities
   Abusing Social Profiles
   Stealing Social Identities
   Breaking Authentication
   Hacking the Psyche
   Summary

9. Hacking Executives: Can Your CEO Spot a Targeted Attack?
   Fully Targeted Attacks Versus Opportunistic Attacks
   Motives
   Financial Gain
   Vengeance
   Benefit and Risk
   Information Gathering
   Identifying Executives
   The Trusted Circle
   Twitter
   Other Social Applications
   Attack Scenarios
   Email Attack
   Targeting the Assistant
   Memory Sticks
   Summary

10. Case Studies: Different Perspectives
   The Disgruntled Employee
   The Performance Review
   Spoofing into Conference Calls
   The Win
   The Silver Bullet
   The Free Lunch
   The SSH Server
   Turning the Network Inside Out
   A Fool with a Tool Is Still a Fool
   Summary

A. Chapter 2 Source Code Samples

B. Cache_Snoop.pl

Index

[...]

... is the friend of the next-generation hacker. This chapter exposes the techniques used to pit software against software. We present the various blended threats and blended attacks so that you can gain some insight as to how these attacks are executed and the thought process behind blended exploitation.

Chapter 5, Cloud Insecurity: Sharing the Cloud with Your Enemy

Cloud computing is seen as the next generation...

seemed fantastical in the past are now a reality. The reasons for this are twofold. First, the need for mobility and agility in technology has made the traditional perimeter-based defense model invalid and ineffective. The consumption of services in the cloud, the use of wireless access points and mobile devices, and the access granted to contingent workers have made the concept of the perimeter irrelevant...

Since information gathering is one of the first steps the attacker may perform, he must take care not to do anything that may alert the target. The techniques in this chapter will therefore concentrate on methods that allow an attacker to gather information without sending a single network packet toward the target. Information gathered during reconnaissance always ends up aiding the attacker in some...

to probe a network without the target’s knowledge since the entire search request and response come from the search engine and not the target. The attacker doesn’t leave a footprint since he is not sending information to the target. Attackers also use a cached page to view the information, instead of accessing the site directly, which creates another layer of protection for them.

Google Hacking

Numerous...

printer cover sheet that exposes the username of the person who requested the print job. Even this username on a piece of paper is an important find for an attacker because it helps the attacker understand how the corporation handles usernames (the first letter of the user’s first name, capitalized, appended to the user’s last name, initial-capped). This knowledge gives the attacker an understanding of...

and meaningless. This issue is further amplified by the increased complexity of and trust placed on web browsers, which when successfully exploited can turn the perimeter inside out. Second, the emergence of Generation Y culture in the workforce is facilitating the use of social media and communication platforms to the point where citizens are sharing critical data about themselves that has been nearly...

incentive to share as much data as they can; the more data they share, the more they benefit from the social network.

Facebook and MySpace

The popularity of social applications such as Facebook and MySpace has grown exponentially around the world. These applications are driving a phenomenal paradigm...

college. The attacker responds to the email, as requested by Facebook. After a few hours, the attacker receives another email describing how to change the password on the account. This example shows how easy it is to use the biographical information posted on social applications to break authentication mechanisms. Attacks such as this are becoming more frequent and are gaining media coverage. During the 2008...

the attacker must first perform reconnaissance to gather as much intelligence about the organization as possible. In this chapter, we look at traditional attack methods as well as how the new generation of attackers is able to leverage new technologies for information gathering.

Chapter 2, Inside-Out Attacks: The Attacker Is the Insider

Not only does the popular perimeter-based approach to security provide...

devastating attacks. The impact of the attacks illustrated in this chapter can be extremely devastating to businesses that approach security with a perimeter mindset where the insiders are generally trusted with information that is confidential and critical to the organization.

Chapter 3, The Way It Works: There Is No Patch

The protocols that support network communication, which are relied upon for the Internet...

Date posted: 27/10/2013, 22:15
