There are many variants of pharming. Here , in this article, I demonstrate one that is very easy to pull off by a beginner to moderate level attacker.
The attack leverages the fact that most ADSL modems run an http server for configuration, which is not secured
Most of the time, a guy from the phone company comes and installs the ADSL modem, and the user is all set. What they dont tell you is that you need to change the default password on your ADSL modem immediately.To drive home my point, I thought it better to put on my bad guy hat, and get to work.Please note that no actual breakin was attempted on any of the systems, and that information is provided for educational purposes only.
Assumptions:
You know how to set up a DNS and a HTTP server, and have your computer on the internet ( You will need to DMZ your own system if you are behind a ADSL router, and open up your firewall )
You know how to set up a gateway and enable IP forwarding on it.
Step 1: Reconnaissance
The first step is of course a reconnaissance attempt to find potential victims. I run a quick check for the world visible IP address my router has. I am lazy , so I simply visit showmyip.com. It shows me xxx.xxx.191.16
Not surprisingly, I am in my isp's address block.I just take a small sample of 255 systems in my vicinity, whose IP would be in the range xxx.xxx.191.1 to xxx.xxx.191.255
Now I need to find out which all DSL modems in this range are systems with default password.
I know that my ISP uses Beetel ,DLink and Huawei modems , which generally have admin as id and passwords range from 1234, password, admin,utstar.So, I write a program ( uses libcurl) which spawns 30 threads and tries each IP in the range with the default id and password.A scan of the 255 addressess takes me 3 minutes and shows me 14 open DSL modems
.The systems with 200 as HTTP response code will accept the default id and password (See figure below )
Here is a screenshot of my system discovery code ( He he he, the actual code that does the recon is not shown )
Click to enlarge: Code screenshot
If you have a dedicated system and unlimited data transfer, you can probably run this whole day to scan thousands of IP addresses.
Step 2: Preparing for the attack:
Now I need to decide what I want to do with these open systems. There are just too many things one can do with this. The possibilities ...I will explain later. For now, lets just say I want to grab those user's email id and password. For this, I can set up my own DNS, and put in authoritative entries for gmail, hotmail,yahoo, whatever I fancy. For all other domains, I simply forward them to my ISP's DNS. This is how it will work.
Click to enlarge: normal steady state DSL in operation
Once I have set up my DNS, I also need to put up a webserver to server those pages.
So, two major cavaets here are ,
1. To setup a DNS server
2. To setup a webserver with a DataBase at the backend to grab the user id and passwords
Step 3: The attack:
Though this step can be completely automated with scripts, or C programs,I do this manually with one single system, just as a matter of example:
The schematic of a DNS hijacking attack is shown below
So I login to this person's DSL modem, and point his DNS to my DNS server .And would you believe it??Thats all I need to do to grab this persons internet.
Logging in to the victim's router
Altering the DNS address
So that was easy, you could harvest a ton of stuff this way. But this doesnt give you much.So additional stuff can I try??Ummm..why not intercept ALL his traffic ?How ??Thats easy...set up your system to be gateway and do an IP forwarding
But then I want his whole system. Not just the traffic.Umm..OK, put his system on the DMZ. That way he is out in the open. I let nmap take shot at identifying what OS he os running, pull out a bunch of exploits and throw at this system , and presto...I have his computer.
But what will I do with his computer ? Will think about that later
No comments:
Post a Comment