ad

Hacking and Cracking

Hacking and Cracking


NSA is Hacking Pakistan's Internet Infrastructure, Here's How?

Posted: 11 Apr 2017 02:32 PM PDT




There have been multiple reports leaked from various sources about NSA hacking into Pakistan's Internet infrastructure ranging from Core Routers to Pakistan Telecommunication Green Line Communication Network in order to intercept Pakistan's civilian and military leadership communication. In October last year, a group called "Shadow Brokers" leaked comprehensive list of servers that were hacked as part of NSA's operation. The list revealed several hosts of multinet (mpkhi-bk.multi.net.pk, ns1.multi.net.pk) were compromised as well as and micronet (tx.micro.net.pk) now part of Nayatel.

There may be various motives for NSA hacking into Pakistan's internet infrastructure, intercepting and monitoring the traffic maybe one of the reasons. However, there is more to it. As per various leaks from Edward Snowden reveals couple of NSA's deadliest weapons and most notable being quantum-insert attacks.  As per one of the leaked documents confirms this attack was being utilized in order to infect a target located in Miran Shah.



Quantum Insert Attacks

Quantum Insert Attacks are an example of Man on the Side Attacks which require precise positioning of attackers rogue servers (Monitor/Shooters) in order to win a race against legitimate servers to deliver malicious content. The success probability of this attack relies upon the placement of the server. The closer the malicious servers are placed to the target the more of chances of it winning the race against the legitimate servers.

For instance, if a user based in Pakistan surfs Facebook.com, the PTCL or multinet being ISP would be technically closer to the target than the legitimate Facebook servers which has more probability of winning the race and delivering the malicious content. This happens to be one of the major reasons why NSA hacked into Pakistan's ISP in order to be technically closer to the target, hence increasing attack probability.

How Quantum Insert Attack Works?

Quantum Insert Attacks are not new; they are a type of TCP hijacking attacks that have existed in one form or another. In order to understand TCP hijacking attack, we have to understand how three-way handshake works.

TCP being a connection-oriented protocol requires sender/receiver to establish a three-way handshake. If you type Facebook.com in your browser, one of the first steps browser takes is to perform a DNS query to find out the IP address associated with Facebook.com, the query returns 66.220.159.121. The client will then establish a TCP/IP three-way handshake to server 66.220.159.121.

The following diagram illustrates how TCP/IP three-way handshake works:





ref:http://ipcisco.com/wp-content/uploads/TCPHeader/7_3wayhandshake_requestdata.jpg


i) Host A sends a packet with SYN flag, along with it, it also generates and sends a random ISN (Initial Sequence Number) i.e. 1293906975 along with an ACK=0.

ii) Host B, upon receiving the SYN, responds with SYN, ACK with its own random sequence number 3455719727 and increments Host A's sequence number by 1 and sends it back with ACK=1293906976

iii) The host A finally completes the three-way handshake by incrementing Host A's sequence number by one and sending back.

From above process, it is evident that for establishing three-way handshake both client and server will generate a random 32 bit sequence number from which it will start counting the segments transmitted.

Host B will only accept the segments from Host A when correct SEQ/ACK number is transmitted. In case, if an attacker obtains sequence numbers used for establishing session, they will be able to craft TCP packets containing the sequence number and using spoofing IP address it will make the receiving system believe that the segments have appeared from a legitimate host. This is known as TCP Hijacking

When the legitimate packet arrives afterwards, it will be discarded as it will have duplicate sequence number. One critical condition for its success is that the response from the malicious server must arrive before the legitimate response from the webserver, due to this very reason the placement of malicious server is critical for the success of this attack. From the document mentioned above, it was clear that the success ratio for the malicious response to arrive before the legitimate response based in Pakistan was approximately 48%.


From the above demonstration by Fox-it, it is clear that Quantum-Insert Attack requires two crucial components; the first is the monitor which sits and passively collects session information and feeds it to the shooter. The shooter then using the sequence/ACK number hijacks the session and tries to inject the malicious content into the TCP stream before the legitimate response.

As discussed before, placement of the monitor/ shooter is extremely crucial as they have to be near to the target and this happens to be one of the major reasons why NSA is particularly interested in hijacking ISP's for better placement of their monitor/shooter in order to win race against legitimate web-servers to inject malicious content.

Putting Pieces Together

1. NSA has hacked into various Internet Service Providers in order to deploy its passive traffic collection sensors or monitors around internet backbone.

2. The huge chunk of data is then fed to analysis and co-relation engines such as XKEYSCORE.

3. Based upon the analysis of tools such as XKEYSCORE, a target profile is built, for instance "All TOR/VPN users in a certain area", "all PGP usage in Iran" etc. XKEYSCORE can also be queried for most frequent web searches and most frequently visited websites (HTTP).

4. Once the target has been selected and attack conditions have been identified; attack conditions can be for instance, all users based in F-8 Islamabad browsing http://www.torproject.org/. This information is then fed to monitors who once these conditions are met, would leak information to the shooter which then utilizes Quantum-Insert Attack in order to inject malicious response into HTTP response for http://www.torproject.org/ before the actual response arrives.

5. Once the target is compromised, the post-exploitation phase begins which is aimed at collection information as well as performing lateral movement inside of network.

Detection & Defenses 

1. It is to be noted that HTTPS along with HSTS (Strict Transport Layer Security) would reduce the effectiveness of this attack. IPSEC VPN would also prevent this attack as it encrypts transport/application layer messages.

2. One of the other ways to detect this attack would be to check for TTL (Time to Live) value of the IP Packet. When an IP packet is sent across the network, it sets the TTL value which is decremented by each hop. Since in this case the monitor/shooter would be near to the target, the TTL value of the spoofed packet would be less than the real packet.

3. Since, both the legitimate and malicious packets will arrive with same sequence number. We can create a signature on IDS/IPS to keep track of the segments for same sequence number.

The Hacking Articles

The Hacking Articles


Beware!! socialtrade.biz Scam Exposed !!

Posted: 20 Nov 2016 04:35 AM PST

Of course everyone wants to make easy money at home. Who wants to commute for an hour one way to a job in a major city? The answer is no one. That's why frauds taking advantage of and offering online work to just click some link and make money from doing just daily 10-15 min work. They target definite vulnerable demographic segments of the population, such as the elderly or disadvantaged. And as bad as this gets, they also trick highly educated and Internet savvy people too into believing that they can make money fast on these programs.

Many frauds are taking advantage of this and you may lose your hard earned money.

Guys if you remember in 2011 I also warned peoples about speak asia scam and you know what happened who not believe that this is a scam loses all his hard earned money. Attention!! SpeakAsiaOnline Survey, Be Careful !!!

Socialtrade.biz is also scam and is being nurtured by Educated IT Professionals, promoted by Greedy Elites, who are members up the ladder & have no concern about the fallout & resulting losses to thousands of people down the line.
Observe the below rules and you will know that its fraud.
1.    Rs 5 per click to employee, Rs 5 goes to Employer- Still Employer asks for joining fee, that too, a high sum of 20000 to 50000.
2.    Booster Activation Period - 20 Days; Including holidays, so it comes down to 15–16 Days. Again activation takes 2–3 days. So, It further comes down to 12–13 days. So, You need to add 2 members in 12–13 days to activate booster (Which will enhance your income per day)
3.    Say, if you join and do not add any member down the leg- then - You will be stupidly clicking fake links for around 5 months to get your money back. As company is fraud, it can have money of all those members, who enrolled in last 5 months (& din't spread this virus) on any date either today or next Sunday or say your next birthday.
4.    If you continue spreading it, You may recover your investment ( though Company says - Its not an investment company & that huge joining fee is just a token of appreciation for their kind service of manipulating masses) in 2 months. But, those down the line will have their money stuck in this scam.
5.    So, If you see it now, its like, take the disease but pass it as fast as you can on someone (Actually 2 members) next, down the line.
6.    So, the mantra for Members - Keep spreading the disease, bear risk (& fear) of losing money just for 2 months (if you have done your service of spreading the virus to next 2 fools) and thereafter enjoy fruits of your (fake) attributes as managerial skills, Good Convincing, Risk Bearing blah-blah.
7.    If You are a member or if you become a member, you will follow (or have already trodden that path) Point 6 mentioned above. But, my request, first authenticate the claims put by company. Is clicking paying money or just the money is being circulated from new members to old members? If it looks like a scam, Stop yourself from supporting such scam.
8.    If you are not a member yet, Read again from points 1–5. Then ask yourself whether you are okay after fooling (and looting) poor members (Students/ Job Seekers/ Low earning fellows etc.) down the line. If yes, Go On — Sites like Social trade Biz are for likes of you.

How they Manipulation users:
• Each member pays a hefty amount of Rs. 57500/- to get membership. 
• The member gets 125 links (are mostly fake) to promote and earn 0. 625 per day, if booster is not activated. (Booster means making 2 members down the leg). 
• 20 days are given to a new member to activate booster. 
• Down the leg, if 2 members join, the one at top of them gets a booster income of Rs. 5000. 
• So, Say, if a new member pays Rs. 57500 and activates booster in next 15 days, the total payment to that member in next 3 months= 15 Days*625 + 50 Days* 1250 = 71875 + 5000 = 76875 
• Say, if 2 new members down the leg do not make any other member, Payment to these 2 members in next 2.5 months = 2*625*50 Days = 62500 
• Money still left with company= 57500*3 —76875 — 62500= 33125 .
• So for 3 members, Company has around 33000 with it, even after around 2.5 months of joining of 2 members down the leg. As shown, the company has done nothing other than just taking money from lower members & giving to higher members. 
• Say, If company has 200000 members on some date, then company would be having 100000 members at the bottom line, who would have joined in last 10-15 days. 
• Money with company from these 100000 members (Considering only new member money for now) = 57,500*1,00,000 = 5,75,00,00,000 (575 Crore) 
• Calculation is very easy now. Payments to those new members in last 10 days= 10*625*1,00,000 = 62,50,00,000 (62.5 Crores) 
• So Company can run away with 500 Crore on the day, when its membership reaches 200000. Some data shows, it already has more than 1 lakh members. Do you still think that its not a SCAM ? 

Why is it spreading so fast then ? 
• Educated persons leading the mission 
• Top members get huge amount, if new members are added fast. 
• Also, Members receive tablets, Laptops etc. if they make some specific no. of members down the leg in limited period. 
• Most important — Observe above carefully. The top member received Rs. 76875 in just 3  months. It means, they recovered their contribution & also made profits (By looting members down the leg). 

socialtrade.bizlisted some legal document for this business but if you check these all documents are for Ablaze Info Solutions which deal in IT Software Solutions work purpose.

Be wary if you have to pay money or supply your credit card number to a company to make money from these type of jobs. Some scammers make big promises with work at home opportunities, but in these you will lose all your hard earned money.

In Multi level Marketing(MLM) concept only those people make money who are at top of chains.

So if you are one of the victim of this scam stop investing your hard earned money in this scam.

Stay Safe....

See below links Devbhoomi news exposed this scam:




Users complains:







Hacking and Cracking

Hacking and Cracking


Whatsapp 4G VIP SCAM - Technical Analysis

Posted: 06 Sep 2016 11:12 AM PDT


This is a short blog post describing about a recent hoax pertaining the WhatsApp 4.0 version. I would like to clearly highlight that there is no such application as 'Whatsapp 4G'. The version promises users  unrealistic features video calling, new whatsapp themes, delete sent messages from both sides etc

The following is how the message is being propagated:


Technical Analysis 

Upon visiting the link you would be taken to a page where you would be asked to invite 15 friends before you can download the version, upon clicking the invite button, it would use WhatsApp scheme (whatspp://) in order send messages to your friends, and hence you would be promoting a hoax on behalf of the scammers:

The entire business logic is based upon the following client side script - http://new-4g-whatsapp.ga/invite.js.

Upon examining invite.js it was discovered that the code sets a cookie and checks if 15 invites have been sent on the client side: 



Once, the counter has reached up to 15 invites or above, you would be redirected to the download link:

From the above source code, if the value of c is greater or equal to '15', window.location.href would be set to "ur" variable which hosts the following download link - http://ta3.co/new-4G-whatsapp/install.php

The installation link seems to be dead, normally in such scams you would be asked to fill in surveys or installing *free apps* which would not be free as they might be shipped with Malware/adwares.


Update (Whatsapp Gold)


A new variation of Whatsapp 4G VIP scam has recently came into notice with name of "Whatsapp Gold", which basically works on the same principle as above. The only thing that has changed the interface design and name.

Hacking and Cracking

Hacking and Cracking


Breaking The Great Wall of Web - XSS WAF Evasion CheatSheet

Posted: 01 Sep 2016 03:07 AM PDT


I think it's mandatory to give back to Security community from where we learn cutting edge techniques and information. Therefore after months of effort i am presenting to you a new WhitePaper titled "Breaking Great Wall of Web" without any strings attached.


Acknowledgements

I would like to thank the Acunetix Team for helping with proof-reading of the document.

Background



The WhitePaper not only contains sophisticated XSS vectors but it aims at also explaining the methodology behind bypassing a WAF.  The previous paper on this subject "Bypassing Modern WAF's XSS Filters - Cheat Sheet" was released 3 years back. A lot has changed and evolved during these years, especially with the advent of ECMA Script a new horizon for evasion/obfuscation have been opened. I have already discussed/demonstrated several techniques presented in this whitepaper in my recent Webcast hosted by Garage4hackers team namely "Bypassing Modern WAF's Exemplified At XSS".

Abstract 



 Input Validation flaws such as XSS are the most prevailing security threats affecting modern Web Applications. In order to mitigate these attacks Web Application Firewalls (WAF's) are used, which inspect HTTP requests for malicious transactions. Nevertheless, they can be easily bypassed due to the complexity of JavaScript in Modern browsers. In this paper we will discusses several techniques that can be used to circumvent WAF's exemplified at XSS.

This will paper talk about the concepts of WAF's in general, identifying and fingerprinting WAF's and various methodologies for constructing a bypass. The paper discusses well known techniques such as Brute Forcing, Regular expression reversing and browser bugs for bypassing WAF's.

Hacking and Cracking

Hacking and Cracking


Google Chrome, Firefox Address Bar Spoofing Vulnerability

Posted: 15 Aug 2016 11:29 PM PDT

Introduction

Google security team themselves state that "We recognize that the address bar is the only reliable security indicator in modern browsers" and if the only reliable security indicator could be controlled by an attacker it could carry adverse affects, For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.
In my paper "Bypassing Browser Security Policies For Fun And Profit" I have uncovered various Address Bar Spoofing techniques as well as bugs affecting modern browsers.  In this blog post I would discuss about yet another "Address Bar Spoofing" vulnerability affecting Google Chrome's Omnibox. Omnibox is a customized address bar api developed for better user experience such as search suggestions, URL prediction, instant search features so on and so forth.

Technical Details

Characters from languages are such as Arabic, Hebrew are displayed from RTL (Right To Left) order, due to mishandling of several unicode characters such as U+FE70, U+0622, U+0623 etc and how they are rendered combined with (first strong character) such as an IP address or alphabet could lead to a spoofed URL. It was noticed that by placing neutral characters such as "/", "اin filepath causes the URL to be flipped and displayed from Right To Left. However, in order for the URL to be spoofed the URL must begin with an IP address followed by neutral characters as omnibox considers IP address to be combination of punctuation and numbers and since LTR (Left To Right) direction is not properly enforced, this causes the entire URL to be treated and rendered from RTL (Right To Left). However, it doesn't have be an IP address, what matters is that  first strong character (generally, alphabetic character) in the URL must be an RTL character

Logical Order

The following is the logical order of characters in the memory.  Since, Omnibox removes"http://" and displays strings without "http://" prefix.

127.0.0.1/ا/http://example.com

Display Order

The following is the display order of characters after the browser removes the leading "http://", decodes the percent-escaped bytes, and applies the bidirectional algorithm.

http://example.com/‭ا/127.0.0.1

Steps To Reproduce

1) Visit the following link for the vulnerable browser - http://182.176.65.7/%EF%B9%B0/http://google.com/test

2) You would notice that the URL has been flipped from Right to left and the browser displays http://google.com/test/182.176.65.7 while it displays the content from the IP address.



The IP address part can be easily hided specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic. In order to make the attack more realistic unicode version of padlock can be used in order to demonstrate the presence of SSL.

Firefox Mobile Address Bar Spoofing CVE-2016-5267

Firefox was also prone to a similar vulnerability, however this did not require IP address to trigger, all it required was is arabic RTL characters, which in this case i provided arabic TLD (عربي.امارات) in order to trigger the vulnerability which resulted in

Proof of concept 

http://عربي.امارات/google.com/test/test/test


As you can see from the above screenshot that the page is hosted on عربي.امارات , however the address bar points to google.com.

Important Note

Variation of similar vulnerability has also been discovered in several other browsers that are still undergoing a fix there i am refraining from disclosing them. Details will be disclosed, once a fix has been landed. 

Fix

RFC 3987 § 4.1 states that "Bidirectional IRIs MUST be rendered in the same way as they would be if they were in a left-to-right embedding.", therefore setting paragraph direction to LTR fixes this issue. This is a known issue and has already been discussed in great detail here.

Credits

I am highly indebted to "Matt Giuca" from the Google Chrome team for his extensive help on this issue and "Tod Beardsley" for handling the disclosure.

Bug Bounty 

The total bounty rewarded for all bugs combined was 5000$.