In this post I will demonstrate one way to sniff weak user credentials, as well as the images a user viewed in their browser. The setup is an Apache web server running a basic page that requires users to authenticate to view the restricted area of the site. The authentication is done by Apache's AuthType Basic method (HTTP Basic authentication).
With Wireshark running on the web server, we access the site from another machine on the network and are presented with the basic login form, whose appearance depends on which browser you use.
As you can see, the user inputs his username and password to request access to the protected area of the site.
Once the request is sent, Apache authenticates the user and directs him to the protected area of the site. If we take a quick look at the corresponding packet in Wireshark we can see that the credentials are sent in clear text across the network: HTTP Basic authentication only base64-encodes the username:password pair, and base64 is an encoding, not encryption.
Now that we have acquired the user's credentials, let's look at what he did while he was on the site. If you see that the user has requested and viewed images from a web server, Wireshark is able to export those as well.
Click File, then Export Objects, then HTTP.
Wireshark will take any reassembled objects in the HTTP stream and allow you to save them to disk. It is able to save images, documents, executables, and anything else that can be sent over HTTP.
Wireshark is definitely a powerful tool. This is not even scratching the surface of what Wireshark can do. For more of its functionality check out their users guide.
http://www.wireshark.org/docs/wsug_html/
As you can see, sniffing is a powerful attack vector, especially when credentials are not even encrypted when being passed across the network. The moral of the story is: when dealing with sensitive information, make sure that you are using a reliable, encrypted method of communication such as SSL/TLS (HTTPS). You never know who could be on your network.
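To make the "clear text" point concrete, here is an added example (not code from the original post) that parses a constructed plain-HTTP request of the kind Wireshark displays, recovers the Basic credentials from the Authorization header, and flags them as an audit finding when the request did not travel over TLS. The request text, host name and credentials are constructed for the example.

```python
import base64

# Constructed sample of what a sniffer on the wire sees for a plain-HTTP
# request carrying Apache AuthType Basic credentials (not a real capture).
CAPTURED_REQUEST = (
    "GET /restricted/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "User-Agent: ExampleBrowser/1.0\r\n"
    "\r\n"
)


def parse_request(raw_request):
    """Split a raw HTTP request into (request_line, {lower-cased header: value})."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def basic_credentials(raw_request):
    """Return (user, password) if the request carries Basic auth, else None.

    Base64 is an encoding, not encryption: the pair is fully recoverable
    from a single captured packet, which is exactly what Wireshark shows.
    """
    _, headers = parse_request(raw_request)
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    decoded = base64.b64decode(token).decode("utf-8", errors="replace")
    user, _, password = decoded.partition(":")
    return user, password


def plaintext_basic_auth_findings(raw_request, over_tls=False):
    """Audit helper: report Basic credentials that travelled without TLS.

    Pass over_tls=True for a request observed inside an HTTPS session; such
    requests are not reported because the header was encrypted in transit.
    """
    creds = basic_credentials(raw_request)
    if creds is None or over_tls:
        return []
    request_line, headers = parse_request(raw_request)
    return [f"user '{creds[0]}' sent Basic credentials in the clear to "
            f"{headers.get('host', '?')} ({request_line})"]
```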
"People designing defenses who have never had them evaluated by a good attacker is kind of like learning one of those martial arts that look more like dancing than fighting. They look nice, but when you get into a fight your dance kungfu isn’t going to help you not get your ass kicked." - Dan Guido
Wednesday, September 28, 2011
Wednesday, September 7, 2011
SQLmap
I was able to play with a mock MySQL database the other day to see if I was able to acquire a specific username and password combination. The database was vulnerable to SQL injection through an online web application that allowed users to view pages through a PHP script that took a numerical value and passed it straight to the SQL statement. By modifying the number to equal a value that there was not a page for, I inserted an OR statement after that value and was able to redirect the SQL statement from there. After a few initial tests, I saw that the web application was indeed filtering the error messages that the database threw back; therefore I had to use "blind" SQL injection. If you want to know more about blind SQL injection, OWASP has a great page HERE.
After asking the database quite a few "yes or no" questions through SQL statements, I decided to try out some security tools that I had never used before. One of these was a beautiful little tool called SQLmap. After pointing it at the web application, SQLmap began to laugh at my manual attempts to fingerprint the database and enumerate its tables, and within minutes it had finished its task. I was floored. How in the world did this thing produce the results that it did in such a short amount of time? Being the kind of person who has to know how things work, I fired up Wireshark and watched as SQLmap sent packets faster than I could scroll down. Once it took a breather I filtered through the packets and looked at the SQL statements that it was sending to the application. It looked like SQLmap was using the technique discussed on the OWASP page that enumerates each character individually through true or false statements. If the statement is true the page will return with the correct item as if it were just a simple ID request. If the statement is false, the page will return with some sort of predefined error page. And seeing as a program is capable of being much smarter and faster in this type of scenario, this is the ideal way to perform a blind SQL injection due to the fact that it saves a lot of time.
Thanks to SQLmap I was able to acquire the dummy username and password. Needless to say I was highly impressed by this tool and look forward to becoming more skilled with it, as well as learning more about database security.
For a list of SQLmap's features check out their page HERE.
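The burst of true/false probes described above is also very visible from the server side. As an added example (not part of the original post and not SQLmap's code), here is detection logic a defender could run over Apache access logs: it groups OR/AND probes that compare one extracted character by client and script, and reports the distinct response sizes, since a boolean oracle shows up as two page sizes. The log lines, IP addresses and script path are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache access-log lines (not from a real server): one client
# browsing normally, another sending the one-character-at-a-time true/false
# probes described above against the same id parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Sep/2011:10:15:01 -0400] "GET /page.php?id=2 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2011:10:15:02 -0400] "GET /page.php?id=9999+OR+ASCII(SUBSTRING(user(),1,1))>64 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2011:10:15:02 -0400] "GET /page.php?id=9999+OR+ASCII(SUBSTRING(user(),1,1))>96 HTTP/1.1" 200 5120
10.0.0.9 - - [07/Sep/2011:10:15:02 -0400] "GET /page.php?id=9999+OR+ASCII(SUBSTRING(user(),1,1))>112 HTTP/1.1" 200 4410
10.0.0.9 - - [07/Sep/2011:10:15:03 -0400] "GET /page.php?id=9999+OR+ASCII(SUBSTRING(user(),2,1))>64 HTTP/1.1" 200 5120
10.0.0.5 - - [07/Sep/2011:10:15:04 -0400] "GET /page.php?id=3 HTTP/1.1" 200 5200
"""

# Common-log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3} (?P<size>\d+)'
)
# A boolean probe: an OR/AND clause that compares one extracted character.
PROBE_RE = re.compile(
    r"\b(?:OR|AND)\b.*\b(?:ASCII|ORD|SUBSTRING|SUBSTR|MID)\s*\(", re.IGNORECASE
)


def blind_sqli_suspects(log_text, min_probes=3):
    """Return {(client_ip, script): {...}} for clients sending >= min_probes
    boolean probes to one script. Distinct response sizes are reported because
    a true/false oracle shows up as exactly two page sizes."""
    seen = defaultdict(lambda: {"probes": 0, "sizes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines
        script, _, query = m.group("path").partition("?")
        if PROBE_RE.search(unquote_plus(query)):
            entry = seen[(m.group("ip"), script)]
            entry["probes"] += 1
            entry["sizes"].add(int(m.group("size")))
    return {
        key: {"probes": v["probes"], "response_sizes": sorted(v["sizes"])}
        for key, v in seen.items()
        if v["probes"] >= min_probes
    }
```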
Tuesday, September 6, 2011
"Supercookies"
I was doing some work with a friend of mine when he told me about a fairly new type of internet monitoring technology he had heard about in the Wall Street Journal. Since the WSJ is not the most technically advanced news reporting group out there, I figured that if this new form of monitoring was appearing in an article there then it was not terribly cutting edge, but I had never heard about it. "Supercookies", as they are called, seem to be cookies that can take up more space on your hard drive as well as be harder to locate and remove. Supercookies or "Flash cookies" seem to be Adobe Flash based, and the Adobe website storage settings for your computer can be accessed here.
fightidentitytheft.com also had some other ways that supercookies can be dealt with, as well as more insight into supercookies.
Targeted marketing is obviously one of the main reasons companies such as Microsoft, Hulu, and other large companies would use browser tracking methods such as supercookies, but I feel like the line between smart marketing and invasion of privacy is becoming smaller and smaller these days and the dangers of that are not fun to think about.
Say a company were to obtain the browsing history of an individual who is a doctor and is constantly searching for specific types of diseases or illnesses. If, for some reason, that browsing history were given to that individual's insurance company and the insurance company were to drop him or her for fear that they were possibly getting sick, is that smart business or is it a major breach of privacy? Just food for thought...
Wall Street Journal Supercookie Article