Shlomi Narkolayev

IRANGE - Pays close attention to your valueable items

2011-09-18T04:38:00.000-07:00

This isn't an information security post, but definitely in the personal security field.

I want to present an idea that I have developed with a help from two of my friends, it's called - i-Range.

Unfortunately, I didn't had a time yet to develop this product.

I hope you will enjoy watching the video:

i-Range is a product that gives support in the field of personal security.
His main goal is to protect every day items, which are considered to be valueable.

The product consists of two end points; The Master unit, the user wears, could be a watch or a braclet and the Slave unit which is a tiny sticker, that can be easily glued on any item.

The i-Range will pay close attention to the valueable items such as: wallet, keys, cell phone, laptop, passport, etc.

The user will glue the sticker on the valueable item.
Both end-points constantly communicate with each other wirelessly, while the Slave unit sends the signals and the Master unit receives them.
The user can configure the reception range, which allows the user to change the secure radius.
When an item exits the secure radius, the system immediately and constantly alerts the user by vibrating and beeping to the user.

Linkedin ViewLink and ViewArticle mechanism opens new kind of Phishing attacks

2010-12-13T23:58:00.000-08:00

In this post I'll explain how it's possible to execute Phishing attacks on LinkedIn users while the attacked users will see in the address bar the LinkedIn.com domain.

LinkedIn users allowed to attach links to their posts in linkedIn website.

User that will click on these links will open the links using the LinkedIn ViewLink mechanism that will open the link in a iFrame.

Attackers can upload a regular LinkedIn phishing page and abuse this ViewLink mechanism and fool users and steal their passwords, all they need to is to attach a link to this phishing page in their posts.

I did this POC (proof of concept) today, here is what I got:
Step1:

Step2:

Step3:

So now the poor users need not just to verify the domain on the address bar, they also need to verify they are not entering their credentials on ViewLink or on ViewArticle pages.

SCADA Exploitation - Hacking into national infrastructures

2010-11-17T03:26:00.000-08:00

Hackers find their next target using SHODAN search engine

SHODAN (http://www.shodanhq.com/) is a search engine that allows find specific computers (routers, servers, etc.) using a variety of filters. They grad this "horrible" data from (routers, servers, etc.) 'banners'.

Using this DB, hackers can find SCADA Internet-facing Web interfaces, default passwords for web servers and network devices, IP cameras, vulnerable systems (filtering by IIS 5, windows 200, etc), and many more.

Some interesting SCADA information (took from SHODAN DB):

By the way, Simatic S7 SCADA like mention above, are the same systems that were targeted and penetrated by Stuxnet worm.

Using this information, H4ck3rs can locate these critical national infrastructures systems and try to penetrate them, what can be sometimes very easy.

Here is one nice example:

Here are some default password in use:

Please don't use this data to hack these systems, this is illegal !!

Source-Link-Phishing (A.K.A. TabNabbing) - New technique for phishing attacks

2010-09-22T03:22:00.000-07:00

I would like to demonstrate a new technique that could be used for phishing attacks.

Using this technique, Phishers can more easily fool naive users and steal there login credentials.

Attack scenario:
Let's suppose that a Phisher wants to get some bank's (Or any other "Interesting" online system) users credentials and this bank allows posting links as comments on some pages.
The Phisher just need to post this link: http://shlominar.50webs.com/Source-Link-Phishing.html
and anyone that will click on this link will open new tab and after a few seconds the "Source" tab will be changed to a Phishing page.

I call this technique: Source-Link-Phishing

Demo

Directory Traversal Cheat Sheet

2010-04-06T22:24:00.000-07:00

You can use this cheat sheet for exploiting web servers and application servers for directory traversal.

This is eight level of deep Directory Traversal. There are 880 variants of Directory Traversal attack signatures.

To use this list effectively, you need to replace the "(Filename)" phrase to the desired file - Depending by the attacked web server OS.

Be my guest to suggest more variants to this awesome list.

Enjoy ;-)

Credits to Luca "ikki" Carettoni for this list.

Open the cheat sheet (this will take few seconds to load this long list)

ClickJacking Advertisement

2010-02-19T05:05:00.000-08:00

I want to present you JavaScript scheme that I wrote in recent days.

This demo presents how it can possible to “steal” users clicks and force them to click on your advertisements for example.

Using these advanced methods, the “bad guys” can make a lot of money using PPC (Pay per Click) and other affiliates programs that are very popular in these days.

Here's my online demo (Click here).

Hacking Citrix and Terminal Server Techniques

2010-02-03T10:08:00.000-08:00

Friend of mine is security consultant and from time to time he's asking my help for hacking Citrix and Terminal Servers.
So I decided to write a list of my hacking techniques that I use in case someone tries to close some registry keys ;-)

I'll try regularly update this list:

Basic shortcuts:

Open file: Ctrl + o
Save File: Ctrl + s
Open New Browser: Ctrl + n, Shift (or Ctrl) + Left Click on link
Browser History: Ctrl + h
Task Manager: Ctrl+Shift+Esc
File manager: Windows + E
Run commands: Windows + R
Utility Manager: Windows + U
Windows search: Windows + F

Open Internet browser:

Press F1 – Click on any URL to open.
Click on help on the language bar.
Windows + U -> Help
Run calc -> Help -> Help Topics -> Mouse right click on the window blue frame -> Jump to URL

Get local files (like cmd.exe):

Printing window (Ctrl + p) -> print to file -> filename=* -> Enter -> and browse to system32
Right Mouse Click (or Shift + F10) -> Save Picture As -> filename=* ->…
View Source -> filename=* ->…

If the right mouse click is forbidden:

Use Shift + F10

Run Command Shell:

Run command.com
Drag other file on cmd.exe or command.com
Shortcut to cmd.exe or command.com
Batch file with: c:\windows\system32\cmd /c (Or /K) any_command
VBS script:

Open file manager using IE:

Favorites -> Drag any folder to browser’s window.

Using office applications:

Insert Picture -> filename=* ->…
Insert Hyper Link - > file://c:\windows\system32\cmd.exe
Insert object -> Create from File -> cmd.exe or command.com
Run VB (or VB Macro).

If you can't run shell:

Rename cmd.exe (or command.com) to applicationName_uCanRun.exe.
Use Debug.exe, using this you can run almost any exe you like. You just need to upload the Assembly code or write by yourself.
Run VB compiler, using office applications.

Hacking the Planet - By TinKode

2010-01-29T00:30:00.000-08:00

This post isn't technological, but still I want point you to TinKode’s recent nice hacks, among them:
NASA - SQL Injection, XSS, SQL Injection (MSSQL),
Army.mil, Yahoo, Kaspersky.

These critical systems recent hacks was executed by one person in less then 2 month.
Cases like these outlines today's systems security reality.

He didn't used any sophisticated attack vectors or any 0-day exploit, just discovered on the right time and on the right place some SQLi and XSS holes.

Don't worry: Secure SDLC (Systems Development Life Cycle) + Good Configured WAF (Web Application Firewall) + Advanced VA (Vulnerability Assessments) and Security awareness may solve this problem ;-)

ClickJacking Facebook

2010-01-15T00:47:00.000-08:00

I discovered that websites like Facebook and many others "protected" websites are vulnerable to ClickJacking attack.
I have informed some mass users websites like Facebook with my findings.

Here is Facebook response:
Our team looked at this. It's standard clickjacking and not unique to Facebook. We're building some additional protections for these types of attacks and reminding people to be cautious of any message, post, or link they find on Facebook or elsewhere on the Internet that looks suspicious.

This demo video presenting how can I fool Facebook users to add applications to their account.

I could write malicious application that steals users personal info or even simple application that build for me a bot net users for malicious purposes like hacking systems for SQL Injections and DDOS attacks.

Using ClickJacking i also could fool users to click whatever I want: adding me as their friend, delete their account, and even open their camera and microphone using flash (Older versions then 10.x), or install Facebook applications that posting their web camera and microphone every time they connected to Facebook - Just use your imagination on what you want others to click on...Transfer to you poker chips???

Here's my online demo (Click here).
Using this demo you can check if your website is vulnerable to ClickJacking attacks. If you were able to click on links and buttons and other active objects in the hidden iFrame - so your website is vulnerable.

Comitari Free - Bullet proof protection against ClickJacking and UI Redressing attacks
Comitari website: http://www.comitari.com/

Find SQL Injection using Google Dorks

2010-01-13T09:18:00.000-08:00

MSSQL:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string
Microsoft Jet Database
VbScript

MySQL:
mysql error
mysql_query
mysql_fetch
mysql_connect

Oracle:
ORA-00921: unexpected end of SQL command

PostgreSQL:
Warning: pg_query(): Query failed: ERROR: Argument
pg_connect
pg_exec
pg_fetch_object
pg_fetch_array

Here are some examples:
inurl:"id=" & intext:"Warning: mysql_fetch_assoc()
inurl:"id=" & intext:"Warning: mysql_fetch_array()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: is_writable()
inurl:"id=" & intext:"Warning: getimagesize()
inurl:"id=" & intext:"Warning: Unknown()
inurl:"id=" & intext:"Warning: session_start()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: pg_exec()
inurl:"id=" & intext:"Warning: mysql_result()
inurl:"id=" & intext:"Warning: mysql_num_rows()
inurl:"id=" & intext:"Warning: mysql_query()
inurl:"id=" & intext:"Warning: array_merge()
inurl:"id=" & intext:"Warning: preg_match()
inurl:"id=" & intext:"Warning: ilesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: filesize()
inurl:"id=" & intext:"Warning: require()

Defeating Frame Busting Scripts

2010-01-13T08:53:00.000-08:00

One of the most used solutions for ClickJacking is to setup JavaScript in your page that you want to protect, that forbids to be framed.

Here is an example to this script:

Here is how we can bypass this protection:
We need to set the I-Frame tag property by Microsoft's security restriction method.
Using this property we will not allow the JavaScript code inside the I-Frame to execute.

Here is an example:

Some notes:
• This will block running all JavaScript in the I-Frame (It could brake some applications that uses JS).
• This works only for IE and Opera users (So Mozzila and Crome users are protected).