>Aaron says:
>April 5, 2014 at 3:52 pm
>So how’d you sucker Bill into clicking your exploit link? Since you hadn’t yet hijacked his DNS, I presume the link didn’t (couldn’t) actually point to linkedin.com — shouldn’t his mail client have warned him? (Mine would.)
>>Reply
>>Phikshun says:
>>April 5, 2014 at 5:35 pm
>>See this video by Raphael Mudge[1]. He does a much better job of explaining it than I would. I also had another advantage — Bill and I worked for the same company at the time, so I could send the phish to myself to make sure it passed all the filters. This isn't so unrealistic though. An advanced adversary will scour RFPs, public records and job postings to learn what protection technologies a company has and attempt to duplicate their environment for testing.
[0]http://disconnected.io/2014/03/18/how-i-hacked-your-router/c... [1]http://www.youtube.com/watch?v=OO_A8NHNBj8
Then I decided to test it, and in fact Gmail does seem to be doing more than that. I ran a two-line script as root from my mail server to send a message with an envelope-sender from my domain (which has a basic SPF txt record in its DNS) and a from: header from LinkedIn, and Gmail spit it back at my return address a moment later saying that it smelled like spam. So, good for Gmail!
But, I don't think this is common behavior, and the article doesn't actually say that the target has a Gmail account.
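The check the test above exercises is DMARC-style alignment between the SPF-authenticated envelope sender and the header From: domain. This is an added illustration, not code from the post or from any mail provider; the organizational-domain rule is a two-label approximation (no Public Suffix List) and the sample message is constructed.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample reproducing the test: envelope sender from the tester's own
# domain (which SPF would pass), header From: claiming linkedin.com.
SAMPLE_ENVELOPE_FROM = "bounce@example-tester.net"  # constructed
SAMPLE_MESSAGE = """From: LinkedIn <invitations@linkedin.com>
To: bill@example.com
Subject: You have a new invitation

Click here.
"""

def domain_of(addr):
    """Lowercased domain part of an e-mail address, or '' if none."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower() if "@" in address else ""

def org_domain(domain):
    """Crude organizational domain: last two labels (assumption; real DMARC uses the PSL)."""
    labels = domain.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain

def spf_aligned(envelope_from, raw_message, strict=False):
    """Return (aligned, header_domain, envelope_domain).

    SPF by itself only authenticates the envelope sender (MAIL FROM), so a
    forged header From: passes SPF. Receivers that enforce DMARC also require
    the two domains to align; strict=True mirrors aspf=s, the default relaxed
    mode compares organizational domains.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hdr = domain_of(str(msg["From"] or ""))
    env = domain_of(envelope_from)
    if not hdr or not env:
        return False, hdr, env
    aligned = hdr == env if strict else org_domain(hdr) == org_domain(env)
    return aligned, hdr, env
```

With the sample inputs the call returns not aligned, which is the mismatch the receiving side can bounce on even though SPF for the envelope domain passes.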
It pretty much is. The actual settings vary between different mail providers and this is actually more complicated than checking header against sender IP. So everything is possible, but that mail-sending part needs more explanation anyway.
That's an interesting decision for a security-minded person to make though. Do I use gmail as they'll have broad statistical analysis of attack vectors? Or do I use my own mail server which may not have the same features, but is more secure/private in other ways?
Perhaps someone could comment on the possible prison time if an approach like this was taken without the authorization that this person had in advance?
Also it would seem that it would be fairly easy if you are in physical proximity to the target to use social engineering (as opposed to a bump key - opening the front door) to gain physical access to the premises and find the wifi password right under the router. Or plant something on the network that gives you access - you get the picture. Or plant a keylogger that might not be noticed for months. Or drop a USB key (wouldn't work with an infosec guy but maybe if it was mailed to him and it looked like it came from a reliable source it would).
[0] http://sourceforge.net/p/notepad-plus/discussion/1290588
This happens even with software where you would think the manufacturer is aware of this kind of problem. 1Password downloaded updates over HTTP for a long time, then switched to HTTPS and failed to check certificates. When they finally started to check if binaries are signed (Windows provides for that), they didn't change keys so you could downgrade to a previous version that didn't. That is just one application.
Most OS X apps use either the Mac App Store, which signs everything, or Sparkle[0], which last time I used it made it really hard to use it without signing things. It's only stuff from big vendors like Adobe and Microsoft who do custom stuff you can't really trust.
And that's all an attacker needs.
Which is why I'm always wary of installing unsigned software. In such cases I try to check some hashes some way. Obviously if the download page lists them I check against those, but in most cases it's insufficient because that page is not HTTPS. So I always help myself with google, both by googling the filename to find some pages listing a hash, and by googling my own hash (note that Google is accessed with HTTPS).
Suppose I download Putty and am unsure of whether it's the real thing or whether it's a Trojan, e.g. due to someone having hacked my router. I compute the hash of the file and google it: http://lmgtfy.com/?q=44ac2504a02af84ee142adaa3ea70b868185906... . I find many sites saying that's putty.exe. If I didn't, I'd be very suspicious.
>google "44ac2504a02af84ee142adaa3ea70b868185906f"
>see results are mostly "putty.exe"
Three steps, all relatively painless.
I'd also like to know what domain was used for phishing, since you would think an infosec guy would either hover over the button/link before clicking, or get suspicious when he sees his browser load a site that isn't linkedin.com before redirecting.
Edit: Ignore it, I forgot he didn't control the DNS at that point. So this is invalid.
I suppose you could just serve up a fake backdoor program for every *.exe\msi download, and remove the honeypot on the second download? The first download would execute and maybe do nothing (or error) - prompting a second download which led to the real thing.
He likely just enabled them all, or at least enabled several which are likely candidates for his target to download.
Even if the target set his computer to auto-update (or something that did not require admin authentication), wouldn't he have some type of notion that something went wrong during his update?
With the target being an InfoSec guy, I would've imagined he would at least be running some type of network monitoring, like wireshark or little snitch, esp. on his personal computer. Wouldn't he have to authorize the outgoing packets?
Sorry, if I come off analytical to the story...it's a great read...I just want to make sure my networks are locked down. I've even gone as far as dedicated networks for my server and home usage, and preventing internal ip addresses from communicating to each other (sucks for airplay).
There is a way of injecting your code into an existing executable so that the executable still works like it did before. Basically your code gets called first and then the original program entry point gets called.
Wouldn't he have to authorize the outgoing packets?
He might have updated this Notepad++ on purpose? He obviously did not know his router was compromised.
I was trying to figure out how he had the key logger sending out its packets.
Only if it's unsigned (or someone doesn't check the signatures) and it's over HTTP. I can't seem to find it, but someone complained about just how hard it is to get a version of putty that you can at least be sure came from the right domain.
Besides, are there some step-by-step guides/checklists that would help build a secure environment for your router/PC?
<form enctype='text/plain' method=post action='http://192.168.1.1/vulnerable'>
<input type='hidden' name="<!--" value="--> <SOAP...>" />
<input type='submit' value="submit" style="position:fixed;top:0;left:0;width:1200px;height:1200px;background:#000;opacity:0;" />
</form>
Is the corresponding 1-click that works on noscript. That said, it would still require the victim to load the fake LinkedIn page (with the wrong domain), which is more likely to look suspicious.
And it would've loaded the router page after the POST (instead of redirecting to LinkedIn), which would definitively signal that something was wrong.
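For the router side, the form above relies on enctype='text/plain' smuggling a SOAP body past the endpoint. An added example (not the post's or any vendor's code) of the two request checks a SOAP handler can apply: an HTML form can only send urlencoded, multipart or text/plain bodies, so requiring a SOAP content type defeats it outright, and an Origin/Referer check covers browser-initiated requests in general. The router address 192.168.1.1 is taken from the form; the request bodies are constructed.

```python
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"192.168.1.1"}  # the device's own address, from the form above
SOAP_TYPES = {"text/xml", "application/soap+xml"}

# Constructed: what the hidden-input trick produces on the wire. text/plain
# form encoding emits "name=value", so the HTML comment markers bracket the "=".
ATTACK_BODY = "<!--=--> <SOAP-ENV:Envelope><SOAP-ENV:Body/></SOAP-ENV:Envelope>\r\n"
GOOD_BODY = "<SOAP-ENV:Envelope><SOAP-ENV:Body/></SOAP-ENV:Envelope>"

def same_origin(headers):
    """True unless Origin (or Referer) names a host other than the router.

    Browsers always send Origin on cross-site POSTs, so a foreign value is
    decisive. A request with neither header is treated as a non-browser
    client and left to the content-type check (assumption for this demo).
    """
    src = headers.get("origin") or headers.get("referer")
    if not src:
        return True
    return urlsplit(src).hostname in ALLOWED_HOSTS

def accept_soap_post(headers, body):
    """Return (accepted, reason) for a POST to the SOAP endpoint."""
    headers = {k.lower(): v for k, v in headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SOAP_TYPES:
        # An HTML form cannot produce text/xml, so this alone stops the form above.
        return False, "unexpected content type %r" % ctype
    if not same_origin(headers):
        return False, "cross-site origin"
    if "<!--" in body or "-->" in body:
        # Defence in depth: a genuine client never wraps SOAP in comment markers.
        return False, "HTML comment markers in SOAP body"
    return True, "ok"
```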
Any hardware recommendations for what I should look in for in a router? Is old better than new? Any particular model that is well supported?
Unless I'm missing something...
I don't know about the vulnerabilities in the Time Capsule router, but from my understanding the only router firmware even remotely worth a look in terms of security would be OpenWRT.
but I figured I should ask this guy, sounds like he knows what he's doing.