
Difficulty: Medium

They're not just trusted hosts, but trusted sources


Creator: m101
Have you ever thought to yourself, now how the hell did that computer get hacked? Was that really possible? This just doesn't make sense, that computer only had a single unvulnerable service, it can't have been hacked...
Apart from the extensive use of 0day exploits to hack into seemingly invincible systems, it really doesn't seem possible for many hacks to have taken place. However, you are sadly mistaken, the system is only as secure as the paranoia of its users. Everyone has heard of trusted hosts and how they can be used to break into computer systems, but there is a larger scope than this. That is why I call them trusted sources.
One of the most famous hacks on record (not necessarily the most impressive) was the one done by Mitnick to hack into Tsutomu Shimomura's 'secure' box. This was done by Mitnick first disabling the client box, and then spoofing his own connection to make it appear that he was the client; from here he could easily do what he wanted as he was now a trusted source. Now, not everyone is vulnerable to this, and it can also be an extremely difficult exercise these days to perform, but the principles and ideas behind it can be used in many situations.
Here is a situation that will truly show you how to hack hotmail. I can already hear all the kiddies yelling for joy. Although gaining root access on the server is pretty damn tricky, the average kiddie wishes to gain access to a friend, enemy or girlfriend's email account for reasons of all types of bullshit. Anyway, let's set the situation up a little: Hacker wants to break into target's email account, now target isn't stupid enough to give any people their password. This would theoretically stop most people straight away from gaining access.
Let's look at what happens when target attempts to login to hotmail with their all important password. Target walks to their computer, and sits down to use it. Next they connect to the internet and request hotmail's login page. Then after receiving it, they send their password to hotmail to authenticate themselves. They are now logged in. So you ask, where is the vulnerability in the situation? Let's break the process down further and discover the trusted sources:
Target--Computer--ISP--Hop1--Hop2..HopX--Hotmail Domain
So from here we have the following trusted sources between the target and hotmail:
Their computer
The ISP
Hop number 1
...
Hop number X
Generally 'X' would be roughly at least 10. That means there are at least 11 trusted sources in between the target and hotmail. The target has unwillingly just trusted their password to a number of total strangers. If any single one of these sources was to be hit by the hacker, then they would gain the target's password through simple packet sniffing.
This case was just to give you an idea of how bad trust can be, but it probably still doesn't explain how to hack the unhackable. Let us take a real target and see how it may be flawed. Cyberarmy is an excellent example, but how would you gain access? Well here is how the system was once set up to the public:
www.cyberarmy.com
ca-pr.info ca-osi.org ca-cia.org zzine.org exploitresearch.net
These at one point were the main domains of Cyberarmy, but I can guarantee you that hacking a single target is not going to gain you access to the main domain, so how is it possible to hack the main page? Here is the major list directly off the main site:
Structure:
The CyberArmy - C/O: Commander in Chief scanjack
X/O: ViceCinC wa1+,,!
X/O: ViceCinC -ang
Gen Penguin
Mar dimplex
Ret. CinC Chawmp
Mar narkle
CyberArmy University - Gen SHEPHERD
CyberArmy Privacy Commission - Gen Tacheon
Open Source Institute - ViceCinC barneyboy
Special Operations - Gen zifnab
Ready Response - ViceCinC -ang
CyberArmy Public Relations - Mar CHi
CyberArmy Intelligence Agency - Gen 4eto
CyberArmy IRC - Gen wewalkin
CyberArmy Exploit Research - Gen Goldfish
Internal Command - Mar axem
CyberArmy Services And Support - Gen Goliath
That's a total of 13 people who run the sites as admins. However, they do not all have access to the main domain, in fact only scanjack and one or two more have it. Also the password system randomly generates new passwords for the accounts on a regular basis.
The first thing is to pick a target host, then play with it and see if we can somehow exploit it. The newest host in the list is actually ca-osi.org, the open source institute of cyberarmy. The guy who runs it (barneyboy) ain't too bad a bloke. After a bit of research into the site, we find around ten people who appear to have privileged rights to the server.
So now we have a couple more sources for the tree. You can easily do a search on google for sites that these individuals visit, and from there gain even more sources. The target for example may be www.shnonline.com, the owner being of course 'shn'.
After a bit of exploration of the website, we discover shn doesn't care too much about it and doesn't know how to update software that well. We find that his messageboard is vulnerable to a six month old vulnerability, and shn is too lazy to fix it. So of course we break into the site and head straight for the password files. On inspection, the MD5 hashes it stores contain a damn long password, so brute forcing is useless. At this point many would give up, but you have to remember that shn would obviously believe that his OWN site is a trusted host, so therefore it would be quite easy after already having access to make the login scripts save plain text passwords to a separate file. After the necessary changes are made, a week later shn logs in to check his messageboard and BAM! we now have his plaintext password and he is none the wiser. From this point shn probably doesn't care too much, what the hell is anyone going to do with shnonline.com? Absolutely nothing, however we now try his password on ca-osi.com and find.....
IT WORKS!
That's right, we have now broken the trust barrier of one individual to gain access to another host. Now, ca-osi just so happens to be another one of them php nuke sites, and since shn is an admin, we can just click a few buttons and download the user database. What goodies would you expect to find in the database? Handles, email addresses and personal homepages, for a start.
(These are just general addresses that were gathered from around the net.)
From this small list, there is a high possibility we could get ourselves a few web servers, .edu accounts and various other interesting things. The average database will contain all types of juicy information, and guess what, you would have just violated around 500 people's trusted sources in one go. As you can see from this, you could now use the new information, and the trusted source itself, to gain more and more access to the systems. From there I'm sure you could find a way to gain access to one of the leaders' personal computers, and from there easily log their password to access the main website. If you are wondering, this was ONLY a case study, not an actual hack.
Here's another quick case study of how totally stupid most people are. Everyone knows the problems that exist in smtp to allow people to somewhat forge mail, but not many people even consider how it could also become a powerful trusted source. I guarantee that if you were to receive an email from your girlfriend or best mate that didn't look sus, you would happily open it and not even realise you've just installed a trojan on your box.
Trusted sources come into everything, you don't have to think much to find them. It all really just turns into a mass amount of social engineering. A target is only really as secure as the amount of effort the hacker puts into breaking it. The same applies to most situations in life, your house key doesn't protect from someone running a car through the door does it? No it doesn't, it only stops the casual burglar with not much intent....
