getting out of credit card debt.  chained exploits ◦ whitaker, evans, voth; addison-wesley,...

Download Getting out of Credit Card Debt.  Chained Exploits ◦ Whitaker, Evans, Voth; Addison-Wesley, 2009

Post on 19-Dec-2015




0 download

Embed Size (px)


  • Slide 1
  • Getting out of Credit Card Debt
  • Slide 2
  • Chained Exploits Whitaker, Evans, Voth; Addison-Wesley, 2009
  • Slide 3
  • Methods discussed in course are considered illegal Under no circumstances should tools or methods be utilized on any networked system without the explicit written permission of an authorized grantor within that organization Document should be witnessed and should delineate the boundaries of your actions Signed document for this course indicating that you understand and appreciate the nature of the concepts and methodologies
  • Slide 4
  • What is the purpose of instructing these methods and tools? So that you, as a professional, will understand the methods and tools and be able to determine When and how they were leveraged against you Find traces of them during an investigation Pro-actively search and deter an attack
  • Slide 5
  • Attack consisting of several exploits or attacks in order to achieve a goal
  • Slide 6
  • Phoenix (obviously not his real name) is in debt for thousands of dollars to a banks credit card system, and his rate has just gone up to 29% Plans to pay off his debt by hitting the banks system (PDXO Financial) If he uses another persons card to pay off his, itll be noticed Plans to steal cc information and sell it on the black market
  • Slide 7
  • 1. Enumerate the website 2. Enumerate the cc database 3. Get cc info from the website 4. Sell the cc info on the underground market 5. Trash to website (misdirection)
  • Slide 8
  • Uncover as much information about the website as possible Operating system Web server version running RFC 2616 specifies the format of the HTTP responses Some headers returned might contain valuable information regarding the server or site
  • Slide 9
  • Telnet to the website on port 80 (or whatever port the site is on) telnet Once connected Issue the command to receive the sites HTTP header HEAD / http /1.1 [cr] Server type might be revealed Example show HEAD
  • Slide 10
  • Tool developed by the Cult of the Dead Cow Uses Google hacking techniques discovered by Johnny Long ( Checks strings against website to find files containing passwords, vulnerable files, or directories of interest
  • Slide 11
  • PDXO merged Might have development websites running due to changes Checking possible sites might result in bringing up an unprotected web page In this case, the login form
  • Slide 12
  • Is the DB server on the same host as the website? Is MS SQL server used for DB? Default username of SA w/o password? Is the website installed in the default IIS location? inetpub\wwwroot This directory allows for write access This presumes several weaknesses Possible due to page coming from a development site Moral: build security in, even during the development phase of the SDLC
  • Slide 13
  • The ability of a user to craft an SQL or database command from the client side
  • Slide 14
  • The default database is called MASTER Get the names of the databases in the MASTER file select * from master..sysdatabases The database expects a username prior to this command, so we need to fool the database into thinking weve already done this Supply a command terminator character ; before the select command ; select * from master..sysdatabases Prevent another command from being entered after this by adding a comment indicator after the command -- ; select * from master..sysdatabases --
  • Slide 15
  • The difficulty with the sql command is that the output would not return Use osql, which is a command line utility Send the output to a text file Parameters for osql -Uusername -Ppassword (blank if none supplied) -Qenter SQL command and exit -ooutput file specified osql U sa P Q select * from master..sysdatabases o c:\inetpub\wwwroot\output.txt
  • Slide 16
  • osql is a command line utility and needs to be entered at the command prompt Hacker is not at a command prompt Can use an SQL stored procedure which will execute a command exec xp_cmdshell So exec xp_cmdshell osql U sa P Q select * from master..sysdatabases o c:\inetpub\wwwroot\output.txt --
  • Slide 17
  • Phoenix uses the form to submit his SL command to the webserver Webserver passes along the command to the database server for execution w/o verification Text file is written to the webservers document directory Phoenix changes the URL to that of the output file on the server in order to browse the contents Examine the contents and see if there are any databases of interest creditcards C:\Program Files\Microsoft SQL Server\MSSQL\data\creditcards.MDF
  • Slide 18
  • Now that you have the name of the database Get the table names by changing the SQL command select * from creditcards..sysobjects One of the tables is called cardnumbers select * from creditcards..cardnumbers The dumped information will be in the output file on the IIS server Contains names, expiration dates, CVVs, CC numbers, and PINs
  • Slide 19
  • Phoenix uses NNTP client (NewsRover) to check alt.2600 newsgroup Post a message regarding sale of cc info Set up a bogus email address Use spammimmic to disguise a spammed message Looks like a spam message, but those in the know will recover the hidden message using spammimmic Can be passwroded with a password or as phony PGP message, or false Cyrillic text This message is posted to alt.2600 using the phony email address Respondent agrees to pay $12,000 into a Swiss account Phoenixs CC number is one of the many cards sold Phoenix cancels his card
  • Slide 20
  • IIS 5.0 Server MS SQL Server Default username of SA w/o password Hosted on the same host as the website xp_cmdshell stored procedure will be used to overwrite the landing page on the website ;exec xp_cmdshell echo Youve been hacked! > c:\inetput\wwwroot\default.asp --
  • Slide 21
  • Change the default HTTP Response header Do not allow public access to the development sites Do not keep the SQL server on the same host as the IIS server Sanitize / validate user form input Dont put IIS in the default location Make the site read-only Dont keep unnecessary stored procedures Dont use defaults (username / passwords) for the database