Re: [Full-disclosure] Facebook from a hackers perspective
Great history, excellent method. Thanks!

----- Original message -----
From: listbou...@securityfocus.com [mailto:listbou...@securityfocus.com] On behalf of Adriel T. Desautels
Sent: Thursday, 12 February 2009 13:24
To: pen-test list
CC: Untitled
Subject: Facebook from a hackers perspective

> For those interested, here is our latest blog entry.
>
> For the past few years we've (Netragard) been using internet based Social Networking tools to hack into our customers' IT infrastructures. This method of attack has been used by hackers since the conception of Social Networking Websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hackers perspective.
>
> Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest). [...]
Re: [Full-disclosure] Facebook from a hackers perspective
----- Original Message -----
From: Adriel T. Desautels
Sent: Thursday, February 12, 2009 6:23 AM
Subject: Facebook from a hackers perspective

> Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest).

http://www.unc.edu/depts/jomc/academics/dri/idog.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Facebook from a hackers perspective
That is awesome! I am going to add that to the blog post :)

On Feb 13, 2009, at 5:41 AM, Michael Painter wrote:

> ----- Original Message -----
> From: Adriel T. Desautels
> Sent: Thursday, February 12, 2009 6:23 AM
> Subject: Facebook from a hackers perspective
>
> > Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. [...]
>
> http://www.unc.edu/depts/jomc/academics/dri/idog.html

Adriel T. Desautels
ad_li...@netragard.com
--
Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Facebook from a hackers perspective
On Fri, Feb 13, 2009 at 10:12 AM, bobby.mug...@hushmail.com wrote:

> Your transgender technical attack was pioneered and perfected in 2008 by information security expert Eric Loki Hines - why are you taking credit for a lesser version of his groundbreaking work, and insisting on originality?

Perhaps he's experienced in transgendered psychology, maybe even a transgender himself. Not that there is anything wrong with that. Why are you coming down on him for plagiarizing? Everyone in the security industry with more posts to mailing lists than actual experience conducting real world security work (mom-and-pop.com's don't count!) is concretely an expert at talking the talk. So why get on his case for using sed 's:that work:is mines now:g'? Don't be such a troll.

--
Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated. - Sun Tzu
Re: [Full-disclosure] Facebook from a hackers perspective
Sounds to me like you have a crush on Eric Loki Hines.

On Feb 13, 2009, at 10:12 AM, bobby.mug...@hushmail.com wrote:

> Dear ATD,
>
> > Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female.
>
> Your transgender technical attack was pioneered and perfected in 2008 by information security expert Eric Loki Hines - why are you taking credit for a lesser version of his groundbreaking work, and insisting on originality?
>
> 1. Eric Loki Hines is a security expert and presents at BlackHat
>    http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html#Loki
> 2. Eric Loki Hines updates his linkedin profile
>    http://www.linkedin.com/in/alissaknight
> 3. Alissa Knight starts softcore pornography site
>    http://www.alissaknight.com
> 4. Snosoft claims to have invented social engineering.
>
> Please give credit where credit is due. I await your response with masterfully baited breath.
>
> -bm
>
> On Fri, 13 Feb 2009 09:45:42 -0500 Adriel T. Desautels ad_li...@netragard.com wrote:
>
> > That is awesome! I am going to add that to the blog post :)
> >
> > On Feb 13, 2009, at 5:41 AM, Michael Painter wrote:
> > > [...]
> > > http://www.unc.edu/depts/jomc/academics/dri/idog.html

Adriel T. Desautels
ad_li...@netragard.com
--
Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Facebook from a hackers perspective
Attentive Dialtone,

Are you suggesting there is something wrong with my feelings for her?

-bm

On Fri, 13 Feb 2009 11:28:22 -0500 Adriel T. Desautels ad_li...@netragard.com wrote:

> Sounds to me like you have a crush on Eric Loki Hines.
>
> On Feb 13, 2009, at 10:12 AM, bobby.mug...@hushmail.com wrote:
>
> > Dear ATD,
> >
> > > Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female.
> >
> > Your transgender technical attack was pioneered and perfected in 2008 by information security expert Eric Loki Hines - why are you taking credit for a lesser version of his groundbreaking work, and insisting on originality? [...]
> >
> > Please give credit where credit is due. I await your response with masterfully baited breath.
> >
> > -bm
[Full-disclosure] Facebook from a hackers perspective
For those interested, here is our latest blog entry.

For the past few years we've (Netragard) been using internet based Social Networking tools to hack into our customers' IT infrastructures. This method of attack has been used by hackers since the conception of Social Networking Websites, but only recently has it caught the attention of the media. As a result of this new exposure we've decided to give people a rare glimpse into Facebook from a hackers perspective.

Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest).

Humans have a natural tendency to trust each other. If one human being can provide another human with something sufficient then trust is earned. That something sufficient can be a face to face meeting, but it doesn't always need to be. Roughly 90% of the people that we've targeted and successfully exploited during our social attacks trusted us because they thought we worked for the same company as them.

The setup...

Facebook allows its users to search for other users by keyword. Many Facebook users include their place of employment in their profile. Some companies even have Facebook groups that only employees or contractors are allowed to become members of. So step one is to perform reconnaissance against those Facebook-using employees. This can be done with Facebook, or with reconnaissance tools like Maltego and pipl.com.

Reconnaissance is the military term for the collection of intelligence about an enemy prior to attacking the enemy. With regards to hacking, reconnaissance can be performed against social targets (Facebook, MySpace, etc.) and technology targets (servers, firewalls, routers, etc.). Because our preferred method of attacking employees through Facebook is via phishing, we normally perform reconnaissance against both vectors.

When setting up for the ideal attack, two things are nice to have but only one is required. The first is the discovery of some sort of Cross-site Scripting vulnerability (or something else useful) in our customer's website (or one of their servers). The vulnerability is the component that is not required, but is nice to have (we can set up our own fake server if we need to). The second component is the required component, and that is the discovery of Facebook profiles for employees that work for our customer (other social networking sites work just as well).

In one of our recent engagements we performed detailed social and technical reconnaissance. The social reconnaissance enabled us to identify 1402 employees, 906 of whom used Facebook. We didn't read all 906 profiles, but we did read around 200, which gave us sufficient information to create a fake employee profile. The technical reconnaissance identified various vulnerabilities, one of which was the Cross-site Scripting vulnerability that we usually hope to find. In this case the vulnerability existed in our customer's corporate website.

Cross-site scripting (XSS) is a kind of computer security vulnerability that is most frequently discovered in websites that do not have sufficient input validation or data validation capabilities. XSS vulnerabilities allow an attacker to inject code into a website that is viewed by other users. This injection can be done server side by saving the injected code on the server (in a forum, blog, etc.) or it can be done client side by injecting the code into a specially crafted URL that can be delivered to a victim.

During our recent engagement we used a client side attack as opposed to a server side attack. We chose the client side attack because it enabled us to select only the users that we are interested in attacking. Server side attacks are not as surgical and usually affect any user who views the compromised server page.

The payload that we created was designed to render a legitimate looking https secured web page that appeared to be a component of our customer's web site. When a victim clicks on the specially crafted link the payload is executed and the fake web page is rendered. In this case our fake web page was an alert that warned users that their accounts may have been compromised and that they should verify their credentials by entering them into the form provided. When the user's credentials were entered, the form submitted them to http://www.netragard.com, where they were extracted by an automated tool that we created.

After the payload was created and tested we started the process of building an easy to trust Facebook profile. Because most of the targeted employees were male between the ages of 20 and 40 we decided
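The client-side (reflected) XSS the post relies on only works because the corporate site echoes a request parameter back into its HTML without encoding it, so a crafted link can make the legitimate domain serve attacker-written markup. The following is an added example, not Netragard's code or anything from the engagement described above: a constructed minimal page handler shown with and without output encoding, the response headers that limit what an injected script can do, and a check that scans constructed access-log lines for the URL-encoded markup a reflected-XSS link would carry. The page name, parameter name and log lines are all assumptions made for the example.

```python
import html
import re
import urllib.parse

# Constructed example: an "account notice" page that reflects a query-string
# value into its HTML, the pattern behind reflected (client-side) XSS.
# No web framework is used so the rendering step stays visible.
PAGE_TEMPLATE = "<html><body><h1>Account notice</h1><p>Hello, {name}</p></body></html>"


def _name_param(query_string: str) -> str:
    """Pull the 'name' parameter (assumed for the example) out of a query string."""
    params = urllib.parse.parse_qs(query_string)
    return params.get("name", [""])[0]


def render_vulnerable(query_string: str) -> str:
    """Reflect the parameter verbatim: any markup in the URL becomes part of
    the page the browser interprets, which is the defect."""
    return PAGE_TEMPLATE.format(name=_name_param(query_string))


def render_hardened(query_string: str) -> str:
    """Reflect the same parameter with HTML entity encoding, so markup in the
    input is displayed as text instead of being executed."""
    return PAGE_TEMPLATE.format(name=html.escape(_name_param(query_string), quote=True))


def security_headers() -> dict:
    """Response headers that narrow the blast radius if an encoding gap remains:
    a CSP without 'unsafe-inline' blocks inline script and makes the browser
    refuse script from other origins; nosniff stops content-type confusion."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        "X-Content-Type-Options": "nosniff",
    }


# Detection side: markup that has no business in a display-name parameter.
_XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object)\b|javascript:|[\s\"']on[a-z]+\s*=",
    re.IGNORECASE,
)
_LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/\d\.\d"')


def find_reflected_xss_attempts(log_lines):
    """Return (client_ip, decoded_path) for requests whose query string carries
    script-like markup once URL decoding is undone. Lines are assumed to be in
    common log format, as most web servers write them."""
    hits = []
    for line in log_lines:
        m = _LOG_LINE.match(line)
        if not m:
            continue
        ip, path = m.group(1), m.group(2)
        decoded = urllib.parse.unquote_plus(path)
        if "?" in decoded and _XSS_MARKERS.search(decoded.split("?", 1)[1]):
            hits.append((ip, decoded))
    return hits


# Constructed log lines (documentation-range addresses): one normal request and
# two carrying the sort of encoded markup a reflected-XSS link would contain.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2009:13:24:01 +0000] "GET /notice?name=Alice HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Feb/2009:13:25:44 +0000] "GET /notice?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 560',
    '198.51.100.7 - - [12/Feb/2009:13:26:02 +0000] "GET /notice?name=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 555',
]

if __name__ == "__main__":
    crafted = "name=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print("vulnerable:", render_vulnerable(crafted))
    print("hardened:  ", render_hardened(crafted))
    for ip, path in find_reflected_xss_attempts(SAMPLE_LOG):
        print("suspect request from", ip, "->", path)
```

The two render functions differ by a single `html.escape` call, which is the whole fix for this class of defect; the headers and the log check are the layers a defender adds for the cases the encoding misses or the requests that arrive before the fix ships. Note that the hardened page still reflects the input, so the detection rule stays useful after the fix: a burst of such requests against a corporate site is the technical side of exactly the campaign the post describes.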