Thursday, January 31, 2008

Moving Along and some New Stuff

So I have been pretty involved with the Google idea lately, so I don't really have any new exploits to share with you currently. I just love tweaking the search, and of course now I am getting into wget and curl, so I will go off on that tangent for a while, I am sure. If I do find any new and exciting discoveries I will be sure to post them. I am also moving toward an old but new way of thinking on exploitation. I am certainly no expert in this field, nor have I ever claimed to be; that being said, it is not likely that I will discover the next new vulnerability or exploit, as I just do not have that aptitude. I have also been enrolled in the FS-ISAC and there are new exploit and vulnerability reports literally every hour. What I do have is a very crafty and unique thought process which allows me to discover or see things that others may not, and especially to be prepared for the unexpected... And I am ALWAYS thinking, and I do mean ALWAYS. As an example, when I am driving over a bridge I mentally prepare for the possibility that the bridge will collapse and I assess the possible escape paths depending on who is in the car... I usually crack all of the windows a touch (it is very difficult to break the glass under water) and run through a kind of disaster recovery plan: who I will have to assist in getting out of the vehicle (children, elderly), planning to remove my seat belt on the fall into the water, etc... anyway, you get the point. I am sure I am not the only one who does that, but we are in the minority. I guess that infosec is kind of an extension of who I am from way back... I have a history which includes several forms of organized and unorganized fighting, and exploitation just seems to follow that same rationale, just in a different arena. What I learned from MMA or boxing or whatever is that I am not a master, but I do have my strengths, and that is what I need to remember and focus on.
Because someone else can do a flying spin kick and I cannot does not mean that I cannot defeat them with a simple brute strength technique, mental strength or just luck. That being said, I think that I am going to pace myself and focus on MY strengths, not on my weaknesses, and see how that plays out in this arena. Just be me, which is what we all should do: be ourselves. On a related note, I have a new web site that I am promoting, so I will post it here. It may be of little interest to you other than a chuckle unless you reside in my neck of the woods. Check it out anyway.... http://fightklub.weebly.com/

Friday, January 25, 2008

Google Google and more Google

So this is nothing really new to the security and hacking world, but it is fun none-the-less! By crafting specific strings using the Google syntax, you can find truly amazing things on the web. Not much else to say here about the 2 screen shots below aside from this: if you do not know how to utilize Google in this way, you had better learn! Below is the cached view of the file, which is why you see the nicely highlighted keywords. This one gives the username, password and the URL (IP). What more could you want???

This next one just gives you the entire load! The username, password (in hash form, but nothing JTR cannot conquer!) and URL. Isn't this great stuff? The list of available search strings is really entirely up to your skill and imagination. I currently have over 1,200 verified strings that produce some type of useful result. Maybe I will put it up here someday.....

Thursday, January 24, 2008

Actual Exploit

Here is an exploit that you are sure to find all over the web. I often look at shopping carts from a security perspective, specifically data sanitization. You can find a nearly limitless number of sites that allow you to alter data being submitted back to the server, but not all of them have such a lack of re-checking of the data you are sending as this particular site. I went the extra mile on this one and took 2 screen shots for validation.

I know that these are kind of small, however you can get the idea here. In the above shot, you can see that I have 3 items in the cart: 2 items for $47.99 and 1 for $247.99. I tried to make the change more obvious, so I just removed the 2 from the $247.99. Also notice that we are not in an HTTPS session at this point. Ironically, or maybe not, I modified the cart prior to this page and changed the quantity from 1 to 2 of the $47.99 item, and it again did not check the price and simply updated the quantity without further use of the intercepting proxy. I added the regular-priced item for the comparison. So this part is mostly unimpressive; as I mentioned earlier, this is quite common on the web. The next stage is the real test, as the server must review the data I am asking to pay for in the request that takes me to the checkout screen. Of course this site does NOT do that, as you can see in the shot below:

So now we can see that I am in an HTTPS session, all safe and secure, right??? Pointless... Anyway, I have made it to the final screen to check out, enter my payment method and shipping address, and the price has NOT been changed to the correct amount; it has remained in the altered state that I set. The final test would be to complete the order, however that is not my intention, for obvious reasons. It is possible that they would validate the data during the final confirmation process, however it would seem to me that would be VERY unlikely having arrived at this point unchanged. To fully exploit an oversight such as this, it should be apparent that you would also need to have stolen someone's identity and credit card info and have a safe delivery point, unless you are willing to take a potentially unnecessary risk of an encounter with law enforcement. It doesn't seem worth it for a few hundred dollars, however this example exists elsewhere at potentially more lucrative destinations. I did think that a site such as Home Depot, Walmart, Lowe's or other retailers that allow you to purchase the item online and then pick it up at your local store may be a better choice for such a stunt, as many of them accept online or "web" orders. If you have ever purchased from at least Home Depot or Lowe's, when you go in to sign out an order such as this, your receipt is tiny and the sheet they look at to sign off on your pick-up does NOT have the amount paid on it, only the item numbers and quantities being picked up. It would seem to me that no one would catch this at the store during the pick-up because they would not be looking for it. Just goes to show that a company's security posture resonates all the way down to the lowest link in the chain.
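The flaw in the post above is that the server stores whatever price the browser sends and never re-derives it at checkout. The following is an added example, not the shopping site's code, that contrasts a cart handler which trusts the client-supplied `price` field with one that ignores it, prices every line from the server-side catalogue, and re-checks the stored cart at the checkout step. The catalogue, SKU names and the tampered form submissions are constructed for the demo and are assumptions, not data from the site in the post.

```python
"""Price-tampering in a shopping cart: trusting the client vs re-pricing server-side.

Added example. The catalogue and the 'forms' below are constructed to mirror the
post (two items at $47.99, one at $247.99, with the $247.99 edited to $47.99 in
the intercepting proxy); none of it is the affected site's code or data.
"""
from dataclasses import dataclass
from decimal import Decimal

# Server-side price list. The SKUs are assumptions for the demo.
CATALOG = {
    "SKU-47": Decimal("47.99"),
    "SKU-247": Decimal("247.99"),
}

# What arrives at the server after the proxy edit: the price of SKU-247 has been
# rewritten to 47.99 by the client. Constructed input, as in the post's screenshots.
TAMPERED_FORMS = [
    {"sku": "SKU-47", "qty": "2", "price": "47.99"},
    {"sku": "SKU-247", "qty": "1", "price": "47.99"},
]


@dataclass
class Line:
    sku: str
    qty: int
    price: Decimal  # unit price as stored in the session cart


class PriceTampering(ValueError):
    """Raised when a stored cart line no longer matches the catalogue."""


# --- Vulnerable pattern: the site in the post ---------------------------------

def add_to_cart_vulnerable(cart, form):
    """Stores the price the browser sent. Nothing is looked up server-side."""
    cart.append(Line(form["sku"], int(form["qty"]), Decimal(form["price"])))
    return cart


def checkout_total_vulnerable(cart):
    """Sums the stored (attacker-controlled) prices; HTTPS does not help here."""
    return sum((line.price * line.qty for line in cart), Decimal("0"))


# --- Hardened pattern ---------------------------------------------------------

def add_to_cart_safe(cart, form):
    """Ignores any client-supplied price and validates the quantity range."""
    sku = form["sku"]
    if sku not in CATALOG:
        raise KeyError(f"unknown SKU {sku!r}")
    qty = int(form["qty"])
    if not 1 <= qty <= 99:  # rejects 0 and negative quantities (credit tricks)
        raise ValueError(f"quantity out of range: {qty}")
    cart.append(Line(sku, qty, CATALOG[sku]))
    return cart


def checkout_total_safe(cart):
    """Re-derives every line from the catalogue at checkout.

    Even if the stored cart was altered between 'add' and 'pay', a mismatch is
    refused rather than silently accepted. This is the check the post found missing.
    """
    total = Decimal("0")
    for line in cart:
        if line.sku not in CATALOG or line.price != CATALOG[line.sku]:
            raise PriceTampering(f"{line.sku}: stored {line.price}, catalogue {CATALOG.get(line.sku)}")
        total += CATALOG[line.sku] * line.qty
    return total


def build_cart(adder, forms):
    """Replays a list of form submissions through the given add-to-cart handler."""
    cart = []
    for form in forms:
        adder(cart, form)
    return cart


def stored_cart_is_rejected():
    """Simulates a cart whose stored line was altered after being added.

    Returns True when the hardened checkout refuses it.
    """
    cart = build_cart(add_to_cart_safe, TAMPERED_FORMS)
    cart[1].price = Decimal("47.99")  # attacker-influenced session/DB value
    try:
        checkout_total_safe(cart)
    except PriceTampering:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable total:", checkout_total_vulnerable(build_cart(add_to_cart_vulnerable, TAMPERED_FORMS)))
    print("hardened total:  ", checkout_total_safe(build_cart(add_to_cart_safe, TAMPERED_FORMS)))
    print("altered stored cart rejected:", stored_cart_is_rejected())
```

The vulnerable path charges $143.97 for goods worth $343.97 because the only copy of the price lives in the client request; the hardened path never reads the `price` field at all, and its checkout re-validates the cart against the catalogue so a tampered session record is caught at the last step rather than at none. Note that `Decimal` is used deliberately: floating-point money arithmetic is its own source of rounding bugs.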

Monday, January 14, 2008

SANS 504 "Hacker Training 2008"

So I recently attended the SANS Security 504 GCIH seminar, a 6-day "boot-camp" style training session on hacker techniques and incident handling. I'm not sure if it is just me, but when is the security sector going to finally wake up and start teaching security professionals how to actually defend systems using real scenarios? I guess I complain about this frequently; however, this event opened by pointing out that the "bad guys" share information and techniques, so the "good guys" also need to do this to keep up with their pace. Well, this class sure did NOT do that. I spent 6 long days reviewing very dated material, tools and techniques without any type of environment to try out these "exploits" until the last day's lab, where they set up this lame network of 2 systems with every hole imaginable. Not to mention that the 6 texts were basically PowerPoint slide shows that the instructor just read aloud, going into minimal detail about the topic. I could have read it myself and received the same training. The real point here is that this course cost $3,100.00, and in my opinion it was not even close. I really expected to get a lot out of this and was sorely disappointed. On the positive side, this is exactly why hacking will be around forever. Courses like this that are "leading edge" for security professionals will do basically nothing in terms of getting a security professional on par with an attacker. What a joke.