Using Facebook To Pwn A Client



Netragard’s account of using Facebook to earn the trust of a company’s employees and turning the tables on them.

For those interested, here is our latest blog entry.

For the past few years we've (Netragard) been using internet based
Social Networking tools to hack into our customers' IT
infrastructures. This method of attack has been used by hackers since
the conception of Social Networking Websites, but only recently has it
caught the attention of the media. As a result of this new exposure
we've decided to give people a rare glimpse into Facebook from a
hacker's perspective.

Let's start off by talking about the internet and identity. The
internet is a shapeless world where identities are not only dynamic
but can't ever be verified with certainty. As a result, it's easily
possible to be one person one moment, then another person the next
moment. This is particularly true when using internet based social
networking sites like Facebook (and the rest).

Humans have a natural tendency to trust each other. If one human being
can provide another human with "something sufficient" then trust is
earned. That "something sufficient" can be a face to face meeting but
it doesn't always need to be. Roughly 90% of the people that we've
targeted and successfully exploited during our social attacks trusted
us because they thought we worked for the same company as them.

The setup...

Facebook allows its users to search for other users by keyword. Many
facebook users include their place of employment in their profile.
Some companies even have facebook groups that only employees or
contractors are allowed to become members of. So step one is to
perform reconnaissance against those facebook-using employees. This
can be done with facebook, or with reconnaissance tools like Maltego
and pipl.com.

Reconnaissance is the military term for the collection of intelligence
about an enemy prior to attacking the enemy. With regards to hacking,
reconnaissance can be performed against social targets (facebook,
myspace, etc) and technology targets (servers, firewalls, routers,
etc). Because our preferred method of attacking employees through
facebook is via phishing we normally perform reconnaissance against
both vectors.

When setting up for the ideal attack two things are nice to have but
only one is required. The first is the discovery of some sort of
Cross-site Scripting vulnerability (or something else useful) in our
customer's website (or one of their servers). The vulnerability is the
component that is not required, but is a nice to have (we can set up
our own fake server if we need to). The second component is the
required component, and that is the discovery of facebook profiles for
employees that work for our customer (other social networking sites
work just as well).

In one of our recent engagements we performed detailed social and
technical reconnaissance. The social reconnaissance enabled us to
identify 1402 employees, 906 of which used facebook. We didn't read all
906 profiles but we did read around 200, which gave us sufficient
information to create a fake employee profile. The technical
reconnaissance identified various vulnerabilities, one of which was the
Cross-site Scripting vulnerability that we usually hope to find. In
this case the vulnerability existed in our customer's corporate website.

Cross-site scripting ("XSS") is a kind of computer security
vulnerability that is most frequently discovered in websites that do
not have sufficient input validation or data validation capabilities.
XSS vulnerabilities allow an attacker to inject code into a website
that is viewed by other users. This injection can be done server side
by saving the injected code on the server (in a forum, blog, etc) or
it can be done client side by injecting the code into a specially
crafted URL that can be delivered to a victim.

During our recent engagement we used a client side attack as opposed
to a server side attack. We chose the client side attack because it
enabled us to select only the users that we were interested in
attacking. Server side attacks are not as surgical and usually affect
any user who views the compromised server page.

The payload that we created was designed to render a legitimate
looking https secured web page that appeared to be a component of our
customer's web site. When a victim clicked on the specially crafted
link the payload was executed and the fake web page was rendered. In
this case our fake web page was an alert that warned users that their
accounts may have been compromised and that they should verify their
credentials by entering them into the form provided. When the users'
credentials were entered, the form submitted them to http://www.netragard.com
where they were extracted by an automated tool that we created.
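As an added illustration (not Netragard's code, nor anything from the engagement described above), here is the reflected-XSS flaw the two preceding sections describe, shown as a vulnerable page handler beside its hardened form, together with a log check a defender could run for the kind of crafted link the post describes. The handler names, the search endpoint and the access-log lines are constructed for this example.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not from the engagement): a
# benign search, a URL carrying a script tag, and a double-encoded payload.
LOG_LINES = [
    '10.0.0.5 - - [01/Feb/2009:10:00:00 -0500] "GET /search?q=quarterly+report HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Feb/2009:10:00:05 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 812',
    '198.51.100.8 - - [01/Feb/2009:10:00:09 -0500] "GET /search?q=%253Cimg+src%253Dx+onerror%253Dalert(1)%253E HTTP/1.1" 200 700',
]


def render_search_unsafe(query: str) -> str:
    """Vulnerable (hypothetical handler): the query parameter is echoed into
    the page unescaped, so a crafted link can inject markup such as a fake
    credential form that posts to an outside host."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-escape untrusted input before it reaches the document.
    A Content-Security-Policy with form-action 'self' would additionally stop
    an injected form from submitting credentials to a foreign domain."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


# Heuristic markers of reflected-XSS links; tune to the application's own URLs.
XSS_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*iframe", re.IGNORECASE)


def flag_xss_requests(log_lines):
    """Return (client_ip, raw_target) for requests whose decoded request
    target carries markup typical of a crafted reflected-XSS URL."""
    hits = []
    for line in log_lines:
        quoted = line.split('"')
        if len(quoted) < 2:
            continue  # not a combined-format line
        fields = quoted[1].split()  # e.g. ['GET', '/search?q=...', 'HTTP/1.1']
        if len(fields) < 2:
            continue
        target = fields[1]
        # Decode twice so double-encoded payloads are examined in their final form.
        decoded = unquote_plus(unquote_plus(target))
        if XSS_MARKERS.search(decoded):
            hits.append((line.split()[0], target))
    return hits
```

Running `flag_xss_requests(LOG_LINES)` flags the second and third constructed lines and leaves the benign search alone; the escaped output of `render_search_safe` shows why the same input no longer reaches the browser as markup.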

After the payload was created and tested we started the process of
building an easy-to-trust facebook profile. Because most of the
targeted employees were male between the ages of 20 and 40 we decided
that it would be best to become a very attractive 28 year old female.
We found a fitting photograph by searching google images and used that
photograph for our fake Facebook profile. We also populated the
profile with information about our experiences at work by using
combined stories that we collected from real employee facebook profiles.

Upon completion we joined our customer's facebook group. Joining
wasn't an issue and our request was approved in a matter of hours.
Within twenty minutes of being accepted as group members, legitimate
customer employees began requesting our friendship. In addition to
inbound requests we made hundreds of outbound requests. Our friends
list grew very quickly and included managers, executives, secretaries,
interns, and even contractors.

After having collected a few hundred friends, we began chatting. Our
conversations were based on work related issues that we were able to
collect from legitimate employee profiles. After a period of three
days of conversing and sharing links, we posted our specially crafted
link to our facebook profile. The title of the link was "Omitted have
you seen this I think we got hacked!" Sure enough, people started
clicking on the link and verifying their credentials.

Ironically, the first set of credentials that we got belonged to the
person that hired us in the first place. We used those credentials to
access the web-vpn which in turn gave us access to the network. As it
turns out those credentials also allowed us to access the majority of
systems on the network including the Active Directory server, the
mainframe, pump control systems, the checkpoint firewall console, etc.
It was game over, the Facebook hack worked yet again.

During testing we did evaluate the customer's entire infrastructure,
but the results of the evaluation have been left out of this post for
clarity. We also provided our customer with a solution that was unique
to them to counter the Social Network threat. They've since
implemented the solution and have reported on 4 other social
penetration attempts since early 2008. The threat that Social Networks
bring to the table affects every business and the described method of
attack has an extraordinarily high success rate.

Please leave your comments on the blog.

Adriel T. Desautels
ad_lists@netragard.com
--------------------------------------

Subscribe to our blog
http://snosoft.blogspot.com
