Check our NEW ARTICLE about “Classified information Uncovered”. Here you can read pieces of the article. Full version soon in our new Hakin9 edition.
Author: Andreas Venieris
“Classified information Uncovered”
What you will learn
• How cyber-criminals can scan a site in order to collect classified information.
• How easy it is to get classified company data in order to perform industrial espionage.
• What are the common mistakes web administrators make that expose confidential information to unauthorized users.
• What countermeasures we can take in order to avoid being embarrassed when we see some of our private pictures on a… Facebook page!
What you should know
• Google advanced search operators and crawling techniques.
• Elementary knowledge of web server setup.
• Knowledge of CMSs (WordPress, Joomla, etc.).
• Elementary knowledge of SQL (DML, DDL instructions)
• General knowledge of PHP Shells and backdoors
The Internet is an ocean of data and knowledge: pictures, documents, sounds, emails, opinions, arguments, etc. I could continue the above sentence by writing a lot more words, but I would prefer to put them all in a… ZIP, and call it: Communication or better “World_Communication”!
This deep ocean requires a special mechanism for a human to handle it. One of the most common such mechanisms is the well-known search engine, one of which is (surprise, surprise) Google. The search engine can be seen as the interface between us and the enormous volume of data on the Internet. Knowing exactly how to search for something is (sometimes) the only way to find it. Accordingly, it is sometimes possible to extract information so personal or so classified that one can feel really scared. Don’t forget that whistleblower Edward J. Snowden used just a low-cost crawler to best the N.S.A. (http://goo.gl/SWBAiI). Thus, one can ask oneself:
• How safe is the internet?
• How safe is our personal information?
As you already know, a chain is as strong as its weakest link, and in this case the weakest link is the human factor. The above questions can be easily transformed to the equivalent: Can we get personal information of other people or classified corporate data by using only a search engine or a web crawler? Well, let’s see, and at the end of this article, you will be the first to give the answer.
Methodology, Equipment & Actions
The Internet is full of locked doors, but their keys are also somewhere out there… So, the problem is not whether they exist but how you can find them.
Google will be our tool. No cheating, no exploits, no scanning for open ports. Nothing illegal or… “semi-Illegal”!
In this article I am going to extract sensitive data by playing two specific actions:
Action I: Impersonation and “p0wn” server
I will “borrow” someone else’s personality and I will be him. This is a very old technique, known as impersonation, used since about 1500 A.D. (http://is.gd/f3ha). By counting on the forgetfulness or ignorance of some administrators, I am going to search for specific SQL backup files. Many administrators put the site backup in a web-accessible directory. This is a terrible mistake, since web directories can be accessed by anyone! On the other hand, a web directory can be secured by limiting access to nobody or to specific users. But many times this is not the case.
A well-known Google dork (http://goo.gl/ezE2zc) that is used by most of the “searchers” is the following:
intitle:"index of backup" .sql.gz
This returns sites that allow directory listing (big mistake!!) for a directory whose name is “backup” and that contains the string “.sql.gz”, that is, a compressed SQL file. After a few tries in the Google result page, I came to this page (Picture 1).
SQL Backup files of the current server… publicly accessible!
I download and open the first file shown in Picture 1. Since it is a SQL backup file, it contains Data Manipulation Language instructions as well as Data Definition Language instructions. Some very important and classified information is available, as you can see in Picture 2.
WordPress database users and passwords…
As you can see, we are talking about the users table of a WordPress CMS. First and best is the administrator user. The password is hashed with MD5. What I have to do now is to crack this password. There are many methods to crack an MD5 password: you can create a program, you can use online services, or both. I will use a combination of the above methods. I create a Perl program that works as a bot: it prompts the user for an MD5 hash and it queries some online sites for the corresponding original string or a collision. The results of the specific MD5 cracking procedure are shown in Picture 3.
Password has been cracked in a few seconds
The password chosen by the administrator was too weak: 6 lower-case letters and a minus ‘-’. Weak passwords have a very high probability of being already cracked and uploaded to such MD5-cracker sites.
Nowadays, such sites (shown in Picture 3) no longer exist, but new ones always appear. http://www.md5online.org/ is one of them; it currently has a database of about 365,999,911,000 hashes!
Let’s return to our main objective: I have the password of the administrator in clear text (picture 3). This means that (since we have a WordPress CMS) the administrator page is located under the admin web directory. I just jump into the admin page, enter the credentials and “voila”: I am in, as administrator (picture 4).
Hello admin. I am the admin!
It is now time to perform the last step of the plan: to upload a PHP shell on the server and start searching for sensitive information on the server.
To upload a shell on a WordPress CMS is a straightforward procedure that can be implemented in 3 steps:
Step 1: I replace the code of the template’s 404.php file with code for uploading a file (Picture 5).
Change the default 404.php page to a file uploader…
Step 2: I call the 404.php file from my browser and I upload a c99 encrypted shell (Picture 6).
The uploader in action!
Step 3: I restore the original code of 404.php in order to avoid easy detection.
What I have now is a c99 encrypted shell on the server (Picture 4.4). I can browse any directory I have access to and, of course, download any file I like. In 80% of such cases I can access not only the web directory but any directory on the disk(s) of the server (from lower level to the root).
A classic c99 encrypted shell on the server
Several negative side-effects can be produced here:
• It is possible to set a backdoor on the server, implement a system shell through the backdoor and (depending on the current version of the OS) perform privilege escalation in order to get root access (in case I do not already have it). This means that the whole server can be a zombie.
• I can retrieve (from the SQL backup-set) all database users and try to crack their passwords. I have seen so far that more than 50% of common users used the same password for 90% of their internet activities. This means that there is a very high probability (when I have a free text password for the site) of having access to his/her personal email too. Don’t forget that the email itself is a required part of the users’ data! I have also seen that more than 60% of common users used very simple passwords, i.e. less than 9 characters, lowercase or uppercase or even only numbers! The hash of such easy passwords has a high probability of already existing in many online MD5-crackers.
• After I upload my shell, I will rename it from “c99_encrypted_shell.php” to something less… descriptive, just to avoid detection. I have also seen so far that such encrypted shells can remain undetected for months and sometimes years! Usually in such cases, a cyber-criminal downloads the whole file-system locally and then performs his/her search quicker and 100% undetected.
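From the defender's side, the edit, upload and restore sequence above leaves traces that a file-integrity baseline of the theme directory picks up whatever the new file is called. The following is an added example, not code from the article; the function names, the `gallery-cache.php` file name and the fixed timestamp are assumptions made for the demonstration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each relative path under root to (sha256 hex, mtime in ns)."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(path, root)] = (digest, os.stat(path).st_mtime_ns)
    return state


def compare(baseline, current):
    """Return sorted (change, path) pairs between two snapshots."""
    changes = []
    for path, (digest, mtime) in current.items():
        if path not in baseline:
            changes.append(("added", path))
        elif baseline[path][0] != digest:
            changes.append(("modified", path))
        elif baseline[path][1] != mtime:
            # Same bytes, new timestamp: the file was rewritten and put back.
            changes.append(("rewritten", path))
    changes += [("removed", p) for p in baseline if p not in current]
    return sorted(changes)


def demo():
    """Constructed theme directory replaying the edit/upload/restore sequence."""
    with tempfile.TemporaryDirectory() as theme:
        page = os.path.join(theme, "404.php")
        original = b"<?php /* constructed 404 template */ ?>"
        with open(page, "wb") as fh:
            fh.write(original)
        os.utime(page, ns=(10**18, 10**18))  # fixed "deployed" timestamp
        baseline = snapshot(theme)
        with open(page, "wb") as fh:  # template restored byte for byte
            fh.write(original)
        with open(os.path.join(theme, "gallery-cache.php"), "wb") as fh:
            fh.write(b"constructed stand-in for an unexpected new file")
        return compare(baseline, snapshot(theme))


if __name__ == "__main__":
    print(demo())
```

Treat the timestamp finding as a hint only; the added-file finding does not depend on it, and the baseline should be kept off the web server so it cannot be rewritten along with the files.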
Action II: International Sensitive Information
I will play another role now: I am a searcher of classified documents. In this play, I must know (a priori) what I am going to search for. My search is not performed randomly. But first, let me refresh some definitions. There are three types of sensitive documents used by organizations or governments in most cases: Excel, Word and PDF. In addition, the main classification of documents is publicly known (http://is.gd/185rd) as:
• Top Secret: The highest level of security. The disclosure of such documents can cause very serious damage to the interests of a country or an organization.
• Secret: The publication of such documents can cause significant damage to the interests of a country or an organization.
• Confidential: The publication of such documents may damage the interests of a country or an organization.
• Limited (Restricted): The publication of such documents may cause undesired effects to the interests of a country or an organization. This classification is not applicable to all countries.
• Unrated (Unclassified): These documents are not rated. Although they cannot be published to everyone, they can be read by someone with no special permissions.
Common methods used in such attacks are:
• Using special dorks and the Google search engine.
• Spying on the robots.txt (http://is.gd/18icF) file, in order to check what the administrators would like to hide, along with an examination of the robot meta tags (http://is.gd/18iPl) of the current page.
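Because robots.txt is a public file, an administrator can review their own copy for Disallow entries that name what they are meant to hide. The following is an added example, not code from the article; the hint list and the sample robots.txt are constructed assumptions.

```python
import re

# Assumed hint list and constructed sample robots.txt (neither is from the article).
SENSITIVE_HINTS = ("backup", "admin", "private", "secret", "confidential",
                   "internal", "db", "dump", ".sql", ".xls", ".doc", ".pdf")
SAMPLE = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /backup/
Disallow: /reports/2014/board_confidential.pdf
Disallow:

User-agent: ExampleBot
Disallow: /feedback/
"""

def disallowed_paths(robots_txt):
    """Yield (user_agent, path) for every non-empty Disallow rule."""
    agents, in_rules = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        field, sep, value = line.partition(":")
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                         # previous group has ended
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            if field == "disallow" and value:    # empty Disallow blocks nothing
                for agent in agents or ["*"]:
                    yield agent, value

def review(robots_txt):
    """Return sorted Disallow paths whose names advertise sensitive content."""
    flagged = set()
    for _agent, path in disallowed_paths(robots_txt):
        lowered = path.lower()
        tokens = re.split(r"[/_\-.]+", lowered)
        # Word hints must match a whole path token; extension hints match anywhere.
        if any(h in tokens or (h.startswith(".") and h in lowered)
               for h in SENSITIVE_HINTS):
            flagged.add(path)
    return sorted(flagged)

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)))
```

Every path it reports needs real access control on the server, since a Disallow line only asks well-behaved crawlers to stay away.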
There is another document category that governments seem to consider insignificant: the “declassified” documents. These are documents that used to be classified, but after a period of time (say ten years) they turn to Unrated. I totally disagree with the method of de-classification. Reading top secret documents (even ten years later) can give very important information and… “clues” about the methods by which companies or secret services worked or… (even better) still work! Let’s see some examples.
There was a special CIA spy program for the use of the aircraft U-2 as well as its political and the social implications
Conclusions and Countermeasures
As you can see, I did not perform any special activity to get all the above info. No exploitation, no port scanning, no damage, nothing illegal. Important and classified information is still out there, so much so that one could say it is “waiting for you to uncover it”.
But, to be serious and to focus on the real problem, I have to say that our data are not yet safe on the internet. There are a few simple steps that system administrators can take in order to avoid information leakage:
• Never put documents in clear text in directories that are publicly accessible by internet users.
• Putting the documents in a non-public folder is one step. The second and equally important step is to allow only specific users to have read and write access to these documents. Ideally, create a user group for this. The user that is used to access your server from the web must not belong to this group.
• When possible (ideally always!) encrypt your sensitive information. There are a lot of tools (free included) to do this (http://goo.gl/knd8). Always use strong passwords for your encryption. Use uppercase, lowercase and punctuation when creating a password. Prefer passwords more than 10 characters long.
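The first two countermeasures can be checked mechanically by walking the document root. The following is an added example, not code from the article; the suffix list, the index file names and the sample tree are assumptions, and the check is run against a constructed temporary directory.

```python
import os
import stat
import tempfile

# Assumed (not from the article): which suffixes count as backups/dumps and
# which file names stop a web server from generating a directory listing.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".sql.zip", ".bak", ".tar.gz", ".tgz", ".zip")
INDEX_FILES = {"index.html", "index.htm", "index.php"}


def audit_webroot(webroot):
    """Return sorted (issue, relative_path) findings for a document root."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        # A directory with no index file is rendered as an "Index of ..."
        # page whenever the server has directory listing enabled.
        if not INDEX_FILES & {f.lower() for f in filenames}:
            findings.append(("listable-dir", rel_dir))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if name.lower().endswith(BACKUP_SUFFIXES):
                findings.append(("backup-in-webroot", rel))
                # World-readable means the web server account can serve it.
                if os.stat(path).st_mode & stat.S_IROTH:
                    findings.append(("world-readable-backup", rel))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: one safe page, one exposed backup directory."""
    os.makedirs(os.path.join(root, "backup"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>")
    dump = os.path.join(root, "backup", "site-db.sql.gz")
    with open(dump, "wb") as fh:
        fh.write(b"constructed placeholder, not a real dump")
    os.chmod(dump, 0o644)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for issue, path in audit_webroot(site):
            print(f"{issue:24} {path}")
```

A "listable-dir" finding is only a candidate: whether the directory is actually listed depends on the web server configuration, which this script does not read.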