
Page 1: Password Hacking Done Easy

Ofer Maor | CTO

November 2006

Copyright © 2006. All Rights Reserved to Hacktics Ltd.

Page 2: Agenda

- Introduction to Modern Password Hacking
- Client-Side Threats
- Password Theft Demo
- Real Hacking Stories
- Questions & Answers

Page 3: About Hacktics

- Security services company
- Provides a wide range of services with a focus on the application security field
- Relies on vast experience in application-level penetration testing and secure development

Hacktics offers unique expertise in the technology and methodology of application security, together with out-of-the-box thinking and a keen understanding of the operational patterns of hackers.

Page 4: Introduction to Modern Hacking

Page 5: Overview

- Today, most organizations create, use and externalize distributed applications that implement business processes
- The increasing number of such applications attracts more hackers to this space
- In the past few years we have seen an increase in indirect attacks: taking over relevant clients and stealing their passwords

Page 6: Modern Attacks

- Not just script kiddies: professional hackers create actual exploits
- Target the organization's core business operations rather than its technology
- Used by attackers with a specific agenda (criminals, industrial espionage, etc.)

Page 7: Client-Side Hacking

- Attempts to attack the clients of the targeted system in order to obtain passwords, thus gaining access through the "back door"
- Client-side attacks can include:
  - Phishing
  - Trojans
  - Complete takeover

Page 8: Client-Side Hacking

Page 9: Trojans/Malware

- Malicious software that is installed on the client computer
- Installation is done either by taking advantage of the user's lack of awareness or by utilizing various exploits
- A trojan can perform any task on the system and allows the attacker to control it

Page 10: Phishing

- One of the most widely used attacks in the last 2 years
- A mockup site is created, and users are convinced to access it rather than the original site
- The user then logs in to the mockup site, thus providing the username and password to the attacker

Page 11: Script Injection/XSS Attacks

- Most common web application vulnerability
- Used to bypass browser security in order to launch malicious scripts in the right context
- Injects JavaScript or VBScript into the HTML that the application returns to the browser
- Allows the attacker to steal cookie information, steal data, execute operations on behalf of the user, perform advanced phishing, etc.

Page 12: Demo…

Page 13: Real Hacking Stories

Page 14: MySpace XSS/JavaScript Worm

- Emerged in October 2005
- First script-based worm in the wild
- Took advantage of a script injection (persistent XSS) vulnerability in MySpace
- Created by a non-malicious user who wanted to add more friends…

Page 15: MySpace XSS/JavaScript Worm

Page 16: The MySpace Worm

- Utilized persistent XSS
- Script was sent via a private message
- Once invoked:
  - Added samy (the original creator) to the victim's friends list
  - Changed the victim's personal description to "most of all, samy is my hero"
  - Redistributed itself to all of the victim's friends
- Reached over 1 million MySpace users in less than 24 hours

Page 17: MySpace Fiasco Not Over…

- Many new XSS vulnerabilities since:
  - December 2005 - Critical MySpace Vulnerabilities Leave Every Active Account Exploitable
  - April 2006 - MySpace.com - Intricate Script Injection Vulnerability
  - June 2006 - Making money with MySpace bulletin system!
  - July 2006 - MySpace Hack Spreading

Page 18: PayPal XSS Identity Theft

- Used XSS to create an advanced phishing scam, stealing hundreds of users' account credentials
- The XSS-vulnerable page was used to redirect to a phishing site (the original URL was valid, making the scam harder to detect)
- Took advantage of a vulnerability in PayPal reported two years earlier!

Page 19: PayPal XSS Identity Theft

Page 20: SuperPhishing Attacks

- New age of phishing: sidesteps the user-awareness problem
- One of the most organized online attacks ever seen
- An organized Russian group attacking tens to hundreds of thousands of users of over 400 online banks

Page 21: SuperPhishing: The Attack

- Malware is installed on the attacked PC
- Works as a rootkit and creates hooks into the Internet Explorer DLLs
- When the user accesses a site in the malware's database, traffic is redirected to a phishing site
- The phishing site then gathers login credentials as well as other user information

Page 22: SuperPhishing: The Infection

- Uses effective infection methods
- Infection can be done through various mechanisms:
  - Direct machine exploitation
  - Browser vulnerabilities
  - Mail vulnerabilities
- Infection takes advantage of 0-day attacks!

Page 23: SuperPhishing: MultiLayer Marketing

- Make cash now!
- No more natural spread
- Users spread the malware for cash
- A unique instance of the malware is created for each distributing user
- Users get paid $500 for every 1000 hosts
- The organization is superb: sales and support ICQ contacts are available

Page 24: Summary

Page 25: Summary

- Client-side password theft is one of today's most significant security threats
- Enterprises must therefore take appropriate measures to provide password security
- Such solutions include centralized SSO, SSL/VPN and tokens, as well as PC protection

Page 26: Thank You

Q & A

[email protected]