Saturday, December 5, 2009

How you can steal log-on credentials from forum based websites using Paros and ngrep

As you can imagine, ngrep would be our sniffer, parsing out the information we are looking for. But what is Paros and what is it going to be used for? Paros is a proxy, but unlike a traditional proxy it lets you modify parameters in HTTP request and reply packets. In this demo we use it to modify the password field of an HTTP POST and put in the appropriate password. Confused? Just follow the demo and hopefully all will be clear.

First we use ngrep (look back at my earlier post for info on using ngrep) to sniff out the important information when the user logs in. Note that the password may be sent in cleartext or as an MD5 hash. If the password is an MD5 hash we can use online resources to crack it, or not bother cracking it at all. Why not just use the hash to log in? Is that possible? Yes, and that's what I'll be showing you.

[Note, you would be required to perform some form of man in the middle attack in order to be able to sniff the packets]

Setting up ngrep to sniff:
# ngrep -W byline -d eth0 -q "POST" port 80
We are sniffing on port 80 for the string 'POST', i.e. when a user hits the login button a POST is sent to the logon server. '-W byline' makes the output on standard out more readable.

On some other machine [the victim machine], log in to your favorite forum website and pay attention to ngrep's output. It should have captured the POST packet with your username and password. Like I said earlier, sometimes the password is not in plain text; sometimes it is an MD5 hash. Let's see how we can use this hash with Paros proxy.

Let's fire up Paros on the attacking machine:
# java -jar paros.jar

On the attacking machine, open up your web browser and change its network settings to use the proxy 127.0.0.1 on port 8080. Try browsing to a website to confirm the proxy works. Paros should now have captured traffic.

In the "Trap" tab select "trap request". Now navigate to the same forum website you captured info from. On the login form, put in the username you captured and some bogus password, and hit the submit button. Notice that the web page is stuck loading and Paros is blinking. Let's investigate. Paros has captured the request and is waiting for some sort of feedback from you. At this point you can see the login request: the username is the one you typed in and the password is in hashed MD5 form. It is actually the md5sum of the bogus password you entered.

What we want to do is take the MD5 hash we captured from the ngrep output and enter it in the Paros parameter screen (easier to view in tabular view). Note you need to enter it in two places, "vb_login_md5password" and "vb_login_md5password_utf". After you've done this, deselect the trap request option and hit the continue button. Guess what has happened... You've now logged into your victim's account.
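The reason the hash works as a password is that the server accepts whatever MD5 value the client sends, so anything ngrep can read on port 80 is a reusable credential. Here is a small detector, added as an example and not part of the original post, that scans ngrep -W byline output for cleartext forum logins and reports only the credential field names, never their values; the capture text, hosts, addresses and hash are constructed.

```python
"""Detect cleartext forum logins in ngrep -W byline output (added example, not
from the original post). Reports credential field names, never their values."""
import re
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = ("password", "passwd", "pwd")  # substring match on field name
RECORD_HDR = re.compile(r"^T (\S+) -> (\S+):(\d+) \[\w+\]$", re.M)

# Constructed sample capture: a vBulletin-style login POST (the page's JavaScript
# blanks the plain field and sends the MD5 fields) followed by an unrelated POST.
SAMPLE_CAPTURE = """\
T 10.0.0.5:51234 -> 203.0.113.10:80 [AP]
POST /login.php?do=login HTTP/1.1.
Host: forum.example.
.
vb_login_username=alice&vb_login_password=&vb_login_md5password=0123456789abcdef0123456789abcdef&vb_login_md5password_utf=0123456789abcdef0123456789abcdef.

T 10.0.0.5:51240 -> 203.0.113.10:80 [AP]
POST /search.php HTTP/1.1.
Host: forum.example.
.
query=paros+proxy.
"""

def parse_request(payload):
    """Return (method, path, host, body); byline mode renders each CR as a trailing '.'."""
    lines = [ln[:-1] if ln.endswith(".") else ln for ln in payload.strip("\n").split("\n")]
    method, path = lines[0].split(" ")[:2]
    host, body = "", ""
    for i, ln in enumerate(lines[1:], 1):
        if ln == "":                           # blank line ends the headers
            body = "\n".join(lines[i + 1:])
            break
        if ln.lower().startswith("host:"):
            host = ln.split(":", 1)[1].strip()
    return method, path, host, body

def find_cleartext_logins(capture):
    """One finding per POST with a non-empty credential field; all of it crossed the wire in the clear."""
    findings, hdrs = [], list(RECORD_HDR.finditer(capture))
    for i, m in enumerate(hdrs):
        end = hdrs[i + 1].start() if i + 1 < len(hdrs) else len(capture)
        method, path, host, body = parse_request(capture[m.end():end])
        if method != "POST":
            continue
        fields = parse_qs(body, keep_blank_values=True)
        hit = sorted(f for f, v in fields.items()
                     if v[0] and any(k in f.lower() for k in CREDENTIAL_FIELDS))
        if hit:
            findings.append({"src": m.group(1), "dst": f"{host or m.group(2)}:{m.group(3)}", "path": path, "fields": hit})
    return findings
```

Run it over a live ngrep capture of your own network segment to find logins that still go out unencrypted; the empty vb_login_password field is deliberately not reported, while the two MD5 fields are, because those are what a replay would use.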

To back up the illustration above, here's a video showing the simplicity of the attack. Note that the user in the video uses a different sniffer on the wire.

[video]: http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx

Resources/Good reading:
http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx
