Targeted Web Attacks

Part 2 of Social Networks the New Fingerd
Author: david.kierznowski_at_gmail.com
http://michaeldaw.org
1. Introduction
I recently released an article titled “Social Networks the New FingerD”. That article gave an example of using LinkedIn in passive username enumeration attacks. This article discusses using search engines and OpenPGP key servers as additional enumeration resources. None of these ideas are new, but in my opinion they deserve a bit more light, especially when looking at RSnake’s recent XSS Top Vulnerability post.
2. Purpose
At the moment XSS attack scenarios are very broad: XSS to create a botnet, to propagate a worm, and so on. There is no real direction toward actual focused XSS exploitation. In theory one could own the continent(s) and then filter out specific targets, but let’s face it, this is probably not the smartest thing to do.
3. The How?
My initial thoughts on targeted Web attacks “from the Internet” include some of the following ideas:
Backdooring the Company Homepage
Many users have their browser’s default (or startup) page set to the company website. However, this may not work in some cases, as internal users often connect to an intranet website rather than an Internet website. Another solution to this problem may be to backdoor another website associated with the company (e.g. company webmail or a Citrix gateway).
Information Gathering Attacks
In most cases, specific exploitation requires foreknowledge of our target. For example, Jane Daw works at company X as a legal secretary. Once this information is known, any number of “specific” attacks can be launched. These attacks can occur via HTTP, email, social engineering and password brute forcing, to name a few.
Over the last month, pdp (architect) and I (was that the right way round? I can never remember) have been working on backdooring a number of web technologies. So far our list includes:
* Web Pages
* Flash
* Quicktime
* PDF
* MP3 (although this uses Quicktime)
So the question still remains: what web resources do we have available to passively enumerate users within an organisation?
We have already discussed using Social Networks such as LinkedIn. Two other possibilities are as follows:
* Public Key Servers
* Search Engines
3.1 Public Key Servers
Public key servers provide a single repository where users can store their public keys on the Internet. This lets two parties encrypt email easily without having to hassle the recipient for their public key.
This service is an excellent resource to enumerate employee details within an organisation.
Example search for google.com using “http://keyserver.veridis.com:11371”:
--snip--
Results 1 - 30 of about 41 for google.com. (0.019 seconds)

Key(s)                        Key ID      Size       Creation    Expiration
*hidden* *hidden*@google.com  0x4F79C91B  4096/1024  2006/06/13  2011/06/12
*hidden* *hidden*@google.com  0x8475A4CF  2048/1024  2001/05/07  Never
*hidden* *hidden*@google.com  0x9038F60E  2048/1024  2001/02/20  Never
*hidden* *hidden*@google.com  0xE617F27A  1024       2005/07/13  2006/07/13
*hidden* *hidden*@inodes.org  0xD02F8773  1024/1024  2000/03/08  Never
*hidden* *hidden*@google.com  0x20C9885A  2048/1024  2005/10/12  Never
*hidden* *hidden*@red-bean.com 0xEC6B5156 1024/1024  1998/11/09  Never
*hidden* *hidden*@google.com  0x4E844EF3  1024       2005/07/27  2006/07/26
*hidden* *hidden*@google.com  0x2349D344  2048/1024  2005/12/06  2007/12/06
*hidden* *hidden*@google.com  0x438046E4  2048/1024  2005/12/12  Never
--snip--
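The listing above is the human-readable page a key server renders. HKP key servers also serve the same index in a machine-readable form (the `op=index&options=mr` query, with colon-separated `pub:` and `uid:` records and Unix timestamps), which is the form an organisation would parse when reviewing its own key-server footprint. The following Python is an added example, not code from the original article or from pdp’s tool: it parses that format, lists which addresses at a domain are published, and flags keys that are expired, revoked or disabled so they can be cleaned up. The sample index, its key IDs and timestamps are constructed placeholders, and the audit date (1 October 2006) is an assumption.

```python
"""Audit an OpenPGP key server's machine-readable index for one domain.

Added example (not from the original article). Input is the HKP
``op=index&options=mr`` format:

    info:<version>:<count>
    pub:<keyid>:<algo>:<keylen>:<created>:<expires>:<flags>
    uid:<url-escaped uid>:<created>:<expires>:<flags>

Timestamps are Unix seconds; flags may contain r (revoked), d (disabled)
and e (expired). The sample below is constructed; key IDs are fake.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample response: four keys, one expired, one revoked.
SAMPLE_INDEX = """info:1:4
pub:DEADBEEF00000001:1:4096:1150156800:1307836800:
uid:Alice Example <alice@example.com>:1150156800::
pub:DEADBEEF00000002:17:1024:1121212800:1152748800:e
uid:Bob Example <bob@example.com>:1121212800::
pub:DEADBEEF00000003:1:2048:1129075200::
uid:Carol Example <carol%40example.com>:1129075200::
pub:DEADBEEF00000004:17:1024:952473600::r
uid:Dave Elsewhere <dave@other.example>:952473600::
"""

# Assumed audit time: 2006-10-01 00:00 UTC (constructed for the example).
AUDIT_TIME = 1159660800

EMAIL_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


@dataclass
class KeyRecord:
    key_id: str
    algo: int
    bits: int
    created: Optional[int]
    expires: Optional[int]
    flags: str
    uids: List[str] = field(default_factory=list)


def _ts(value: str) -> Optional[int]:
    """Empty timestamp field means 'never' / unknown."""
    return int(value) if value else None


def parse_hkp_index(text: str) -> List[KeyRecord]:
    """Parse machine-readable HKP index lines into KeyRecord objects."""
    keys: List[KeyRecord] = []
    current: Optional[KeyRecord] = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            current = KeyRecord(
                key_id=fields[1], algo=int(fields[2]), bits=int(fields[3]),
                created=_ts(fields[4]), expires=_ts(fields[5]), flags=fields[6],
            )
            keys.append(current)
        elif fields[0] == "uid" and current is not None and len(fields) >= 2:
            # uid strings are URL-escaped so that ':' cannot break the record
            current.uids.append(unquote(fields[1]))
    return keys


def addresses_for_domain(keys: List[KeyRecord], domain: str) -> set:
    """Addresses at `domain` that appear in any user ID (lower-cased)."""
    suffix = "@" + domain.lower()
    found = set()
    for key in keys:
        for uid in key.uids:
            match = EMAIL_RE.search(uid)
            if match and match.group(1).lower().endswith(suffix):
                found.add(match.group(1).lower())
    return found


def stale_keys(keys: List[KeyRecord], now_ts: int = AUDIT_TIME) -> List[KeyRecord]:
    """Keys flagged revoked/disabled/expired, or whose expiry has passed."""
    return [
        k for k in keys
        if set(k.flags) & set("rde") or (k.expires is not None and k.expires < now_ts)
    ]


def audit_domain(text: str, domain: str, now_ts: int = AUDIT_TIME) -> dict:
    """Summarise what a key server publishes about `domain`."""
    keys = parse_hkp_index(text)
    return {
        "addresses": sorted(addresses_for_domain(keys, domain)),
        "stale_key_ids": [k.key_id for k in stale_keys(keys, now_ts)],
        "key_count": len(keys),
    }


if __name__ == "__main__":
    report = audit_domain(SAMPLE_INDEX, "example.com")
    print(f"{report['key_count']} keys in index")
    print("published addresses:", ", ".join(report["addresses"]))
    print("stale keys to clean up:", ", ".join(report["stale_key_ids"]))
    for k in stale_keys(parse_hkp_index(SAMPLE_INDEX)):
        when = datetime.fromtimestamp(k.created, tz=timezone.utc).date()
        print(f"  {k.key_id} ({k.bits}-bit, created {when}, flags '{k.flags}')")
```

Against a live server the same text would come from an HTTP GET of `/pks/lookup?op=index&options=mr&search=<domain>` on port 11371; the audit is only as good as the server’s own view, and revoked keys stay listed (flag `r`) rather than disappearing, which is exactly why the stale-key check matters.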
3.2 Search Engine
Search engines, when used correctly, can yield very sensitive information. For more information on this see: http://johnny.ihackstuff.com/.
4. Tools
I was thinking about writing a tool to automate these checks; however, when bouncing the idea off pdp (architect), I found he had already done the work.
His tool is a little outdated but supports both Google and OpenPGP checks. It can be found at the following URL:
http://www.gnucitizen.org/projects/met/