Monday, May 6, 2013

So, why exactly is facebook following my private message links?

Earlier today I was chatting with someone on facebook chat and I wanted their IP, so I sent them an enticing link, and waited to see them show up in my web logs.
The link that I sent was to a file called taxStuff.doc which doesn't actually exist on my server, but should give me a nice "File does not exist" message with their IP.

So I said a few things in the private message to make the link enticing, then pasted in the link while tailing the httpd log file. The trap is set.
... and bam, I get 2 hits.



[Mon May 06 18:10:13 2013] [error] [client x.x.62.182] File does not exist: /var/www/html/MYSERVER/taxStuff.doc
[Mon May 06 18:14:40 2013] [error] [client 173.252.73.112] File does not exist: /var/www/html/MYSERVER/taxStuff.doc


Wait, why 2 hits? Well, let's do a whois on that second IP:

~$ whois 173.252.73.112

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=173.252.73.112?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       173.252.64.0 - 173.252.127.255
CIDR:           173.252.64.0/18
OriginAS:       AS32934
NetName:        FACEBOOK-INC
NetHandle:      NET-173-252-64-0-1
Parent:         NET-173-0-0-0-0
NetType:        Direct Assignment
RegDate:        2011-02-28
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-173-252-64-0-1

OrgName:        Facebook, Inc.
OrgId:          THEFA-3
Address:        1601 Willow Rd.
City:           Menlo Park
StateProv:      CA
PostalCode:     94025
Country:        US
RegDate:        2004-08-11
Updated:        2012-04-17
Ref:            http://whois.arin.net/rest/org/THEFA-3

OrgAbuseHandle: OPERA82-ARIN
OrgAbuseName:   Operations
OrgAbusePhone:  +1-650-543-4800
OrgAbuseEmail:  domain@facebook.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN

OrgTechHandle: OPERA82-ARIN
OrgTechName:   Operations
OrgTechPhone:  +1-650-543-4800
OrgTechEmail:  domain@facebook.com
OrgTechRef:    http://whois.arin.net/rest/poc/OPERA82-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

A little more testing, and it looks like whenever someone clicks a link from a facebook private message, facebook kindly attempts to go and get the resource too. Now you might be thinking that this is facebook doing their prefetching thing, so they can show you a thumbnail of what someone is sending you. Doesn't look like it. Unfortunately, the hit comes as soon as someone clicks the link, not before. 
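Whether a hit on a canary URL came from the person who received the link or from the platform's own link fetcher is decided, in the log, by the source address. The script below is an added example, not code from the post: it parses Apache 2.2-style error-log lines like the two above, keeps only hits on the canary path, and tags any hit whose client address falls inside the FACEBOOK-INC range from the whois output (173.252.64.0/18) as a fetcher rather than a recipient. The sample log lines, the 198.51.100.23 placeholder address and the function names are constructed for this example.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in Apache 2.2 error-log format. 198.51.100.23 is a
# documentation-range placeholder for the recipient; 173.252.73.112 is the
# second address from the post's log.
SAMPLE_LOG = """\
[Mon May 06 18:10:13 2013] [error] [client 198.51.100.23] File does not exist: /var/www/html/MYSERVER/taxStuff.doc
[Mon May 06 18:14:40 2013] [error] [client 173.252.73.112] File does not exist: /var/www/html/MYSERVER/taxStuff.doc
[Mon May 06 18:15:02 2013] [error] [client 198.51.100.23] File does not exist: /var/www/html/MYSERVER/favicon.ico
"""

CANARY_PATH = "/var/www/html/MYSERVER/taxStuff.doc"

# Range from the whois output above (FACEBOOK-INC, AS32934). Other
# link-preview or crawler ranges you identify go in the same list.
KNOWN_FETCHER_NETS = [ipaddress.ip_network("173.252.64.0/18")]

# Apache 2.2 logs "[client ip]"; 2.4 logs "[client ip:port]", so the port is
# optional. IPv4 only, which is all the sample contains.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] "
    r"\[client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\] "
    r"File does not exist: (?P<path>\S+)$"
)


def parse_error_log(text):
    """Return (timestamp, client_ip, path) for each 'File does not exist' line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        hits.append((ts, ipaddress.ip_address(m.group("ip")), m.group("path")))
    return hits


def classify_canary_hits(hits, canary_path, fetcher_nets=None):
    """Keep hits on the canary path and label each 'recipient' or 'fetcher'.

    A request from a known link-preview range shows that the platform saw the
    URL, not that the person it was sent to opened it, so it must not be
    counted as a click.
    """
    nets = KNOWN_FETCHER_NETS if fetcher_nets is None else fetcher_nets
    result = []
    for ts, ip, path in hits:
        if path != canary_path:
            continue
        kind = "fetcher" if any(ip in net for net in nets) else "recipient"
        result.append({"time": ts.isoformat(), "ip": str(ip), "kind": kind})
    return result


if __name__ == "__main__":
    for hit in classify_canary_hits(parse_error_log(SAMPLE_LOG), CANARY_PATH):
        print(hit)
```

The same filter is what keeps a honeytoken URL in a defensive deployment from paging someone every time a chat client or mail gateway fetches a preview of it.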

Now it just doesn't seem right that when I'm trying to be all creepy on facebook, facebook gets creepy back. I mean, guys, can you please leave the invasions of privacy to those of us leveraging your site to creep on others.

And now I'm sitting here thinking of all the ways this "feature" could possibly be abused. I wonder how big of a file I can get them to request from me.... I wonder if someone could make facebook send a flood of HTTP gets to the Pentagon.... hmmm


#################
EDIT, MORE INFO
So, looking at a packet capture of the GET request, facebook hands us a URL:

Well that was nice of them. Let's check out what that page is.
That makes sense. It does seem to be broken to me though, considering the hit only comes when the user clicks the link... kind of defeats the purpose of a preview. And hey, facebook isn't being as creepy as I suspected. All is well on the internet again, and the only one creeping your facebook is me.


Tuesday, April 23, 2013

Being a good internet citizen

A large percentage of breaches are discovered by having a third party mention to you that you're insecure. I would estimate it to be well over 50%.
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see this post on google hacking).

I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.


Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. Looked kind of like this:



Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely downloadable and searchable on google!


Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting 576 domains!


So I sent them a simple email:

Attention Information Security,
I saw this site on google, and happened to notice that you appear to have a symlink in your document root that points back to /, allowing access to your entire system through the webserver.
For example, your passwd file SHOULD NOT be publicly viewable.
http://XXXXXXXXX.com/x.txt/etc/passwd

Please let me know if you have any questions.
Thank you,

I received a response from them, which included this:
It's worth noting that /etc/passwd does not contain any sensitive information, and that although we do not widely publish our configuration, we do not generally consider it to be sensitive as it is relatively trivial to reverse-engineer by experimentation and observation. We conduct regular reviews of our platform's security and take extensive measures to ensure that our servers stay secure.

Huh. Okay.


Note: Names have been redacted to protect the ignorant.
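The misconfiguration in this post is a symlink inside the document root that resolves to /, on a web server willing to follow it. The audit below is an added example, not code from the post: it walks a document root without descending through symlinks, reports every link whose real target lies outside the document root, and builds a constructed throwaway layout that reproduces the x.txt -> / link so the check can be run offline. The names escaping_symlinks and build_demo_docroot are my own.

```python
import os
import tempfile


def escaping_symlinks(docroot):
    """Return sorted [(link relative to docroot, resolved target)] for every
    symlink under docroot whose real target lies outside docroot.

    Symlinked directories are listed but never descended into, so a link to /
    is reported once instead of walking the whole filesystem through it."""
    root = os.path.realpath(docroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            # commonpath equals root only when target is root or below it
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(path, root), target))
    return sorted(found)


def build_demo_docroot():
    """Constructed throwaway layout reproducing the post's misconfiguration:
    docroot/x.txt -> / (escapes) next to a harmless in-tree link."""
    base = tempfile.mkdtemp(prefix="symlink-audit-")
    docroot = os.path.join(base, "docroot")
    os.makedirs(os.path.join(docroot, "static"))
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    os.symlink("/", os.path.join(docroot, "x.txt"))            # the bad one
    os.symlink(os.path.join(docroot, "static"),                 # stays in tree
               os.path.join(docroot, "css"))
    return docroot


if __name__ == "__main__":
    demo = build_demo_docroot()
    for link, target in escaping_symlinks(demo):
        # With FollowSymLinks enabled, <link>/etc/passwd under this docroot
        # would be served straight from the real filesystem.
        print(f"{link} -> {target}")
```

On Apache the server-side half of the fix is to drop FollowSymLinks from the Options directive for the vhost (SymLinksIfOwnerMatch is the stricter alternative); the audit catches the link itself, which matters when one box serves hundreds of domains and a single stray link exposes the whole filesystem to all of them.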

Friday, April 19, 2013

All, I noticed a tweet by HD Moore today giving a shout out to this post written last week by Ed Skoudis. Very good read. Here's a link and an excerpt:

http://pen-testing.sans.org/blog/pen-testing/2013/04/08/when-offense-and-defense-become-one

"at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical."


"Consider these examples:
  • Endpoint security suites: Have you ever pondered what these tools really are? With their integrated anti-virus, personal firewall, and host-based Intrusion Prevention Systems, they operate at a fairly low level of most operating systems, hooking all kinds of system calls so that administrators can maintain control of the machine. Wait... that's a rootkit! The only difference between an endpoint security suite and most rootkits is the level of functionality and who controls it: good guy administrators or bad guys. So, we've got a multi-billion dollar segment of the infosec industry that is actually built on selling commercial rootkits, also known as endpoint security suites."
Ed Skoudis is a very dynamic teacher there at SANS, and I recommend his courses to everyone.

Thursday, January 31, 2013

Habit 1

I gave a presentation at a conference last year, and someone commented that if I have a blog called "the 7 habits of highly effective hackers", I should probably have a list of 7 actual habits on said blog. I guess that's fair.

So here we go starting with habit 1, which I promise will be the only non-technical habit of the 7.

Habit 1: Effective hackers know that the game they play IS the real world.
In a sentence: effective hackers understand the repercussions of their actions.
There's something about computer systems that causes many people to act in a way that they never would in real life. Some of us would never read a stranger's physical mail, yet would feel no guilt whatsoever about reading their email. We make silly excuses to justify why our online world is different than our real world. That person should have changed the default password on their router; they're stupid and deserve it. That company knows their environment/product is insecure, if they wanted to keep me out they'd have fixed it.

Think this one over. Although there's no CVE number for it yet, it is now being reported that human beings are vulnerable to having bricks thrown at their heads. All versions are affected, and easy methods for exploiting this weakness have reportedly been in the wild for some time now.... Would anyone think that the public disclosure of this knowledge would in any way justify them throwing bricks and hurting others? Are we more justified because they should have known better?

This probably all sounds really preachy. I'm actually not trying to tell you that you should feel guilt for hurting others (that's between you and your own conscience). I AM trying to say you should understand the repercussions of your actions. If you post someone's PII on pastebin, someone, A REAL PERSON, will experience real grief over it. When you gain access to someone's network, it could mean real impact for that organization. Real people could lose their jobs over it. I'm not telling you to care, I'm telling you that you MUST understand.
You must do whatever you do with your eyes wide open. Know and accept all possible impacts of every scan, every exploit, every move.

Okay, gotta go. My shirt just got out of the dryer. I'm sure we're all familiar with MITM (Mythbuster In The Middle).




Wednesday, August 22, 2012

Thanks, and UtahSAINT Conference 2012


First off, I'd like to thank all those who have built on my proof of concept, Using twitter to build password cracking wordlist. Some of you have seriously taken it to the next level, and I applaud your efforts.

Including, but not limited to:
http://www.digininja.org/projects/twofi.php
http://blog.hacktalk.net/twitscrape/
http://www.damnsecure.org/?p=833
http://www.nathanv.com/2012/07/18/shell-script-use-twiter-and-bing-to-generate-wordlists/
Nicely done, effective hackers.

Now on to the main reason for this post.
I'll be presenting at the UtahSAINT Conference 2012, this upcoming Oct 9-12 in Saint George, UT.
My topic will be "The 7 Habits of Highly Effective Hackers: Effective hacking techniques and countermeasures."

Other speakers include:
Kevin Young - whose unique passphrase cracking techniques helped his team take 2nd place at this year's "Crack Me If You Can" contest at Defcon
Miles Johnson - Security Analyst at Utah State University (and my old mentor)
Special Agent Cheny Engtow - of the FBI
And many more...

If you're attending the conference or just in the area, swing by and say hello.
Until next time...

Wednesday, August 15, 2012

Passively Cable Tapping Cat5



When someone shows off a novel idea/solution they came up with, there are typically about a thousand people who rush in to say "You should have done it this way instead." Then others who attempt to build on the idea, and make it easier and even cooler. In this post I will attempt the latter.

In the most recent edition of 2600, The Hacker Quarterly, there was a story entitled "BUILDING A CAT-5 CABLE TAP" that details how to create a passive hardware cable tap using alligator clips. I love seeing stuff like this. The author came up with this idea, made it work, and posted it for all to share.

This past spring while in a server room with a friend/co-worker, we noticed a cable that ran through our cage that belonged to a different group within our company. We joked about cutting it, attaching an RJ45 end to each side, and sticking a hub on it. The conversation progressed to methods for doing this passively, without having to cut the wire. Soon we came to the same idea as the author, and decided we could use alligator clips.

Later on that week I was online reading about wall jacks and decided to give this a try. I picked up a cat5 end for 1.40 at Home Depot. I stripped a small length of the cat5 outer jacket and punched the wires down into the wall jack. Make sure you use a punch-down tool bit that doesn't cut the wire on one side.







This worked great. The target machine didn't even drop a packet. Basically the exact same thing as using alligator clips, but much less stripping.

My hat is off to the author of the article. I hope you don't mind me expanding a little on your idea.

Wednesday, June 6, 2012

Cracking the 3.5 Million Password Hashes That Were Redacted

The release of millions of SHA1 hashes from linkedin.com has the internet all buzzing today... but then comes the news that 3.5 million of them have the first 5 characters redacted and replaced with 00000.
Well, if we don't have the entire hash we can't crack them... Oh wait, we still have the remaining 36 characters to do a comparison against.
So let's try this:
First, let's get just the hashes that start with the 00000. Looks like there are 3,521,180.


Now, for each line in our word list (WORDS.txt) let's calculate the SHA1 hash, chop off the first 5 characters, and compare that to our hashes list. If the partial hash is there, echo the password to the screen.
For those that can't see that, the command is:
# read -r keeps words with spaces or backslashes intact; bytes 6-40 are the 35 hex chars after the redacted prefix
while IFS= read -r i; do grep -q "$(printf '%s' "$i" | sha1sum | cut -b6-40)" SHA1-0s.txt && printf '%s\n' "$i"; done < WORDS.txt



And boom, there are thousands of passwords scrolling down the screen.
Enjoy.
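Why the redaction buys nothing: a SHA-1 digest is 40 hex characters, so masking the first 5 still leaves 35 (140 bits) to compare, and a match on those is as conclusive as a match on the full hash. The Python below is an added example, not the post's command: it builds an index of the surviving suffixes once, so each candidate word costs one set lookup instead of a grep over the 3.5 million-line file. The real file is not reproduced here; the list of redacted hashes is constructed inside the script from a few known plaintexts, and make_redacted and match_wordlist are my own names.

```python
import hashlib

REDACTED_PREFIX = "00000"   # what replaced the first 5 hex chars in the dump
SHA1_HEX_LEN = 40


def sha1_hex(word):
    return hashlib.sha1(word.encode("utf-8")).hexdigest()


def make_redacted(plaintexts):
    """Constructed stand-in for SHA1-0s.txt: hash each plaintext and mask the
    first five hex characters the way the released file did."""
    return [REDACTED_PREFIX + sha1_hex(p)[5:] for p in plaintexts]


def build_suffix_index(redacted_hashes):
    """Map the 35 surviving hex characters of each line to the full line,
    skipping anything that is not a 40-character redacted hash."""
    index = {}
    for h in redacted_hashes:
        h = h.strip().lower()
        if len(h) == SHA1_HEX_LEN and h.startswith(REDACTED_PREFIX):
            index[h[5:]] = h
    return index


def match_wordlist(redacted_hashes, words):
    """Return {redacted_hash: plaintext} for every word whose SHA-1 suffix
    appears in the index; the same comparison as the grep loop in the post."""
    index = build_suffix_index(redacted_hashes)
    cracked = {}
    for w in words:
        w = w.rstrip("\n")
        suffix = sha1_hex(w)[5:]
        if suffix in index:
            cracked[index[suffix]] = w
    return cracked


if __name__ == "__main__":
    leaked = make_redacted(["password", "linkedin", "qwerty123"])   # constructed
    wordlist = ["123456", "password", "letmein", "qwerty123"]       # constructed
    for h, pw in match_wordlist(leaked, wordlist).items():
        print(h, pw)
```

For anyone storing passwords, the lesson is that the exposure comes from the unsalted, fast hash, not from which five characters were disclosed.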