Just a quick post to share some proof of concept code. Some potential phishing scheme against Google Accounts can be deployed by making use of an Open Redirect in Google Apps SSO setup.
This has been reported and marked as WONTFIX by Google, which makes sense since this is one of those rare cases where having such functionality available outweighs the potential risks. Also, it seems they can’t really deploy any reasonable fix.
Despite not explicitly mentioned, I bet they are monitoring that nobody actually does nasty things with this redirect so don’t get any ideas ;)
Proof of concept code is here: http://makensi.es/pocs/ga/gaphis.html
- CSRF Logout user
- Link to access Google Account
- accounts.google.com asks for credentials
- On successful auth, user is redirected to phishing site which alerts the user the wrong password was entered. If the page load is fast enough there is a possibility that the user won’t look at the address bar again.
- User auths again against makensi.es and is then redirected back to accounts.google.com, logging in automatically.
All in all, not a huge issue but some good practical example of malicious Open Redirects.
So Open Redirects debate always comes back again and again across security rooms. I often dig the claim that these should not get real attention since they hardly get used beyond PoCs, but there are still some situations in which they can become a real issue.
Having read a lot lately about hacks making use of open redirectors to accomplish all sorts of cool vuln chaining, I decided to tie up all my loose thoughts in a deck of slides, in the hopes that it can serve as a reference for the current and actual impact of delivering arbitrary redirects to your users.
Also, reveal.js is pretty cool.
While conducting black box security assessments on custom web applications, one wonders if any additional vulnerabilities await in the darkness. A darkness provided by the absence of source code to look at.
Revershal is a dirty script to search for particular formats and combination of known inputs that have been used to derive certain hash strings on custom web applications.
For example lets assume you have a hash and you know it is generated from something like:
string = 'input1 + sep + input2 + sep + input3'
hash = f(string)
From a security standpoint when the hash should not be guessable/predictable by an attacker (for example in a reset password function), at least one of those inputs should be a strong secret (key) known only by the application. However, multiple custom made applications generate hashes in this fashion just using predictable inputs such as email, full name, userid or the timestamp of the instant they are generated. For example:
reset_password_hash = sha512( username + '-' + email + '-' + timestamp )
In this situation, getting knowledge about the particular input format that the hashing function receives is the key to compromising the functionality (reset password in this case)
revershal does just that. Just feed it with your known predictable tokens and a valid hash obtained from the application and it will compute all potential formats, trying to come up with the one that was used.
$ cat test.txt
$ ./revershal.py -t test.txt -s `echo -n "token1.token3.token2" | md5sum | cut -d" " -f1` -g
[*] Guessing algorithm from hash...
[*] [WARNING] Guessing will only look at string length, not valid alphabet
[*] Hash looks like md5
[*] Target hash: 4615f95012f720eb5b23651debab6d78
[*] 3 total known tokens
[*] Total of 147 masks to compute...
[*] SUCCESS with mask: token1.token3.token2
Reading someone else’s code can be fun but usually is a daunting task, particularly when by reading one means searching for flaws.
aramaki is just a grep wrapper to conduct manual security code reviews on huge code bases in a more convenient and efficient manner. This type of reviews usually involves searching for common keywords which may help land your eyes on the interesting parts of the code, from where you can dive in and search on.
Now since just grepping for patterns usually leaves you with some unmanageable text output of several mb’s, aramaki comes handy to help you navigate this mess in a quick and efficient manner.
So, in a nutshell:
- Auditing codebases manually can be daunting
- Usually one searches (greps) for dangerous APIs
- Grep output is hard to manage efficiently
- We want something small that works out of the box on most systems
- No need to install anything else (ack, gui lib…)
- This code snippet is vulnerable, flag it
- This pattern only produces false positives, ignore it
- I need to open this file in my fav editor
- This file should be ignored
- I got tired. I will continue the review later
- Please, resume at the point I left
Of course this is just a quick and dirty hack to make my life easier. You have more expensive and probably better alternatives.
I am recently getting quite carried away about information gathering and open source intelligence in general. Following the publication of the Skip Tracing Framework I have been looking for new ways to extract useful information about particular targets from unexpected sources. It is surprising how much information is available out there just waiting to be discovered.
One of my unexplored grounds was Twitter. Given its insane popularity it can be very well included in traditional reconnaissance proccesses that used to gather people email addresses for various purposes. People now have Twitter accounts and you can sometimes reach them more easily through a @mention than via email. Furthermore, unlike traditional email, Twitter can also reveal special connections between certain individuals which can help to aim better when conducting investigations.
Tweetstars are a recent interesting phenomena. Fake, satirical or just anonymous accounts are becoming more and more popular in Twitter and receiving a lot of fuss even from the media. They sometimes are used to shout about controversial topics or disclose sensitive information. @masaenfurecida is one example of such accounts. This spanish account is getting a lot of attention due to his incendiary tweets about the political and social panorama of Spain.
But who is behind this account? Can we infer that just out of the available open data we have? Can we at least narrow down the ownership to a small group of individuals? Let’s see.
So, where to begin?
We are going to assume the owner of a certain Tweetstar account algo has his own parallel account for unrelated tweeting. If we consider this too much of a stretch, we can at least assume that people closely connected with the owner in some way will have twitter accounts. Now, tweetstars usually have A LOT of followers so finding interesting people in that sea is going to be tough.
What do we know to start with?
Some ground rules:
- Tweetstars usually follow either nobody, a few tenths of people or tons of them. When they follow tenths of people we can probably find some interesting connections following that route.
- Twitter apparently lists the people an account follows in chronological descending order, which means the first people the owner decided to follow are at the bottom (relevant). I am pretty positive about this one, could be wrong though.
- People can follow an account through a public list without actually following it. Tweetstars appear sometimes in lists from people who actually do not follow them.
- Given two twitter accounts, a not-so-obvious connection can be established between them just by comparing who they follow, who follow them, the lists they appear on…
To help conduct this type of investigations a new script was born. It has been coded in a hurry, it is fugly and hardly documented but it gets the job done. Input takes two twitter screen names to display the possible connections found between the two accounts. Since Twitter limits API calls to 150 per hour certain effort has been put to try to cache data and reduce the number of queries as much as possible. Just keep the script open so the cached data don’t go away and keep querying twitter for aditional screen name pairs. You will find Twittego getting the best out of those 150 calls.
The first lead
My first lead came from a friend of mine, who got from a very good source that @masaenfurecida is an account managed by several spanish TV script writers. Gossip should be always taken with a grain of salt but since I did not have any other clue, it was worth the shot.
Searching Twitter for script writers and guilds returns several hub accounts including: @encuentroguion, @fagaguionistas, @guionistasaida, @guonistaszd, @almaguionistas, @sologuion, @guidoitwitt, @tandemguion, @gagsigc. Matching those against @masaenfurecida using Twittego reveals several individuals who besides following @masaenfurecida, also actively follow several of these script writing guilds, festivals and so.
The most prominent of these individuals are @cristaljar, @juanjomoscardo, @galahan, @xcarlosares, @teresadiez, @erreimantada and @oscarbernacer. All very actively connected in this context.
Checking first follows
On the other hand, apparently the owner of @masaenfurecida is somewhat connected to @joseluisgarci. Now since @joseluisgarci is also a Tweetstar, issuing both names to Twittego yields too much noise so we need to carve deeper. How about the first follows of that account? Interesting accounts here include @johntones, @noelburgundy, @frunobulax and @caco3000, the first four. Also, comparing this list with the previous results of the script writing guilds, we get further related accounts such as @cristaljar and @vigalondo.
Googling around a bit
Ok so second Google result for “masaenfurecida” brings you to a forum thread about our tweetstar, started by @johntones, someone who already appeared in the previous step. Although the connection seems obvious, while discussing in the thread about him being the real culprit the connection is explicitly denied. They also point out that several authors could actually be behind @masaenfurecida, but several people seem pretty positive about a connection between the forum and the account. @noelburgundy, who appeared before appears on that thread too, which reveals nothing but means we are at least moving between a very close group of people.
Another quick Google search including the name of the forum (focoforo) reveals some anonymous comment on an article discussing the authorship of @masaenfurecida’s tweets. He claims @vigalondo, @johntones and several other people from @elfocoforo are behind @masaenfurecida. A reply points out how these guys actually denied this connection despite they apparently sell shirts about @masaenfurecida. Intriguing.
Wrapping things up
How about the names that came up while searching for script writers?. Inputting @elfocoforo with previous highlighted previous accounts into Twittego lights the Christmas Tree, making @Vigalondo, @fagaguionistas, @johntones, @joseluisgarci, @cristaljar… and several others appear all over the place.
So, what’s the conclusion? Can we safely point our finger to people like @vigalondo, @johntones, @cristaljar, or people related to @fagaguionistas? Well, probably not, but at least we have found a small network backing up that anon claim from the previous comment.
We have just seen a proof of concept about gathering information just by looking at Twitter connections between people with the help of a tool like Twittego. In this particular case we simply found incidental evidence, but from what I have seen I can assure you there are other cases where this kind of proccess would reveal more info than initially expected.
Experiment with Twittego using different twitter accounts. The results will probably surprise you.
Happy New Year, Sherlocks.