453 total views, no views today
Businesses spend billions of dollars annually on software and hardware to block external cyberattacks, but a shocking number of these same organizations shoot themselves in the foot by poking gaping holes in their digital defenses and then advertising those vulnerabilities to attackers. Today’s post examines an underground service that rents access to hacked PCs at organizations that make this all-too-common mistake.
Makost[dot]net is a service advertised on cybercrime forums which sells access to “RDPs”, mainly Microsoft Windows systems that have been configured (poorly) to accept “Remote Desktop Protocol” connections from the Internet. Windows ships with its own RDP interface built-in; to connect to another Windows desktop or server remotely, simply fire up the Remote Desktop Connection utility in Windows, type in the Internet address of the remote system, and enter the correct username and password for a valid user account on that remote system. Once the connection is made, you’ll see the remote computer’s desktop as if you were sitting right in front of it, and have access to all its programs and files.
Makhost[dot]net sells access to thousands of hacked RDP installations. Prices range from $3 to $10 based on a variety of qualities, such as the number of CPUs, the operating system version and the PC’s upload and download speeds.
Makost currently is selling access to more than 6,000 compromised RDP installations worldwide. As we can see from the screen shot above, hacked systems are priced according to a combination of qualities of the server:
city, state, country of host;
administrative or regular user rights;
operating system version;
number and speed of computer processors;
amount of system memory;
network download and upload speeds;
NAT or direct
KrebsOnSecurity was given a glimpse inside the account of a very active user of this service, an individual who has paid more than $2,000 over the past six months to purchase some 425 hacked RDPs. I took the Internet addresses in this customer’s purchase history and ran WHOIS database lookups on them all in a bid to learn more about the victim organizations. As expected, roughly three-quarters of those addresses told me nothing about the victims; the addresses were assigned to residential or commercial Internet service providers.
But the WHOIS records turned up the names of businesses for approximately 25 percent of the addresses I looked up. The largest group of organizations on this list were in the manufacturing (21 victims) and retail services (20) industries. As I sought to categorize the long tail of other victim organizations, I was reminded of the Twelve Days of Christmas carol.
twelve healthcare providers;
ten education providers;
eight government agencies;
seven technology firms;
six insurance companies;
five law firms;
four financial institutions;
two real estate firms;
and a forestry company (in a pear tree?)
How did these companies end up for sale on makost[dot]net? That is explained deftly in a report produced earlier this year by Trustwave, a company which frequently gets called in when companies experience a data breach that exposes credit card information. Trustwave looked at all of the breaches it responded to in 2012 and found — just as in years past — “IP remote access remained the most widely used method of infiltration in 2012. Unfortunately for victim organizations, the front door is still open.”
The report continues:
“Organizations that use third-party support typically use remote access applications like Terminal Services (termserv) or Remote Desktop Protocol (RDP), pcAnywhere, Virtual Network Client (VNC), LogMeIn or Remote Administrator to access their customers’ systems. If these utilities are left enabled, attackers can access them as though they are legitimate system administrators.”
Source: Trustwave 2013 Global Security Report
“Would-be attackers simply scan blocks of Internet addresses looking for hosts that respond to queries on one of these ports. Once they have a focused target list of Internet addresses with open remote administration ports, they can move on to the next part of the attack: The number 2 most-exploited weakness: deafult/weak credentials.”
In case the point wasn’t clear enough yet, I’ve gathered all of the username and password pairs picked by all 430 RDP-enabled systems that were sold to this miscreant. As evidenced by the list below, the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password. In each of the following cases, the username and password are the same.
Some of these credential pairs even give you an idea of the type of organization involved, the employee account that was compromised (“intern,” “techsupport,”); the purpose of the hacked system (“payroll”, “fax,” “scanner,” “timeclock”); even the geographic location of the compromised PC within the organization (e.g., “front desk,” “conference room,” “garage”). Incredibly, some of the systems appear to be named after actual security features or backup devices (“symantec,” “sonicwall,” “sophos”):
If you’ve read this far, I hope it’s clear by now that the easiest way to get your systems hacked using RDP is to pick crappy credentials. Unfortunately, far too many organizations that end up for sale on services like this one are there because they outsourced their tech support to some third-party company that engages in this sort of sloppy security. Fortunately, a quick external port scan of your organization’s Internet address ranges should tell you if any RDP-equipped systems are enabled. Here are a few more tips on locking down RDP installations.
Readers who liked this story may also enjoy this piece — Service Sells Access to Fortune 500 Firms — which examined a similar service for selling hacked RDP systems.
542 total views, no views today
Bypassing Seagate ATA Security Lock
Here’s a common story when it comes to password retrieval: guy sets up a PC, and being very security-conscious, puts a password on his Seagate hard drive. Fast forward a few months, and the password is, of course, forgotten. Hard drive gets shuffled around between a few ‘computer experts’ in an attempt to solve the problem, and eventually winds up on [blacklotus89]‘s workbench. Here’s how he solved this problem.
What followed is a walk down Hackaday posts from years ago. [blacklotus] originally foundone of our posts regarding the ATA password lock on a hard drive. After downloading the required tool, he found it only worked on WD hard drives, and not the Seagate sitting lifeless on his desk. Another Hackaday post proved to be more promising. By accessing the hard drive controller’s serial port, [blacklotus] was able to see the first few lines of the memory and the buffer.
Two hours and two Python scripts later, [blacklotus] was able to dump the contents of his drive. He then took another Seagate drive, locked it, dumped it, and analyzed the data coming from this new locked drive. He found his old password and used the same method to look for the password on the old, previously impenetrable drive. It turns out the password for the old drive was set to ’0000′, an apparently highly secure password.
In going through a few forums, [blacklotus] found a lot of people asking for help with the same problem, and a lot of replies saying. ‘we don’t know if this hard drive is yours so we can’t help you.’ It appears those code junkies didn’t know how to unlock a hard drive ether, so [blacklotus] put all his tools up on GitHub. Great work, and something that didn’t end up as a Hackaday Fail of the Week as [blacklotus] originally expected.
439 total views, no views today
This guide is meant to show how easy it is to hack wireless networks if the proper security measures are not in place. First I will show how to hack a WEP or WPA/WPA2 Network and then I will give tips on how to avoid getting hacked.
This is important information in our techno-savy culture. If your wireless network is compromised you can be liable for any illegal activity on it. There are numerous stories of child pornographers and black-hat hackers using other peoples wireless networks.
NOTE: Hacking your neighbors or anyone else’s Wifi without their permission is ILLEGAL. Be smart!
Step 1What you Need
What you Need
-A Computer. (A Laptop works best)-A Wireless Card capable of packet injection.
-If your laptop wireless card can’t do packet injection you can purchase a wireless adapter such as the Netgear WG111 v2 for around $8-$12 on eBay.
-A Live installation of BackTrack either on a CD or USB stick.
-BackTrack 5 Can be found Here
-Create a Live USB Install Here
Step 2Hack WEP
WEP is the predecessor of WPA and has been hacked for the past 5+ years yet people continue to use it. With the instructions below we can crack WEP in under 15 minutes.You can crack WEP from the command line but there is an easy GUI interface in backtrack which makes it a much less painful experience for those who are scared of command prompts.
1. Boot into BackTrack
2. Click on the Backtrack applications menu -> Backtrack -> Exploitation tools -> Wireless exploitation -> WLAN Exploitation -> gerix-wifi-cracker-ng (This will open up the GUI interface seen in the picture).
3. Go to the configuration menu and select the wireless interface wlan0
-Click on Enable/Disable Monitor Mode (this will put the wireless card into monitor mode).
-Select the newly created mon0 interface.
4. Now click on the WEP tab at the top of the window.
-Click on “Start sniffing and logging” and leave the terminal open.
-Once the wireless network you want to crack* shows up (it has to be WEP encryption of course) select the WEP Attacks (with clients). *note that the PWR has to be high enough to work so the closer you can get, the better.
-There you click on “Associate with AP using fake auth”, wait a few seconds and click on “ARP request replay”.
5. Once the Data number reaches over 10,000 you are ready to try (if the data is coming fast wait until 20 or 30,000 to be safe) and crack the key, but don’t close any windows yet.
-Go to the cracking tab and click on “Aircrack-ng – Decrypt WEP password” under Wep Cracking.
It will take a few seconds to minutes to crack the password and then you are good to go.
Step 3Hack WPA/WPA2
At least WPA and WPA2 are safe right? Wrong. WPA and WPA2 are both crackable but the time it takes to crack depends on the strength of their password.-Boot into BackTrack
-Open up Konsole which is a command line utility built into BackTrack. It is the Black Box in the Lower-Left Hand Corner (See Image).
We will now be entering the following commands into the command line noted by Bold as well as explanations as to what they do:
-The following commands stop the wireless interface so you can change your mac address, this is important because your mac address is a unique identifier so faking one is a good idea if you are accessing a network you don’t have permission to. (which by the way I wholly condemn)
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger –mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
-Now we will put the airodump-ng tool into monitor mode, this will allow us to see all of the wireless networks around us (See the first Picture).
Now choose the network you want to hack and take note of the BSSID, and the Channel it is one as well as the ESSID. The PWR has to be fairly high to be able to hack it, this is determined by how close you are to the wireless router. The closer you are, the better.
Once you have chosen the wireless network enter the following into the terminal:
This will write capture packets and put them into the “filename” file, we are trying to capture the handshake between the router and wireless connection which will give us the key we need to crack.
airodump-ng mon0 –channel * –bssid **:**:**:**:**:** -w filename
The following step is optional but is highly recommended as it will speed up the process a great deal.
Once “WPA handshake: **:**:**:**:**:**” appears in the top right-hand corner we can move on. If you are having trouble getting the WPA handshake to occur then do step 4.
aireplay-ng -0 1 -a **:**:**:**:**:** -c **:**:**:**:**:** mon0
What this step (4) does is it deauthorizes a wireless connection and trie to re-establish it so it will generate a new handshake to capture. This step ends once you have captured the handshake.
aircrack-ng –w wordlist.lst -b **:**:**:**:**:** filename.cap
Step 5 is now trying to crack the password in “filename.cap” using a list of words, here called “wordlist.lst” you can download a good 200 million word dictionary here (128MB but unzipped is 800MB).
Your computer has to compute the hash value of every password in that list but a computer can go through those 200 million passwords in 6-12 hours.
If the password isn’t found in the dictionary you can try and brute-force the password with this command: (Note this could take a very long time depending on their password strength).
/pentest/password/jtr/john –stdout –incremental:all | aircrack-ng -b **:**:**:**:**:** -w – filename.cap
Step 4Secure Your Own Wireless Network
Secure Your Own Wireless Network
Hopefully you gained some insight into how to not get your own wireless connection hacked:1. Use WPA2 (WPA2-AES) if available and by all means never use WEP.
2. Don’t base your password on a dictionary word. The next section focuses on passwords in general.
3. In your router settings you can usually hide your ESSID (the name of the wireless network) this will add a small layer of security.
4. In your router there is probably a mac-address filtering service where you can specify the mac addresses that are allowed to connect. This will make sure that only your approved devices can connect to your network. (obviously a problem though if you have a guest over and wants to connect to your Wifi).
This entry was posted in Hacks, How to on March 20, 2012 by nertblox.
Post navigation← Transforming Nintendo 64 into Handheld Console aka Grape 64Better Textures for Skyrim →
How to Decrypt, Unpack, and Edit .apk files (Android, Eclipse, APKTOOL) – Easy as Pie
How to install Maxmind’s GeoIP on Ubuntu/Linux for PHP
Easy PHP Calendar that pulls data from MYSQL
Configure HTTPS with Linux
How to install Any Operating System from a Thumbdrive
How to a Print to a Local or Network Printer with PHP and Linux Command Line
How to play your favorite console games online through your browser
Get Youtube Thumbnails with PHP or Html
How to install Pithos Dekstop Client for Pandora
How To: Do a CSS Reset
Speech Recognition with the Raspberry Pi
How to install festival for Linux/Ubuntu
How to fix any Computer
10 of the Most Awesome Windows Shortcuts You Never Knew About
Fix Sound Drivers for Raspberry Pi – Easy
PHP Code for Replacing Characters in a String or Variable
Transforming Nintendo 64 into Handheld Console aka Grape 64
SSH into your Amazon instance with a KeyPair
How to Obtain a Google API Key.
Adding or Subtracting Time to/from MYSQL Formatted Timestamp in PHP
PHP Cookies don’t work on Apple/Mac – Safari and Opera Browsers/iPhone, iPad, iPod Devices – FIXED
How to look at updated access.log or other log files in linux command line
Split PHP String into Multiple Variables Made Easy
How to Setup Apache2 with Virtual Hosts – Easy Tutorial
How to Split an Array into a String with PHP
How to gain Acess to Unprotected Webcams
How to Import a Android Project (.apk file or folders) into Eclipse
Grammatically Correct PHP Title Capitalization Function
How to Install and Setup Apache in Ubuntu
How can I tell what is taking up space on my hard drive?
SOPA Emergency IP list:
How to embed a Flash/Swf File
How to Charge an iPod with fruits.
How to Troll Someone’s Computer
Runs on WP AA Batteries
496 total views, no views today
Using this post, http://edgis-security.org/honeypot/kippo-01-getting-started/ , I have setup a SSH Honeypot with Kippo.
If you want, you can forward traffic from your own servers to mine and see the results of the SSH capture @ http://info.sethleedy.name/kippo/
Use this in your IPTables to forward your own port 22 traffic to mine @ IP
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j DNAT --to 184.108.40.206:22
iptables -t nat -A POSTROUTING -j MASQUERADE
Change ethernet device to match yours.
Remember to save your iptables for after reboot. iptables-save
Also, you better set this: sysctl net.ipv4.ip_forward=1 OR echo “1” > /proc/sys/net/ipv4/ip_forward
905 total views, no views today