
Hacking: The Next Generation P1

Hacking: The Next Generation
Nitesh Dhanjani, Billy Rios, and Brett Hardin
Beijing • Cambridge • Farnham • Köln • Sebastopol • Taipei • Tokyo
Hacking: The Next Generation
by Nitesh Dhanjani, Billy Rios, and Brett Hardin
Copyright © 2009 Nitesh Dhanjani. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (). For more information, contact our
corporate/institutional sales department: (800) 998-9938 or


Editor: Mike Loukides
Production Editor: Loranah Dimant
Copyeditor: Audrey Doyle
Proofreader: Sada Preisch
Indexer: Seth Maislin
Cover Designer: Karen Montgomery
Interior Designer: David Futato
Illustrator: Robert Romano
Printing History:
September 2009: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of
O’Reilly Media, Inc. Hacking: The Next Generation, the image of a pirate ship on the cover, and related
trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors assume
no responsibility for errors or omissions, or for damages resulting from the use of the information
contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN: 978-0-596-15457-8
[M]
1251474150
Table of Contents
Preface

1. Intelligence Gathering: Peering Through the Windows to Your Organization
Physical Security Engineering
Dumpster Diving
Hanging Out at the Corporate Campus
Google Earth
Social Engineering Call Centers
Search Engine Hacking
Google Hacking
Automating Google Hacking
Extracting Metadata from Online Documents
Searching for Source Code
Leveraging Social Networks
Facebook and MySpace
Twitter
Tracking Employees
Email Harvesting with theHarvester
Resumés
Job Postings
Google Calendar
What Information Is Important?
Summary

2. Inside-Out Attacks: The Attacker Is the Insider
Man on the Inside
Cross-Site Scripting (XSS)
Stealing Sessions
Injecting Content
Stealing Usernames and Passwords
Advanced and Automated Attacks
Cross-Site Request Forgery (CSRF)
Inside-Out Attacks
Content Ownership
Abusing Flash’s crossdomain.xml
Abusing Java
Advanced Content Ownership Using GIFARs
Stealing Documents from Online Document Stores
Stealing Files from the Filesystem
Safari File Stealing
Summary

3. The Way It Works: There Is No Patch
Exploiting Telnet and FTP
Sniffing Credentials
Brute-Forcing Your Way In
Hijacking Sessions
Abusing SMTP
Snooping Emails
Spoofing Emails to Perform Social Engineering
Abusing ARP
Poisoning the Network
Cain & Abel
Sniffing SSH on a Switched Network
Leveraging DNS for Remote Reconnaissance
DNS Cache Snooping
Summary

4. Blended Threats: When Applications Exploit Each Other
Application Protocol Handlers
Finding Protocol Handlers on Windows
Finding Protocol Handlers on Mac OS X
Finding Protocol Handlers on Linux
Blended Attacks
The Classic Blended Attack: Safari’s Carpet Bomb
The FireFoxUrl Application Protocol Handler
Mailto:// and the Vulnerability in the ShellExecute Windows API
The iPhoto Format String Exploit
Blended Worms: Conficker/Downadup
Finding Blended Threats
Summary

5. Cloud Insecurity: Sharing the Cloud with Your Enemy
What Changes in the Cloud
Amazon’s Elastic Compute Cloud
Google’s App Engine
Other Cloud Offerings
Attacks Against the Cloud
Poisoned Virtual Machines
Attacks Against Management Consoles
Secure by Default
Abusing Cloud Billing Models and Cloud Phishing
Googling for Gold in the Cloud
Summary

6. Abusing Mobile Devices: Targeting Your Mobile Workforce
Targeting Your Mobile Workforce
Your Employees Are on My Network
Getting on the Network
Direct Attacks Against Your Employees and Associates
Putting It Together: Attacks Against a Hotspot User
Tapping into Voicemail
Exploiting Physical Access to Mobile Devices
Summary

7. Infiltrating the Phishing Underground: Learning from Online Criminals?
The Fresh Phish Is in the Tank
Examining the Phishers
No Time to Patch
Thank You for Signing My Guestbook
Say Hello to Pedro!
Isn’t It Ironic?
The Loot
Uncovering the Phishing Kits
Phisher-on-Phisher Crime
Infiltrating the Underground
Google ReZulT
Fullz for Sale!
Meet Cha0
Summary

8. Influencing Your Victims: Do What We Tell You, Please
The Calendar Is a Gold Mine
Information in Calendars
Who Just Joined?
Calendar Personalities
Social Identities
Abusing Social Profiles
Stealing Social Identities
Breaking Authentication
Hacking the Psyche
Summary

9. Hacking Executives: Can Your CEO Spot a Targeted Attack?
Fully Targeted Attacks Versus Opportunistic Attacks
Motives
Financial Gain
Vengeance
Benefit and Risk
Information Gathering
Identifying Executives
The Trusted Circle
Twitter
Other Social Applications
Attack Scenarios
Email Attack
Targeting the Assistant
Memory Sticks
Summary

10. Case Studies: Different Perspectives
The Disgruntled Employee
The Performance Review
Spoofing into Conference Calls
The Win
The Silver Bullet
The Free Lunch
The SSH Server
Turning the Network Inside Out
A Fool with a Tool Is Still a Fool
Summary

A. Chapter 2 Source Code Samples
B. Cache_Snoop.pl
Index

Preface
Attack vectors that seemed fantastical in the past are now a reality. The reasons for this are twofold. First, the need for mobility and agility in technology has made the traditional perimeter-based defense model invalid and ineffective. The consumption of services in the cloud, the use of wireless access points and mobile devices, and the access granted to contingent workers have made the concept of the perimeter irrelevant and meaningless. This issue is further amplified by the increased complexity of and trust placed on web browsers, which when successfully exploited can turn the perimeter inside out. Second, the emergence of Generation Y culture in the workforce is facilitating the use of social media and communication platforms to the point where citizens are sharing critical data about themselves that has been nearly impossible to capture remotely in the past.

The new generation of attackers is aware of risks in emerging technologies and knows how to exploit the latest platforms to the fullest extent. This book will expose the skill set and mindset that today’s sophisticated attackers employ to abuse technology and people so that you can learn how to protect yourself from them.

Audience
This book is for anyone interested in learning the techniques that the more sophisticated attackers are using today. Other books on the topic have the habit of rehashing legacy attack and penetration methodologies that are no longer of any use to criminals. If you want to learn how the techniques criminals use today have evolved to contain crafty tools and procedures that can compromise a targeted individual or an enterprise, this book is for you.

Assumptions This Book Makes

This book assumes you are familiar with and can graduate beyond elementary attack
and penetration techniques, such as the use of port scanners and network analyzers. A
basic understanding of common web application flaws will be an added plus.
Contents of This Book
This book is divided into 10 chapters. Here’s a summary of what we cover:
Chapter 1, Intelligence Gathering: Peering Through the Windows to Your Organization
To successfully execute an attack against any given organization, the attacker must
first perform reconnaissance to gather as much intelligence about the organization
as possible. In this chapter, we look at traditional attack methods as well as how
the new generation of attackers is able to leverage new technologies for information
gathering.
Chapter 2, Inside-Out Attacks: The Attacker Is the Insider
Not only does the popular perimeter-based approach to security provide little risk
reduction today, but it is in fact contributing to an increased attack surface that
criminals are using to launch potentially devastating attacks. The impact of the
attacks illustrated in this chapter can be extremely devastating to businesses that
approach security with a perimeter mindset where the insiders are generally trusted
with information that is confidential and critical to the organization.
Chapter 3, The Way It Works: There Is No Patch
The protocols that support network communication, which are relied upon for the
Internet to work, were not specifically designed with security in mind. In this
chapter, we study why these protocols are weak and how attackers have and will
continue to exploit them.
Chapter 4, Blended Threats: When Applications Exploit Each Other
The amount of software installed on a modern computer system is staggering. With
so many different software packages on a single machine, the complexity of managing
the interactions between these software packages becomes increasingly complex.
Complexity is the friend of the next-generation hacker. This chapter exposes
the techniques used to pit software against software. We present the various blended
threats and blended attacks so that you can gain some insight as to how these
attacks are executed and the thought process behind blended exploitation.
Chapter 5, Cloud Insecurity: Sharing the Cloud with Your Enemy
Cloud computing is seen as the next generation of computing. The benefits, cost
savings, and business justifications for moving to a cloud-based environment are
compelling. This chapter illustrates how next-generation hackers are positioning
themselves to take advantage of and abuse cloud platforms, and includes tangible
examples of vulnerabilities we have discovered in today’s popular cloud platforms.
Chapter 6, Abusing Mobile Devices: Targeting Your Mobile Workforce
Today’s workforce is a mobile army, traveling to the customer and making business
happen. The explosion of laptops, wireless networks, and powerful cell phones,
coupled with the need to “get things done,” creates a perfect storm for the
next-generation attacker. This chapter walks through some scenarios showing how the
mobile workforce can be a prime target of attacks.