Saturday, April 5, 2014

How does idle scan work?

        Idle scan, also called 'zombie scan' or a 'side channel' scan, is a port scanning technique. It is considered a very stealthy, or totally blind, port scan because the attacker's actual IP address is never disclosed to the target being scanned: the scan takes place indirectly through a zombie host. The attacker need not have any control over the zombie. There is one condition for a host to act as a zombie, however: it must be idle. That is, the zombie host should not be talking on the network while the scan is being done; it should not have any open connections that are sending or receiving packets, otherwise the scan will be unsuccessful. Why that is so.. we'll see in a short while.

        Idle scan exploits the "Identification" field of the IP header (IPID). It relies on the fact that, on many hosts, this IPID is incremented by 1 for each packet the host sends. Although many modern operating systems are immune to this attack (they randomize the IPID field), there are still other network-connected devices, such as printers, that implement only the bare essentials of TCP/IP. Idle scan also makes use of the TCP 3-way handshake - the standard "SYN" - "SYN/ACK" - "ACK" pattern - and of the way open and closed ports react differently to a "SYN" packet. An open port will respond to a "SYN" TCP packet with a "SYN/ACK", while a closed port will respond with an "RST". Also remember that an unsolicited "RST" is not entertained; it is simply ignored, with no reply.

        Okay, with that covered, we'll now see what exactly happens when an idle scan takes place. Note that we need to have the address of a "zombie" host which is idle.
See the above diagram; the sequence of events that take place is as follows:

  • The attacker first sends a TCP SYN packet to the zombie, which is up and idle, i.e. not talking on the network.
  • The zombie replies with a SYN/ACK, in turn disclosing its IPID value in this packet.
  • The attacker notes down this IPID value, which in this case is 100. (Actual IPIDs are much larger, considering the 2-byte size of this field.)
  • The attacker then sends a spoofed TCP SYN packet to the victim, with the source IP of the zombie (in this case, 10.10.10.20). This SYN request is to the port which is to be scanned.
Following till now? From here onward, there are two cases: either the port on the victim is open or it is closed.

Case - I (Victim port is open):

  • If the port is open, the victim will send a SYN/ACK to the zombie (because the source IP in the SYN packet was spoofed to be the zombie's).
  • The zombie will go like, "hey 10.10.10.30, we didn't have any connection open" and reply with an RST (hence incrementing its IPID by 1).
  • After some time (usually milliseconds) the attacker will again send a SYN packet to the zombie.
  • But the zombie was expecting an "ACK", since it had sent a "SYN/ACK" to the attacker earlier. So it will send an "RST" packet back to the attacker, with the IPID incremented by 1 (now to 102).
  • The attacker now goes "Aha! The first IPID was 100 and now it is 102. That means the zombie must have sent one packet (IPID: 101) in between, to the victim. This packet must have been a TCP RST, because the victim had sent it a SYN/ACK which the zombie wasn't expecting! And since the victim sent a SYN/ACK, the victim's port is open! Yay!" Notice the kind of reverse thinking that goes into this. We trust that the zombie must not have sent any packet other than its "RST" reply to the unsolicited "SYN/ACK" it got from the victim.
That's why it is important to have a zombie that is not talking! The situation will become clearer when we consider the second case.

Case - II (Victim port is closed):

  • If the port is closed, the victim will reply with an RST to the zombie (again, because of the spoofed IP).
  • The zombie is surprised to see an RST from the victim when they didn't even have any connection open. Unsolicited RSTs are ignored.. so the zombie won't reply to the victim.
  • Again the attacker sends a SYN packet to the zombie (or any packet, for that matter; it is really interested only in the IPID of the packet that it gets back).
  • From the packet that the zombie sends back to the attacker, the IPID is obtained, which in this case is 101.
  • The attacker says, "hmm.. let's see, the first IPID was 100 and now it's 101. That means the zombie didn't send any packet to anyone in between. It implies that it must have either got an RST from the victim (port was closed) or nothing at all (port was filtered)! Since the IPID was not incremented in between, the port is either closed or filtered.. either way, not interesting to me!"

So, as you can see, idle scan is a very sophisticated kind of scan, in which the attacker's original IP address is never revealed to the victim. It can also be used to find out the trust relationships between zombies and the victim: the victim or target may react differently to different zombies depending on the trust relationship between them, if any.

Popular port scanning tools like hping and nmap can be used to perform idle scans. The command for nmap goes like this:
user# nmap -Pn -p 80 -sI 10.10.10.20 10.10.10.30
-sI is the option for idle scanning, followed by the zombie's address. Here, we are scanning port 80. I am not sure if hping gives you such an option directly.. I guess you have to manually note down and compare the IPIDs..
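To make the IPID reasoning above concrete, here is an added Python simulation (my own example, not code from the original post): a zombie whose IP stack hands out sequential IPIDs, a victim with open, closed and filtered ports, and the attacker's two probes around the spoofed SYN. It also covers the two caveats the post raises: a zombie that is not idle inflates the IPID delta and produces a false "open", and a zombie with randomized IPIDs fails the sequential-IPID pre-check. That pre-check is the same test a defender can run against their own hosts to find printers and other devices that still expose a predictable IPID. Host names, port states and the starting IPID of 100 are constructed to match the walkthrough; no packets are sent.

```python
import random

IPID_MOD = 1 << 16   # the IPID field is 16 bits wide, so differences wrap modulo 65536


class Zombie:
    """Model of the idle host. Each packet it sends carries the next IPID (the behaviour the
    scan depends on). With randomize=True it models a modern stack that randomizes the field."""

    def __init__(self, ipid=100, randomize=False, seed=1):
        self.ipid = ipid                  # IPID the next outgoing packet will carry
        self.randomize = randomize
        self.rng = random.Random(seed)    # seeded so the simulation is reproducible

    def next_ipid(self):
        """Assign the IPID for one outgoing packet."""
        if self.randomize:
            return self.rng.randrange(IPID_MOD)
        ipid = self.ipid
        self.ipid = (self.ipid + 1) % IPID_MOD
        return ipid

    def receive(self, pkt):
        """SYN -> SYN/ACK; SYN/ACK for a connection it never opened -> RST; unsolicited RST -> dropped."""
        if pkt["flags"] == "SYN":
            return {"src": "zombie", "dst": pkt["src"], "flags": "SYN/ACK", "ipid": self.next_ipid()}
        if pkt["flags"] == "SYN/ACK":
            return {"src": "zombie", "dst": pkt["src"], "flags": "RST", "ipid": self.next_ipid()}
        return None   # an RST that matches no connection is ignored: nothing is sent, no IPID is used


class Victim:
    """Target host: open ports answer SYN with SYN/ACK, closed ports with RST, filtered ports stay silent."""

    def __init__(self, ports):
        self.ports = ports   # {port: "open" | "closed" | "filtered"}

    def receive(self, pkt):
        state = self.ports.get(pkt["dport"], "closed")
        if state == "open":
            return {"src": "victim", "dst": pkt["src"], "flags": "SYN/ACK", "ipid": 0}
        if state == "closed":
            return {"src": "victim", "dst": pkt["src"], "flags": "RST", "ipid": 0}
        return None


def probe_zombie_ipid(zombie):
    """The attacker's own (non-spoofed) probe; only the IPID of whatever comes back matters."""
    reply = zombie.receive({"src": "attacker", "dst": "zombie", "flags": "SYN", "dport": 80})
    return reply["ipid"]


def idle_scan_port(zombie, victim, port, background_packets=0):
    """One port, as in the post: read the IPID, send a SYN spoofed from the zombie, re-read the IPID.
    background_packets models a zombie that is not idle (talking to some other host meanwhile)."""
    before = probe_zombie_ipid(zombie)
    victim_reply = victim.receive({"src": "zombie", "dst": "victim", "flags": "SYN", "dport": port})
    if victim_reply is not None:
        zombie.receive(victim_reply)   # the source was spoofed, so the reply lands on the zombie
    for _ in range(background_packets):
        zombie.next_ipid()             # unrelated traffic consumes IPIDs too
    after = probe_zombie_ipid(zombie)
    delta = (after - before) % IPID_MOD
    return ("open" if delta >= 2 else "closed|filtered", delta)


def zombie_is_usable(zombie, probes=4):
    """Pre-check of a candidate zombie: every consecutive IPID delta must be exactly 1.
    A randomized stack fails this, which is why modern operating systems make poor zombies."""
    ipids = [probe_zombie_ipid(zombie) for _ in range(probes)]
    return all((b - a) % IPID_MOD == 1 for a, b in zip(ipids, ipids[1:]))


if __name__ == "__main__":
    victim = Victim({80: "open", 22: "closed", 443: "filtered"})
    for port in (80, 22, 443):
        print(port, idle_scan_port(Zombie(ipid=100), victim, port))
    print("busy zombie, closed port:", idle_scan_port(Zombie(ipid=100), victim, 22, background_packets=3))
    print("sequential zombie usable:", zombie_is_usable(Zombie(ipid=100)))
    print("randomized zombie usable:", zombie_is_usable(Zombie(randomize=True)))
```

Running it reproduces the post's numbers: the open port shows 100 then 102 (delta 2), the closed and filtered ports show 100 then 101 (delta 1), and the two are indistinguishable, exactly as the attacker's reasoning in Case II says. The busy-zombie run is the failure mode the post warns about: three unrelated packets from the zombie turn a closed port into a false "open".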

Thank you for reading my article and I hope you found it informative :)

Monday, February 10, 2014

Open Redirector Vulnerabilities

          Open redirector is a type of web application vulnerability. It is very easy to understand and to exploit.

Working:

Open redirect occurs when a page takes a URL as a parameter (through a form or anything else) and redirects the user to that URL without validation. Here is a sample PHP page which is vulnerable to Open Redirect:
<?php
// Vulnerable on purpose: the 'url' parameter becomes the redirect target with no validation at all
$vuln = $_GET["url"];
header('Location: ' . $vuln);
?>
          It accepts a GET parameter called 'url' and redirects the user to the address specified in it. For example, save the above code as "redirect.php" in your local www root directory and access the page from your browser as follows:

http://127.0.0.1/redirect.php?url=http://www.google.com

This page will simply redirect you to the address specified (in this case, google.com) without checking whether it is malicious or not. You can replace www.google.com with any other URL and it will work just fine.

Applications:

Open redirect vulnerabilities are mainly used for phishing. The victim is given a specially crafted link to the open redirector page, in which the malicious link is passed as the parameter that the page redirects the user to. For example,

http://www.example.com/redirect.php?url=http://www.malicious.com

In this case, example.com is a trusted domain. Innocent users are tricked into believing that the link leads them to example.com (and is therefore trustworthy), whereas in reality they will get redirected to malicious.com, which can have phishing traps waiting for them.

URL Obfuscation:

From the above link, it is very easy to determine that there is something phishy about it: the malicious site to which this page will redirect is clearly visible and readable. Hence, there are some URL obfuscation techniques that can be used to hide this malicious address. Here are a few ways of doing so...

  • Directory Traversal
  • Hex Encoding
With directory traversal, you add random directory names in the PATH part of the URL so that the malicious address is pushed further to the right, and the victim is likely to ignore it as part of a long and complex link. For example,
http://www.example.com/security/auth/ODialogue/../../../redirect.php?url=http://www.malicious.com

Hex encoding is a way of encoding the characters of a URL as hexadecimal, each byte prefixed with a % sign. It can completely encode the malicious address present in the URL so that the user has no way of knowing which malicious address is there just by looking at the link. For example,
127.0.0.1/redirect.php?url=%68%74%74%70%3A%2F%2F%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D

In this link, I have hex encoded the address "http://www.google.com". It can, of course, be replaced by any other address.

Prevention:

To avoid open redirects, the redirecting pages must be coded so that they validate the address before redirecting to it. Many websites do this by implementing "trusted redirects" (I don't know the actual name for it. If you do, please mention it in the comments!). They keep a database of trusted web addresses, i.e. the addresses to which they will trust redirecting their users. So whenever the redirect page is called, it checks whether the address it got from the parameters exists in its trusted database. If it is present, the redirector will happily forward the user to that address. If it is not, they will probably show a warning or take the user back to the previous page. This is indeed a good practice, but there is a little workaround for it ;)

Bypassing Trusted Redirects:

From what I have seen, most trusted redirects only check the domain part of the address they are forwarding to. If the domain part matches something in the table of trusted websites, you are good to redirect. But what if one of those trusted websites has an XSS vulnerability? ;)

With an XSS vulnerability, you are able to replace the current page with any other address you wish. For example, consider the URL:
127.0.0.1/xss.php?search=<script>window.location='http://www.google.com';</script>

It will inject the JavaScript code into the page, which will redirect you to the address specified (in this case, google.com).

Now consider: what if we pass this exact URL to the open-redirect-vulnerable page that we discovered earlier? Here is the specially crafted URL.

http://www.example.com/redirect.php?url=http://www.trusted.com/xss.php?search=<script>window.location='http://www.malicious.com';</script>

Here, example.com is our own (assume, reputed) site whose users are going to be phished.
trusted.com is a website to which we trust redirecting our users.
malicious.com is the attacker's phishing page.

When a victim opens the above URL, the following actions take place in sequence:

1.   The browser connects to example.com and asks for the redirect.php page. It also passes everything after the first "?" sign as parameters.
2.   redirect.php finds the 'url' parameter, whose value is "http://www.trusted.com/...".
3.   It finds trusted.com in its own list of trusted sites and happily redirects the user to this URL, not bothering to look at the rest of the URL.
4.   The browser connects to trusted.com and requests the xss.php page (which is vulnerable to XSS :P ). It also passes everything after the second "?" sign as parameters.
5.   xss.php receives the "search" parameter, whose value is the JavaScript code to be injected.
6.   Since xss.php is vulnerable, somewhere in its output page (which will be sent to the browser) it will include the value of the "search" parameter, which is the injected code.
7.   The browser receives the page with the injected code and starts parsing and loading it. It comes across the injected JavaScript code.
8.   Since there is no way for the browser to know that the JavaScript was injected, it executes it.
9.   Executing the window.location... statement stops the loading of the current page and instead loads the URL assigned to the window.location property (this URL is the attacker's malicious page).
10.   The browser finally contacts malicious.com and the malicious page (most likely a phishing page) is displayed to the user.
(phew!)

So, as you can see, this is a very sophisticated way of bypassing trusted redirects. The user gets routed through 2 different sites before landing on our malicious page! :D Please note that this works on Firefox. It doesn't work on Chrome. Never bothered testing on IE ;) .
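As an added example (my own Python code, not from the post), here is the "trusted redirects" check from the Prevention section beside a hardened alternative, run against the crafted URL above. The host-only check accepts the trusted.com hop even though the rest of the URL carries the injected script, which is exactly the gap the bypass uses; the hardened version accepts only same-origin paths (or a named destination looked up server-side), so an absolute URL to any host, trusted or not, never becomes a redirect target. It also applies the %XX decoding that PHP's $_GET performs, so the hex-encoded address from the obfuscation section reaches the check in plain text, as it does in the real page. TRUSTED_HOSTS, NAMED_DESTINATIONS and the function names are constructed for this example.

```python
from urllib.parse import unquote, urlsplit

# Hosts this (hypothetical) site is willing to send users to: the "trusted redirects" table
TRUSTED_HOSTS = {"trusted.com", "www.trusted.com"}

# Alternative to free-form URLs: named destinations the server resolves itself (constructed values)
NAMED_DESTINATIONS = {
    "partner-docs": "https://www.trusted.com/docs/",
    "support": "https://www.trusted.com/support/",
}


def decode_query_value(raw):
    """What PHP's $_GET already does for redirect.php: %XX sequences are decoded, so the
    hex-encoded form of an address arrives at the validation step as plain text."""
    return unquote(raw)


def domain_only_check(url):
    """The weak check: allow any URL whose host is on the list, ignoring path and query.
    The exact host match is fine as far as it goes; the problem is that nothing else is looked at."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in TRUSTED_HOSTS


def safe_local_redirect(target, default="/"):
    """Hardened check: only same-origin paths are allowed; anything else falls back to a default
    page. Absolute URLs never pass, so a trusted host with an XSS bug cannot be used as a hop."""
    if not isinstance(target, str) or not target:
        return default
    # CR/LF in the value would add headers after "Location:"; reject every control character
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    # Exactly one leading slash: "//host/..." and "/\host/..." are scheme-relative URLs to browsers
    if not target.startswith("/") or target.startswith(("//", "/\\")):
        return default
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return default
    return target


def resolve_named_destination(name, default="/"):
    """Indirection: the client names a destination and the server looks the real URL up itself."""
    return NAMED_DESTINATIONS.get(name, default)


if __name__ == "__main__":
    # The `url` parameter of the crafted link above: trusted host, injected script in the query
    hop = "http://www.trusted.com/xss.php?search=<script>window.location='http://www.malicious.com';</script>"
    print("domain-only check accepts hop:", domain_only_check(hop))      # True
    print("hardened check sends user to :", safe_local_redirect(hop))    # "/"
    encoded = "%68%74%74%70%3A%2F%2F%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D"
    print("decoded parameter            :", decode_query_value(encoded))
    print("hardened check on decoded    :", safe_local_redirect(decode_query_value(encoded)))
```

Two details in the hardened check are easy to miss: a value starting with "//" or "/\" looks like a local path but browsers resolve it against the given host, and a raw CR/LF in the value would be written straight into the Location header by the PHP above. Both are rejected before any parsing happens.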

THIS INFORMATION IS STRICTLY FOR EDUCATIONAL PURPOSES AND I AM NOT RESPONSIBLE FOR ANY TROUBLE YOU FIND YOURSELF IN WITH IT.

Thank you for reading, good night :)

Implementation of Apriori Algorithm

          The Apriori algorithm is used for finding frequently occurring item sets and for association rule mining over a transactional input database. Association rule mining and the Apriori algorithm are part of the bigger domain of data mining, which is basically the process of discovering patterns in large data sets. There are many applications of the Apriori algorithm, e.g. market basket analysis. Here is a link I found particularly useful for learning the Apriori algorithm and association rule mining:

http://www.cs.uic.edu/~liub/teach/cs583-spring-12/cs583.html

I have implemented the first two passes of the Apriori algorithm as a part of an academic assignment. It was for constructing attack graphs, which are used for threat prediction and vulnerability assessment. The algorithm is implemented in Python and it's very simple. It can be extended to k passes of the algorithm.

Here is the code:

minsup = 0.3   # minimum support: fraction of transactions an item set must appear in
minconf = 0.8  # minimum confidence (for rule generation; not used by the two passes below)
 
def count_first(transactions):
    # Pass 1 candidates: occurrence count of every single item
    adict = {}
    for t in transactions:
        for item in t:
            if item in adict:
                adict[item] += 1
            else:
                adict[item] = 1
    return adict
 
def find_frequent(Candidate, minsup, no_of_lines):
    # Keep the candidates whose support (count / number of transactions) reaches minsup.
    # Dividing by float(no_of_lines) avoids Python 2 integer division, where
    # (float)(count/no_of_lines) is always 0.0 and nothing would ever be frequent.
    adict={}
    for key in Candidate:
        if Candidate[key] / float(no_of_lines) >= minsup:
            adict[key] = Candidate[key]
    return adict
 
def candidate_gen(keys):
    # Pass 2 candidates: every unordered pair of frequent items, stored as a sorted
    # tuple so that (a, b) and (b, a) collapse into the same key
    adict={}
    for i in keys:
        for j in keys:
            if i != j:
                adict[(min(i,j), max(i,j))] = 0
    return adict
 
def add_frequency(Candidate, transactions):
    # Count the transactions that contain both items of each candidate pair
    for key in Candidate:
        for t in transactions:
            if key[0] in t and key[1] in t:
                Candidate[key] += 1
    return Candidate
 
# One transaction per line; items are space-separated integers (kept as strings)
transactions = []
no_of_lines=0
with open("testcase.txt","r") as f:
    for line in f:
        split_line = line.split()
        if split_line:          # skip blank lines so they don't count as transactions
            transactions.append(split_line)
            no_of_lines = no_of_lines + 1
 
print(no_of_lines)
#First iteration
C1 = count_first(transactions)
F1 = find_frequent(C1,minsup,no_of_lines)
#Second iteration
C2 = candidate_gen(list(F1.keys()))
C2 = add_frequency(C2,transactions)
F2 = find_frequent(C2,minsup,no_of_lines)
print(F2)
It accepts input data from the file "testcase.txt". In this file, each line represents one transaction. Each transaction contains items represented by integers and separated by spaces. So, essentially, each line is a collection of integers separated by spaces.
The program makes two passes of Apriori over the input data. It outputs the frequent pairs of items along with their 'support' values.
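The post implements passes 1 and 2 only. As an added example (my own code, not the author's), here is the general k-pass version, written the way I would extend it: candidates for level k+1 are generated by joining frequent k-itemsets and pruning every candidate that has an infrequent subset (the Apriori property), the loop runs until no candidate is frequent, and the minconf value the post defines but does not use is applied to mine association rules from the result. The sample transactions are constructed here, in the same space-separated-integers format as the post's testcase.txt, and the function names are my own.

```python
from itertools import combinations

# Constructed sample data (not the post's testcase.txt): one transaction per line,
# items as space-separated integer ids, the format the post's script reads.
SAMPLE_DATA = """\
1 2 5
2 4
2 3
1 2 4
1 3
2 3
1 3
1 2 3 5
1 2 3
"""


def parse_transactions(text):
    """One transaction per line, items separated by spaces; each becomes a frozenset."""
    return [frozenset(line.split()) for line in text.splitlines() if line.strip()]


def support_counts(candidates, transactions):
    """Count, in one pass over the data, how many transactions contain each candidate itemset."""
    counts = {c: 0 for c in candidates}
    for t in transactions:
        for c in candidates:
            if c <= t:
                counts[c] += 1
    return counts


def apriori_gen(frequent_k):
    """Build (k+1)-candidates from frequent k-itemsets: join pairs that share k-1 items, then
    prune any candidate that has an infrequent k-subset (an infrequent set has no frequent supersets)."""
    frequent_k = set(frequent_k)
    candidates = set()
    for a in frequent_k:
        for b in frequent_k:
            union = a | b
            if len(union) == len(a) + 1:
                if all(frozenset(sub) in frequent_k for sub in combinations(union, len(a))):
                    candidates.add(union)
    return candidates


def apriori(transactions, minsup):
    """Return {itemset: support} for every frequent itemset of any size (support as a fraction)."""
    if not transactions:
        return {}
    n = len(transactions)
    items = {frozenset([i]) for t in transactions for i in t}
    frequent = {}
    level = {c: cnt for c, cnt in support_counts(items, transactions).items() if cnt / n >= minsup}
    while level:                                   # pass k: count candidates, keep the frequent ones
        frequent.update({c: cnt / n for c, cnt in level.items()})
        candidates = apriori_gen(level.keys())
        level = {c: cnt for c, cnt in support_counts(candidates, transactions).items() if cnt / n >= minsup}
    return frequent


def association_rules(frequent, minconf):
    """Rules X -> Y from every frequent itemset of size >= 2, with confidence
    sup(X u Y) / sup(X) >= minconf. Returns a list of (X, Y, confidence)."""
    rules = []
    for itemset, sup in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for lhs in combinations(itemset, r):
                lhs = frozenset(lhs)
                conf = sup / frequent[lhs]        # every subset of a frequent set is frequent, so this exists
                if conf >= minconf:
                    rules.append((lhs, itemset - lhs, conf))
    return rules


if __name__ == "__main__":
    transactions = parse_transactions(SAMPLE_DATA)
    frequent = apriori(transactions, minsup=0.3)
    for itemset, sup in sorted(frequent.items(), key=lambda kv: (len(kv[0]), sorted(kv[0]))):
        print(sorted(itemset), round(sup, 3))
    for lhs, rhs, conf in association_rules(frequent, minconf=0.8):
        print(sorted(lhs), "->", sorted(rhs), round(conf, 3))
```

With the sample data and the post's minsup of 0.3, the run stops after pass 3: {1,2,3} is generated as a candidate because all three of its pairs are frequent, but it appears in only 2 of 9 transactions and is rejected. With minconf 0.8 no rule qualifies (the strongest, 1 -> 2, has confidence 4/6), so the example also shows why the two thresholds have to be tuned together.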

Comments and suggestions are welcome :)

Sunday, January 12, 2014

Why are social networking sites a hit?

        A couple of decades ago, no one would have thought that something like online social networking sites would become phenomenal. The fever and reach of social networking websites has increased exponentially in the last decade and will continue to do so. People are appreciating it, and the creators of these sites are enjoying huge success in a relatively short period of time. It has been the new buzzword around for quite some time. Every one of us is signed up on at least one social networking site or another. In this article, I will try to probe into the reasons which make social networking a huge success. This writing is largely applicable to Facebook and similar sites.


        If you ask yourself or ask around about reasons of using social networking, you are likely to get a couple of common answers:
1. You can remain connected to your friends and family across the world.
2. You can share the stuff you like with your friends.
If you dig a little deeper, you can get more answers like 'keeping up to date with what is happening with our friends' and similar. These reasons are perfectly valid; however, I think it goes beyond that. When asked why they use social networking, people generally think superficially and answer with what they are consciously able to observe: sharing, connecting and expressing their opinions. Notice that these reasons are related to what people observe. I believe that the actual reasons can be found using psychology rather than sociology.

        Being human beings, we all have certain kinds of desires or feelings. Social networking websites exploit exactly these desires. Bitter as it may sound, it is the truth. There are a lot of different desires a typical person can unconsciously have: lust, jealousy, hatred, narcissism, an appetite for recognition and fame, and the need to look socially cool. (I am not remarking on these as good or bad.) Websites like Facebook give a perfect platform where these desires or feelings are given scope for satisfaction.
A surprisingly large number of Facebook users stalk someone. This perfectly complements their feelings of jealousy or hatred without damaging their social image.
Stalking can also be out of lust. This can be prominently observed in Indian users, where there is a significantly large cultural and lifestyle gap between people.
Consider the recent mushrooming of photographers and their clients on Facebook. A lot of people are getting professionally photographed and edited. This can be attributed to the appetite for recognition and fame. Good photos get more 'likes', which satisfies the appetite for recognition.
Take narcissism and self-obsession. Yes, a lot of us share this trait, and Facebook gives a perfectly good platform to upload your good-looking photos and show off which cool places you've been to. Especially, photos with an attractive person of the opposite sex are the first ones to make it to Facebook.
The desire of lust is a perfect reason for photos of attractive females getting more 'likes' than their male counterparts.
Jealousy and depression are addictive. A person feeling jealous or depressed continues to do things which make him/her more jealous (stalking, for example). The worst sufferers are people with social awkwardness, low self-esteem or an inactive social life, typically introverts. They get exposed to the happening lives of people around them, which leads to jealousy, which makes them more addicted to it. The vicious cycle continues. There is another term for it: "Fear of Missing Out" (FOMO). Wikipedia defines FOMO as -
Fear of missing out or FOMO is a form of social anxiety — a compulsive concern that one might miss an opportunity for social interaction, a novel experience, profitable investment or other satisfying event.
It is commonly found in people who have unsatisfied psychological needs such as love and respect.

        All in all, social networking sites complement many of the unconscious desires we all have. Everything mentioned above leads to more and more use of them, thereby making them a huge hit.

        This post is not intended for any specific person or group. It is just my neutral observation of the world around me. Please note that my views expressed here are not applicable to everyone out there, but they hold true for the masses of young people on the internet.