
Difficulty: Medium

They're not just trusted hosts, but trusted sources


Creator: m101

Have you ever thought to yourself, now how the hell did that
computer get hacked? Was that really possible? This just
doesn't make sense, that computer only had a single
unvulnerable service, it can't have been hacked...

Apart from the extensive use of 0day exploits to hack into
seemingly invincible systems, it really doesn't seem possible for
many hacks to have taken place. However, you are sadly
mistaken: a system is only as secure as the paranoia of its
users. Everyone has heard of trusted hosts and how they can
be used to break into computer systems, but there is a larger
scope than this. That is why I call them trusted sources.

One of the most famous hacks on record (not necessarily the
most impressive) was the one done by Mitnick to hack into
Tsutomu Shimomura's 'secure' box. This was done by Mitnick
first disabling the client box, and then spoofing his own
connection to make it appear that he was the client; from here
he could easily do what he wanted, as he was now a trusted
source. Now, not everyone is vulnerable to this, and it can also
be an extremely difficult exercise these days to perform, but
the principles and ideas behind it can be used in many
situations.

Here is a situation that will truly show you how to hack
hotmail. I can already hear all the kiddies yelling for joy.
Although gaining root access on the server is pretty damn
tricky, the average kiddie wishes to gain access to a friend's,
enemy's or girlfriend's email account for reasons of all types of
bullshit. Anyway, let's set the situation up a little: Hacker
wants to break into target's email account; now target isn't
stupid enough to give any people their password. This would
theoretically stop most people straight away from gaining
access.
Let's look at what happens when target attempts to log in to
hotmail with their all-important password. Target walks to their
computer, and sits down to use it. Next they connect to the
internet and request hotmail's login page. Then after receiving
it, they send their password to hotmail to authenticate
themselves. They are now logged in. So you ask, where is the
vulnerability in the situation? Let's break the process down
further and discover the trusted sources:
Target--Computer--ISP--Hop1--Hop2..HopX--Hotmail Domain
So from here we have the following trusted sources between
the target and hotmail:
Their computer
The ISP
Hop number 1
...
Hop number X
Generally 'X' would be roughly at least 10. That means there
are at least 11 trusted sources in between the target and
hotmail. The target has unwittingly just trusted their password
to a number of total strangers. If any single one of these
sources were to be hit by the hacker, then they would gain the
target's password through simple packet sniffing.
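The two ways trust spreads in this article are a credential passing through a chain of intermediaries, and control of one host yielding access to the next. The following added example (not part of the original article) models both: it lists the parties that handle a credential on the Target--Computer--ISP--Hop1..HopX--Hotmail path, and it walks an escalation graph backwards to find every upstream system an asset silently depends on. The hop names and the edges in CASE_STUDY are constructed for illustration and follow the article's later ca-osi case study.

```python
from collections import deque


def login_path(hops: int) -> list[str]:
    """The article's Target--Computer--ISP--Hop1..HopX--Hotmail chain.
    Node names are constructed; the hop count is a parameter."""
    return (["target", "computer", "ISP"]
            + [f"hop{i}" for i in range(1, hops + 1)]
            + ["hotmail"])


def trusted_sources_on_path(path: list[str]) -> list[str]:
    """Every party that handles the credential in transit between the two
    endpoints. Without transport encryption each of them can read it."""
    return path[1:-1]


def upstream_dependencies(trust: dict[str, set[str]], asset: str) -> set[str]:
    """Reverse reachability over edges X -> Y meaning 'control of X yields
    access to Y': returns every node whose compromise eventually yields
    `asset`, i.e. the asset's real trust surface."""
    reverse: dict[str, set[str]] = {}
    for src, dsts in trust.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    seen: set[str] = set()
    queue = deque([asset])
    while queue:
        node = queue.popleft()
        for pred in reverse.get(node, ()):
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen


# Constructed escalation graph mirroring the article's case study. The
# comment on each edge names the kind of trust it represents.
CASE_STUDY: dict[str, set[str]] = {
    "shnonline.com": {"shn password"},                  # outdated board, tampered login script
    "shn password": {"ca-osi.org admin"},               # same password reused on another host
    "ca-osi.org admin": {"ca-osi.org user database"},   # admin panel exports the user table
    "ca-osi.org user database": {"users' other accounts"},  # addresses and reused passwords
}


def weakest_link_report(trust: dict[str, set[str]], asset: str) -> dict:
    """Summarise what an asset's security actually rests on."""
    deps = upstream_dependencies(trust, asset)
    return {"asset": asset, "depends_on": sorted(deps), "count": len(deps)}


if __name__ == "__main__":
    print(trusted_sources_on_path(login_path(10)))
    print(weakest_link_report(CASE_STUDY, "ca-osi.org admin"))
```

The point of the reverse walk is that the ca-osi admin account's security depends on shnonline.com, a site nobody at ca-osi administers or even monitors; enumerating upstream dependencies like this is the defensive counterpart of the "tree of sources" the article builds.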

This case was just to give you an idea of how bad trust can be,
but it probably still doesn't explain how to hack the
unhackable. Let us take a real target and see how it may be
flawed. Cyberarmy is an excellent example, but how would you
gain access? Well, here is how the system was once set up to
the public:
www.cyberarmy.com

ca-pr.info ca-osi.org ca-cia.org zzine.org exploitresearch.net

These at one point were the main domains of Cyberarmy, but I
can guarantee you that hacking a single target is not going to
gain you access to the main domain, so how is it possible to
hack the main page? Here is the major list directly off the main
site:
:: Structure:
The CyberArmy - C/O: Commander in Chief scanjack
X/O: ViceCinC wa1800z
X/O: ViceCinC Wang
Gen Penguin
Mar dimplesx
Ret. CinC Chawmp
Mar snarkles
CyberArmy University - Gen SHEPHERD
CyberArmy Privacy Commision - Gen Tacheon
Open Source Institute - ViceCinC barnseyboy
Special Operations - Gen zifnab
Ready Response - ViceCinC Wang
CyberArmy Public Relations - Mar CHi
CyberArmy Intelligence Agency - Gen Leto
CyberArmy IRC - Gen wewalkin
CyberArmy Exploit Research - Gen Goldfish
Internal Command - Mar axem
CyberArmy Services And Support - Gen Goliath
That's a total of 18 people who run the sites as admins.
However, they do not all have access to the main domain;
in fact only scanjack and one or two more have it. Also the
password system randomly generates new passwords for the
accounts on a regular basis.

The first thing is to pick a target host, then play with it and see
if we can somehow exploit it. The newest host in the list is
actually ca-osi.org, the open source institute of cyberarmy.
The guy who runs it (barnseyboy) ain't too bad a bloke. After a
bit of research into the site, we find the following people
appear to have privileged rights to the server:
barnseyboy barnseyboy@mail.com
Xenic xenicp@yahoo.es
aton aton1337@hotmail.com
shn webmaster@shnonline.com
pertinax pertinax@completeecom.com
fightgravity anon.ymous25@excite.com
sefo sefo@ca-osi.com
w0lf w0lf@ca-osi.com
sliptop sliptop@ca-osi.com
avataru avataru@ca-osi.com
So now we have a couple more sources for the tree. You can
easily do a search on google for sites that these individuals
visit, and from there gain even more sources. The target for
example may be www.shnonline.com, the owner being
of course 'shn'.

After a bit of exploration of the website, we discover shn
doesn't care too much about it and doesn't know how to update
software that well. We find that his messageboard is
vulnerable to a six month old vulnerability, and shn is too lazy
to fix it. So of course we break into the site and head straight
for the password files. On inspection, the MD5 hashes it stores
correspond to damn long passwords, so brute forcing is useless. At
this point many would give up, but you have to remember that
shn would obviously believe that his OWN site is a trusted
host, so therefore it would be quite easy, after already having
access, to make the login scripts save plain text passwords to a
separate file. After the necessary changes are made, a week
later shn logs in to check his messageboard and BAM! we now
have his plaintext password and he is none the wiser. From
this point shn probably doesn't care too much; what the hell is
anyone going to do with shnonline.com? Absolutely nothing,
however we now try his password on ca-osi.com and find.....
IT WORKS!
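Strong hashing did nothing for shn here, because the capture happened in the login script before any hash was computed. The control that catches that tampering is file integrity monitoring of the web tree. The following added example (my own code, not the article's or any board software's) takes a SHA-256 baseline of the scripts in a directory and reports files that were modified, added or removed; the directory contents and the simulated tampering are constructed inline.

```python
import hashlib
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = (".php", ".pl", ".cgi")


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Digest every script under root, keyed by path relative to root.
    Take this from a known-good copy and keep it off the monitored host."""
    return {
        str(p.relative_to(root)): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SCRIPT_SUFFIXES
    }


def check_integrity(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live tree against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny board, then alter the login
    script and drop an extra file, as an intruder with write access would."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "login.php").write_text("<?php // verify password against stored hash ?>\n")
        (root / "index.php").write_text("<?php // board front page ?>\n")
        (root / "style.css").write_text("body { color: black; }\n")  # not a script, ignored
        baseline = build_baseline(root)

        # Tampering: the login script's content changes (constructed; the
        # altered text is deliberately inert) and a new script appears.
        (root / "login.php").write_text("<?php // verify password; altered by intruder ?>\n")
        (root / "helper.php").write_text("<?php // dropped by the intruder ?>\n")
        return check_integrity(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline must live somewhere the intruder cannot write, or it gets edited along with the scripts; the same goes for any cron job that runs the check. A mismatch on a login script that nobody deployed is exactly the signal shn would have needed a week before his password was reused elsewhere.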

That's right, we have now broken the trust barrier of one
individual to gain access to another host. Now, ca-osi just so
happens to be another one of them php nuke sites, and since
shn is an admin, we can just click a few buttons and download
the user database. What goodies would you expect to find in
the database? Well, here are some possible examples:
merryb mbeekman@redhat.com Federal Marketing Manager
Wim abr@pandora.be
http://www.abrsecurity.com
ieetglue ieetglue@exploitresearch.net
http://www.exploitresearch.net
daijo daijo@irc-dev.net
http://www.sionhq.com
gabbana gabbana@zzine.org
http://www.zzine.org
Paradox dfayra00@umail.ucsb.edu
VooDoo VooDoomaster@secureroot.com
elybis elybis@getroot.net
http://www.getroot.net
oleg o.ursu@csuohio.edu
rayzorx rayzorx@earthlink.net www.rayzorx.com
(These are just general addresses that were gathered from
around the net)

From this small list, there is a high possibility we could get
ourselves a few web servers, .edu accounts and various other
interesting things. The average database will contain all types
of juicy information, and guess what, you would have just
violated around 500 people's trusted sources in one go. As you
can see from this, you could now use the new information, and
the trusted source itself, to gain more and more access to the
systems. From there I'm sure you could find a way to gain
access to one of the leaders' personal computers, and from
there easily log their password to access the main website. If
you are wondering, this was ONLY a case study, not an actual
hack.

Here's another quick case study of how totally stupid most
people are. Everyone knows the problems that exist in smtp to
allow people to somewhat forge mail, but not many people
even consider how it could also become a powerful trusted
source. I guarantee that if you were to receive an email from
your girlfriend or best mate that didn't look sus, you would
happily open it and not even realise you've just installed a
trojan on your box.
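The forgery the article relies on is that the From: line a person reads is not what the receiving mail server saw on the SMTP envelope. The following added example (my own, not from the article) parses a constructed message and flags the case where the visible From: domain differs from the Return-Path the receiving MTA recorded. The message, addresses and hostnames are constructed; the example.* domains are reserved for documentation.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message: the header the recipient reads claims to be from a
# mate at their own domain, but the envelope sender recorded by the
# receiving MTA belongs to a different domain.
FORGED = """Return-Path: <bulk@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with SMTP; Mon, 1 Jan 2001 10:00:00 +0000
From: "Best Mate" <mate@example.org>
To: <target@example.org>
Subject: check this out
Content-Type: text/plain

see attachment
"""

# Constructed legitimate message for comparison: header and envelope agree.
GENUINE = """Return-Path: <mate@example.org>
From: "Best Mate" <mate@example.org>
To: <target@example.org>
Subject: lunch?
Content-Type: text/plain

same place as usual?
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def sender_mismatch(raw: str) -> dict:
    """Compare the From: header against the Return-Path envelope sender."""
    msg = message_from_string(raw)
    _, header_addr = parseaddr(msg.get("From", ""))
    _, envelope_addr = parseaddr(msg.get("Return-Path", ""))
    header_domain = domain_of(header_addr)
    envelope_domain = domain_of(envelope_addr)
    return {
        "header_domain": header_domain,
        "envelope_domain": envelope_domain,
        "mismatch": header_domain != envelope_domain,
    }


if __name__ == "__main__":
    print(sender_mismatch(FORGED))
    print(sender_mismatch(GENUINE))
```

A mismatch alone is not proof of forgery, since mailing lists and forwarders legitimately rewrite the envelope; it is the cheap check that turns "it came from my mate" into "the header says it came from my mate", which is the distinction the article says most people never make.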

Trusted sources come into everything; you don't have to think
much to find them. It all really just turns into a mass amount
of social engineering. A target is only really as secure as the
amount of effort the hacker puts into breaking it. The same
applies to most situations in life: your house key doesn't
protect from someone running a car through the door, does it?
No it doesn't, it only stops the casual burglar with not much
intent....
