Friday, August 14, 2009

Hacking my own ISP

As you know, ISP stands for Internet Service Provider: those guys who let you connect to the Internet, usually for a particular fee. The title says hack, but it's not really a hack, more a pretty good exploitation of a bug.

It was before a festival; some guys got in trouble over a dirty business (nothing came of it after all), but I got acquainted with one of them. He was a real hacker, without the slightest knowledge of programming. He has his own "friends", passwords, programs and money-making prospects (and I'm not talking about working here, it's more like stealing).

He lives close to me, close enough to have the same ISP. He told me that our Internet service has a bug. Our provider gives dynamic IPs (mine has effectively become static since I have a router and don't turn it off too often), which I knew about. The trick I didn't know was that different IP addresses get different bandwidths. Inside the local network (it's larger than the whole city) there's about 2-5 MB/s, outside it's 255-500 KB/s. But there are a few IP addresses which get more than 5 MB/s outside of the local network.

That was when he became my customer. I had the programming knowledge, and he had everything else. He helped me a lot to create the bot, which searches for the owning IP. It was simple: connect, calculate the bandwidth, if it was good enough exit, else disconnect and start over. For connecting and disconnecting I used RasDial, for the bandwidth calculation RapidShare. The whole thing was implemented in C#.

A little reference for both of them:

I think the second link is broken, or the server is just down temporarily; either way, I'll post my complete source code:

The program is very simple. I created a file (its size is 1 MB, but it can be changed), which is uploaded each time the bandwidth is calculated. The calculation is simple too: measure the time, divide the uploaded file's size by it, then convert to KB/s.

To sum up, this wasn't that great of a hack. These IPs would have been allocated to users anyway, and a user could get one manually too; I just created a search bot to speed up the process. And I never thought about telling anyone in charge, I mean who doesn't want speed? And why not use it, if it's already out there somewhere?

If you have a dynamic IP, RasDial with the BotNet presented in the previous post can be used on anonymous voting polls. Vote, change IP and vote again (and do not accept any cookies). Maybe someday I'll create software for that too. Another use would be brute-forcing logins. It's rustic, but impossible to create a defense against. At least I couldn't do it.

But for now, I'll stay on Lamer and attack it a few more times.

Wednesday, August 12, 2009

Fourth Attack: Click-Fraud-Bot (part 2)

At first I was thinking of getting a simple open-source browser written in C# and using its source to learn. After all, I needed an automated browser. But that was too complicated, because I didn't need the visualization of the response, just the request and response headers. And briefly the body too. But a whole browser was just too much. And anyway, most of them used premade libraries, which knew too much. Eh, I wanted a bit of control.

After a bit of research I decided to use the HttpWebRequest and HttpWebResponse classes, and wrote my own Browser class.

Source codes:

I used Fiddler 2 for creating the headers. I visited the website using Internet Explorer while Fiddler was open. It's a web debugger that works as a local proxy, monitoring all incoming and outgoing requests. By comparing the headers created by IE and those created by my program, I could do a good job pretty fast.

The biggest problem was cookies. The site needed them; a non-member user can't do almost anything. Cookies must be stored and then re-sent, but I just couldn't find where they appeared. I squandered a whole day just on cookies. But after all it came out pretty well.

I regretted using C#. It's damn slow. My program too, I know, but still... it was running for half an hour. But the result was worth everything. I got a .txt file with more than 30000 e-mail addresses. It wasn't completely clean, though, because some users used their e-mail as their user ID, and by doing this they messed up 2 other e-mails. It happened thanks to an option on the profile page for visiting the previous and next profiles, these being at the top of the page. Another problem was if users used @ in other fields like Name.

After another 20 minutes of cleaning up the text document, I finally got what I desired: 30500 pure e-mail addresses, each one on its own line. Each of them validated and unique (but maybe deprecated).

Think about it. You have a business, great services for a low price, but no one knows about you. I, as your good friend, offer you 100 e-mail addresses for 1 dollar. I think at least 20 will read it, 3 of them will get interested, 2 of them will buy your service, and let's say one of them will return to you in the future. If every service earns you, let's say, $10, you earned around $25 with this. By paying me $1. Not a bad business so far, right? OK, now let's think big. I sell you all of them, each 100 e-mail addresses for $1. I will earn $300 and you around 500 customers. The only loser is the administrator.

The worst is, I could have used this bot in a much better way. The site offered an e-mail system too: you fill in a form and it sends an e-mail. I found a bug whereby you could send e-mail to those members too who hid their e-mail addresses (with a simple SQL injection in the URL). This way, I could have sent at least one e-mail to 52000 users without being afraid that my IP and e-mail, or those used for sending e-mail, get onto a blacklist, blocked, become spammer suspects and so on. After all, it was the server that sent the e-mails.

That's all. Nothing happened on your server, but one day you see that Mozilla is giving you a warning, Opera won't let you proceed to your own website, you get errors while sending e-mails, your ISP is coming for you... big problems. Protect sensitive information!

What's the solution?

Sensitive information shouldn't be displayed as plain HTML. Use JavaScript to split up the string. Example:

<script type="text/javascript">
// Assemble the mailto string from fragments, so the full address never appears in the HTML source
var at = '@';
document.write('mai'+'lto:'+'myemai'+'laddress'+at+'myemailpr'+'ovider');
</script>

The best would be to randomly cut up the string using PHP, put the parts into variables with random names, and then assemble them as needed; in short, randomly generate this JavaScript from PHP. The more complicated it is, the more secure it gets.
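A generator of the kind described above, added here as an example and not code from the original post; it is written in JavaScript (Node) rather than PHP, and the renderedText helper only stubs document.write so the output can be checked offline.

```javascript
// Added example, not code from the original post: randomised "split string"
// generator as the text suggests, written in JavaScript (Node) instead of PHP.
function rand(n) { return Math.floor(Math.random() * n); }   // integer in [0, n)

// Random variable name; the leading underscore keeps it clear of JS keywords
function randomName() {
  const letters = 'abcdefghijklmnopqrstuvwxyz';
  let name = '_';
  for (let i = 6 + rand(5); i > 0; i--) name += letters[rand(letters.length)];
  return name;
}

// Cut s into pieces of random length between 1 and maxChunk characters
function randomChunks(s, maxChunk) {
  const chunks = [];
  for (let i = 0; i < s.length;) {
    const n = 1 + rand(Math.min(maxChunk, s.length - i));
    chunks.push(s.slice(i, i + n));
    i += n;
  }
  return chunks;
}

// Build a <script> that reassembles "mailto:" + email in the browser: each piece sits
// in a randomly named variable, declared in shuffled order, so neither the address
// nor a stable layout appears in the HTML source.
function obfuscatedMailto(email) {
  const chunks = randomChunks('mailto:' + email, 4);
  const names = [];
  while (names.length < chunks.length) {
    const n = randomName();
    if (!names.includes(n)) names.push(n);           // keep names unique
  }
  const decls = names.map((n, i) => `var ${n} = ${JSON.stringify(chunks[i])};`);
  for (let i = decls.length - 1; i > 0; i--) {       // Fisher-Yates shuffle
    const j = rand(i + 1);
    [decls[i], decls[j]] = [decls[j], decls[i]];
  }
  const body = decls.join('\n') + `\ndocument.write(${names.join(' + ')});`;
  return `<script type="text/javascript">\n${body}\n</script>`;
}

// Run the generated script against a stub document: returns what a browser
// would write, which must equal the original mailto string.
function renderedText(scriptTag) {
  const js = scriptTag.replace(/^<script[^>]*>\n/, '').replace(/\n<\/script>$/, '');
  let out = '';
  new Function('document', js)({ write: (s) => { out += s; } });
  return out;
}
```

A scraper that executes JavaScript still recovers the address, so this raises the cost of bulk harvesting rather than hiding the address from a determined visitor.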

Another method would be to generate an image which contains the e-mail address. You can do this from PHP:

<?php
header("Content-type: image/jpeg");

$Str = "myemailaddress@myemailprovider.domain";
// Background image onto which the address is drawn with GD
$NewImage = imagecreatefromjpeg("img.jpg");
if ($NewImage === false) {
    exit("could not load img.jpg");
}
$red = 50; $green = 50; $blue = 255;
$TextColor = imagecolorallocate($NewImage, $red, $green, $blue);
// Built-in GD fonts are 1-5; a larger number falls back to the largest one
$fontSize = 8; $posX = 0; $posY = 0;
imagestring($NewImage, $fontSize, $posX, $posY, $Str, $TextColor);

imagejpeg($NewImage);
imagedestroy($NewImage);
?>

If ./img.jpg looks like this:

the result is:

Much harder to hack (don't think it's impossible). This image was generated on my local server.

Stand by, very soon another post will come.

A Newbie's Observation

There have been 4 successful attacks so far on Lamer, and one more task accomplished; I'll write about that later. I think it's enough to form a point of view about the reactions of others, in different positions.

The first part of the audience I would like to mention are the users of Lamer. They fell into my XSS trap without even thinking. The link didn't look normal (it started with javascript: not with http://), but even if they had no programming knowledge, they shouldn't have been so trusting. I mean, it was a YouTube video, why not use a direct link? The attack was browser-dependent; I think IE 6 couldn't handle it. There were users who were still using that old-fashioned, really bad browser, and they went pretty far by mentioning after my post that the link was not working. And others replied "Yes, it does". So they double-checked it, and even after that no one had the smallest doubt. Those guys were trusting me too well, just because I had been around for years. What's the moral? Do not trust anyone on the Internet.

Now let's talk about the administrator of Lamer. The site was hacked (before me) a few times. There are just two types of attacks I know about: once the image upload was hacked by uploading a script, and the voting system was hacked several times. But I gained access to the whole database, several user forum posts, user accounts and some user passwords too. That is, I think I accomplished more than everyone before. I mean, I'm not praising myself, it's just not an IT community. I'm saying that I'm starting to be a threat to Lamer. If it worked 4 times, it may happen again. As for my relationship with the administrator, well, I admire him; not everyone writes a website with several thousand lines of code by himself, they use Joomla, templates or premade scripts (just like this blog).

Briefly, we get along well. After the first attack he thanked me; after the second attack he thanked me and gave me access to a test user on Lamer, and to a test copy of Lamer on his local machine. We were discussing how he should pay me. Not with money though, with a service. He told me that he'd mention my name in the Impression section on Lamer. My reaction was to tell him not to do it. Sites get hacked every day; I don't want to be suspected in that community if anything happens, not even if I'm the delinquent. Instead I asked for the source code of the site. Not the JavaScript and HTML you can download, but the PHP you can't (in a legal and easy way; with my knowledge I'll just say I can't). He told me that he'd do it right away after installing an FTP server (that was a few days ago, still nothing, but oh well, good things don't come fast). It's a profit for both of us. I get reference material for future PHP projects (good for me), meanwhile I'll debug it (good for him).

Let's stick to the topic: people's reactions. I have a good friend, a girl, with pretty low knowledge of computers (I don't mean she's not smart, she is, but it's not her side). It's true that it's against rule 3, but well, I told her. Her reaction: she panicked. She could never imagine that somebody could access her account just because she clicked a random link. There are cases when normal links to trusted sites are malicious too. For example, that description I gave before on the Elite Hackers forum about hacking the LA-PD's website. It's not good for session hijacking, but good enough for downloading a key-logger.