Wednesday, June 29, 2011

Desktop Phishing Tutorial - The Art of Phishing

Desktop phishing is another type of phishing. In desktop phishing, hackers change your Windows\System32\drivers\etc\hosts file, which controls how your PC resolves domain names. This method is a bit advanced, so if you are a newbie I would recommend that you read the following posts first:
The difference between phishing and desktop phishing is as follows.

In phishing

1. The attacker convinces the victim to click on the link to a fake login page which resembles the genuine login page.
2. The victim enters his credentials into the fake login page, and they go to the attacker.
3. The victim is then redirected to an error page or to the genuine website, depending on the attacker.

But the main drawback of phishing is that the victim can easily tell the fake login page from the real one by
looking at the domain name. We can overcome this in desktop phishing by spoofing the domain name.

In desktop phishing

1. The attacker sends an executable file to the victim, and the victim is supposed to double-click it. The attacker's job is done.
2. The victim types the domain name of the original/genuine website and is taken to our fake login page,
but the domain name remains the same as the victim typed,
so the victim doesn't notice anything.
3. The rest is the same as in normal phishing.


What is the Hosts File?

The hosts file is a text file containing domain names and the IP addresses associated with them.
Location of the hosts file in Windows: C:\Windows\System32\drivers\etc\. Whenever we visit a website, say www.anything.com, a query is sent to a Domain Name Server (DNS) to look up the IP address associated with that website/domain. But before doing this, the hosts file on our local computer is checked for an IP address associated with the domain name.

Suppose we make an entry in the hosts file as shown. When we visit www.anywebsite.com, we would be taken to 115.125.124.50, and no query to resolve the IP address of www.anywebsite.com would be sent to DNS.
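Added example (not part of the original post): a small Python parser for the hosts file format described above, used from the defender's side to audit a hosts file for exactly the kind of entry this attack plants, a well-known domain pointed at a non-loopback address. The sample file content and the watched-domain list are constructed for illustration, and the address 115.125.124.50 is reused from the post's own example.

```python
import ipaddress
import re

# Constructed sample hosts file (not taken from any real machine). The
# 115.125.124.50 entry reuses the post's example address and is the kind of
# line desktop phishing adds: a genuine domain pointed at an outside server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.168.1.20    printer.lan            # internal host, expected
115.125.124.50  gmail.com www.gmail.com   # public site redirected: suspicious
this-is-not-an-ip   example.test       # malformed line, reported separately
"""

# Domains worth watching; an assumption for this example, extend as needed.
WATCHED = ["gmail.com", "facebook.com", "paypal.com"]


def parse_hosts(text):
    """Parse hosts-file text into a list of (ip, [hostnames]) tuples.

    Each non-comment line is: <ip> <hostname> [<alias> ...] [# comment].
    Lines whose first field is not a valid IP are returned in a separate
    list so that a malformed entry is never silently skipped.
    """
    entries, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            malformed.append((lineno, raw))
            continue
        entries.append((ip, [h.lower() for h in fields[1:]]))
    return entries, malformed


def find_suspicious(entries, watched_domains):
    """Flag entries that send a watched domain anywhere but loopback.

    A benign hosts file either does not mention public sites at all or maps
    them to 127.0.0.1 / ::1 (ad-blocking lists do this). Any other mapping
    for a watched domain is a redirection; a globally routable target is the
    desktop-phishing signature, so it is rated higher than a LAN address.
    """
    findings = []
    for ip, names in entries:
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in watched_domains)
            if watched and not ip.is_loopback:
                severity = "high" if ip.is_global else "medium"
                findings.append({"host": name, "ip": str(ip), "severity": severity})
    return findings


def audit(text, watched_domains=WATCHED):
    """Convenience wrapper: returns (findings, malformed_lines)."""
    entries, malformed = parse_hosts(text)
    return find_suspicious(entries, watched_domains), malformed


if __name__ == "__main__":
    findings, malformed = audit(SAMPLE_HOSTS)
    for f in findings:
        print(f"[{f['severity']}] {f['host']} -> {f['ip']}")
    for lineno, raw in malformed:
        print(f"[malformed] line {lineno}: {raw.strip()!r}")
```

On a Windows machine the input would be the contents of C:\Windows\System32\drivers\etc\hosts; the check is cheap enough to run from a scheduled task, and a change to that file's modification time is itself worth alerting on.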


What is the attack?

 
I hope you now have an idea of how modifying this hosts file on the victim's computer can be misused.
We need to modify the victim's hosts file by adding the genuine domain name together with the IP address of our fake website/phishing page. Whenever the victim visits the genuine website, he is directed to our fake login page, and the domain name in the URL box remains the genuine one as typed by the victim. Hence the domain name is spoofed.



Steps to perform the attack


1. Host the phishing page on your computer.
Web hosting sites like 110mb.com, ripway.com etc., where we usually upload our phishing page, do not provide an IP address that points to your website such as www.anything.110mb.com: an IP address points to a web server, not to a website. So we need to host the phishing page on our own computer using web server software like WAMP or XAMPP.


Download WAMP or XAMPP.



  • Copy your phishing page and paste it into the WWW directory of WAMP; the default path is "C:\Wamp\WWW".
  • Run the WAMP server on your PC.
  • Right-click the WAMP icon in the system tray and select Start All Services. Visit your public IP address and you should see your phishing page.

2. Modify the hosts file.
If you don't have physical access to the victim's computer, copy your own hosts file and paste it anywhere.
Edit it with any text editor and associate your public IP address with the domain you wish, as shown.

As in this case: when the victim visits gmail.com, he is taken to the website hosted at IP 'xxx.xxx.xxx.xxx'.


Replace it with your public IP.

 
3. Compress the hosts file such that when the victim opens it, it automatically gets copied to the default
location C:\Windows\system32\drivers\etc, and the victim's hosts file is replaced by our modified hosts file.
 

Then you can bind this file with any exe using a binder, or give it directly to the victim. He/she is supposed to click it,
and you are done.

Limitations of the attack

 
1. Since our public IP address is most probably dynamic, it changes every time we disconnect and
reconnect. To overcome this we need to purchase a static IP from our ISP.
2. The browser may warn the victim that the digital certificate of the website is not genuine.


If you are a beginner and want to learn ethical hacking, then I would recommend reading "A Beginners Guide To Ethical Hacking".

Countermeasures:

 
Never blindly enter your credentials into a login page, even if you yourself typed the domain name into the
web browser. Check whether the protocol is "http" or "https"; https is secure.

For more information on the https protocol, see the following post:
There is also a piece of software called Macros which protects your hosts file.

About the Author

Aneesh M Maker is a student at University College of Engineering, Punjab. He has written several guest posts on this blog. If you are interested in writing a guest post, read the guidelines here.

Monday, June 27, 2011

RHA Blessed With Page-Rank 3.0!!

It hasn't been more than 4 months since I moved rafayhackingarticles.blogspot.com to a custom domain (http://rafayhackingarticles.net). Today RHA has been surprisingly blessed with PageRank 3.0 and I am very shocked to see it, though when RHA was on a subdomain it had PR 4, but after I redirected all the traffic to the custom domain the PageRank became zero. Luckily not only RHA's homepage but internal pages also managed to get a 2-3 PageRank.

I would like to thank all my readers for their continuous support, and especially my buddy Mustafa Ahmedzai from http://mybloggertricks.com for his love and support. I expect RHA to get at least PR-5 on the next update. My other blog on iPhone jailbreaking and unlocking, http://techlotips.com, also managed to get PR 1.

Sunday, June 26, 2011

Gmail Cookie Stealing And Session Hijacking Part 2

In my previous post, Gmail Cookie Stealing And Session Hijacking Part 1, I discussed all the basics and fundamentals needed to understand a session hijacking attack. If you have not read part 1, kindly read it first in order to get a good grasp of the topic.

Well, after tremendous feedback and response from readers on session hijacking, I thought I would extend this topic and write more on it. In this tutorial I will explain some methods to capture Gmail GX cookies.


Gmail GX Cookie

In Gmail the cookie which authenticates users is called the GX cookie. We cannot use a cookie stealer, since as of now we don't know of any XSS vulnerability in Gmail.

Tools you will need


1. Cain and Abel
2. NetworkMiner
3. Wireshark

How To Capture Cookies?


There are a couple of ways you can capture an unsecured Gmail cookie, depending on the type of network you are on.

Packet Sniffing


If you are on a hub-based network, you can use packet sniffing to capture local traffic. You may use any packet sniffer you want to capture cookies, but I would recommend either Wireshark or NetworkMiner because they are quite user-friendly.

Wireshark

Wireshark is my recommended choice if you are on a hub-based network and are looking to capture an unsecured Gmail GX cookie. Here is how you can capture a Gmail GX cookie via Wireshark.

Step 1 - First of all, download Wireshark from the official website and install it.

Step 2 - Next, open up Wireshark, click on Analyze and then click on Interfaces.

Step 3 - Next, choose the appropriate interface and click on Start.

Step 4 - Wireshark will now start to capture the traffic. In the meantime, log in to your Gmail account, but make sure that you have selected "Don't use https://" in the Gmail account settings.

Step 5 - Next, set the filter at the top left to http.cookie contains "Gx". This filter will show only the traffic carrying the Gmail authentication cookie named GX.

Step 6 - Once you have found the line with the Gmail GX cookie, right-click on it, click on Copy and then select Bytes (Printable Text Only).

Step 7 - You have now successfully captured an unsecured Gmail GX cookie.

Network Miner

You can also use NetworkMiner to capture it; it's easier and more user-friendly than Wireshark.



Note: You will need WinPcap before capturing traffic with either NetworkMiner or Wireshark.

ARP Spoofing or Man-in-the-Middle Attack:


Now if you are on a switched LAN, packet sniffing will probably not work for you, as the traffic meant for a particular system only reaches that system. So packet sniffing becomes useless on switch-based networks.

1. Cain and Abel

Cain and Abel should be your only choice if you are on the Windows operating system. You can easily place yourself between the victim's computer and the gateway and capture all the traffic going through it, thereby successfully launching a man-in-the-middle attack; afterwards you can filter out the cookie information from the captured traffic. Here is a screenshot of captured traffic from Cain and Abel.


2. Ettercap

Now if you are on a Linux machine, you should probably use Ettercap, as it's one of the best sniffers I have ever played with. With Ettercap you can easily launch a man-in-the-middle attack (ARP poisoning) and capture an unsecured Gmail GX cookie.
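Added example, not from the original post: a defender-side ARP poisoning detector in Python. It replays a constructed list of ARP reply observations (gateway address, host addresses and MACs are all invented) and raises the two alerts that the man-in-the-middle described above produces on the wire: the gateway's IP suddenly answering from a new MAC, and one MAC answering for several IPs.

```python
# Constructed ARP reply observations: (timestamp, sender_ip, sender_mac).
# Addresses and MACs are invented. From t=4 the MAC that belongs to host
# .11 starts answering for the gateway and then for host .10 as well, which
# is what an ARP-poisoning man-in-the-middle looks like on the wire.
OBSERVED = [
    (0, "192.168.1.1",  "00:11:22:33:44:55"),   # gateway, its real MAC
    (1, "192.168.1.10", "aa:bb:cc:dd:ee:01"),
    (2, "192.168.1.11", "aa:bb:cc:dd:ee:02"),
    (3, "192.168.1.1",  "00:11:22:33:44:55"),
    (4, "192.168.1.1",  "AA:BB:CC:DD:EE:02"),   # gateway IP now from .11's MAC
    (5, "192.168.1.10", "aa:bb:cc:dd:ee:02"),   # same MAC also claims .10
]


def scan_arp(observations, gateway_ip):
    """Replay (ts, ip, mac) ARP observations and return a list of alerts.

    Two signals are checked, in the order a monitor would see them:
      * an IP already in the table answers from a different MAC; for the
        gateway this is rated separately because that is the address a
        man-in-the-middle must claim to see everyone's traffic;
      * one MAC is now the answer for more than one IP, which is what
        poisoning both sides of a conversation produces.
    A genuine gateway replacement also trips the first check, so the alert
    is a prompt to verify, not proof of an attack.
    """
    seen = {}      # ip -> last MAC observed for it
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()           # normalise case before comparing
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            kind = "gateway-mac-changed" if ip == gateway_ip else "ip-mac-changed"
            alerts.append({"ts": ts, "kind": kind, "ip": ip, "old": prev, "new": mac})
        seen[ip] = mac
        claimed = sorted(i for i, m in seen.items() if m == mac)
        if len(claimed) > 1:
            alerts.append({"ts": ts, "kind": "mac-claims-multiple-ips",
                           "mac": mac, "ips": claimed})
    return alerts


if __name__ == "__main__":
    for alert in scan_arp(OBSERVED, "192.168.1.1"):
        print(alert)
```

On a real host the observations would come from periodic snapshots of the ARP cache (arp -a) or from ARP replies in a capture; pinning the gateway's MAC in a static ARP entry is the matching mitigation on the endpoint.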


How can I prevent this kind of attack?

So friends, by now you should know the importance of using https:// connections. In order to prevent these kinds of attacks, always use an https:// connection or a VPN solution while logging in to your email accounts.
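Added example (not part of the original post): the server-side counterpart to the advice above. A cookie set with the Secure attribute is never transmitted over plain http, and one with HttpOnly cannot be read by page scripts, so a session cookie missing either is exactly the "unsecured" cookie the capture steps pick up. The script parses the Set-Cookie headers of a constructed HTTP response (hostnames, cookie names and values are invented; the set of names treated as session cookies is an assumption) and reports which protections are missing.

```python
# Constructed HTTP response (no real service was contacted). One cookie is
# fully protected, the second is an "unsecured" session cookie of the kind
# the sniffing steps above pick up, the third is a harmless preference.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: SID=abc123; Path=/; Domain=mail.example.test; Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: GX=deadbeef; Path=/mail; Domain=mail.example.test\r\n"
    "Set-Cookie: PREF=lang=en; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT\r\n"
    "\r\n"
    "<html>...</html>"
)

# Cookie names treated as session credentials. An assumption for this
# example; in practice take the list from the application's own config.
SESSION_COOKIE_NAMES = {"gx", "sid", "phpsessid", "jsessionid"}


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attributes are case-insensitive; flag attributes such as Secure and
    HttpOnly carry no value and are stored as True. Only the first '=' of
    the name=value pair is significant, so values containing '=' survive.
    """
    first, *attrs = header_value.split(";")
    name, _, value = first.strip().partition("=")
    flags = {}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        if key:
            flags[key.lower()] = val if val else True
    return name.strip(), value, flags


def audit_response(raw_response, session_names=SESSION_COOKIE_NAMES):
    """Return the session cookies in a response that lack Secure or HttpOnly."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        hname, _, hval = line.partition(":")
        if hname.strip().lower() != "set-cookie":
            continue
        name, _, flags = parse_set_cookie(hval.strip())
        if name.lower() not in session_names:
            continue
        missing = [f for f in ("secure", "httponly") if f not in flags]
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"{f['cookie']}: missing {', '.join(f['missing'])}")
```

The same check belongs in a deployment pipeline or a periodic scan of the login endpoint: a session cookie without Secure will be sent in the clear the first time the user types the site name without https://, no matter how the login page itself was served.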

So friends, this concludes part 2 of my series on cookie stealing. In part 3 we will look at a variety of different methods used to inject cookies into our browser to gain access to the account.

Update: Part 3 has been published. Read it here.


Tuesday, June 21, 2011

Gmail Cookie Stealing And Session Hijacking Part 1

Well, I have posted lots of articles on phishing and keylogging, but today I would like to throw some light on a very useful method which hackers use to hack Gmail, Facebook and other email accounts, i.e. cookie stealing. One of the reasons I am writing this article is that there are lots of newbies with lots of misconceptions related to cookie stealing and session hijacking, so I hope this tutorial covers all those misconceptions, or if not all, most of them.

What is a Cookie?

A cookie is a piece of code which is used to authenticate a user on a website. In other words, whenever you log in to a website such as Facebook, Gmail, Orkut etc., your browser is assigned a cookie which basically tells the browser for how long the user should stay logged in. Apart from authentication, a cookie can be used for a variety of different purposes. If you would like to know more about cookie stealing, kindly Google it.

What is a Session Token?

After authentication is completed, a web server hands the browser a session token, which is used because a web server needs a way to distinguish between different connections. If a hacker could capture your session token, then it's a cakewalk for the hacker to hack into your Gmail, Facebook or any other account.

What is a Session Hijacking Attack?

A session hijacking attack is basically the act of capturing a session token and injecting it into your own browser to gain access to the victim's account.


What is a Cookie Stealer?

A cookie stealer is basically a script used to steal a victim's authentication cookies. For a cookie stealing process to work, the website or web page should be vulnerable to an XSS attack; this is the most common and widely held misconception among newbies.

How does the stealing process work?

1. The attacker creates a PHP script and uploads it to a web hosting site.

2. The attacker then asks the victim to visit the particular link containing the PHP code.

3. Once the victim visits it, his/her authentication cookie is saved in a .txt file.

4. Next the attacker uses a cookie injector or a cookie editor. There are lots of Firefox add-ons and Google Chrome extensions to do the work for you. Personally I use Cookie Manager v1.5.1 as it's quite user-friendly.

You can also use the Web Developer toolbar to do the work for you.

5. The attacker replaces his own cookies with the victim's cookies, as a result of which the victim's session is hijacked.

Why does it not work on a website which is not vulnerable to XSS?
It's due to the browser's same-origin policy, according to which browsers don't allow JavaScript from one origin to access another origin's cookies.


Gmail GX Cookie

By now I believe I have cleared up lots of misconceptions related to cookie stealing, but all of this information is only good for you if you try it out practically. So let's get to the main topic.

In Gmail the cookie which authenticates users is called the GX cookie. We cannot use a cookie stealer, as by now we don't know of any XSS vulnerability in Gmail. So if you are on a LAN, you can use Wireshark or any other packet sniffer to steal the unsecured Gmail GX cookie and use it to gain access.

Will this hack always work?

Well, this trick won't work on all Gmail accounts, as Gmail now offers end-to-end https:// encryption, which encrypts the session token, so even if we could get our hands on the GX cookie it is useless. But if a user has turned off the end-to-end https:// encryption in Gmail, it can work for sure.



I hope you have liked the post so far. I will cover the method of stealing Gmail GX cookies and using them to hack Gmail accounts in the next post, so stay tuned!


Update: Part 2 has been published. You can read it here.

Thursday, June 16, 2011

Telecommunication Network Hacking And Security

Hacking does not only mean defacing a website or stealing someone's confidential information. You have heard so many times about computer network security, or just computer security, but what about telecommunication security, or telecommunication network security? Well, there are so many articles on computer security, but this time I have decided to write on telecommunication network security.

Telecommunication is a broad field and it contains different areas like optical fiber networks, mobile and wireless networks, satellite networks etc. We will consider wireless networks, specifically the GSM network. GSM, or Global System for Mobile communication, is a 2G network, but when it provides the GPRS (data) service it can be called a 2.5G network.

The 1G network, or AMPS, has so many vulnerabilities, like eavesdropping and handset cloning, because it worked in the analog domain, while the 2G network works in a digital environment and uses different sorts of encryption algorithms to protect the data.

It is good practice to first describe the basic architecture of the GSM network so that you can easily understand the security holes. Now consider the basic diagram.

  • SIM - Subscriber Identity Module
  • MS - Mobile Station
  • BTS - Base Transceiver Station
  • BSC - Base Station Controller
  • MSC - Mobile services Switching Center
  • VLR - Visitor Location Register
  • HLR - Home Location Register
  • EIR - Equipment Identity Register
  • AC - Authentication Center
  • PSTN - Public Switched Telecomm Network
  • ISDN - Integrated Services Digital Network

Just like a computer network, the GSM network also uses an authentication process to allow a SIM (user) onto the network. Just assume there are 4 operators that provide GSM services and you have purchased a connection from 1 service provider; now it does not mean that your mobile phone cannot detect the signal of the other three networks. Your cell phone can get the signal of all 4 operators, but it can only connect to the network matching its SIM, because the network identifies its user by the SIM.

Understand the Phenomenon of Authentication in GSM

The SIM (Subscriber Identity Module) is a small smart card containing both programs and information. The SIM contains a temporary cipher key for encryption, a temporary subscriber identity (TMSI) and an International Mobile Subscriber Identity (IMSI). It also contains a PIN (Personal Identification Number) and a PUK (PIN Unblocking Key).

The SIM stores a 128-bit authentication key provided by the service provider. The IMSI is a unique 15-digit number that has three parts:
  • Mobile Country Code (MCC)
  • Mobile Network Code (MNC)
  • Mobile Subscriber Identity (MSIN)
Now that you have seen the importance of the IMSI: if you have the IMSI of another user, then you can identify yourself on the network with the identity of that other user (so dangerous).
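Added example, not part of the original post: a Python parser for the IMSI layout just described, together with the redaction a log pipeline should apply given the impersonation risk the post points out. The MNC is 2 or 3 digits depending on the country and cannot be inferred from the digits alone, so the caller supplies its length; the sample IMSI is constructed and uses the test-network MCC 001.

```python
import re


def parse_imsi(imsi, mnc_length=2):
    """Split a 15-digit IMSI into its three parts (layout from the post).

    MCC: first 3 digits. MNC: the next 2 or 3 digits; the length is a
    per-country convention, so it is passed in rather than guessed.
    MSIN: everything that remains.
    """
    if not re.fullmatch(r"\d{15}", imsi):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_length not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    return {
        "mcc": imsi[:3],
        "mnc": imsi[3:3 + mnc_length],
        "msin": imsi[3 + mnc_length:],
    }


def redact_imsi(imsi, mnc_length=2):
    """Keep the network part (MCC+MNC), mask the subscriber part (MSIN).

    The MSIN is what lets someone present themselves as this subscriber,
    so logs and tickets should carry the masked form only.
    """
    parts = parse_imsi(imsi, mnc_length)
    return parts["mcc"] + parts["mnc"] + "*" * len(parts["msin"])


# Constructed sample: MCC 001 is the ITU test network, the rest is made up.
SAMPLE_IMSI = "001010123456789"

if __name__ == "__main__":
    print(parse_imsi(SAMPLE_IMSI))
    print(redact_imsi(SAMPLE_IMSI))
```

Rejecting anything that is not exactly 15 digits keeps a truncated or padded identifier from being silently split at the wrong offsets, which would put part of the MSIN into the field that is kept in the clear.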

But is authentication the only way to break into a GSM network? The answer is no.
The air interface, I mean the Um interface between the handset and the BTS, is encrypted by the A5 algorithm, but the interfaces between BTS and BSC and between BSC and MSC are usually not encrypted and normally use a microwave link, or in some cases an optical fiber link, depending on the geographical area. So the point is that if someone starts sniffing on that link, GSM has not defined any standard to protect against this sniffing; now you can understand the main hole in the GSM network.

About The Author:

This guest post has been written by Irfan Shakeel. Irfan is a telecommunication engineer and an IT security geek. Irfan has written many articles for different blogs and he is currently running a blog related to ethical hacking and penetration testing.