Tuesday, February 5, 2013

The End Game: Part 1

Last weekI posted about some of the reconnaissance tools that attackers are using against E-Commerce sites, then about what some of the evidence looks like in the logs. Now I want to go over what they are doing with their ill-gotten access.

Attackers aren't just in it for the fun anymore. While we still see our share of political defacement's and attacks that are pulled off just to prove a point, most of the cases that forensics firms like mine are working involve the theft of data. Attackers are stealing Personally Identifiable Information and selling it to crooks that use it to defraud Medicare/Medicaid and other social programs. The same data can be used to commit classic "Identity Theft" and open accounts under other peoples names.

Even easier is the theft of Cardholder Data, there is a sophisticated black market built around the sale of credit card numbers. I talk about it in my conference presentation "Hunting Carders for Fun and Profit" (coming to a con near you in 2013) and it really blows people away how readily available the hardware, plastics and card numbers are. It's really easy for an attacker to gather card numbers and sell them in bulk to a middleman that specializes in parting out these "dumps" for a set price.

All of this data capture and sale really is the "End Game". It's how they get there that I want  to talk about.

The top way I see data being exfiltrated is SQL injection. I talked about this in my last post and put up a quick example. I usually see an attacker hammer away at a site for a couple of days with different tools, but once they find that vulnerable page, it's over in a matter of minutes or hours. This is a very direct kind of attack. They poke around until they find a way to directly access your DB and just suck all the records right out. It's very effective but not terribly sophisticated (usually, see Hunting Carders for a very sophisticated attack).

The second most common thing I see is web shell upload. There are hundreds of different vulnerabilities that allow the upload of a file to a website. If the user that owns the web instance has elevated privileges, it's all over but the crying. I regularly see these web shells deployed to a system and the attacker quickly using them to become intimately familiar with a website.
 If you haven't seen a modern PHP web shell in action, I recommend poking around the internet to find some examples. They've come a long way since the first generation "webmin" clients.

Screenshot from a modern web shell.

Nothing is safe, almost all E-Commerce sites have config files that spell out IP's, DB types, usernames and passwords in clear text. Once you know where to look, it takes seconds to take over a site.
Another thing that I find is a false sense of security on behalf of site owners. I've heard "What does it matter if they got the database?, It's all encrypted" a number of times in the last year.This is a partially correct line of thought, real encryption would negate a huge number of breaches. The problem is that the average site does not feature encryption, it features encoding. During the database write they sneak in an MD5 hashing routine or Base64 encoding. This encoding is trivial to reverse and does no good at all. It's so bad now that I can recognize Base64 like it's the English language.

Worse yet, I see programmers getting almost all the way to real encryption with certs and two piece keys, but they hard code the keys and the encryption/decryption methods right into the site. They even name it things like "encryption_funcs.php". Again, it becomes trivial for the attacker to dump and decode if a web shell is in place.

Embedded decrypt function, complete with key. Owned!

In some cases, the attacker becomes so familiar with a site that they actually modify checkout pages, shopping carts and authorization API's to drop transactions to a log file or another server in real time!

More on that soon in  "The End Game: Part 2. Persistence"



  1. Grayson,

    Interesting post. It's kind of fun to see SQLi still being used so prolifically, even years after I left the PCI scene.

    During the database write they sneak in an MD5 hashing routine or Base64 encoding. This encoding is trivial to reverse...

    Did you mean to include the "MD5 hashing routine" phrase in that sentence? I ask, b/c MD5 isn't something that can be reversed, per se.

    Some other questions, if you don't mind...

    One of the things I saw that was absolutely fascinating was how the shell was actually uploaded to the system. In some cases, SQLi was used to create and then launch an FTP script, which could often be recovered easily, either from the SQLi "logged" in the web server logs, or directly from the system itself. In some instances, I saw where the .exe file was uploaded to the database in 512 byte chunks, and then a command was run to append all of the cell entries together, in order, on the file system in order to reconstitute the .exe. There were apparently no "transporter malfunctions" because the functioning .exe made it through! ;-)

  2. Harlan,

    I guess I would amend that to say "they encrypt the data with the MD5 algorithm and a static key or base64 encode it before dropping it into the database". I'm certain that you know about the sites offering on-the-fly MD5 decoding of hashed password values, though it may serve the other readers to hear about them. There are also rainbow tables available for MD5 now.
    The point I was trying to make is that when your encryption features a static key and the encryption algorithm/method is stored in clear text on the site, they are finding it and they are using it to decrypt data. We do it ourselves or via our reversing team as a "proof of concept".

    One of my favorite hacks was a very small PHP uploader that was written to a server file system via the SQL INTO OUTFILE command. They uploaded 3 times to work out the kinks before successfully using it to upload a full webshell. After that, it was all over for the client unfortunately.

    Thanks for the questions/comments/retweets Harlan!

  3. Grayson,
    Congrats on your expertise journey. I'm proud to say that I bumped into you when you were just starting out. Soon, I'll be able to say I knew you before you were famous!

    A prez at a con is pretty cool.

    When your book comes out, I want an autographed copy. :)

    Go man, go!

  4. Eхcellеnt post! Thanks for Sharing. Keep up the gгeat work.

    Computer Forensics