This is a fictional adventure with fictional characters that have fictional (non)skills, based on true events. This post was created for informational purposes only and no admins lost their jobs during the writing of this story. It was inspired by Troy Hunt's "Hacking is child's play" article.
Bob, a 20-something-year-old boy, never considered himself a computer “guru”. He started using computers around the age of 18, late compared to his friends. What he lacked in experience, he gathered through patience.
Saturday morning news, July 2012: Yahoo Voices was breached; half a million emails and passwords were leaked. The attack was made possible by a SQL injection flaw on their servers.
SQL injection? Sounds like a medical term. Bob moves to his computer and starts typing:
sql injection attacks
He goes through the results, reads various topics and his eyes fall on:
Havij - an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.
He was never very tech-savvy, so this might be what he was looking for. Another search follows:
havij torrent
Bam, first results, his beloved Piratebay. The torrent is small, so it should be ready soon enough. In the meantime he'll grab a coffee, smoke a cigarette or two and wait.
Minutes later, when he returns, the download is complete. He registers, following the all-too-easy provided steps, and fires up the application.
But he remembers that he needs some websites to test it on. He opens Firefox again, sets the homepage to google.uk and enters:
inurl:newsitem.php?num=
This is the Google “dork” he chose from a list. It's an example of “advanced search string operators”, termed by some people as “dorking”. Since Bob is inexperienced, he doesn't really care what these are or why they're named “dorks”.
He starts copying and pasting the available results into Havij. The first site doesn't work; Havij returns:
MySQL error based injection method cant be used!
MySQL time based injection method can't be used!
He moves on to the other results. Finally, one site seems to be vulnerable; he presses “Analyze” and in less than 5 seconds:
This is getting interesting.
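The flaw the story hinges on is a page that pastes a URL parameter (the `num` in `newsitem.php?num=`) straight into a SQL statement. The following is an added example, not code from the original post or from the site in the story: an in-memory SQLite table with a few constructed rows, a lookup written the vulnerable way and the same lookup written with a validated, parameterised query. The table and column names (`news_item`, `num`, `title`) are assumptions for illustration.

```python
# Added example (not from the original post): string-built SQL beside a
# validated, parameterised query, against an in-memory SQLite database.
import sqlite3


def make_db():
    """Build a small constructed news table standing in for the site's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news_item (num INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO news_item VALUES (?, ?)",
        [(1, "Office opening"), (2, "New vacancies"), (3, "Holiday hours")],
    )
    return conn


def fetch_vulnerable(conn, num):
    """The pattern behind the story's flaw: untrusted input becomes SQL text.

    Whatever arrives in the URL parameter is part of the statement, so the
    caller decides what the WHERE clause means, not the developer.
    """
    sql = "SELECT num, title FROM news_item WHERE num = " + num
    return conn.execute(sql).fetchall()


def fetch_parameterised(conn, num):
    """Validate the expected type, then let the driver bind the value.

    A bound parameter is sent as data and can never be parsed as SQL; the
    int() check additionally rejects anything that is not an item number.
    """
    try:
        num_int = int(num)
    except ValueError:
        return []  # not a valid item number: nothing to look up
    return conn.execute(
        "SELECT num, title FROM news_item WHERE num = ?", (num_int,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal request behaves the same either way.
    print(fetch_vulnerable(db, "2"), fetch_parameterised(db, "2"))
    # A tampered parameter changes the meaning of the string-built query
    # (every row comes back) but is simply rejected by the hardened version.
    print(fetch_vulnerable(db, "2 OR 1=1"), fetch_parameterised(db, "2 OR 1=1"))
```

The two Havij messages quoted above ("error based" and "time based") are also a hint for defenders: error-based techniques depend on the database's error text reaching the browser, so returning a generic error page and logging the detail server-side removes one of the signals an automated tool looks for, while parameterised queries remove the flaw itself.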
From all the tables, only one seems to have the data he's looking for: labeled_user. He selects the table and clicks on “Get columns”. The important columns are there:
forename
surname
username
password
He selects three of them: email, username and password, then presses “Get data”.
Finally, he has access to the admins' usernames and passwords. But the passwords are encrypted, so he needs to dig on.
Havij has an MD5 decryption option available; let's try that one. He tries it with the first encrypted password. Havij uses online resources to decrypt passwords.
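What the story calls “decryption” is a lookup: an unsalted MD5 of a common password is the same for every site that uses it, so the hash can be matched against precomputed tables. The following is an added example, not code from the original post or from Havij, showing that lookup against a constructed mini-table and, beside it, the stdlib salted-and-slow storage (PBKDF2-HMAC-SHA256) that defeats it. The word list and the sample password "john1980" are constructed for illustration.

```python
# Added example (not from the original post or from Havij): unsalted MD5
# reversed by table lookup, beside salted PBKDF2 storage that cannot be.
import hashlib
import hmac
import os

# Constructed stand-in for the public MD5 lookup services the story alludes
# to: a precomputed hash -> plaintext map for a few common password patterns.
COMMON_WORDS = ["password", "letmein", "john1980", "summer12"]


def md5_hex(word):
    """Unsalted MD5 hex digest, the storage format the story's site used."""
    return hashlib.md5(word.encode()).hexdigest()


LOOKUP_TABLE = {md5_hex(w): w for w in COMMON_WORDS}


def lookup_md5(stored_hex):
    """Reverse an unsalted MD5 by lookup; None when it is not in the table."""
    return LOOKUP_TABLE.get(stored_hex.lower())


def hash_password(password, iterations=600_000):
    """Store a password as iterations$salt$PBKDF2-HMAC-SHA256 (stdlib only).

    A fresh random salt per user means two users with the same password get
    different stored values, so no precomputed table can cover them, and the
    iteration count makes every guess deliberately expensive.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    weak = md5_hex("john1980")  # constructed unsalted hash, as the story's site stored it
    print("MD5 lookup recovers:", lookup_md5(weak))
    strong = hash_password("john1980")
    print("Salted record:", strong[:40] + "...")
    print("Lookup of salted digest:", lookup_md5(strong.split("$")[2]))
    print("Verify correct password:", verify_password("john1980", strong))
```

Where a dedicated library is available, bcrypt, scrypt or Argon2 are the usual choices; the point the example makes holds for all of them: per-user salt plus a deliberately slow function turns "look it up in seconds" into "guess one password at a time, slowly".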
Success! The results came in seconds and the password has been revealed: johnC1980. It's a combination of the web admin's name and his birth date, a common password pattern. Bob moves to the “Find admin” tab and clicks on start. The program finds something like nameofthesite.co.uk/admin. He pastes the link into his browser and tries the username and password combination:
admin
John121980
He's in. It was easier than he thought and now he has access to the admin panels of this recruitment agency from the UK. He'll dig more into it tomorrow, but for now he's done. He wants to celebrate his script-kiddie success.
Bob's back early in the morning. What if those five users are “recycling” their passwords? This has been the cause of many famous break-ins in the past.
People are lazy and they don't want to remember 12 passwords used on 12 different websites. What do they do instead? They use the same password for all sites. You get access to one, you have access to all of them.
After two hours, Bob was able to access John's Gemail, Linked-in, Facebook and Twitter accounts. He used the same password on all of them: John121980.
Worse yet: John also creates and administers websites for other companies. Obviously he's using the same password. From here on, Bob can get access to a huge amount of login details.
If you're curious enough, the sky is the limit.