Kulhacker. Start


A short story about how to get into information security quickly. An old story and a long run-up, but let me begin...

Episode 1. Introduction, captcha, weeding out bots


I have one Internet project of a personal nature, so to speak, which started back in 2006. The project is very personal, so I won't publish the link, but I can send it by PM to anyone interested. At the moment the project is slowly dying: it has already gone through its growth and prosperity stages and seems ready to be buried, but we still can't bring ourselves to take that step.

The engine was bought in 2006; it's no secret that it was DLE, and within about a year it had been so heavily customized by us that we stopped updating it altogether from 2007 onwards. It's a small site where people hang out, write, comment, and chat in PM on all sorts of hot topics.

The project's distinctive features were our own improvements, so simple that I was sometimes genuinely surprised nobody else had thought of them before. One of these improvements relates to the captcha.

When all projects of this kind introduced captchas to protect against bots, a friend and I decided to introduce one too, but quickly realized that we were simply losing our audience, while the bots kept multiplying and kept spamming. In the end the captcha stayed, but only as a roulette: it displays the number that came up, and that number has no effect on whether you can leave a comment. In other words, we completely cut out the captcha verification mechanism but kept the generation and display. After a fairly short time it became a gimmick: people in the comments compared their captcha numbers, whose was prettier, and so on. "Whatever keeps the child amused, as long as it's not with its hands," we thought.

But if you recall the history of the captcha, it is meant to protect against bots, the ones that spam massively across the Internet, and we sawed off this protection mechanism because it didn't work. Nevertheless, we were able to analyze the bots' behavior and cut them all out without a trace. There's the site, there's simple, let's say easy, commenting, without SMS or registration, no captcha, and no bots.

On my side, this was a worthy application of analyzing the POST and GET requests to the site's scripts.

Episode 2. Engine updates, meeting the kulhacker


Because the site's engine was not being updated, vulnerabilities surfaced from time to time, along with episodes of specific vulnerabilities being used against our site.

It was fine when we learned about a vulnerability from 0day resources, or from the engine's technical support, before it was used against our site. But it also happened that we learned about a vulnerability from analyzing the POST and GET requests to the site's scripts, or after the fact, from a defacement or some other manipulation of the site.

And then came the day when the engine version was so old that posts about this engine and this version simply stopped appearing on 0day resources, not to mention that on the tech-support forum no new posts about our version had appeared in the past 5 years.

And then he appears: a kulhacker.

I won't talk about who he is; I'll tell you about the fun we got out of it. It all started with the site's owner receiving a message that the site had been hacked: cough up the cash, or it's all over. The first letter named a sum of 100K rubles in bitcoins.

"That's one," we thought, and got down to the analysis. First we had to find the result of the hack. A script was quickly found that was not part of the site engine but was disguised as a typical script of our engine, and modified engine scripts were found as well: the site had been tampered with. Skill level: kulhacker; he had not managed to get to the server itself.

With a few simple manipulations, all POST and GET requests to the site were searched for the name of the new script, and of course the parameters passed to it turned up in a POST request to the site. From those, a vulnerability was found, the attack vector was determined, and a weak variable on the front end (a user-controlled input parameter) was identified; naturally, the vulnerability was closed and the site engine was rolled back to a known-safe state. Extra monitoring was set up for the kulhacker, in case he knew something we didn't: there is practically no unknown information in public, and our case was clearly not described anywhere.

Episode 3. The kulhacker strikes back; bargaining


After a while, another letter, this time saying that we were bad people, that he would not forgive us for this, and that if we didn't pay up we would be sorry.

"That's two," we thought, and ignored the letter again. A couple of days later the site was defaced, with a demand to pay up. Again we analyzed the POST and GET requests, again found the attack vector, discovered another weak variable on the front end, closed the vulnerability again, and again rolled back to a safe state.

By now we understood that the kulhacker would start to suspect we were using his knowledge for our own purposes and were not running to him with a bag of money, so we decided to write to our "client" from a certain "secretary" who did not understand what was at stake, what she was supposed to do, and least of all what bitcoins were. We hoped this would, in a sense, stoke our kulhacker's interest and make him demonstrate a couple more vulnerabilities in our engine, if he had any left.

We also analyzed the first and second attack vectors, determined the general weakness of the site engine, and then went through all the scripts looking for variables susceptible to the same weakness. A few more weak spots were quickly closed.

The kulhacker's reply was not long in coming: again a threat that we would be sorry, again the site was defaced, but this time the sum demanded had dropped tenfold, which led us to assume that our charge had run out of ideas, meaning he would not be back next time.

The standard routine: analysis of the requests to the site, a new attack vector, a new set of variables, closing the vulnerabilities, rollback to a safe state.
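The request-analysis routine described in Episodes 2 and 3 (find the script that is not part of the engine, list the parameters it is called with, then sweep the engine's other scripts for the same parameter names), as an added example in PHP that is not code from the original post or from DLE. It assumes a per-request log in JSON-lines form with the fields shown, a list of the engine's own script paths taken from a pristine copy of the engine, and the constructed sample lines embedded below; every script name, IP and parameter in the sample is made up.

```php
<?php
// Added example (not from the original post or from DLE): find the foreign
// script in a request log and inventory the parameters it is called with.
// Log format, manifest and sample lines are constructed assumptions. PHP 7.4+.
declare(strict_types=1);

/** Constructed sample log: one JSON object per request. "/engine/ajax/stats.php" is the intruder's script. */
function sample_log(): string
{
    return <<<'JSONL'
{"ts":"2019-03-01T10:00:01+03:00","ip":"203.0.113.5","method":"GET","script":"/index.php","get":{"newsid":"1234"},"post":{}}
{"ts":"2019-03-01T10:00:07+03:00","ip":"203.0.113.5","method":"POST","script":"/engine/ajax/comments.php","get":{},"post":{"id":"1234","text":"nice one"}}
{"ts":"2019-03-01T10:02:13+03:00","ip":"198.51.100.9","method":"POST","script":"/engine/ajax/stats.php","get":{},"post":{"id":"17","mode":"edit"}}
{"ts":"2019-03-01T10:02:40+03:00","ip":"198.51.100.9","method":"POST","script":"/engine/ajax/stats.php","get":{"dbg":"1"},"post":{"id":"18","mode":"view"}}
{"ts":"2019-03-01T10:03:02+03:00","ip":"198.51.100.9","method":"POST","script":"/engine/ajax/search.php","get":{},"post":{"query":"test","mode":"rss"}}
JSONL;
}

/** Parse JSON lines into request records; malformed lines are skipped, not fatal. */
function parse_log(string $jsonl): array
{
    $entries = [];
    foreach (preg_split('/\R/', trim($jsonl)) as $line) {
        $e = json_decode($line, true);
        if (is_array($e) && isset($e['script'])) {
            $e['get']  = $e['get']  ?? [];
            $e['post'] = $e['post'] ?? [];
            $entries[] = $e;
        }
    }
    return $entries;
}

/** Scripts that were requested but are not in the engine's own file list, with request counts. */
function find_unknown_scripts(array $entries, array $manifest): array
{
    $known = array_flip($manifest);
    $hits  = [];
    foreach ($entries as $e) {
        if (!isset($known[$e['script']])) {
            $hits[$e['script']] = ($hits[$e['script']] ?? 0) + 1;
        }
    }
    arsort($hits);
    return $hits;
}

/** Every parameter name (GET and POST) a script was called with, and the distinct values seen. */
function params_for_script(array $entries, string $script): array
{
    $params = [];
    foreach ($entries as $e) {
        if ($e['script'] !== $script) {
            continue;
        }
        foreach (['get', 'post'] as $src) {
            foreach ($e[$src] as $name => $value) {
                // Nested parameters (a[]=1) arrive as arrays; keep them readable.
                $params["$src:$name"][] = is_array($value) ? json_encode($value) : (string) $value;
            }
        }
    }
    return array_map(fn(array $v) => array_values(array_unique($v)), $params);
}

/** Other scripts that accept the same parameter names: the sweep for "the same weakness elsewhere". */
function scripts_sharing_params(array $entries, array $names, string $exclude): array
{
    $out = [];
    foreach ($entries as $e) {
        if ($e['script'] === $exclude) {
            continue;
        }
        $common = array_intersect($names, array_keys($e['get'] + $e['post']));
        if ($common) {
            $out[$e['script']] = array_values(array_unique(array_merge($out[$e['script']] ?? [], $common)));
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    // Constructed manifest; in practice generate it from a clean copy of the engine.
    $manifest = ['/index.php', '/engine/ajax/comments.php', '/engine/ajax/search.php'];
    $entries  = parse_log(sample_log());
    foreach (find_unknown_scripts($entries, $manifest) as $script => $n) {
        echo "foreign script: $script ($n requests)\n";
        $params = params_for_script($entries, $script);
        foreach ($params as $name => $values) {
            echo "  $name = " . implode(' | ', $values) . "\n";
        }
        $names = array_map(fn(string $k) => explode(':', $k, 2)[1], array_keys($params));
        foreach (scripts_sharing_params($entries, $names, $script) as $other => $shared) {
            echo "  also accepted by $other: " . implode(', ', $shared) . "\n";
        }
    }
}
```

Run as `php analyze_requests.php`; on the sample it reports `/engine/ajax/stats.php` as the only foreign script, the `id`, `mode` and `dbg` parameters it was called with, and that `comments.php` and `search.php` also accept `id` and `mode` respectively, which is where the "same weakness elsewhere" sweep starts. The manifest check only works against a list built from a pristine copy of the engine, not from the compromised install, since the planted script is by design named to look like an engine file.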

Episode 4. Farewell


As expected, there were no new hacks, but there was a new letter from our client saying that we were jerks, that we had behaved extremely unprofessionally, and that we could at least pay up for having been shown the vulnerabilities in our engine.

We exchanged contacts and found several closed communities with 0day information, where vulnerabilities in our engine that had been unknown to us until then were published; we were pleasantly surprised. We said thanks to the kulhacker and topped up a phone whose number he never gave us ;)

Episode 5. Working Moments


New company, new tasks. Out of the corner of my ear I overhear IT engineers talking about how the company's main site has been hacked for the umpteenth time, how the company that developed the site several years ago wants money to update the engine and close the vulnerabilities, and what on earth to do, because soon they would be torn to shreds over it. I wedge myself into the conversation and offer help.

The classic is, after all, simple to the point of absurdity; every kulhacker starts with it. To begin with, I suggest enabling analysis of POST requests, since the GET logs showed nothing, which was to be expected. A couple of hours later I get the answer that the hoster said it's impossible, that they don't keep such logs, and that if you want POST bodies collected, collect them yourself. The guys are upset.

"That's three," I thought, and explained how to force the collection of POST requests from all the site's scripts. The next day an attack vector was found, the vulnerability was promptly closed, and the IT engineers gained invaluable experience in analyzing the situation, which they probably still use today. The company had no infosec function at all.
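One way to do what the paragraph above describes, that is, make every one of the site's own PHP scripts record its POST body (which the web server's access log never contains), as an added example that is not the original post's code: a small logger loaded in front of every script through PHP's auto_prepend_file directive. The log path, the list of redacted field names and the 4 KB cap on unparsed bodies are assumptions.

```php
<?php
// Added example (not from the original post or from any engine): request
// logger to be loaded via auto_prepend_file so that every PHP script on the
// site records its GET and POST parameters as one JSON line.
// Log path, redacted keys and the raw-body cap are assumptions.
declare(strict_types=1);

// Must be writable by the PHP user and must live outside the web root.
const REQUEST_LOG = '/var/log/site/requests.jsonl';
// Never write credentials to disk: values of these keys are replaced.
const REDACT_KEYS = ['password', 'pass', 'passwd', 'login_password', 'csrf'];

/** Replace the values of sensitive keys, at any nesting depth, with a marker. */
function redact(array $params): array
{
    foreach ($params as $k => $v) {
        if (is_array($v)) {
            $params[$k] = redact($v);
        } elseif (in_array(strtolower((string) $k), REDACT_KEYS, true)) {
            $params[$k] = '[redacted]';
        }
    }
    return $params;
}

/** Build the record for one request; kept as a pure function so it can be tested outside a web server. */
function build_record(array $server, array $get, array $post, ?string $rawBody): array
{
    $body = $post;
    // A POST whose body PHP did not parse (JSON, XML, odd Content-Type) is
    // still worth keeping: record the raw bytes, capped so the log stays sane.
    if ($body === [] && $rawBody !== null && $rawBody !== '') {
        $body = ['_raw' => substr($rawBody, 0, 4096)];
    }
    return [
        'ts'     => date('c'),
        'ip'     => $server['REMOTE_ADDR'] ?? '-',
        'method' => $server['REQUEST_METHOD'] ?? '-',
        'script' => $server['SCRIPT_NAME'] ?? '-',
        'uri'    => $server['REQUEST_URI'] ?? '-',
        'ua'     => $server['HTTP_USER_AGENT'] ?? '-',
        'get'    => redact($get),
        'post'   => redact($body),
    ];
}

/** Append one JSON line; LOCK_EX keeps concurrent requests from interleaving partial lines. */
function log_request(array $record, string $path = REQUEST_LOG): bool
{
    $line = json_encode($record, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES) . "\n";
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

if (PHP_SAPI !== 'cli') {
    // php://input can be re-read by the application afterwards; for
    // multipart/form-data it is empty and $_POST carries the fields instead.
    // File uploads are deliberately not logged.
    log_request(build_record($_SERVER, $_GET, $_POST, file_get_contents('php://input') ?: null));
}
```

Enable it with `auto_prepend_file = /path/to/request_log.php` in php.ini, or, where only per-directory control is available (the shared-hosting case in the story), with `php_value auto_prepend_file /path/to/request_log.php` in .htaccess under mod_php or `auto_prepend_file=/path/to/request_log.php` in a .user.ini under CGI/FastCGI. Keep the log outside the web root, readable only by the PHP user, and rotate it: it contains everything users submit, which is exactly what makes it useful to the next intruder too. Once it exists, the search for a foreign script and its parameters is a matter of reading the JSON lines.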

Conclusion


If you want to learn the basics of information security, start with kulhacking. If the area turns out to be interesting, move on to the next step. The more you know about hacking methods, the better you can counter attackers.

And yes, once you get as far as assigning access per person, you can start drawing up proper infosec regulations.

"What about the bots?" you ask. And I'll answer: "Analyze the behavior, find the attack vector, the patterns and the common points, and you can deal with them!" It's very much like the general approach to security, in fact. Preventive measures are only ever based on experience.
