FreedomCoder Information for free-minded geeks

14Jul/10

“Recommend this site/page” Client-side Attack

Looks like these past few weeks I got some inspiration, so let's abuse it.

One of the issues when performing a social engineering / client-side attack is that if a smart administrator notices the emails are all coming from a single location, he will simply add a rule to the firewall or SMTP server to stop serving/responding to that IP.

Yes, this is easily bypassable by using different IP addresses or even several free services such as Hotmail, Gmail, Yahoo, etc. (all supported in EMaily http://www.github.com/FreedomCoder/emaily ). But what if we want to keep the attacks hidden and coming from one or more random sites? Or what if the SPAM filters are so good that it is simply too difficult to send emails, but the client has a "recommend this site/page" feature on their web application, and because the source IP is within the DMZ the SPAM rules won't apply to those emails, etc…

It is worth noting from the beginning that if we do not have proper permission to use the web application, this is not the most recommended way to hide and attack from a legal perspective; nevertheless, for those cases in which we do have permission, there is a way to search for already available web applications that contain methods such as the ones that let you recommend a site/page and write a message (i.e. Google.com).

After looking through a few of the links shown above, we found that some of them are well programmed and will only let you enter an email and a name; but after looking a little deeper at many of them, we found that a lot are just a POST or GET request form that lets you send an email to anyone with any subject, message and From/Return-To address.

For example, the one shown below lets you specify TO, FROM and the body message, and the "captcha" shown in the Figure doesn't really matter, since it is only checked in the browser; hence when we send the POST request ourselves there is no need to include it. Using this information, we now know that it can easily be automated to send hundreds or millions of emails with a small message; maybe it will support HTML, and if not it will most surely allow us to send a URL to a site we control.
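From the defender's side, the form described above fails because the CAPTCHA is only checked in the browser and From, To and the body are all caller-controlled. The following is an added example, not code from this post or from EMaily, of the server-side validation such a handler needs: the field names come from the request template further down in this post, while the `page_url` field, the `captcha_ok` flag (the outcome of a server-side CAPTCHA check) and the site host and sender addresses are assumptions.

```python
import re
from urllib.parse import urlparse

SITE_HOST = "www.example.com"         # assumed: the only host a recommended page may live on
FIXED_SENDER = "noreply@example.com"  # assumed: every recommendation is sent from this address
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def clean_header_field(value, max_len=64):
    """Return a trimmed name safe for a mail header, or None if it is empty,
    over-long or carries CR/LF (which would allow header injection)."""
    value = value.strip()
    if not value or len(value) > max_len or "\r" in value or "\n" in value:
        return None
    return value


def build_recommendation(form, captcha_ok, site_host=SITE_HOST):
    """Validate a recommend-this-page submission on the server.

    form: posted fields (your_name, your_email, friend_name, friend_email,
          txt_body as in the request template in this post, plus an assumed
          page_url field naming the page being recommended).
    captcha_ok: outcome of a server-side CAPTCHA check (assumed to exist).
    Returns (message, None) when the mail may be sent, else (None, reason).
    """
    if not captcha_ok:
        return None, "captcha not verified server-side"
    your_name = clean_header_field(form.get("your_name", ""))
    friend_name = clean_header_field(form.get("friend_name", ""))
    if your_name is None or friend_name is None:
        return None, "invalid name field"
    to_addr = form.get("friend_email", "").strip()
    if not EMAIL_RE.match(to_addr):
        return None, "invalid recipient"
    # The recommended page is the only link that goes out, and it must be on our host.
    page = urlparse(form.get("page_url", ""))
    if page.scheme not in ("http", "https") or page.netloc.lower() != site_host:
        return None, "page is not on this site"
    # your_email and txt_body are deliberately ignored: the sender is fixed and
    # the body is a template, so no caller-supplied text, HTML or URL is relayed.
    body = (f"{your_name} thinks {friend_name} might like this page on {site_host}:\n"
            f"{page.geturl()}\n")
    return {"from": FIXED_SENDER, "to": to_addr,
            "subject": f"A page recommended on {site_host}", "body": body}, None
```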

When we click on the "Recommend Now !" button, it creates a simple POST request, as shown below:

Now, how can we take full advantage of these freely available MAIL FORM services? To my knowledge there is no tool capable of using such forms in a uniform manner and sending rounds of emails. It would be nice to have a small script capable of sending such email rounds. After writing a few proofs of concept, I realized that EMaily was the right tool to do exactly that. It already has 90% of the code implemented, and I only need to add a few methods here and there and create some new options for the new "binary" emaily_web. Once I finish coding I should be able to send huge rounds of emails using something like the following commands:

> emaily_web  --add-server --name  site_example  --uri  site.example.com  --port 80
> emaily_web --server site --form site_post_req.txt --list emails.csv --block 50 --sleep 60

So instead of using an email template in HTML format, we have to provide a file containing a POST or GET request like the one shown below, which contains the request to send an email along with the special words used by EMaily to generate each individual email (request).

POST /cgi-bin/mailform HTTP/1.1
Host: www.example.com
Referer: http://www.example.com/cgi-bin/mailform
Cache-Control: max-age=0
Origin: http://www.example.com
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.0 (KHTML, like Gecko) Chrome/6.0.408.1 Safari/534.0
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 229

your_name=%%FNAME%%&your_email=%%FROM%%&friend_name=%%TNAME%%&friend_email=%%EMAIL%%&txt_body=%%MESSAGE%%&btn_submit=+Recommend+Now+%21+
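The batch sending described above (a block of requests to the same form endpoint, then a pause) leaves a recognisable pattern in the web server's access log. As an added example, not part of this post or of EMaily, the following counts POSTs to the form path per client address over a sliding 60-second window and reports sources that exceed a threshold; the log format is the common combined format and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Apache/nginx style); we need client address, timestamp, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" \d{3}')
FORM_PATH = "/cgi-bin/mailform"  # the endpoint from the request template above


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def find_bursts(lines, window_s=60, threshold=20):
    """Return {ip: peak count} for client addresses that issued at least
    `threshold` POSTs to FORM_PATH inside any `window_s`-second window.
    Assumes the log is in chronological order, as a live access log is."""
    recent = defaultdict(deque)  # ip -> timestamps of its POSTs still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "POST" or rec[3] != FORM_PATH:
            continue
        ip, ts = rec[0], rec[1]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def sample_lines():
    """Constructed sample: one address posts 30 forms in 30 seconds (one block of
    automated sends), then an ordinary visitor views the form and sends a single one."""
    burst = ('198.51.100.7 - - [14/Jul/2010:10:00:{:02d} +0000] '
             '"POST /cgi-bin/mailform HTTP/1.1" 200 512')
    lines = [burst.format(sec) for sec in range(30)]
    lines.append('203.0.113.9 - - [14/Jul/2010:10:00:31 +0000] '
                 '"GET /cgi-bin/mailform HTTP/1.1" 200 2048')
    lines.append('203.0.113.9 - - [14/Jul/2010:10:00:41 +0000] '
                 '"POST /cgi-bin/mailform HTTP/1.1" 200 512')
    return lines
```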

Once we run the application it should generate output like the one below, stating each email and whether it was sent successfully or failed.
Output sample:

___________              .__.__
\_   _____/_____ _____   |__|  | ___.__.
|    __) _/     \__   \  |  |  |<   |  |
|        \   Y Y  \/ __ \|  |  |_\___  |
/_______  /__|_|  (____  /__|____/ ____|    W E B
\/      \/     \/        \/

DISCLOSURE: This code is not bug free. If you find one do not hesitate to report it.
All bugs are greatly appreciate it.
------------------------------------------------------------------------
Creating Email for test1@gmail.com
Successfully sent test1@gmail.com
Creating Email for test2@hotmail.com
Successfully sent test2@hotmail.com
Creating Email for test3@yahoomail.com
Successfully sent test3@yahoomail.com
Creating Email for matt_test1@hotmail.com
Successfully sent matt_test1@hotmail.com
Creating Email for matt_test2@gmail.com
Successfully matt_test2@gmail.com
Creating Email for matt_test3@yahoomail.com
Successfully sent matt_test3@yahoomail.com
------------------------
Happy Hacking :)
Good Bye.

This is now part of EMaily 0.3, released in sync with this post, so most of the already known EMaily features still work.

Happy Hacking !!!

11Jul/10

Amazon Users’ info Crawler

Another weekend and another crawler. This time it is not emails, but nonetheless interesting data from a big gadget store.
Surfing through the site for gadgets, I found that Amazon has some interesting profile data about its users, such as location, date of birth, wish list, interested persons list, reviews written for gadgets, etc.

Looking at the URL, it was obvious that this could be automated to obtain most, if not the entire, list of Amazon users. As it turns out, a simple Google search with

site:http://www.amazon.com/gp/pdp/profile/

does the job. Once I saw that, it was just a matter of writing a small script to harvest all the profiles out of Google and then parse each individual profile for useful information, as shown on the screenshot below, which shows how simple it is to gather information such as user location.

Once I had a proof of concept done, I started to think about how I could use this data, beyond the fact that it is a simple information disclosure on Amazon's part.

As you might imagine, I'm always on the hunt for new ways to improve ESearchy's info gathering. I've reached a limit on how many emails or new persons I can easily get for free online. Because of this, lately I have changed/expanded the searches from adding more persons to adding more detailed information about each individual target. First it was the profiling option in ESearchy that searches within each user's profile for other social networks, friends/co-workers, photos, or personal sites.

Having this now, I thought that we could expand the information to the shopping information offered on the profiles, such as the wish list, the reviewed items (which they almost surely own), etc.

So, if we wanted to target each individual, we could crawl the entire Google results DB once and store it in an offline DB, and/or look for a way to search for individual persons within these results. What if we take the person's name obtained from LinkedIn, Spoke, etc. and add it to our Google search parameter:

site:http://www.amazon.com/gp/pdp/profile/ Susan Emery

That will easily return only a few results, for which we could use some kind of partial regular expression with a percentage for completeness, and take a huge leap in saying that both persons are the same and that those are the items he/she wants.

So there it goes: more potentially useful information that will allow us to generate even better and more targeted attacks against a particular person.

Happy Hacking

Proof of Concept Code: