Reverse Engineering the We Heart It API

Introduction

A while back, I came across the article from The Washington Post describing We Heart It, a social network claiming over 30 million users. If you haven’t seen it, We Heart It (from here on out abbreviated as WHI) is a social network which encourages people to post and share photos and images of things that inspire them.

Having such a large user-base, I was interested in seeing what kind of API the site offered developers. However, I was disappointed when I found out that the API was closed to “partners”, and even this is not a full REST API, but rather a simple button developers can place on their website to allow users to interact with WHI.

With this being the case, I decided to take a look at the Android and iPhone apps using both static and dynamic analysis in an experiment to see if I could reverse engineer the API used on the backend. Here are the results.

How to Hunt Down Phishing Kits

Introduction

Sites like phishtank and clean-mx act as crowdsourced phishing detection and validation. By knowing how to look, you can consistently find interesting information about how attackers work, and the tools they use to conduct phishing campaigns. This post will give an example of how phishing kits are used, how to find them, as well as show a case study into other tools attackers use to maintain access to compromised servers.

A Look at Comment Spam Generator Scripts

Introduction

It’s been a while! I’ve been busy getting gophish closer and closer to beta. Should be ready soon! Until then, here’s a quick look at some comment spam scripts I discovered when perusing through the content over at phishtank.com. As a side note, the scripts were bundled as some Louis Vuitton spam, though that doesn’t seem to relate to the content of the spam scripts at all.

The Spam Scripts

Here are the scripts - the format looks very similar to those found by Alex King.

Building GoPhish - How to Send Email with Go

Introduction

I’ve been playing around with Go for about a month now, and I’ve really grown to like it. After getting used to the syntax and remembering what a pointer is for (thanks, Python), Go has become a favorite language to develop with. I’m even using it for the Matasano Crypto Challenges (which are awesome).

While the standard library in Go is definitely robust, being a young language, there are a few niceties that aren’t yet included. Sending email is one of them. Don’t get me wrong, Go has a wonderful SMTP package, MIME package, and even a Mail package (which only parses existing email messages). However, there is no library to actually create emails in a meaningful way. Since Gophish relies heavily on sending emails, I’ve sought to change this. And, after reading more RFCs than I normally prefer, I believe I’ve created a package that provides intuitive, robust, and flexible email creation and sending called email.

Let’s see how to use it.

Building Gophish - Day 1

Introduction

Since the Simple Phishing Toolkit (SPT) was discontinued, I’ve wanted to create a simple, effective, and open-source phishing toolkit. In recent years, we’ve seen a rise in spear-phishing attacks targeting large organizations, most of which are largely successful. The goal of this toolkit will be to provide businesses and penetration testers with the ability to quickly and easily perform in-house or contracted phishing engagements, and track the responses to see where improvements can be made. This toolkit will be called gophish.

In addition to this, I’ve been casually poking around at go for a while now, and have decided it would be good to finally put it to use in a larger project. I’m a fan of seeing the steady development and updates of projects as they are created. I believe it can help keep the developer motivated and the users informed and involved, so this is what I’m going to do. Hopefully, these posts will allow others to learn alongside me, as well as spur improvements from experienced go developers so that gophish can be the best product possible.

With that being said - let’s get started!

Wireless Attacks with Python: Part One - The "Dnspwn Attack"

Introduction

A while back, I published a post on the Raidersec blog demonstrating how to perform a deauthentication attack using Python and Scapy. I enjoyed writing the post, since I got the opportunity to learn in-depth about how different wireless attacks work, beyond just learning how to exclusively use the aircrack suite.

So, with that being said, this post will kick off a short series of posts discussing how to perform common wireless attacks using Python. I hope you enjoy the posts and, as always, never hesitate to let me know if you have any comments or questions below.

How to Pentest iPhone Apps with Burp

Introduction

When looking at the functionality of mobile apps, it’s clear that they aren’t that different from web applications. They often just serve as a frontend for the data stored on a central backend server or database. As such, if developers aren’t careful to protect these apps, many of the same vulnerabilities we find in standard web applications (such as injection attacks on unvalidated input) can be exploited by attackers.

This post will show how to set up the iPhone to work with the popular Burp Suite so that traffic from apps can be intercepted and tested for vulnerabilities.

Linkedin's Response to My "Phishing with Intro" Post

The Initial Post

I recently published a blog post which showed a practical attack against Linkedin’s Intro. The post reached the front page of Hacker News (a full writeup of my experience with the “Hacker News Effect” will be posted soon for those interested), which caused the post to gain quite a bit of publicity and traction. Soon after, I was contacted by Linkedin’s security team. This was their response.

Jordan Wright

Phishing with Linkedin's Intro

Update 10/28/2013 6:30PM CDT - I have been in contact with Linkedin’s security team and a hotfix has recently been released to address the findings below. This fix applies the styling rules to a randomly generated ID, as opposed to the class based styling seen below. This provides more specificity in applying the rules, making it more difficult to override.

I am no CSS expert so there could very well be tricks to still get around this and remove the content (or even just hide it and overlap it) - email me if you know of one! I will be continuing my work with Linkedin’s security team to iron out any bugs we can find. Users are reminded that no solution is perfect, and that seeing this data in an email in no way definitively proves the sender’s legitimacy.

I would also like to thank Linkedin’s security team for their quick and effective response to these findings.

“Intro”duction

On October 23, Linkedin introduced an application called “Intro”. The premise is simple: allow iPhone users to see details about the people they are emailing within the native iPhone Mail App. Think Rapportive for the iPhone Mail App, because that’s essentially what this is (and made by the same people).

However, when reading the initial description of Intro, there was one part that caught my eye:

David says Crosswise would love to work with you. Is this spam, or the real deal?

With Intro, you can immediately see what David looks like, where he’s based, and what he does. You can see that he’s the CEO of Crosswise. This is the real deal.

This is not much different than Linkedin saying “we’ve put a picture of a lock in your email, so you know for sure it’s secure”. Linkedin is simply giving its users a false sense of security. In this post, we’ll take a look and see what exactly Linkedin is doing to its users’ email, as well as how we can spoof this information, gaining full control of the information shown to the user.

Automated Social Engineering Recon Using Rapportive

Introduction

When performing a social engineering engagement, recon is key. In a previous post, I demonstrated a few ways in which we could automate the recon process. However, the methods I showed were simply ways to find the profiles of people that might belong to a particular organization.

During SE engagements, we often either run across email addresses (by, say, simply scraping the main website) or want to enumerate the email address structure in use by an organization (generating possible alternatives using tools like jigsaw.rb). It would be helpful if it were possible to automate the process of validating those email addresses by associating them to additional information or social networking profiles. This is where Rapportive comes in handy.