Verizon.net Exploit PoC

Introduction
This is a Proof of Concept article describing a BlackBox pentest on a low-level target giving way to a High-level vulnerability in a big name company.

During Pre-engagement the target was identified only by BSSID and ESSID (great..one of those tests). The reinterpreted mission Scope: "Reconnect target 'without' brute-force or noisy network activity." The verbatim Scope: "Discover any possibilities of attacking victim or victims account status without using aggressive attack methods."

For this mission 'Wifi Hacking', 'Common Sense', & 'Possible Social Engineering' are at the disposal of the attacker.

You can read my notes at the end of this article

[disclaimer statement]

For obvious reasons detailed steps are omitted for sake of brevity and the safety of other innocent targets which are not aware of attacker activities. Please note: I am trained and authorized to perform these objectives disclosed in this article. I assume no responsibility for others attempting to reproduce the actions discussed in this article. If you are aware of the missing information, please be ethical in your actions.

As always, the information I provide in articles is purely for Educational purposes ONLY!

[/disclaimer statement]

Mission 1: Identify the Target

Identifying the target proved to be an easy task since the target is identified by BSSID and ESSID only. Naturally, a scan within range of the Pre-engagement site topped the list of 'to-dos'. To begin this objective Airmon-ng, Airodump-ng and Aircrack-ng are the tools of choice.

(Note: If you are unaware of the steps required to perform this attack, consult Google. Describing the syntax and options used in a Wifi attack is beyond the scope of this article. This is not a tutorial.)

//Airmon-ng succeeded in starting interface
//Airodump-ng succeeded in displaying APs

At this point, the attack became focused on the BSSID, Channel, WPS & ESSID of the target. It is essential at this stage to avoid disrupting network traffic using 'deauth' or 'packet injection', as it goes against the Scope of the project. Thus, this scan was conducted over an average of approx. 2 hrs. (Amazingly, the hours went by without bother from the client: "How's it coming", "Sent memo", etc.)

One surprise I found was that the target was using a WEP CIPHER!! (WOW)

Mission 2: Access the Target Network

After the proper amount of .ivs were captured it was time for aircrack-ng to get to work. I named the file with the first few characters of the AP's ESSID.

//Aircrack-ng succeeded in finding the AP's PSK

root@kali:~# aircrack-ng -b 00:12:0E:88:42:6A 07FX08-01.cap

Opening 07FX08-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 10374 ivs.

  Aircrack-ng 1.2 rc2


                 [00:00:09] Tested 14201 keys (got 10427 IVs)

   KB    depth   byte(vote)
    0    6/ 11   DD(14080) 16(13824) 7F(13824) DB(13824) FD(13824)
    1    2/ 15   43(15360) E1(15104) 09(14848) F2(14592) C6(14336)
    2    7/ 10   9D(14080) CA(13824) E2(13824) F6(13824) 5E(13568)
    3    0/  1   9F(17408) 3D(15360) 31(15104) 7B(15104) B1(14592)
    4    6/  9   98(14592) B0(14592) FC(14336) 26(14080) C2(14080)

                         KEY FOUND! [ DD:43:C2:9F:98 ]
        Decrypted correctly: 100%

Discovery of the AP's PSK led to its compromise via 802.11. There are still no fireworks yet; the recon phase has to start again.

Mission 3: Verify Target Connectivity

Of course it is always a good idea to check connectivity of AP.

  root@kali:~# ifconfig wlan0

wlan0     Link encap:Ethernet  HWaddr 90:00:4e:08:22:fa  
          inet addr:192.168.1.42  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::9200:4eff:fe08:22fa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3920 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1969 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1359759 (1.2 MiB)  TX bytes:273598 (267.1 KiB)

root@kali:~#

As badly as I wanted to scan the network for other devices or monitor the network for additional traffic, I had to push on. The next step here: open up a web browser and simply navigate to a web page where the victim is identified by IP. This is where the real work begins.

At this stage, it is discovered that the victim has internet connectivity with limitations. This is what the client intends. Circumventing these limitations is the vulnerability. Not just bypassing these limitations but doing so as an unauthorized user.

Mission 4: Reconnect Target

//Target supplied victim's account information successfully without brute-force or noisy network traffic

Verizon User ID:        username1

Secret Question:        What was the first live concert you attended?

Contact Email:  emailaddress@msn.com

Mobile Number:  555-555-5555

Verizon Email Setup:    verizon.com/accountprofile

Verizon Support:        verizon.com/support

As shown above, this information is vital to my initial objective. The ease of acquiring this information is troublesome. In the next few lines I will explain how simple this attack was to circumvent the client and exploit their target by using their customer as my victim, thus reconnecting the target.

NOTES

Because the victim is a customer, it is important for the client to have some say-so in their account status should events occur requiring the customer to be 'cast'. This role in this case means the client has a limitation on network connectivity, meaning the customer cannot access the Internet until other conditions are met, e.g. activating an account, paying a bill, or signing up for service.

In order to succeed at this mission I needed to go Overt. First step: "Identify the reason for the limitation". For the convenience of the customer, the client provides them with a way to 'comply' with the conditions needed to restore service. This is a bonus for an attacker because it is a way for the attacker to understand the target. Notice I say target because the victim is the customer and the client is the company; the target is the objective, or the client's controls.

The limitation discovered here is "Service Disruption". So since there is no way to simply restore it through authorized means, I must look into the profile of the customer and restore service in their name, but how?

Second step: "Access victim's account". After reviewing the controls set for the customer I noticed that everything asked of the customer is personal information known only to the customer him/herself.

Details include: "Last Name, First Name, Zip" >> "Account Number, Zip" >> "Username, Password"

Guessing any of this information leads back to breaking the SCOPE of the project, as it requires either brute-forcing or raising flags to the target, and thus the banning of the IP addresses required to access the information. Not a good look! The obvious move is to view the source code of these controls to discover not-so-confidential information to further the cause.

Viewing the source code to search for file paths was my only hope. I discovered the following file paths, which led to the confidential information of the victim, giving way to removing the controls set by the client:

 Verizon Images images/


login_people.gif

laptop_girl.jpg

pre_login_girl.gif

modal_close.gif

bwg/continue_button.gif

        //interesting info about server
                The required query parameter [wsrp-url] in the submitted request.

        //Usage through activate.verizon.net
                https://activate.verizon.net/eActivation/start?rapFlowType=HSI

This information will never be hidden; however, it is important for the client to authenticate the user in a limited manner to prevent circumventing the controls set forth. This attack did not require SQLi, XSS, Directory Traversal, Brute Forcing, or the usage of MSF.
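
One way to implement the limited authentication described above, as an added example (not code from this article or from the client): a field-level disclosure policy for a restricted-service portal. The assurance levels, field names and policy table are hypothetical; the sample record reuses the placeholder values shown in this article plus one constructed field.

```python
from enum import IntEnum

class Assurance(IntEnum):
    IP_ONLY = 0        # subscriber inferred only from the source IP of the restricted line
    VERIFIED = 1       # passed a knowledge check such as "Account Number, Zip"
    AUTHENTICATED = 2  # logged in with "Username, Password"

# Hypothetical policy: minimum assurance needed to see each field in full.
# Any field not listed here is never returned (allowlist, not denylist).
FULL_VIEW = {
    "user_id": Assurance.VERIFIED,
    "contact_email": Assurance.AUTHENTICATED,
    "mobile_number": Assurance.AUTHENTICATED,
    "secret_question": Assurance.AUTHENTICATED,
}

def mask_email(value):
    local, _, domain = value.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"

def mask_phone(value):
    digits = [c for c in value if c.isdigit()]
    return "***-***-" + "".join(digits[-4:]) if len(digits) >= 4 else "***"

# Fields that may appear as a masked hint once the visitor is at least VERIFIED.
MASKERS = {"contact_email": mask_email, "mobile_number": mask_phone}

def profile_view(account, assurance):
    """Return only the account fields the given assurance level may see."""
    view = {}
    for field, required in FULL_VIEW.items():
        if field not in account:
            continue
        if assurance >= required:
            view[field] = account[field]
        elif field in MASKERS and assurance >= Assurance.VERIFIED:
            view[field] = MASKERS[field](account[field])
        # Otherwise the field is omitted: an IP-only visitor learns nothing.
    return view

# Constructed sample record built from the article's placeholder values.
SAMPLE = {
    "user_id": "username1",
    "secret_question": "What was the first live concert you attended?",
    "contact_email": "emailaddress@msn.com",
    "mobile_number": "555-555-5555",
    "internal_notes": "constructed field that must never be rendered",
}

if __name__ == "__main__":
    for level in Assurance:
        print(level.name, profile_view(SAMPLE, level))
```

With this policy, anyone who merely joins the subscriber's network still reaches the restore-service page but receives no account fields from it.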

The information provided could have led to further exploitation of the victim rather than just the target, for example:

Verizon User ID:        username1 << can be changed to prevent victim from accessing account

Secret Question:        What was the first live concert you attended? <<obtain through social-engineering

Contact Email:  emailaddress@msn.com << send key-logging file to this email-address or other malicious content

Mobile Number:  555-555-5555 << track this number to find GPS/ use to social-engineer victim

Verizon Email Setup:    verizon.com/accountprofile

Verizon Support:        verizon.com/support

Mission 5: Write PoC

You are looking at it... I hope you enjoyed exploring this with me. Leave a comment about what you have learned or what you would have done if you had this objective. PS I think you are cool too!

os13115