presumably part of the challenge was to do it without using already known information, as he probably already had her email and phone number but still looked for them
I just typed catb.org (random website I know only serves HTTP) into Chrome's address bar and it landed me on the HTTP version, no warnings or anything. I assume Firefox works the same, but I can't be bothered to disable HTTPS-only mode.
sslstrip will still work today on any website that doesn't use HSTS. It will work for the first ever visit (by that browser) of a website that uses HSTS if they aren't on the preload list. A surprising number of websites have neither.
That's assuming the average internet user types a url into their address bar instead of using their browser's "new tab page" with recent sites (all probably HTTPS) and finding non-history pages through a search engine that will be HTTPS by default and point mostly to HTTPS endpoints.
So yes, you can catch a subset of users who type new urls into their address bar, but that's a minority of people a minority of the time.
Perhaps in the world where you (the red-teamer) sets up their phone and/or laptop as an unencrypted/open wifi hotspot access point and then follow them (the blue-teamer) to their favorite coffee spot / burger bar / etc?
If I recall correctly even current phones will connect to open wi-fi spots preferentially and/or automatically. Bingo, job MITM done! Bonus points for having a tool on the red-teamers' laptop that can send wi-fi de-auth packets :)
That would be the first thing I would look in to to see if it is still do-able today if the problem was 'hmmmmm. Given the parameters, how could I MITM the blue-teamer?'
I'm sure that others can come up with even wilder ideas involving can-tennas or bird-dogging the blue-teamer into a elevator with a 'running useful and interesting stuff' laptop in a backpack and wait for the blue-teamers' cell phone to start reaching out desperately for a way to remain connected (cell tower, wifi, 2G cell signal etc) either of which might work
With HTTPS a lot of this doesn't work anymore. You generally need to install a MITM certificate on the target device so that it doesn't say "HEY EVERY WEBSITE YOU VISIT HAS A CERTIFICATE ISSUE!" and fail to load unless you find an esoteric button/link/series of clicks that lets you load the insecure page.
You can capture netntlm hashes if you control the network, but you’d still have to crack them. HSTS and secure cookie flags help a lot with sslstrip type attacks though.
Passwords feel more like extra usernames these days with 2FA.
Why bother changing them when hashes will be leaked immediately by the incompetent idiots at <insert this week's big company that had data stolen yet again>.
I don't think those work with today's code generators, since nothing is ever sent to the user. SMS and other types of 2FA should hopefully be obsolete soon.
Ha, not if they won't let you make an account without one in the first place. Looking at you, OpenAI asshats.
The only ones I've seen still use SMS confirmation are banks, not so much because of advertising because they already have just about every shred of info that's possible to get about you without sequencing your DNA, but because they're too cheap to overhaul their systems.
No. Always remember that just by being on this website you are likely to be in the top 5% for computer literacy and ability. 2FA is non existant to the general population barring systems that enforce it.
No. You have clearly an infinite battery on your phone, money on your account, guaranteed world-wide service, absence of thieves, monkeys and gravity. And travels. And trains, toilets, ... hammers? Nothing can go wrong with your phone, right?
Sweet hesus, installing a keylogger on your own system to steal passwords from friends who are trying to help you?
And the content doesn't show any awareness of the issue. Perhaps it'd be more clear to that poster if one of those friends would've used the keyboard access to type "format c:<enter>".
We'd do similar tricks but only between a small group who all knew what they'd signed up for. It definitely helped to make you more aware of people trying to get into your accounts. To the point where someone would have to add a long list of disclaimers on sending an innocent link to their holiday pictures if they expected you to view them. And there are still some people who can't get me to click any link they send me (fool me once, etc).
Even so to do it to unsuspecting people isn't nice at all and essentially a breach of trust, especially using a keylogger. Even today I'm not going to use someone else's device to do anything requiring a login so some of the paranoia lingers, but leave your device out of sight for long enough and it might as well be somebody else's.
Samy's little tools always impress me, he gets a ton of mileage out of this stuff and it is a really good warning to read his posts every now and then to get an idea of what a talented individual can achieve.
I don't see any mention of keylogging in the blog post, did I miss it? Or might you be referring to a comment on another HN submission of the same post? https://news.ycombinator.com/item?id=14921120
I feel like this may break the rule about not interrupting her daily life.
Since the other easy password documented in the article wasn't her current one, it is at least possible that she had chosen a more difficult password as her current one. Downgrading from her current password back to the old easy one makes her vulnerable to other attackers-- especially if she did not quickly reset it to something other than qwerty1.
If it sounds like I'm nitpicking, just imagine that the game was "try to hack my old bitcoin and send it around and back." The moment the hacker sends to the "qwerty1" address it's going to get immediately eaten by some automated script by one of a thousand other hackers.
Skipping through kilobytes of humor, a voice start speaking in my head. Imperial voice. From TES Oblivion: "That's... a bit excessive, don't you think?"
Ok, I HAVE to add. The whole story revolves around a really bad password. Yet, the takeaway is "GO FOR 2FA", which is utter bullshit. Strong unique passwords (and a good password manager, if you can't remember) will suffice and won't lock you away if you ever lose your cell service.
50 comments
[ 4.7 ms ] story [ 102 ms ] threadA classic story!
If you start on HTTPS and never access plain HTTP resources, it's powerless, otherwise there would be no way to be safe on a public network at all.
sslstrip will still work today on any website that doesn't use HSTS. It will work for the first ever visit (by that browser) of a website that uses HSTS if they aren't on the preload list. A surprising number of websites have neither.
So yes, you can catch a subset of users who type new urls into their address bar, but that's a minority of people a minority of the time.
If I recall correctly even current phones will connect to open wi-fi spots preferentially and/or automatically. Bingo, job MITM done! Bonus points for having a tool on the red-teamers' laptop that can send wi-fi de-auth packets :)
That would be the first thing I would look in to to see if it is still do-able today if the problem was 'hmmmmm. Given the parameters, how could I MITM the blue-teamer?'
I'm sure that others can come up with even wilder ideas involving can-tennas or bird-dogging the blue-teamer into a elevator with a 'running useful and interesting stuff' laptop in a backpack and wait for the blue-teamers' cell phone to start reaching out desperately for a way to remain connected (cell tower, wifi, 2G cell signal etc) either of which might work
I'm sure there's tons of folks who just click "maybe later" and forget entirely.
Why bother changing them when hashes will be leaked immediately by the incompetent idiots at <insert this week's big company that had data stolen yet again>.
Don't most companies force SMS for 2FA primarily to get your phone number for advertisement tracking purposes?
The only ones I've seen still use SMS confirmation are banks, not so much because of advertising because they already have just about every shred of info that's possible to get about you without sequencing your DNA, but because they're too cheap to overhaul their systems.
https://news.ycombinator.com/item?id=18391120
And many other submissions besides that one.
For instance
https://news.ycombinator.com/item?id=14919845
And the content doesn't show any awareness of the issue. Perhaps it'd be more clear to that poster if one of those friends would've used the keyboard access to type "format c:<enter>".
We'd do similar tricks but only between a small group who all knew what they'd signed up for. It definitely helped to make you more aware of people trying to get into your accounts. To the point where someone would have to add a long list of disclaimers on sending an innocent link to their holiday pictures if they expected you to view them. And there are still some people who can't get me to click any link they send me (fool me once, etc).
Even so to do it to unsuspecting people isn't nice at all and essentially a breach of trust, especially using a keylogger. Even today I'm not going to use someone else's device to do anything requiring a login so some of the paranoia lingers, but leave your device out of sight for long enough and it might as well be somebody else's.
Samy's little tools always impress me, he gets a ton of mileage out of this stuff and it is a really good warning to read his posts every now and then to get an idea of what a talented individual can achieve.
https://samy.pl/poisontap/
https://news.ycombinator.com/item?id=14921120
I intended to reply to that comment, but clearly failed.
I feel like this may break the rule about not interrupting her daily life.
Since the other easy password documented in the article wasn't her current one, it is at least possible that she had chosen a more difficult password as her current one. Downgrading from her current password back to the old easy one makes her vulnerable to other attackers-- especially if she did not quickly reset it to something other than qwerty1.
If it sounds like I'm nitpicking, just imagine that the game was "try to hack my old bitcoin and send it around and back." The moment the hacker sends to the "qwerty1" address it's going to get immediately eaten by some automated script by one of a thousand other hackers.
4 years ago https://news.ycombinator.com/item?id=18391120
6 years ago https://news.ycombinator.com/item?id=14919845
I love a making fun of both Microsoft and Kingdom Hearts double whammy.
Otherwise, a pretty decent OSINT job so far.