
+-------[ ET LOWNOISE Colombia Nov. 1999] 


       SIMPLE PROBLEM ON HOME BANKING AUTHENTICATION AND
                     OTHER LITTLE BEASTS.
                              




+-------[ DISCLAIMER ]

HEY! This is for YOU, so you can correct YOUR problems. Give a
try and read my stupid shit.


+-------[ INTRODUCTION ]

Sometimes, while thinking about technical problems and their details,
organizations forget the possibility of simple attacks that
break all the security infrastructure they have developed.

This is not a "Wow" document. It is a small warning (a note to
write on one of those little sticky yellow papers) about a simple OLD attack
on the authentication mechanisms implemented in Home Banking servers
and other services whose client authentication has the same
characteristics.


+-------[ Common SCENARIO ]

Imagine...

The Bank "UPAC-sucks" wants to offer its clients a Home
Banking service they can use from their houses. For this, the bank has a WinNT server,
'Windows Non Terminated' (first bad decision =), behind a Firewall.

The connections use SSL so that the user connects "safely" to the bank
server and, using his web browser, can get into his bank account.

In order to authenticate the user, the client must enter his username
or account number and a 4 digit secret PIN code (remember, 4 digits
are used because it is easy for a client to remember a key that has
the same length as the ones used on ATMs). To prevent a brute force
attack, the account is locked for 1 hour after 3 consecutive failed
attempts. Additionally, if no operation is made for 5 minutes the
connection is aborted.


+-------[ Upps... ]

Numbers...

If I try a brute force attack, in the worst case I will need
to go through all 10000 (0000-9999) possibilities. Using groups of
3 consecutive tries, this will take me approximately (10000/3) = 3333 hours = 139 days
if the account is locked for 1 hour each time. That is a long time for an attack
to go unnoticed. There is also the possibility that the user is very
responsible with his account and changes his PIN monthly.


We are not dead. Do you remember the session timeout?
Now, if I just make 1 try every 5 minutes (the timeout), so the failed-attempt
counter dies with each session and the lock never triggers, going through all 10000
possibilities will take (10000*5) = 50000 minutes = 34 days. Divide
the scan range between 4 PCs and you will have the secret PIN in at most
4 days (MAXIMUM).

Now do you get the idea? Just one simple detail.


+-------[ SOLUTION ]

How many times did your father tell you not to use 4 digits for your
password!

The real problem behind this is the short key length, so the solution is
(guess........) to change the PIN scheme to use longer keys.
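The arithmetic from the "Upps" section and the fix proposed here, carried through as a small policy model (an added example, not code from the original text or its tool): it puts the bank's numbers (4 digits, 3 tries, 1 hour lock, 5 minute timeout) into a function so a defender can compare PIN lengths and, going one step beyond the text, see the difference between a failure counter that lives in the session and one kept per account across sessions. The class and function names are assumptions; attempts are assumed to take no time and the attacker is assumed to need the whole keyspace (worst case, as in the text).

```python
# Added example: model of the brute-force exposure described in the text.
# Names (LoginPolicy, worst_case_minutes, ...) are assumptions, not the tool's.
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginPolicy:
    pin_digits: int                 # numeric PIN length (the text's bank uses 4)
    max_failures: int               # failed tries before the account is locked
    lockout_minutes: float          # how long the lock lasts
    session_timeout_minutes: float  # idle timeout that aborts the connection
    counter_per_account: bool       # True: failures counted per account across
                                    # sessions; False: counter lives in the session


def keyspace(pin_digits: int) -> int:
    """Number of possible numeric PINs of that length (0000-9999 for 4 digits)."""
    return 10 ** pin_digits


def worst_case_minutes(policy: LoginPolicy, machines: int = 1) -> float:
    """Minutes to exhaust the keyspace, split evenly over `machines` clients."""
    n = keyspace(policy.pin_digits)
    if policy.counter_per_account:
        # Every block of max_failures guesses costs one full lockout period,
        # no matter how many sessions the guesses are spread over.
        minutes = (n / policy.max_failures) * policy.lockout_minutes
    else:
        # The counter dies with the session: one guess per session, let the
        # idle timeout abort it, and the lockout never triggers.
        minutes = n * policy.session_timeout_minutes
    return minutes / machines


def worst_case_days(policy: LoginPolicy, machines: int = 1) -> float:
    return worst_case_minutes(policy, machines) / (60 * 24)


# The bank from the text, read two ways (constructed from the text's numbers).
AS_DESIGNED = LoginPolicy(4, 3, 60, 5, counter_per_account=True)
SESSION_BYPASS = LoginPolicy(4, 3, 60, 5, counter_per_account=False)
# The fix the text asks for (a longer PIN), with the counter kept per account.
FIXED = LoginPolicy(8, 3, 60, 5, counter_per_account=True)

if __name__ == "__main__":
    for name, pol in [("4 digits, lock as designed", AS_DESIGNED),
                      ("4 digits, session-reset bypass", SESSION_BYPASS),
                      ("8 digits, per-account counter", FIXED)]:
        print(f"{name:32s} {worst_case_days(pol):14.1f} days")
```

With the text's numbers the model gives about 139 days for the lock as designed and about 35 days once the counter resets with the session; the second figure drops in proportion to the number of machines used.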


+-------[ A TOOL ]

From: theory@this.stupid.doc
to:   practice@reality

You need something to show your whatever-service provider,
so they can say UPPS..


SSSL Crack v1.0 
==========

Disclaimer: it is for the better.

It's a simple VB5 application; I even use an SSL ActiveX control demo.

Note: This tool has some limitations to stop the script kiddies.


HOW TO USE IT
-------------

Fill:

CGI: https://Host/PostLogin.cgi

     PostLogin.cgi is the name of the authentication CGI. If you don't
     know the CGI's name, just connect to the authentication page with
     your web browser and take a look at the source code.

     It must be using the POST method.

Before String: 

     It's the POST string that comes before the PIN. It will be something like

     username=heyyou&pin=

     Leave the PIN attribute empty; the program will put the PIN there.

After String:

     It's the POST string that comes after the PIN. It will be something like

     &Accept=Accept


NOTE: The POST string is: Before String + PIN + After String


Timeout: In MINUTES. How long to wait between each group of consecutive
         tries.

Consecutive Tries: guess.

Begin: First PIN to try. (4 digits)

End: Last PIN to try. (4 digits)

PIN: It will show you the current PIN status.

Response size: It will show you the size of the response when you send
               the data.

OK size: put in there the size of a correct response (e.g. the size of the
         base frame you get when your username and password are correct).

NOTE: if (Response size == OK size){ We found the PIN!; }


postdata: click to debug the data to send.
response: click to view the response page.

CRACK: Weeeeeeeeeeeee..
Abort: aughhhhhhhhhhh..


+-------[ The END ]

Efrain 'ET' Torres
[LoWNOISE] Colombia. 1999
et@cyberspace.org

http://my.narco-goverment.sucks.co
http://the.guerrilla.sucks.more.co

----------------------------------------------------------------------
"Guerrilla = Narcos, so why don't they extradite the guerrilla too, eh?"
----------------------------------------------------------------------
