Open routers at Dhiraagu hotspots?

Dhiraagu Wifi hotspot is something I had mentioned in an earlier post; however, I hadn't had a chance to experience the service on my laptop until recently. The opportunity popped up when my flight to the UK got delayed and I had to kill some time at the food outlet at the airport. My laptop readily found the "Dhiraagu Wireless Hotspot" SSID and a stable connection was established. The service was quite decent and I could browse and download in comfort and with speed. It certainly was a luxury that quite a few people would happily pay for.

As ever, curiosity got the better of me and I decided to take a peek at how the service was operating. Access-controlled wifi hotspots usually operate by allowing unprotected (that is, WEP/WPA-free) access to the wireless network and then authenticating the client with a central access controller. The client needs to open a web page, any page, upon which the browser gets redirected to a service login page where the user is prompted to enter the login details that grant them access to the internet thereafter. The login mechanism also serves as a means to facilitate billing.

The Dhiraagu system operates in a similar manner. Below is the screen that we are shown upon connecting. Notice that they are giving out the username/password to log in with for the current free-access promotion they are running.



The browser flickers as the system guides it through a series of links to complete the authentication. Looking at the URLs that the browser went through, I picked out one "interesting"-looking IP...

http://202.1.201.230:8002/Portal?NMIP=203.104.25.251?OS=http://www.msn.com/

And voilà, up comes the web administration interface for a Cisco router - the equipment that Dhiraagu is using to provide the Wifi hotspot service!



The router is apparently configured without any administration password, and the act of going to the router's IP address provided unfettered access to the wifi router and hence control over the wifi hotspot service.





I wonder if this is true for all the rest of the Dhiraagu hotspots splattered across Male'. The service is great, BUT is this how the system was deployed? This configuration of the wifi hotspot lets anyone take control of the router and facilitates all kinds of mischief!

Miadhu website attacked

Miadhu, one of Technova's recently launched websites, was attacked yesterday. The intruder gained access to the site via our custom-developed Content Management System (CMS) backend that handles the management operations of the site. Access to the CMS was gained by means of password guessing - a task made unbelievably trivial by the presence of an account name and a password to match: "miadhu" for both! The attackers then attempted to delete existing content and to add data to the website, the latter of which they managed to execute successfully. They left behind random messages in the articles they added - messages that ranged from as deep and simple as a "kekeke" to ones dissing Jabir and President Maumoon.

Miadhu notified us of the intrusion and we spent a good hour rummaging through the logs, mapping out the actions of the attacker and assessing the damage. Patching the door through which the attackers entered only involved changing account names and passwords in addition to advising the client to maintain secure password policies.
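The log review and the password advice above, as an added example (my own Python, not Technova's CMS code and not Miadhu's logs): a sliding-window detector that flags a source address which fails the login repeatedly and then succeeds, a timeline of what that address did once inside, and a policy check that refuses a password containing the account name. The log lines, the /cms/login path and the 401-on-failure / 302-on-success convention are all constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in combined-log format (not real Miadhu logs).
# Assumption: the CMS login handler is POST /cms/login, answering 401 on a
# bad password and 302 (redirect into the backend) on success.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Jan/2006:23:58:01 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:58:03 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:58:04 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:58:06 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:58:08 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:58:09 +0500] "POST /cms/login HTTP/1.1" 302 0 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:59:40 +0500] "POST /cms/article/delete HTTP/1.1" 403 88 "-" "Mozilla/4.0"
10.0.0.7 - - [12/Jan/2006:23:59:55 +0500] "POST /cms/article/new HTTP/1.1" 302 0 "-" "Mozilla/4.0"
192.168.1.20 - - [13/Jan/2006:08:10:00 +0500] "POST /cms/login HTTP/1.1" 401 312 "-" "Mozilla/5.0"
192.168.1.20 - - [13/Jan/2006:08:10:30 +0500] "POST /cms/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Turn combined-log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return events


def detect_password_guessing(log_text, login_path="/cms/login",
                             threshold=5, window=timedelta(minutes=1)):
    """One alert per source IP that produced `threshold` or more failed logins
    inside any `window`, noting whether a successful login followed the burst."""
    failures = defaultdict(deque)   # ip -> timestamps of recent 401s
    alerts = {}
    for ev in parse(log_text):
        if ev["method"] != "POST" or ev["path"] != login_path:
            continue
        ip = ev["ip"]
        if ev["status"] == 401:
            q = failures[ip]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "failures": len(q), "first": q[0],
                              "last": ev["time"], "success_after": False}
        elif ev["status"] in (200, 302) and ip in alerts:
            alerts[ip]["success_after"] = True      # the guessing paid off
    return list(alerts.values())


def attacker_timeline(log_text, ip, login_path="/cms/login"):
    """Requests the IP made after its first successful login: what the intruder
    did once inside, as (method, path, status) tuples."""
    inside = False
    actions = []
    for ev in parse(log_text):
        if ev["ip"] != ip:
            continue
        if ev["path"] == login_path and ev["status"] in (200, 302):
            inside = True
            continue
        if inside:
            actions.append((ev["method"], ev["path"], ev["status"]))
    return actions


def password_is_acceptable(username, password, min_length=8):
    """Policy check: refuse short passwords and any password containing the account name."""
    if len(password) < min_length:
        return False
    return username.lower() not in password.lower()


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_LOG):
        print(alert)
        print(attacker_timeline(SAMPLE_LOG, alert["ip"]))
    print(password_is_acceptable("miadhu", "miadhu"))
```

The detector only reports an address once the burst crosses the threshold, and the timeline starts at that address's first successful login, which is the two pieces of information an incident write-up like the one above needs first.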

The website is now back running as it were...

Dhiraagu MMS: kung fu-ed!

Ah. Data backup disks are always nice - especially those with older snapshots of work. You find things that you've totally forgotten about. Perhaps it is a photo, a document or maybe that song you used to play all the freaking time. As for me, I just stumbled across a hasty log and an interesting screenshot I had taken around mid 2005.

There is a litter of articles dedicated to Dhiraagu on my blog - there is one about their E-Bill system, another on the WWW proxy server and yet another on their WebSMS service. However, the Dhiraagu MMS service, which I recall as being officially launched in July '05, is something I haven't posted about. But now that I have chanced upon this "ancient" screenshot, and given that Dhiraagu has revamped their MMS website, I thought I'd share...

The screenshot shows the Dhiraagu MMS internet portal that is intended to be used to retrieve received MMS and to acquire MMS content for the phone. The shot shows an SQL injection probe on their website, and listed by the system in response is a list of database tables - a couple with interesting names. I leave it to your imagination what they contain, for I don't remember pursuing the matter any further :-P Note that Dhiraagu seems to have re-programmed their MMS service sometime late last year and I have no idea whether the lapses that gave rise to this exploit exist on the new website.

Dhiraagu MMS exploited?

Dhiraagu E-Bill flaw!

I came back from shopping this evening to find that my brother had messaged me on MSN Messenger saying he wanted to talk to me about something quite urgently. I called him up only to find him answering on the first ring and then unloading a megaton's worth of speech in under a minute. He sounded excited and mostly unintelligible, so I took my time digesting what he was saying. Basically what he said was that he had been checking the monthly call details of our home line when he got curious and took a look at the Dhiraagu E-Bill system to see what goes on under the skin. What he found was more than intriguing and he wanted me to investigate it further. (My brother has a bit of what he found out on his blog.) Now, here's my take on it.

Overview
The flaw Jaheen stumbled across lies in the online phone records viewing facility called E-Bill provided by Dhiraagu. Specifically, the flaw exists in the bill downloading section of this online application, which allows registered users to download the call records for their line. The lapse in appropriate security measures and the blind trust placed in the data provided by the user seem to let a (malicious?) user view the call details for ANY account number of a Dhiraagu customer.

Walk-through
First, I should note that in order to access and execute the flaw, you need to be a registered user of the E-Bill facility. You need to log in and have a valid session underway to access the required bill downloading facility.

That said, viewing the bill of a specific user is not that trivial a task either. The account number of the desired customer needs to be provided to the system, rather than merely the customer's telephone number. The account number is printed on the monthly bills that Dhiraagu sends out, in the format XX/XXXXXX/XXXX, where the Xs represent digits. Individual user targeting is thus greatly limited, but this is not to say that the consequences of this bug are insignificant. It is always possible to mess around and generate a combination of digits which in turn will quite likely correspond to a valid account number of some random customer. A very possible scenario could be an attacker generating all the combinations of the numbers and asking for the bills for each of these generated account numbers!

I duplicated the execution of the flaw using the same "tools" my brother used, i.e. the Live HTTP Headers extension for Mozilla Firefox. This extension is quite handy for these sorts of uses and misc. other debugging purposes.

Forging ahead, first up the E-Bill interface is accessed and the login process completed. This gives a cheesy interface that looks like this.


The bills download feature is accessed by clicking on the "Download bills" link from the left menu. The page that comes up next differs depending on the E-Bill account type and the number of telephone numbers combined into the E-Bill account that was logged in with. Skipping ahead, the E-Bill system throws up a page that looks like this:


Now this is where the magic begins. Enter the time duration for which the call records are desired. Then select the appropriate links to get to a download page where you are asked to click a button to start the downloading. The Live HTTP Headers (LHH) extension comes into play at this point. LHH is set to capture the traffic. Then the download button is clicked and soon enough Firefox happily displays the download save dialog for the file being received. The file is saved, but there is still nothing abnormal at this point.

Now to execute the amazing rabbit-out-of-hat magic of the E-Bill system, a bit of sleight-of-hand is added to the process. The button click in the above-mentioned download process creates an HTTP POST request which shows up among the last entries in the status window of LHH. This request is selected and the "Replay" button clicked to replay the download process with a few changes for the final effect.


As shown above, the highlighted "account=xxxxxxxxx" bit tells the E-Bill system which account number to generate the call records for! This is where our opportunity comes. This number is then changed to a known account number or any random number, and the HTTP "replay" continues as normal. As soon as the modified request is replayed, the E-Bill system again spits out a call records file for download. The difference this time? It is no longer the call records for the logged-in account but for the account number furnished in the modified replay.


Conclusion
Simply by manipulating a single 12-digit number that the E-Bill system trusts the user's browser with, we can extract the phone records of ANY Dhiraagu customer. This is a serious flaw and the resulting breach of privacy is a major concern for customers, who no doubt would want their phone usage records to be kept safe and confidential.
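An added illustration of the missing check (example code of mine, not Dhiraagu's E-Bill application): the vulnerable handler takes the account number straight from the POST body, while the fixed one only serves accounts bound to the logged-in user and records refusals, so that a login cycling through generated account numbers stands out in the audit trail. Session ids, user names and the 12-digit account numbers are constructed placeholders.

```python
# Constructed data for the example; the 12-digit account numbers are placeholders
# in the XX/XXXXXX/XXXX layout the post describes, not real Dhiraagu accounts.
BILLS = {
    "120000000001": "call records for 120000000001",
    "120000000002": "call records for 120000000002",
}
USER_ACCOUNTS = {"alice": {"120000000001"}, "bob": {"120000000002"}}  # who may view what
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}                  # session id -> user
DENIED = []   # audit trail of refused downloads: (user, requested account)


def download_bill_vulnerable(session_id, form):
    """The behaviour the post describes: the only check is that a session exists;
    the account number comes straight from the POST body and is trusted."""
    if session_id not in SESSIONS:
        raise PermissionError("login required")
    return BILLS[form["account"]]


def download_bill_fixed(session_id, form):
    """Same entry point with an ownership check: the requested account must be one
    bound to the logged-in user. Refusals are recorded for the detection side."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("login required")
    account = form.get("account", "")
    if account not in USER_ACCOUNTS.get(user, set()):
        DENIED.append((user, account))
        raise PermissionError("account not associated with this E-Bill login")
    return BILLS[account]


def attempt(handler, session_id, form):
    """Run a handler and report the outcome as data, so both paths can be compared."""
    try:
        return ("ok", handler(session_id, form))
    except PermissionError as exc:
        return ("denied", str(exc))


def suspicious_users(denied, threshold=3):
    """Logins refused for `threshold` or more distinct accounts: the footprint of
    someone asking for bills of generated account numbers one after another."""
    seen = {}
    for user, account in denied:
        seen.setdefault(user, set()).add(account)
    return {user for user, accounts in seen.items() if len(accounts) >= threshold}


if __name__ == "__main__":
    other = {"account": "120000000002"}   # bob's account, requested from alice's session
    print(attempt(download_bill_vulnerable, "sess-alice", other))
    print(attempt(download_bill_fixed, "sess-alice", other))
```

The safest variant of the fix does not read an account number from the form at all when the login has a single account; where a login legitimately covers several lines, the server-side set lookup shown here is the check that was missing.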

I, Dhiraagu proxy server

Now I know quite a few people would wet themselves on hearing of the dirty things one can do to Dhiraagu. I also know quite a few people would risk actually trying what I am about to narrate, so here I begin with a disclaimer.

-----
Disclaimer: The information presented in this article is mostly for entertainment purposes, and whatever educational value it may possess must be the result of some exotic butterfly flapping its wings under the canopy of the Amazon. At no time do I recommend that you or any circus animals attempt these and, consequently, I take no responsibility for your actions.
-----

If you are a dialup user on Dhiraagu Dhivehinet then every time you dial-in you get an IP address assigned automatically. An IP address is sort of a unique identifier for your computer on the internet. I was setting up an internet dialup connection to Dhiraagu on a friend's computer a few years ago when I wondered what would happen if I were to specify my own IP address in the settings rather than let Dhiraagu automatically assign me. If things were set correctly at Dhiraagu, what I was about to do should not be possible. However, I decided to try it out anyway, hoping that they might have mucked it up.

I decided I would attempt using the IP for the Dhiraagu proxy server, i.e. assign myself the same identity as the web proxy operated by Dhiraagu. As you might already know, all WWW traffic flows through a proxy server if you are a Dhivehinet customer; therefore the proxy server knows what you browse and when you browse, and can totally keep tabs on you. Similarly, by assuming its identity I should be able to see what the real proxy sees. I should be able to grant myself the same power! Sure enough, as soon as I dialed in with the forced IP, the connection status icon at the bottom of the screen lit up. The received packet count in the connection status window kept on increasing endlessly. I was getting bombarded by the web traffic coming into the proxy! I had successfully assumed its identity. I then disconnected and sat there with a wicked smile painted on my face, imagining the possibilities this opened up.

A few minutes later, my fingers were flying over the keyboard furiously as I wrote a quick 'n dirty proxy server program. Its purpose was to act as a proxy, logging all the data it received. I could have done a kazillion fun things to add to that but I resisted the temptation. An hour or so later, I had the proxy program working as I wanted and so went back to dialing in. As soon as my connection got established, the program started displaying the various requests coming in from users on the Dhiraagu network. Less than a minute into the dialup, my program crashed due to an overflow. There was too much data! I reprogrammed bits to fix the issue and went back on, logging data for about 5 minutes before disconnecting.

I opened up the log file created by my program and analyzed the various connection attempts. By the end of going over the log, I had another reason to be quite amused. The log indicated that about 75% of all the requests I had intercepted were for pornographic websites. This was proof that many Maldivian internet users used the internet for porn!!

Anyway, this "flaw" gives rise to a whole set of opportunities. I could impersonate any server on Dhiraagu. I could become one of their FTP servers and start logging username/passwords. I could become one of the web servers and start serving rogue web pages. I could become the email server and log username/password as people attempt to check mail. The possibilities were almost endless...

I have mailed Dhiraagu several times over the years regarding this issue but never received a reply. Sadly, this was still working about 6 months ago according to a friend who tried it. However, it may have been fixed in the recent endeavor by Dhiraagu to improve the security in their networks.
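As an added example (a toy model written in Python for this page, not Dhiraagu's access server), the two controls that close the hole described above: the dial-in server assigns the address itself from its own pool regardless of what the peer proposes, and it drops any packet whose source address is not the one bound to that session, raising an alert when a client asks for an infrastructure address. The pool and the "proxy" address are TEST-NET placeholders chosen for the example.

```python
import ipaddress


class DialInAccessServer:
    """Toy model of a dial-in access server (an assumption for the example, not
    Dhiraagu's equipment) showing two controls: addresses come from the server's
    own pool no matter what the peer proposes, and each session may only source
    packets from the address it was given."""

    def __init__(self, pool_cidr, infrastructure_addresses):
        self.pool = list(ipaddress.ip_network(pool_cidr).hosts())
        self.infrastructure = {ipaddress.ip_address(a) for a in infrastructure_addresses}
        self.sessions = {}   # session id -> address assigned by us
        self.alerts = []     # (session id, event, detail) for the operator's log

    def negotiate_address(self, session_id, client_proposal=None):
        """IPCP-style address step: ignore the client's proposal, hand out the next
        free pool address, and log proposals that deserve attention."""
        in_use = set(self.sessions.values())
        free = [a for a in self.pool if a not in in_use]
        if not free:
            raise RuntimeError("address pool exhausted")
        assigned = free[0]
        if client_proposal is not None:
            proposed = ipaddress.ip_address(client_proposal)
            if proposed in self.infrastructure:
                # A dial-in peer asking to be the proxy/mail/FTP server is worth an alert.
                self.alerts.append((session_id, "proposed-infrastructure-address", str(proposed)))
            elif proposed != assigned:
                self.alerts.append((session_id, "proposed-address-ignored", str(proposed)))
        self.sessions[session_id] = assigned
        return str(assigned)

    def accept_packet(self, session_id, src_ip):
        """Per-session ingress filter: forward only packets whose source address is
        the one bound to this session; anything else is dropped and logged."""
        bound = self.sessions.get(session_id)
        if bound is None or ipaddress.ip_address(src_ip) != bound:
            self.alerts.append((session_id, "spoofed-source-dropped", src_ip))
            return False
        return True


if __name__ == "__main__":
    srv = DialInAccessServer("198.51.100.0/29", ["203.0.113.10"])  # constructed pool and proxy
    print(srv.negotiate_address("ppp0", client_proposal="203.0.113.10"))
    print(srv.accept_packet("ppp0", "203.0.113.10"))
    print(srv.alerts)
```

The second control matters even if the first is in place: a client can put any source address into the packets it sends after the link is up, so the filter must be tied to the session, not to the negotiation.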


UPDATE (11-09-2005):
I just received a log from "Fatty" of Digital Squid that re-confirms what I revealed in the article. Thanks Fatty!

Below is a screenshot of the captured traffic in Ethereal, where I have applied an "http" filter to list only the web traffic. On the right side it shows the various websites people are browsing, and to the left of that is the IP address requesting that particular page. It is interesting to note that 53 percent of the requests are for porn :-)

For the technical lot who are keen to see the actual Ethereal capture, HERE is the log that Fatty provided me with.


Captured data on Ethereal when posing as Dhiraagu proxy

Battling for privacy: Keeping your computer data and internet communications secure

We live at a time where we have little or no privacy. All information about us is recorded, from birth to death. The quality and quantity of details logged may differ from society to society, but the details collected about a person extend beyond the visible and the obvious. To make things worse, we tend to rely on and store private and personal information on the products of the digital revolution - mobile phones, PDAs and of course computers - all of which are subject to confiscation and interception.

Let me impart some information on how to battle this belittling of the individual and gain a bit more privacy and security for your computer data and Internet communications.

TrueCrypt
Say you have a lot of documents, photos and emails that you don't want to be accessible to all. Say you want to be able to securely store data somewhere on your hard drive or USB storage device. Then TrueCrypt is the answer. It is a free, open-source utility available for flavours of MS Windows and can be found at http://www.truecrypt.org/

Now, aside from most of the technical mumbo-jumbo it may present to you, the utility is pretty easy to use. The concept it operates on is that it creates a special encrypted file and stores all of your data inside that single file. So all you have to do is "mount" the encrypted file with the program and suddenly your system shows a new disk drive. This drive is fully encrypted and you can continue working, saving and editing the files on the drive as you would with any other files. When you are done working, simply "unmount" the drive with the program. You can choose to carry the encrypted file on your USB storage device and even move the encrypted file between computers.

The encryption used is pretty secure and several ciphers are available, including 448-bit Blowfish. Access to the encrypted files is gained by means of a passphrase, which of course has to be wisely chosen. Follow the general password rules - a combination of characters and numbers, and make it long.

Eraser
When you delete a file using the standard Windows delete facility, you expect the file to be gone for good. However, files deleted using this method can easily be recovered in full by anyone with access to your system/drive! Enter Eraser. This is a nifty free, open-source utility for MS Windows that specializes in deleting files securely. It is available at http://sourceforge.net/projects/eraser/

It supports several deletion methods, including two US Department of Defense standard wipes. To make the deleted data unrecoverable, the utility overwrites the data to be deleted with random garbage. This is done enough times to ensure there is no recoverable residue of the data that was deleted.

To delete a file securely, right-click on the file and select "Erase". This is a habit you have to get used to; otherwise you may just end up doing standard "Delete"-button deletions.
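The overwrite-then-delete approach described above, as an added Python example (my own, not Eraser's code): each pass fills the file in place with random bytes and is flushed to disk before the file is truncated and unlinked. The pass count and the temporary file used by the demo are the example's own choices.

```python
import os
import secrets
import tempfile


def secure_delete(path, passes=3, chunk_size=64 * 1024):
    """Overwrite the file's contents `passes` times with random bytes, forcing each
    pass to disk, then truncate it to zero length and unlink it. Returns the
    number of passes completed."""
    size = os.path.getsize(path)
    # Unbuffered binary handle so every write goes straight to the OS.
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                written = f.write(secrets.token_bytes(n))
                remaining -= written
            f.flush()
            os.fsync(f.fileno())          # make the pass reach the disk before the next one
        f.seek(0)
        f.truncate(0)                     # leave no length for a recovery tool to read
        os.fsync(f.fileno())
    os.remove(path)
    return passes


def demo(content=b"constructed secret content " * 1000, passes=3):
    """Write constructed content to a temporary file, erase it, and report
    (passes completed, whether the file still exists)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    done = secure_delete(path, passes=passes)
    return done, os.path.exists(path)


if __name__ == "__main__":
    print(demo())
```

Overwriting in place only helps where the filesystem rewrites the same blocks, which was the case on the plain hard disks of the time; journaling and copy-on-write filesystems, SSD wear levelling, swap, application temp copies and backups can all keep a readable copy, so on such systems full-disk or container encryption (the TrueCrypt approach above) is the more reliable protection.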

VPN
Every time you connect to the Internet, you are effectively entering a warzone in your birthday suit. If you are in the Maldives, then your browsing data passes through the proxy servers at either Focus Infocom or Dhiraagu. The data is logged and will be used against you whenever required.

How do you get out of this? Well, an ideal answer would be a cryptographic VPN. However, this may go beyond the technical or financial means of many. If you are really paranoid about the security of your internet traffic, I suggest you look into the many VPN service providers. Quite a few of the web hosting companies provide it as part of their deal. Or, if you are the technical sort, you can simply rent your own server located anywhere remote in the world and install and run a VPN server.

A VPN basically creates a virtual network on top of the network you are actually connected to, which in this case is the Internet. The data then appears to flow directly from your computer to the VPN server but uses the actual network to carry it. The VPN can be encrypted to make the data secure and private and prevent snoops from keeping tabs on you. If you do get around to setting up a VPN, I recommend IPSec encryption for your VPN. If not, SSL can be an alternative.

Here are a couple of interesting sites/software regarding VPNs: VPN Labs, iOpus iPig, OpenVPN

Tor
When you are on the Internet, anyone from the ISP and the government to a variety of other services you connect to on the Internet may keep data on you. They keep track of your Internet traffic and effectively intrude on your privacy and anonymity by checking where you go and when you go.

Tor is a free, open-source utility that can combat traffic analysis. It is available at http://tor.eff.org/ and versions for Windows, Mac and Linux exist. Tor uses a method called "onion routing" to bounce your traffic several times through different hosts on the internet before it reaches the final destination. This way the origin and the destination are kept secret, which helps keep prying eyes at bay. It runs in the background, silently working to secure your internet traffic as you generate it.

Proxy
If your ISP makes you go through a proxy to access websites, then the sites you visit, the emails you send and read, the porn you jack off to late at night and even the political sites you sneak into but know you shouldn't access are probably all logged. If you are a Maldivian using the Dhiraagu proxy server as your browser proxy, then you are letting Dhiraagu store all the communications you make on the WWW. This is true for Focus Infocom customers as well.

In this case, one of the easiest methods to add more security to your internet communications is the use of an alternative proxy server. Now, depending on your ISP and their proxy configuration, you may not be able to use proxy servers running on various ports. Head over to http://www.atomintersoft.com/proxylist/ and select a proxy server of your liking. You may need to test out a few for speed and accessibility. Generally, you should avoid proxies running on port 80, for reasons I am too lazy to type right now. If you don't know how to change your proxy server in your browser, head over to http://www.proxz.com/tutorial.php

Well, I guess that is enough "advice" for now. Enjoy!

Dhiraagu WebSMS secrets

Dhiraagu WebSMS has been a dear friend to a lot of us. Some of us see it as a means of communicating with friends cheaply when we are strapped for cash while some others use it for more malicious purposes. Anyway, I took a different interest in it since its introduction some years ago.

Once upon a time...

When WebSMS was introduced, Dhiraagu relied on the interface scripts provided by Comverse for the SMS system they had purchased from Comverse. One part of the web interface had minor changes brought in to sport Dhiraagu logos and copyright lines, and was offered to the public as WebSMS. It was free to use and had no limits and no Dhiraagu signature lines appended. It was total fun! Of course, the fun was just beginning and I forayed into the scripts and ended up with access to the rest of the system that "websms" was actually part of... Dhiraagu then started to bring in changes. I suspect these changes were politically influenced rather than being for their own financial or technical reasons.

First, Dhiraagu had a signature line appended to messages. The signature was easy to get rid of by merely modifying the form data being submitted to the server. Of course, Dhiraagu fixed it (sorta) in due time.

Next up, they decided to add user registration. It was still free, thankfully. This was the first in a series of moves they've made to gather more and more specific data on the users. This initial user registration allowed anyone with an email address to open an account. This of course meant you could use throw-away free emails and aliases to open WebSMS accounts without revealing any real info about yourself.

Then, a few months later, registration with email addresses was scrapped and people were required to have a mobile number to register. The old accounts were of course purged after this change. This new change ruled out random people opening accounts and sending SMS - you needed to be their customer to send SMS via the web.

Sometime in late 2004, they decided to limit the number of SMS to 10 per day per account. Now, to implement this, they used a messed-up implementation of sessions and cookies. When you logged in, you got assigned a cookie that set a key "Dhi" with a value of the form "12345%2cWanker%2cWho". Simply by altering the "12345", which is probably something meant to act as a session id, one could override the 10 SMS per day limit. By changing this value, you effectively assume the identity of another user - but all without any authentication! Simply change the number and you are good for another 10 SMS. The interesting thing was that the user/session id didn't need to exist on their server - you could very well use 1000000 and move on to 1000001, 1000002 and so on for more SMS. I had the pleasure of getting my server blocked/ignored by Dhiraagu after I added this 'hack' to the Email2SMS service I offered at the time via maldivianunderground.net - but the block wasn't placed until after my Email2SMS service had dispatched around 2000 SMS in total using the 'hack', by the second/third day after they brought in the "upgrade".

I should mention there were other interesting but less trivial flaws in the WebSMS system - like being able to reset the password for (all) users on the system via SQL injection. The database table they had contained the following fields (amongst others): userid, username, password, mobileno. The login and password change facilities had SQL injection and logic deduction possibilities...
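An added example in Python with sqlite3 (my own, not Dhiraagu's MMS or WebSMS code) of the query shape behind both the MMS probe shown earlier and the WebSMS password-reset and login flaws just mentioned: a string-built query lets the input rewrite the WHERE clause, so one crafted username updates every row and one crafted password logs in as the first user, while the parameterised versions treat the same input as plain data. The table uses the field names listed above; the rows are constructed, and passwords are kept in clear only to keep the example on the query shape (real code stores a salted hash).

```python
import sqlite3

# Constructed rows; the column names follow the WebSMS table fields named in the post.
SEED_USERS = [
    ("alice", "pw-a", "7700001"),
    ("bob", "pw-b", "7700002"),
    ("carol", "pw-c", "7700003"),
]


def make_db():
    """Fresh in-memory database with the assumed users table."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, mobileno TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password, mobileno) VALUES (?, ?, ?)", SEED_USERS
    )
    return con


def change_password_vulnerable(con, username, new_password):
    """String-built UPDATE: the username becomes part of the SQL text, so a value
    such as  x' OR '1'='1  makes the WHERE clause true for every row.
    Returns the number of rows modified."""
    sql = "UPDATE users SET password = '%s' WHERE username = '%s'" % (new_password, username)
    return con.execute(sql).rowcount


def change_password_fixed(con, username, new_password):
    """Parameterised UPDATE: the same input is bound as data and matches no user."""
    cur = con.execute(
        "UPDATE users SET password = ? WHERE username = ?", (new_password, username)
    )
    return cur.rowcount


def login_vulnerable(con, username, password):
    """String-built SELECT: a password of  ' OR '1'='1  short-circuits the check."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s' "
        "ORDER BY userid LIMIT 1"
    ) % (username, password)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(con, username, password):
    """Parameterised SELECT: only an exact username/password pair returns a row."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY userid LIMIT 1",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(change_password_vulnerable(make_db(), "x' OR '1'='1", "owned"))   # 3 rows touched
    print(change_password_fixed(make_db(), "x' OR '1'='1", "owned"))        # 0 rows touched
    print(login_vulnerable(make_db(), "nobody", "' OR '1'='1"))             # alice
    print(login_fixed(make_db(), "nobody", "' OR '1'='1"))                  # None
```

Python's sqlite3 executes one statement per call, so the damage here is confined to what a single rewritten WHERE clause can do; drivers and databases that accept stacked statements widen it, which is why the parameterised form, not input filtering, is the fix.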

Soon after the 10 SMS limit "upgrade", in May 2005, Dhiraagu made another of its upgrades to make the messages being sent via the system appear to originate from the number of the WebSMS account holder. Up till then, the originating number was "+000". This new upgrade killed the anonymity of messages being received by a WebSMS recipient. It killed the fun, of course, and I had to find some way to get around it - just to piss off friends. It turned out Dhiraagu had simply appended the account holder's number to the cookie that is set when a user logs in - and then used that number from the cookie as the originating number whenever an SMS was sent. If you are having a hard time imagining how it looked, the cookie was of this form: Dhi=12345%2cJawish%2cJaa%2c770000. This opened up new possibilities! I could make SMS appear to originate from any number. I could make it that of a friend or foe. I could make the number an international one or even a landline one. Seeing my dad stare at the phone in disbelief when he received an SMS from himself was fun enough! Hehe.

Sadly, these "features" were fixed when Dhiraagu upgraded the system yet again in August 2005. No wild originating fun for now. I haven't messed around with it yet - much.

Psst. Tricks!

To finish off this lengthy post on Dhiraagu WebSMS, I'm sharing two neat tricks that you may like and that still work on Dhiraagu WebSMS as of today.

No signature line: Don't want the "(Dhiraagu WebSMS)" line to appear in messages you send via the WebSMS system? Then simply add an equals sign ("=") as the last character in your post!

Long messages: Do you have some looonnggg message to send to someone and it's hard to fit in the 140-character limit that WebSMS imposes on you? Worry no more. You don't need to split the message into bits and send them as separate messages, risking a decrease in that dreaded 10 SMS limit you have for the day. All you need to do is temporarily disable JavaScript support in your browser (it is an easy feat - consult your browser documentation on how to do this). When you type in the message now, the limit counter will stay the same and you can go on typing forever. The message is sent to the recipient as discrete SMS messages of ~140 characters each. However, you will be penalized for only one SMS in the WebSMS daily limit counter.
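For the WebSMS weaknesses described in this post (the session id and the originating number carried in the "Dhi" cookie, and the message length limit enforced only by JavaScript in the browser), an added example in Python of the server-side controls, a constructed model of mine rather than Dhiraagu's code: the cookie carries only an opaque token protected by an HMAC, the originating number and the daily counter come from the server-side account record, and a long message is charged per 140-character segment. The account data, key and numbers are constructed.

```python
import hashlib
import hmac
import math
import secrets
from collections import defaultdict

SEGMENT_CHARS = 140   # per-message text limit the post quotes for WebSMS


class WebSmsServer:
    """Constructed model (not Dhiraagu's code) of server-side WebSMS controls."""

    def __init__(self, accounts, daily_limit=10, key=None):
        self.key = key or secrets.token_bytes(32)   # HMAC key; constructed per run here
        self.accounts = accounts                    # username -> {"mobileno": ...}
        self.daily_limit = daily_limit
        self.sessions = {}                          # opaque token -> username
        self.sent_today = defaultdict(int)          # username -> segments sent today
        self.rejected = []                          # audit: (what was presented, reason)

    def _sign(self, value):
        tag = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return f"{value}.{tag}"

    def _verify(self, cookie):
        """Return the signed value if the tag checks out, else None."""
        value, sep, tag = cookie.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self.key, value.encode(), hashlib.sha256).hexdigest()
        return value if hmac.compare_digest(tag, expected) else None

    def login(self, username, password_ok=True):
        """Assumes the password check already happened (password_ok). The cookie
        value holds nothing but a random token and its MAC: no id, name or number."""
        if username not in self.accounts or not password_ok:
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(16)
        self.sessions[token] = username
        return self._sign(token)

    def send_sms(self, cookie, destination, text):
        token = self._verify(cookie)
        user = self.sessions.get(token) if token else None
        if user is None:
            self.rejected.append((cookie, "invalid session"))
            raise PermissionError("invalid session")
        if not text:
            raise ValueError("empty message")
        # Length is enforced here, whatever the browser-side counter said.
        segments = math.ceil(len(text) / SEGMENT_CHARS)
        if self.sent_today[user] + segments > self.daily_limit:
            self.rejected.append((user, "daily limit reached"))
            raise PermissionError("daily limit reached")
        self.sent_today[user] += segments
        origin = self.accounts[user]["mobileno"]   # from the account record, never the client
        return {"from": origin, "to": destination, "segments": segments}


def try_send(server, cookie, destination, text):
    """Report a send attempt as data: ("ok", result) or ("denied", reason)."""
    try:
        return ("ok", server.send_sms(cookie, destination, text))
    except (PermissionError, ValueError) as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    srv = WebSmsServer({"jawish": {"mobileno": "7700000"}})   # constructed account
    cookie = srv.login("jawish")
    print(try_send(srv, cookie, "7701234", "hello"))
    forged = "1000001." + cookie.rpartition(".")[2]          # edited id, original tag
    print(try_send(srv, forged, "7701234", "hello"))
```

Tying the counter and the originating number to the server-side session record is what removes both cookie tricks at once: an edited token fails the MAC, and a freshly minted token has no session behind it, so there is nothing for the client to edit that the server would believe.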

Enjoy!

Update (14 Oct 2005): Dhiraagu has fixed the bugs that made possible the two tricks revealed above. Too bad :-)