External Footprinting Tools for Passive Reconnaissance

dmitry

dmitry or the Deepmagic Information Gathering Tool can be used for a variety of reconnaissance purposes. It ships with Kali Linux and can be used to perform a whois lookup on the domain name of a host and save it to a text file like this:
dmitry -winsepo example.txt example.com

whois

Kind of obvious, but very useful to get initial pointers on names as well as IP addresses.
apt-get install whois

BGP

Looking Glass or bgp.he.net can be used to run BGP queries on an ASN.

scans.io

scans.io provides downloads of TCP/UDP port scans as well as service fingerprints like security certificates and DNS records. Its sister project censys.io allows the data to be queried online as opposed to downloading it.

Side note: pigz (parallel implementation of gzip) is a great tool for interrogating downloads quickly by using multiple CPUs and threads.

shodan.io

shodan.io is the search engine for the internet of things.

Common Crawl

An open repository of web crawl data available at commoncrawl.org.

crt.sh

Comodo’s Certificate Search can find certificates by domain name, organisation name or fingerprint.
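Certificate Transparency search results are most useful once the names they contain are consolidated into an inventory of what is publicly exposed. The following is an added example, not part of the original post: it parses a response in the shape of crt.sh's JSON output (the field names `name_value`, `issuer_name`, `not_after` and `id` are assumptions about that format) using a constructed sample, splits SAN lists into concrete hostnames and wildcards, flags certificates already expired at a given date, and counts certificates per issuer so that an unfamiliar CA stands out.

```python
import json
from datetime import datetime

# Constructed sample in the shape of a crt.sh JSON response for
# ?q=%.example.com&output=json. Field names are assumptions about the
# crt.sh format; the values are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=GB, O=Example Corp CA, CN=Internal Issuing CA",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nstaging-db.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2025-06-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA CA",
     "common_name": "vpn.example.com",
     "name_value": "vpn.example.com",
     "not_before": "2022-01-01T00:00:00", "not_after": "2023-01-01T00:00:00"},
])


def parse_crtsh(raw_json, now_iso):
    """Return (hostnames, wildcards, expired_ids) from crt.sh-style JSON.

    hostnames:   sorted concrete DNS names seen in any SAN entry
    wildcards:   sorted wildcard names (*.domain), which hide further hosts
    expired_ids: certificate ids whose not_after is before now_iso
    """
    now = datetime.fromisoformat(now_iso)
    hostnames, wildcards, expired = set(), set(), []
    for cert in json.loads(raw_json):
        # name_value holds all SANs separated by newlines
        for name in cert["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                (wildcards if name.startswith("*.") else hostnames).add(name)
        if datetime.fromisoformat(cert["not_after"]) < now:
            expired.append(cert["id"])
    return sorted(hostnames), sorted(wildcards), expired


def issuers(raw_json):
    """Count certificates per issuer; an unexpected CA is worth a follow-up."""
    counts = {}
    for cert in json.loads(raw_json):
        counts[cert["issuer_name"]] = counts.get(cert["issuer_name"], 0) + 1
    return counts


if __name__ == "__main__":
    hosts, wild, old = parse_crtsh(SAMPLE_CRTSH_JSON, "2024-06-01T00:00:00")
    print("hostnames:", hosts, "wildcards:", wild, "expired ids:", old)
    print("issuers:", issuers(SAMPLE_CRTSH_JSON))
```

Names such as staging-db.example.com in the output are the kind of host an organisation often does not realise it has published, and a wildcard entry means the CT log alone will not enumerate everything behind it.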

How to Enable Two-Factor Authentication on Amazon.co.uk

While two-factor authentication (2FA) isn’t officially available on Amazon UK, there is a very simple way of enabling the feature and making sure that your account benefits from that extra layer of security.

Two-Factor Authentication on Amazon

To enable 2FA for your non-US Amazon account, follow the steps below:

  1. Go to https://www.amazon.com and sign in using your Amazon UK credentials.
  2. Navigate to Your Account and locate the Change Account Settings link under Settings.
  3. You may be prompted for credentials again, but after you authenticate, you will be presented with a number of settings. Click Edit next to Advanced Security Settings.
  4. Read the information on the two-step verification page and click Get Started.
  5. Now you need to make a choice between enabling 2FA using SMS text messages or an authenticator app. Let’s consider each option’s features:
    • SMS text message:
      • Doesn’t require a smartphone or extra software, making it very easy to use and manage.
      • It is only available on a single device. If you lose your phone you may be left without access to your Amazon account until you can get a replacement SIM.
      • Requires cell reception to work.
    • Authenticator app (Authy):
      • It is not dependent on cell reception or a connection to the internet.
      • You can generate codes from multiple devices without relying on your phone.
      • Recovering Authy itself, if you only had it on a single device, is likely to rely on SMS verification as well.
      • Amazon uses SMS texts as its backup code verification method in case you lose access to your app!
  6. We will go with Authy for this example, although SMS on its own can be just as good in most cases. Click on the Authenticator app option.
  7. Scan the displayed QR code into Authy and type the token that the app displays back in Amazon.
  8. You will now be asked to enter your backup phone number; any country is allowed. Proceed through the form, verifying your number with the code you’ll receive via SMS.
  9. Agree to the caveat and you’re finished!
Caveat: The last step of activating 2FA on Amazon alerts you to a minor inconvenience seen on mobile devices – they don’t support it. You will still be able to sign in, but you will have to append the code you receive to the end of your password string.

Caveat for Two-Factor Authentication on Amazon

TL;DR: Enable 2FA under Advanced Security Settings on Amazon.com and it will work for the UK site.

RFID security is a joke – or how I “paid” Amazon with a wristband

bPay bands

So a few days ago I heard that Barclays Bank were giving away their new product for contactless RFID payments – the so-called bPay wristband. Knowing that NFC-enabled chips for payment or otherwise are pretty unsecured, I decided that I would like to play with the new band and I ordered one. It was pretty easy to do and you don’t even need to be a Barclays customer or to provide them with real personal information for that matter.

The main goal of these bands is to be used as a replacement for your wallet during festivals – the idea being that you pay for alcohol, but you don’t bring your wallet, which you are prone to lose after you get wasted. Sounds great in theory, I guess, but never mind that now; discussing how unsecured and ridiculous contactless chips for payment and in general are, may be a topic for another post. Barclays have already been called out for their unsecured chips, but to be fair they didn’t quite deserve to take the bad press – every NFC-enabled card is the same.

I received my wristband in the post and for some reason I decided to act as a user first and “woke up” the band on the website – this basically ties the chip number with your account so you can top up money, I guess. I decided not to top up right now, but to dig out the chip, examine it and see what I’ve got.

bPay band chip

I wasn’t too surprised to find that the fancy bPay wristband was nothing more than a pre-paid MasterCard, save the magnetic strip and all the extra plastic – just in a form factor that you can wear.

I was originally planning to play with the wristband by cloning it on my phone and replaying the signature on a POS terminal – testing how unsafe these are and how I could buy drinks on you after shaking your hand in Hyde Park. Maybe just for fun I was going to replay it remotely via proxy – we’ve had that technology in the public domain for some time now, but it’s cool to see it in action. However, upon noticing the MasterCard logo it struck me – this little thing must have a card number. After all, these wristbands aren’t actually a new payment product, but just a mini card with NFC.

So instead of doing the obvious contactless shenanigans I could try to buy something online with this…

First step is to find out what the card details of this thing actually are. You can do this with your phone and an app that can read NFC. I’m not going to put any links here, but you can do a simple search and find what I’m talking about.

I already know, from reading previous research, that all “tap and go” payment chips contain pretty much everything that would be printed on your card and encoded in the magnetic strip, with the exception of the CVV number, usually seen on the back of the card. I scan the plastic with my phone and surprise, surprise – we have a number and an expiry date. Obviously, these mass-produced cards don’t hold name, address or other personal information, hence why you have to “wake them up” online in your account.

But that shouldn’t stop us – not having CVV or any money on the card doesn’t mean that we can’t prove that it can be used online. There are some merchants that don’t check your address and don’t even require a CVV. Notable examples? Amazon.

After quickly logging in to my account and heading over to the ‘Manage Payment Methods’ section, I find that Amazon is in fact pretty happy with me entering the details of my wristband as a new card and even using a complete nonsense name just to top it all off. Feeling pretty accomplished at this point, I wonder: can you actually complete a transaction using this thing? Because I’m not about to top up the minimum amount of £25 in the middle of the night just to do a silly test, I think: what requires a valid payment method, but doesn’t immediately cost any money? The answer? Audible. I had downloaded the app from an ad in Bacon Reader a few days ago as my way of saying “thank you” to the awesome developers who maintain it. Figured I was going to try the service when I got around to it… Now, the perfect time to start my trial, I click the confirmation button with bPay as my selected payment method and voilà – “Thank you for shopping at Audible”!

Amazon is happy and I have my trial – if I don’t want to continue I’ll cancel and they’ll be none the wiser. Of course I ought to change my payment method if I want to keep the service, because otherwise any request for funds will surely be denied with my modest balance of £0. Obviously if you top up your card you’ll be able to make actual purchases online. The Audible trial was simply a proof of concept using an empty account.

TL;DR: bPay bands are in fact MasterCard(s). They are unsecured. You can use them online and register for an Audible trial by reading their card details with your phone.