Breaking Into Banks (Ethically)
Hacking banks ….whoaa!!! sounds something Very complex hacking process where you will just break into bank’s server and computers and steal the accounts and data of users.
Not actually , But don’t be disappointed i am gonna Talk about something which is equivalent to what you imagined after reading the Title, and the best part of this exploitation is everyone will understand how and why did it happen. As i have said earlier Hacking is an art , an art of “Thinking Out Of The Box” , an art of Looking at a diffrent persepctive where you constantly think about what it should not be doing rather than what it should be doing. But before we dive into let’s discuss about a few things which most of us(Computer science graduates) have already read in colleges.
CONCURRENCY
Concurrency is one of the amazing ability of an OS , where diffrent parts of a program can be executed simultaneously without affecting the final outcome of the program computation. so in more simple language
“Concurrency is the execution of the multiple instruction sequences at the same time. It happens in the operating system when there are several process threads running in parallel. The running process threads always communicate with each other through shared memory or message passing”. Concurrency results in sharing of resources result in problems like deadlocks and resources starvation.
It helps in techniques like coordinating execution of processes, memory allocation and execution scheduling for maximizing throughput.
A little bit more about it.
To utilize fully and improve the performance there is Multithreading and multiprocessing . Multi-threading is the process where applications that have two or more threads that runs concurrently. and A multiprocessing system has more than two processors. The CPUs are added to the system that helps to increase the computing speed of the system.
RACE CONDITION
A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.
For example While i was in chennai , there used to be a fight for the AC where people from my front desk always asked to decrease the temperature of the Ac and my back desk people used to ask to increase and in between i used to suffer cause i had The Redmi note 5 phone…(sed lyf)…ok so the point is i could access the Ac because i had the phone , but if i can control the temp then probably everyone can ,whoever had a redmi phone. so think about the condition as two of us tried to control the AC and pressed the increase temp button exactly at the same time ….what will happen next?? One instruction might cancel the other or the two actions OR might trip the circuit breaker(in case of electronics) ..….Just a lame example i know but i don’t care so….Duck Off!!
A race condition may occur if commands to read and write a large amount of data are received at almost the same instant, and the machine attempts to overwrite some or all of the old data while that old data is still being read. for example →(Pic Credit :Vickie Li)
But, if the two threads are run simultaneously, without resource locks (a mechanism that blocks other threads from operating on the same resource) or synchronization (a mechanism that ensures that threads that utilize the same resources so not execute simultaneously), the execution could be scheduled like this:
In this case, the final value of the global variable becomes 1, which is incorrect. (The expected value is 2.)
This happens because the outcome of the execution of one thread depends on the outcome of another thread. When the two threads are executed simultaneously, unexpected outcomes can occur.
Okk now enough of Boring OS concepts let’s move to the intresting part . Let’s find out what happens when you transfer money from your Account to Another Account (Your Account: A, Another Account: B).
- Check if account A has enough balance.
- Add the money to account B.
- Deduct the money from account A.
- So suppose you made a payment of 500$ from account A to account B.
So the ideal Threads that will be executed will look like something
But You are a Hacker you are not going to do things normally ofcourse. so what if we treid messing with the sequence of requests. let’s do that.
So here you end up having more money than you sent in another account. and it has not been sent by Modiji (that will be 15lacs).
Ok this was a basic overview how does it work and let’s get practicle.
capture the request of the transaction in the Burp send it to Intruder and let intruder do the work for you.
Not going in deep as i beleive everyone is smart enough to figure it on their own and also i don’t want my name in newspaper where it qoutes A NooB Hacker inspired Another NooB Hacker to Exploit bank and ended up badly.(Lots of things i still have to do). So please don’t try this untill unless you have a clear permission to test.
“Be Ethical and keep Hunting”.
