Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- Social Security Administration + Social Security Advisory Board Internal Database Leak
- Below is my notes i wrote when auditing SSA + SSAB
- This is one of the exploit information i sent to @Ihazcandy in hope he could get it fixed
- unless he came at me like i was some skid
- With that said due to his actions and showing me the reality of how White Hat hackers act and that there is truly indeed no one willing to help another person in this world when it comes to this
- With that said Ihazcandy has shown me the light
- That apparently there just is not people that wants to help one another and even the greatest threats of all ( National Security ) can still not put people together
- Yet they come at you like your some dipshit and have no idea what your talking about
- But when it hits them in the face they decide to freak out - such as the 2,000 SCADA leak
- Well thankyou ihazcandy i truly want to thank you for inspiring me how white hat hackers truly are
- You are pathetic , and a disgrace to the Hacking Community
- ---------------------------------------------------------------------------------------------------------
- Social Security Administration + Social Security Administration Advisory Board
- SSA.gov
- Uses a Security Set - Providers Referr info * Note to self dont fucking type in shit in google dumbass *
- http://70.245.174.181/ - Social Security Office IP
- PORt - 3011 Admin-J511-5873 - What fucking JACE is it
- Social Security Administration Switch - Nigaera
- switches uses LonWork possibly - LonWork - I have exploit on them hmmmm
- http://70.245.174.181/ - moving on
- Network Map Matrix USA States
- Arizona
- Arizona Architecture is using SSL for Security
- Using Oracle10g for Database Software
- Oracle Application Server
- Arizona SSA System info
- 1U Quad-Core Dual Core Xon3200 3000 Series ZSuper server Brandname Super micor model super server 60158 T+V
- Using Linux as OS
- Possible Social Engineering INfo:
- Admin
- Deb Hemstra
- 602-364-1261
- 1818 W Adams Phoenix AZ 85007
- California
- Is using SSL for Security
- Using Oracle 9i for Database software
- using J2EE for Java Application Server
- Server type = IBM xSeries 365
- OS : Linux Redhat Linux Enterprise
- Social Engineering Info
- David Fisher
- 916-552-9213
- 1501 Capitol Ave Sacramento Co 95899
- Dfisher2@dhs.ca.gov
- JCE_5x1 Uses ASCII ENcryption E89
- Bureau of Vital Statistics BVS
- find fire4wall
- Try and see if i can pull GET request from the XMl's off the server
- Jace_51x
- tridium niagara (( sample default user name / pass - still need to find the rest ))
- How to hack the Social Security Administration
- you will be targeting the niagara Tridium JACE_51x Controller / Electronic Data Records/ Electronic Death Records/ SSN# etc etc
- port scan ip 70.245.174.181
- ull get port 3011
- 3011 = Jace 51_x
- U can connect either GUI or via Website
- The Jace 51_x uses 2 options for Security
- 1. SSL
- 2. VPN
- Lucky you i will provide you with a list of all the systems in each state of the United states of america detailing which system
- uses SSL or VPN + what operating system they are using + what Database Software and other random info
- Things to note:
- WHen you connect to the ip address and start Sniffing the network
- You will have to focus on the HEADER information
- When a Staff logins to the Electronic Death Records/ Jace_51x Website it requires a Top Secret PIN + Username + password
- Well the dumbass moron that coded this shit is a complete fucking moron that needs to be fired
- So what happens is
- U send request
- Firewalll Kicks in
- user Logs in
- Sends Header information
- encrypt via Base64
- ---- Where is the fail?
- well for one the dumbass sets up the firewall before the user log's into the application + fuck tard decided to encrypt the data with Base 64 so the whole Firewall is fucking pointless now due to the fact
- We know what systems use SSL and VPN - Obviously to get the SSL u will have to Sniff - etc etc im going to assume u know how to do that
- When ever u get that cert start to sniff
- pull Base4 Encoder information
- Decrypt
- Login
- You now have 100% access to the United States Social Security Administration
- -------------------------------------------------------------------------------------
- Social Security Administration Advisory Board
- I reported this vuln back in 2006 and it has been active ever since then
- Just drop the db's tis just a SQLI
- http://www.ssab.gov/PublicationViewOptions.aspx?ssab_pub=-104%27
- ----------------------------------------------------------------------------------------
- You can thank ihazcandy everyone for showing us the reality of the facts of hacking
- there is truly no one willing to help
- with that said everyone give a big fuck you to ihazcandy
- By: Hex00010
Add Comment
Please, Sign In to add comment