
NIC-BANK’s poor Ebanking System and possible security Flaws

24 Apr

NIC-Bank upgraded its core banking to T24 around September 2012. For a muggle reading this with no knowledge of what T24 is, please click here to find out more >>.


I can confidently speak well of T24, and in my books I would say the four below are the best core banking systems:

  1. Temenos T24 (NIC,KCB,CBA,Cooperative Bank etc)
  2. Sungard SYMBOLS (2 banks that denied me a loan)
  3. Finacle 10 (Equity Bank)
  4. Misys (Our Local Chamaa :-) )

Back to NIC Bank... so yesterday I logged into the online banking system as usual to check my deposits, since I was all drained after Easter: my balance, ATM withdrawals at 3 AM, another at 3:05 AM... (this alcohol is bad). Everything was OK. I was a little bored after watching Game of Thrones S04E03, so I decided to put to the test what the old master Idd Salim taught me. I decided to poke and probe the banking portal; I was actually looking to see if they had patched the Heartbleed vulnerability on the SSL, and voilà, just like a girl would drop her thong for me, NIC Bank revealed the goodies.

(screenshot: nic bank1)

I was inside the localhost JBoss directory... pretty simple, right? Then from there I clicked on Tomcat Status and the result was as below.

(screenshot: nic bank)

Again, if you don't know what you are reading, I suggest you read about Vera Sindika bleaching on Ghafla... it's about to get technical. From this point I could basically read all traffic being directed to the T24 servlet, that is, their e-banking portal. I could easily, for example, tell how long this portal >> had been running, as shown below... Call it Orgasm Number 1.

 

(screenshot: nic bank3)
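The pages the author walked into are the stock JBoss management endpoints: the Tomcat status servlet (whose `?full=true` view lists the full request line, query string included, of every in-flight request), the JMX and web consoles, and the JBossWS services page. As an added example that is not code from the original post, the script below checks whether those endpoints answer without authentication. The candidate paths are the defaults of JBoss AS 4.x/5.x, which is an assumption about the generation behind the screenshots, and the body markers are assumptions about the text of the stock pages.

```python
"""Check whether a JBoss AS 4.x/5.x host serves its management pages without
authentication. Added example, not code from the original post."""
import sys
import urllib.error
import urllib.request

# Stock paths of that JBoss generation, each with a marker the page body is
# expected to contain when it renders. Markers are assumptions taken from the
# default pages; a re-skinned install may need different ones. The invoker
# answers a GET with a serialized Java object, whose stream header is the
# bytes AC ED, so that is its marker once the body is decoded as latin-1.
CANDIDATES = {
    "/status?full=true": "Max threads",         # Tomcat StatusManagerServlet, per-request view
    "/jmx-console/": "JMX Agent View",          # MBean browser
    "/web-console/": "Management Console",      # JBoss web console
    "/jbossws/services": "JBossWS",             # endpoint list with version banner
    "/invoker/JMXInvokerServlet": "\xac\xed",   # HTTP invoker; Java serialization header
}


def classify(path, status, body):
    """Verdict for one candidate page given its HTTP status and body text."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        return "exposed" if CANDIDATES[path] in body else "unexpected-200"
    return "absent"


def fetch(base_url, path, timeout=5):
    """GET one path; returns (status, body) with status None on network error."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path, headers={"User-Agent": "jboss-exposure-check"}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def scan(base_url):
    """Verdict per candidate path for one host."""
    return {path: classify(path, *fetch(base_url, path)) for path in CANDIDATES}


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    for path, verdict in scan(base).items():
        print(f"{verdict:14} {path}")
```

Run it only against hosts you are authorised to test. A redirect to a login form shows up as `unexpected-200` because `urlopen` follows it, so read that verdict as "probably protected, confirm by hand". On the server side the fix is to put a `security-constraint` on `/status`, `/jmx-console` and `/web-console` (or undeploy them), bind the management interfaces to loopback, and have the reverse proxy forward only the application context to the JBoss instance.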

Let's get back to the logs, shall we... From the posted image it all looks like gibberish, right? I mean, what use would the following isolated GET requests have? Nothing, right? Look closely at the bolded lines: USERNAMES and PASSWORDS (sorry, hashed passwords) of people in real time as they log in; if you are keen, you can actually see the actual transaction they are doing.

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM296575598304&WS_FragmentName=TERM296575598304&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_LENAIB76311333EQ_296575598306&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas069005505702 HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM171895621804&WS_FragmentName=TERM171895621804&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_RNDERITU_171895621806&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas171895621702 HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM259965634004&WS_FragmentName=TERM259965634004&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_PARAPETLTD_259965634006&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas280095633902 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM216595639404&WS_FragmentName=TERM216595639404&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_GAITAJ36751_216595639406&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas280095586702 HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM216595650904&WS_FragmentName=TERM216595650904&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_DCHEMERIL_216595650906&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas259965644102 HTTP/1.1

 

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM270885699604&WS_FragmentName=TERM270885699604&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_VSAJJAN_270885699606&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas052495694502 HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM293145773704&WS_FragmentName=TERM293145773704&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_GODFREYIB32010232EQ_293145773706&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas185385772902 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM076165652004&WS_FragmentName=TERM076165652004&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_JOANJ_076165652006&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas076165651802 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM105555915704&WS_FragmentName=TERM105555915704&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_GOTIENO_105555915706&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas030935915402 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM095146107304&WS_FragmentName=TERM095146107304&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_IODHIAMBO_095146107306&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas095146105602 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM257346163204&WS_FragmentName=TERM257346163204&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_BENJAMINIB2510897EQ_257346163206&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas257346163002 HTTP/1.1

10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=LOANS076165652005&WS_FragmentName=LOANS076165652005&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_MUTUMAK_076165652006&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.LOAN.FRONT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas076165651802 HTTP/1.1

Sorry, but I will not reveal how to actually hash out the password, but I did actually try it and the results are shocking... If this landed in the wrong hands, basically an account with only one signatory would be drained in minutes. Orgasm Number 2.
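What a reader of the status page gets from rows like the ones above, as an added example that is not part of the original post: a small parser for the request rows, run over constructed sample rows that follow the same format with made-up login names (the identifiers from the real rows are deliberately not reused). In the rows as quoted, `user=GTUSER` is the same on every row, while the customer login is embedded in `compScreen=COMPOSITE.SCREEN_<login>_<n>` and the enquiry name in `enqname`, so each enquiry can be attributed to a customer without any password material at all. The `SENSITIVE_PARAMS` set is an assumption about which query parameters should never appear in a GET URL.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows in the shape of the status-page rows quoted above
# (client IP, a masked column, then the request line). Login names are
# made up; the real identifiers from the post are intentionally not reused.
SAMPLE_ROWS = """\
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM100000000001&WS_FragmentName=TERM100000000001&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_ALICE_100000000002&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas100000000003 HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=LOANS200000000001&WS_FragmentName=LOANS200000000001&contextRoot=&companyId=KE0010001&compScreen=COMPOSITE.SCREEN_BOBLTD_200000000002&command=globusCommand&skin=arc-ib&enqaction=SELECTION&requestType=OFS.ENQUIRY&enqname=AI.AA.LOAN.FRONT.NIC&routineArgs=NONE&reqTabid=&WS_replaceAll=&WS_parentComposite=DataAreas200000000003 HTTP/1.1
10.2.100.205 **************GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&windowName=TERM300000000001&compScreen=COMPOSITE.SCREEN_ALICE_300000000002&command=globusCommand&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/servlet/BrowserServlet?method=post&user=GTUSER&requestType=OFS.ENQUIRY&enqname=AI.AA.AD.ARRANGEMENT.NIC HTTP/1.1
10.2.100.205 ************** GET /t24arcib1/images/logo.gif HTTP/1.1
"""

# One row: client, optional run of mask characters (with or without a
# trailing space, both forms occur above), method, target, HTTP version.
ROW_RE = re.compile(
    r"^(?P<client>\S+)\s+\**\s*(?P<method>GET|POST)\s+(?P<target>\S+)\s+HTTP/\d\.\d$"
)
# compScreen carries the customer login between SCREEN_ and the numeric suffix.
SCREEN_RE = re.compile(r"^COMPOSITE\.SCREEN_(?P<login>[A-Z0-9]+)_\d+$")

# Query parameters that should never ride in a GET URL: status pages, access
# logs, proxies and browser history all record them. Assumed list.
SENSITIVE_PARAMS = {"user", "password", "passwd", "pin", "compScreen"}


def parse_row(line):
    """Split one status-page row into its client, path, query parameters,
    the customer login recovered from compScreen, and the T24 enquiry name."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m.group("target"))
    params = parse_qs(target.query, keep_blank_values=True)
    login = None
    for value in params.get("compScreen", []):
        sm = SCREEN_RE.match(value)
        if sm:
            login = sm.group("login")
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "path": target.path,
        "params": params,
        "login": login,
        "enquiry": params.get("enqname", [None])[0],
    }


def leaked_params(row):
    """Sensitive parameter names present in this row's query string."""
    return sorted(name for name in row["params"] if name in SENSITIVE_PARAMS)


def flag_rows(text):
    """(path, sensitive parameter names) for every row that exposes one."""
    flagged = []
    for line in text.splitlines():
        row = parse_row(line)
        if row and leaked_params(row):
            flagged.append((row["path"], leaked_params(row)))
    return flagged


def enquiries_by_login(text):
    """Map each customer login seen on the status page to the enquiries it ran.
    This is the attribution a reader of /status?full=true gets for free."""
    seen = defaultdict(list)
    for line in text.splitlines():
        row = parse_row(line)
        if row and row["login"]:
            seen[row["login"]].append(row["enquiry"])
    return dict(seen)


if __name__ == "__main__":
    for login, enquiries in enquiries_by_login(SAMPLE_ROWS).items():
        print(f"{login}: {', '.join(enquiries)}")
    for path, names in flag_rows(SAMPLE_ROWS):
        print(f"sensitive parameters in GET {path}: {names}")
```

The same regexes work as a detection rule over a reverse proxy's access log: any hit on `BrowserServlet` whose query string matches `SENSITIVE_PARAMS` is a request that should have been a POST with the identifiers in the body or the session, not the URL.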

OK, let's continue... let me go grab a Delmonte, I'll be back...

(screenshot: nic bank2)

The above shows all the applications running on the server, including but not limited to the actual T24 (t24arcib1). Man, they didn't even change the name... oh well.

A closer look at one of the applications: they are running jbossws, and the version is as below.

(screenshot: Runtime information)

So I leave it at that... I have since moved all my savings to my mattress account. If NIC-Bank reads this, feel free to ask for the vulnerabilities. And don't send the police after me, I am not a thug.

 

Posted by on April 24, 2014 in Uncategorized

 

One response to “NIC-BANK’s poor Ebanking System and possible security Flaws”

  1. amo

    May 6, 2014 at 8:09 am

    Wow, the Kenyan Adrian Lamo... be careful, they may not be that kind.

     
