PakistanDatabase.com

Fake Blockchain: from idea to implementation!

CyberGod

Administrator
Joined Dec 23, 2021
We have all heard about blockchain fakes (in our case, blockchain.com), but have any of us mere mortals seen the implementation itself, and what is a fake in general?

Buying a finished product on the market without knowing what it technically consists of is very risky. After all, over the past six months, or maybe a year, a lot of scammers have been exposed who showed a fake demo and then disappeared after receiving a large payment, but this article is not about that.

A NON-STANDARD article contest requires non-standard solutions)))
It was evening, there was nothing to do, and I decided to see how a fake blockchain could be implemented without any general technical understanding of how others have done it, relying only on the description of its features and the documentation.
So, for a moment, let's recall everything we know about fakes.
QUOTE:
> Fake - something false, unreliable, falsified, presented as valid, real, reliable in order to mislead.
In simple terms, a fake is a full copy of a site with the only difference being the domain, where the main idea is that the visitor does not notice the substitution and enters the data we need.
So, let's go!

First of all, we go to the site: https://login.blockchain.com
[image: 1.png]
We notice the version info at the bottom and a link that leads to GitHub.
We follow it and see that the web interface sources are published in the repository!

[image: 2.png]

Hmm... interesting, it turns out it is possible to stand up a copy of the web interface without any special knowledge?
I couldn't believe my eyes, was it really that easy? Who came up with the idea of publishing this officially is not at all clear.
Next, we read the instructions and try to install it:
[Hidden content]
The result: well, an "almost" full-fledged fake :)

[image: 3.png]

True, so far this fake does nothing in terms of sending data, which we will do now.
We need to find the authorization code in the files and try to add our own function.
We search the files for the keyword "login".
We find the main authorization file:

[image: 4.png]
Open the file: packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js

Add a function for simple sending:
[Hidden content]
The most important thing left is to run it all on a test domain and see if it works.
Edit the hosts file:
[Hidden content]
Open http://login.blockchain.test and try to log in.
[image: 5.png]

We see that nothing happens, so first of all we check the console:
[image: 6.png]
Disappointment awaited me: it turns out the API server does not allow requests from outside because of CORS.
We think, we think, how is CORS solved? Well, with an ordinary reverse proxy at the web server level, isn't it? Configuration file for a simple reverse proxy on the Caddy web server:

[Hidden content]
What exactly this config does: it simply proxies all requests to the blockchain.info domain and modifies the response so that CORS requests are allowed. You can do this on absolutely any web server; for ease of operation and clarity, Caddy was chosen as an excellent lightweight web server with automatic SSL support, written in Go.

Now we change the API server address in our web interface; for this we open the file config/env/production.js

Change:
[Hidden content]
to:
[Hidden content]
Let's try to log in again:
[image: 51.png]

Hooray! Authorization was successful and a confirmation email was sent.

We just have to check the mail and open the letter:
[image: 7.png]

Yes, but what the hell is my server's IP doing here?!

I thought for a moment: we only just bypassed CORS, so that's why this address is shown, and then I remembered... in all the threads where the fake was offered for rent, a feature called IP spoofing was mentioned.

The point is that an ordinary user who lands on a fake will, when confirming by mail, see that this is someone else's IP address and simply will not confirm it, which is not good. It turns out that without this feature our fake is just a kind of overpowered combine harvester; this could have been done in HTML + CSS.

We need to find some information about this spoofing... and so we remember:
QUOTE:
> IP spoofing - a type of hacker attack that uses someone else's source IP address to deceive the security system.

After a little thought, and after reading about IP spoofing again, I came to the conclusion that IP spoofing only works with UDP.
QUOTE:
> The transport-layer (layer 4) protocol TCP has a built-in mechanism to prevent spoofing.
In an HTTP request you cannot change the IP address, because HTTP works over TCP.

Is this the end? I was a little upset, brewed a cup of tea, and nevertheless decided to take another look at the site itself and the requests to https://login.blockchain.com after authorization:

[image: 8.png]

Oh yes... a very interesting subdomain in the header x-original-host: wallet.prod.blockchain.info!

We need to find out the details for all the domains and IP addresses.

We make a request to find out where blockchain.info is hosted:
[Hidden content]
Now let's find out who owns the IP address:
[Hidden content]
It remains to find out where wallet.prod.blockchain.info is hosted:
[Hidden content]
We find out who owns the IP address again:
[Hidden content]
I froze for a moment: they use CloudFlare, but the main server to which requests are sent is in the Google cloud.

Trying to ping:
[Hidden content]
Opening the site itself:
[image: 9.png]

404... hmm... and the tea has already cooled down a lot, but oh well, because we found something very interesting here.

I was upset again, but for a moment I remembered that since the site is proxied through CloudFlare and then passed on to Google Cloud, they must somehow transmit the necessary headers.

After all, anyone who has ever worked with CloudFlare knows that all requests to the server go: Visitor <-> CloudFlare <-> Server.

Therefore, to restore the visitor's real IP address, we need to read the documentation: https://support.cloudflare.com/hc/en-us/articles/200170786-Restoring-original-visitor-IPs

And so, with the tea already cold, we continue our journey. The documentation says that to get the visitor's IP address you need to read it from the CF-Connecting-IP header; in our case, we need to send such a header. We try it first in an ordinary request:
[image: 10.png]
Checking the mail:
[image: 11.png]

Which made me extremely happy; it remains to integrate this into our reverse proxy:
[Hidden content]
Authorization works, but for some reason the balance is not shown:
[image: 12.png]

We open the console and see that the problem occurs because /multiadd is only available on blockchain.info, and it simply does not exist on wallet.prod.blockchain.info:
[image: 13.png]

It turns out our reverse proxy is not quite universal. We add some logic to our reverse proxy:

[Hidden content]
Great! Now everything works!

As a result, we already have: login and password capture + IP spoofing.
But this gives us nothing, because we won't be able to confirm by mail, and if the user also has two-factor authorization or IP address blocking turned on, then it's a real disaster.
We have made something fake, but we won't get any benefit from it if there is no permanent access to the account.
I decided to go back to basics and take another look at the web interface itself; we are interested in the security settings:

[image: 14.png]

Interestingly, the secret recovery key allows anyone to access the account?! Sorry, what?!

[image: 15.png]

I reread it a couple of times and only then did it dawn on me that this secret key is something sacred: if you lose it, you can lose the money in your account.
And if it is shown in the web interface, then you can also send it to yourself, but first we need to check what the secret key can do.

We enable two-factor verification + IP address whitelist in the settings.
We just have to check; for this we connect through a second SOCKS proxy and follow the link where we enter the recovery key:

[image: 16.png]

After entering the correct secret key, a form for changing the password appears:

[image: 17.png]

We enter the password, click on Recover Funds, and after that we get into the account instantly:

[image: 18.png]

As a result, recovery through the secret key allows you to bypass any account restrictions: two-factor authorization + IP address whitelisting.

It's just wild, I thought for a minute... so there is even no point in recording the login password, you can just collect secret keys and recover accounts, and then turn off the security settings, including changing the email address.

"So this is a feature, not a bug" - that's what the developers would say... ?

Now it remains for us to add all the missing features to the fake itself.

1) Secret recovery key.
We search the files for "recovery" and find the only function, "recoverySaga", which displays the private recovery key:

[Hidden content]
We need to change it a bit; open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts

Add a function that returns the secret key in a format convenient for us:

[Hidden content]
We still need to send this data, so add the send function:

[Hidden content]
2) Optional confirmation password aka second password.

Searching the files for "SecondPassword", we find an amazing function call:
[Hidden content]
Wonderful. This is exactly what we needed.

Open the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts

Add a function to send the second password data:
[Hidden content]
We will call the function a little later.

3) Balance

If there is information about the wallet balance, it will be easier to understand which account needs to be recovered immediately, and in the future we can simply add notifications.

Searching the files for "balances", we find an equally amazing function call in the same file we edited earlier:

[Hidden content]
Add a function to send the balance data:
[Hidden content]
Now, to send everything after authorization, we need to change the file packages/blockchain-wallet-v4-frontend/src/data/auth/sagas.js:
We look for the function:
[Hidden content]
Add after it:
[Hidden content]
After that, we need to add a new function to the file packages/blockchain-wallet-v4-frontend/src/data/goals/sagas.ts:
[Hidden content]
In the same file we look for:
[Hidden content]
Add after it:
[Hidden content]
In the file packages/blockchain-wallet-v4-frontend/src/data/goals/types.ts:

After "referral", add "sendData".

Ready! Our flawless fake with all the features has been created.

For clarity, I would also like to post materials with detailed instructions for installing on a server:
- Fake (configs + scripts, server vps-1)
- Reverse proxy (configs + scripts, server vps-2)
- Simple admin panel (configs + scripts, server vps-3)


PS: it's possible that complaints will fly that private stuff is going public, but no, friends: anyone could have reached this, and it shows exactly how the result was achieved rather than just publishing a ready-made solution.

This article is direct confirmation that nothing is impossible.
Just try and you will always achieve everything.

"With great power comes great responsibility"
 
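The "IP spoofing" step in the post above works only because the origin behind Cloudflare honoured a CF-Connecting-IP header regardless of which TCP peer sent it. The defensive check that closes that hole is the one Cloudflare's own "restoring original visitor IPs" guidance describes: trust the header only when the connection itself arrives from a Cloudflare address. The Go code below is an added example written for this page; it is not the post author's code, not Caddy's, and not blockchain.com's. The function name ClientIP, the handler helper, and the test addresses are assumptions of the example, and the Cloudflare ranges listed are only a sample placeholder for the published list at https://www.cloudflare.com/ips-v4, which an origin should fetch and refresh rather than hard-code.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// cloudflareRanges is a SAMPLE placeholder for Cloudflare's published egress
// ranges (https://www.cloudflare.com/ips-v4). Assumption for this example:
// a real origin loads the current list and refreshes it periodically.
var cloudflareRanges = mustParseCIDRs([]string{
	"173.245.48.0/20",
	"103.21.244.0/22",
	"104.16.0.0/13",
})

func mustParseCIDRs(cidrs []string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func fromTrustedProxy(ip net.IP, trusted []*net.IPNet) bool {
	for _, n := range trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

var errUntrustedHeader = errors.New("CF-Connecting-IP sent by a non-Cloudflare peer")

// ClientIP returns the address an origin should record for a request.
// remoteAddr is the TCP peer (http.Request.RemoteAddr, "host:port");
// header is the CF-Connecting-IP value, or "" when absent.
// The header is honoured only when the TCP peer is inside a trusted range;
// otherwise the peer address is returned together with an error, so the
// caller can log the attempt instead of silently accepting a spoofed IP.
func ClientIP(remoteAddr, header string, trusted []*net.IPNet) (net.IP, error) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // RemoteAddr supplied without a port
	}
	peer := net.ParseIP(host)
	if peer == nil {
		return nil, fmt.Errorf("bad peer address %q", remoteAddr)
	}
	header = strings.TrimSpace(header)
	if header == "" {
		return peer, nil
	}
	if !fromTrustedProxy(peer, trusted) {
		return peer, errUntrustedHeader
	}
	ip := net.ParseIP(header)
	if ip == nil {
		return peer, fmt.Errorf("malformed CF-Connecting-IP %q", header)
	}
	return ip, nil
}

// ClientIPFromRequest is the handler-level wrapper (assumed helper name).
func ClientIPFromRequest(r *http.Request) (net.IP, error) {
	return ClientIP(r.RemoteAddr, r.Header.Get("CF-Connecting-IP"), cloudflareRanges)
}

func main() {
	// Constructed cases: a genuine Cloudflare peer versus a direct connection
	// from an attacker-controlled reverse proxy that sets the same header.
	for _, c := range []struct{ peer, hdr string }{
		{"173.245.48.10:52011", "203.0.113.7"},
		{"198.51.100.23:44100", "203.0.113.7"},
	} {
		ip, err := ClientIP(c.peer, c.hdr, cloudflareRanges)
		fmt.Printf("peer=%s header=%s -> ip=%s err=%v\n", c.peer, c.hdr, ip, err)
	}
}
```

With this check in place, a reverse proxy that is not itself a Cloudflare edge cannot make the origin believe a request came from the victim's address: the origin records the proxy's real peer IP, and the error return gives the operator a signal worth alerting on. The same rule applies to X-Forwarded-For and any other client-supplied "real IP" header.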

DaxtonNC
Member
Joined Oct 14, 2023
Hey