Showing posts with label security bypass.

Saturday 8 December 2012

DNS Rebinding Attack Using Rebind

Rebind is a tool that implements the multiple A record DNS rebinding attack. Although this tool was originally written to target home routers, it can be used to target any public (non-RFC1918) IP address.

Rebind gives an external attacker access to a target router's internal Web interface. It works on routers that implement the weak end system model in their IP stack, have specifically configured firewall rules, and bind their Web service to the router's WAN interface. Note that remote administration does not need to be enabled for this attack to work. All that is required is that a user inside the target network browse to a Web site that is controlled, or has been compromised, by the attacker.
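The standard defence against the attack described above is for the device's Web interface to check the Host header against its own names and addresses, since a rebound request arrives carrying the attacker's domain. This is an added example, not code from the Rebind tool or from any router firmware; the device identities and the HTTP requests are constructed sample data.

```python
"""Host-header allow-list check, the standard defence against DNS rebinding.

Added example, not part of the Rebind tool or of any router firmware. In the
attack above the victim's browser ends up sending requests meant for the
attacker's domain to the router's WAN address, so the Host header carries a
name the router does not own. The identities and requests below are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

DEVICE_IDENTITIES = {"router.local", "192.168.1.1", "203.0.113.10"}


def normalise_host(host_header: str) -> str:
    """Drop an optional :port and IPv6 brackets; hostnames come back lower-cased."""
    return urlsplit("//" + host_header.strip()).hostname or ""


def host_header_allowed(host_header: str, identities=DEVICE_IDENTITIES) -> bool:
    """True only if the request was addressed to one of the device's own identities."""
    try:
        host = normalise_host(host_header)
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: exact, case-insensitive hostname match.
        return host in {i.lower() for i in identities}
    # IP literal: compare as addresses so differently written IPv6 forms still match.
    for ident in identities:
        try:
            if ipaddress.ip_address(ident) == addr:
                return True
        except ValueError:
            continue
    return False


def handle(raw_request: bytes) -> int:
    """Return the HTTP status a hardened device interface would answer with."""
    lines = raw_request.decode("latin-1").split("\r\n")
    hosts = [h.split(":", 1)[1] for h in lines if h.lower().startswith("host:")]
    # Exactly one acceptable Host header; none or several is a malformed request.
    if len(hosts) != 1 or not host_header_allowed(hosts[0]):
        return 400
    return 200


# Constructed requests: one rebound via the attacker's domain, one legitimate.
REBOUND_REQUEST = b"GET /admin HTTP/1.1\r\nHost: attacker.example\r\n\r\n"
LEGIT_REQUEST = b"GET /admin HTTP/1.1\r\nHost: 192.168.1.1:80\r\n\r\n"
```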



Important Links


Download rebind

Tested Routers (Affected + Not affected)

Rebind FAQ

Defcon Slides



Kind of an interesting vector, and I guess many out there are vulnerable.



Friday 17 August 2012

Bypass Android Pattern Lock In Easy Steps

Android devices have a security feature known as pattern lock, which prevents other people from accessing your device. One of the senior members at XDA has revealed a way to bypass this pattern lock feature completely.

There have been several attempts at finding different methods for bypassing pattern unlock on Android devices. Early methods involved tracing the smudges on the screen and guessing, since humans are more likely to use patterns they have already seen.

This method, posted on the XDA developers forum by m.sabra, requires USB debugging to be enabled on the Android device; you can then use ADB (Android Debug Bridge), a part of the Android SDK, to easily bypass the pattern unlock with a few lines of commands. The user has revealed two methods for bypassing it: the first involves running a few SQLite queries and the second requires deleting the associated key file.

You will need to download the Android SDK in order to continue with this hack.

Method 1:

adb shell
cd /data/data/com.android.providers.settings/databases
sqlite3 settings.db
update system set value=0 where name='lock_pattern_autolock';
update system set value=0 where name='lockscreen.lockedoutpermanently';
.quit

AND/OR

Method 2:

adb shell rm /data/system/gesture.key

You can either choose one of the methods or perform both (method 1 first and method 2 second). Be sure to reboot once you have performed any of the above-mentioned methods.



Users have reported that this method does not work on the latest Android Jelly Bean or on custom ROMs such as CyanogenMod, but earlier Android versions are vulnerable to this hack.

Even if USB debugging is disabled, you can still run these methods if a custom recovery is installed on the Android device. You will have to mount the relevant partition: go to 'Mounts and Storage' and mount /data. Then you can follow the above methods to bypass the lock.



Saturday 28 May 2011

Etherchange : Command Line Tool To Change MAC Address

I've already discussed how to change the MAC address of your Ethernet card under Windows as well as Linux. One more such tool, which is a command-line tool, is EtherChange.

EtherChange can change the Ethernet address of the network adapters in Windows.

Usage instructions

Download the exe file and run it from a Command Prompt. It will give you the instructions you need. EtherChange only works if your account is in the Administrators group.

Download link: EtherChange


Tuesday 10 May 2011

Learn Web Hacking With WackoPicko

WackoPicko is a website that contains known vulnerabilities. It can be a very efficient way to master web hacking skills. This project is similar to Damn Vulnerable Web Application and is a collection of common web vulnerabilities.

For more information and downloads, you can check the WackoPicko github page.

Vulnerabilities

Reflected XSS
http://localhost/pictures/search.php?query=blah
The query parameter is vulnerable.

Stored XSS
http://localhost/guestbook.php
The comment field is vulnerable.

SessionID vulnerability
http://localhost/admin/login.php
The session cookie value is admin_session, which is an auto-incrementing value.

Stored SQL Injection
http://localhost/users/register.php -> http://localhost/users/similar.php
The first name field of the register users form contains a stored SQL injection which is then used unsanitized on the similar users page.

Reflected SQL Injection
http://localhost/users/login.php
The username field is vulnerable.

Directory Traversal
http://localhost/pictures/upload.php
The tag field has a directory traversal vulnerability enabling a malicious user to overwrite any file the web server user has access to.

Multi-Step Stored XSS
http://localhost/pictures/view.php?picid=3
The comment field is vulnerable to XSS; however, the input must go through a preview form.

Forceful Browsing
http://localhost/pictures/highquality.php?picid=3&key=highquality
The user doesn't have to purchase the picture to see the high quality version.

Command-line Injection
http://localhost/passcheck.php
The password field is vulnerable to command-line injection.

File Inclusion
http://localhost/admin/index.php?page=login
The page is vulnerable to a file inclusion vulnerability; however, you have to include at the end.

Parameter Manipulation
http://localhost/users/sample.php?userid=1
The userid parameter can be manipulated to see any user's page, which otherwise requires being logged in.

Reflected XSS Behind JavaScript
http://localhost/piccheck.php
The name parameter is vulnerable.

Logic Flaw
http://localhost/cart/review.php
A coupon can be applied multiple times reducing the price of an order to zero. The coupon in the initial data is SUPERYOU21.

Reflected XSS Behind a Flash Form
http://localhost/submitname.php
The value parameter is vulnerable.

Weak username/password
https://localhost/admin/login.php
There is a default username/password combination of admin/admin.
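The logic flaw in cart/review.php listed above comes from re-applying a discount on every submission. As an added example, not WackoPicko's own PHP code, the cart below models that flaw beside a version that records the coupons used per order and derives the total from the items and the distinct coupons; the discount value attached to SUPERYOU21 is constructed.

```python
"""Coupon re-application logic flaw, vulnerable and fixed side by side.

Added example, not WackoPicko's own PHP code. It models the cart/review.php flaw
listed above (a discount re-applied on every submission) beside a version that
derives the total from the order's items and its distinct coupons. Prices are
in cents; the discount value for SUPERYOU21 is constructed.
"""
COUPONS_CENTS = {"SUPERYOU21": 1000}  # code -> flat discount in cents


class VulnerableCart:
    """Mirrors the flaw: a stored total that is decremented on every request."""
    def __init__(self, items_cents):
        self.total = sum(items_cents)

    def apply_coupon(self, code):
        # Nothing records that the code was used, so each replayed request
        # takes the discount off again until the order is free.
        self.total = max(0, self.total - COUPONS_CENTS.get(code, 0))
        return self.total


class HardenedCart:
    """One use per code per order; the total is derived, never stored."""
    def __init__(self, items_cents):
        self.items = list(items_cents)
        self.applied = set()  # server-side state, keyed by order id in a real shop

    def apply_coupon(self, code):
        if code not in COUPONS_CENTS:
            raise ValueError("unknown coupon")
        if code in self.applied:
            raise ValueError("coupon already applied to this order")
        self.applied.add(code)
        return self.total

    @property
    def total(self):
        # Recomputed from items and distinct coupons: a replay cannot lower
        # the price further, and the result never goes negative.
        return max(0, sum(self.items) - sum(COUPONS_CENTS[c] for c in self.applied))


def replay(cart, code, times):
    """Submit the same coupon `times` times; return (final total, rejected submissions)."""
    rejected = 0
    for _ in range(times):
        try:
            cart.apply_coupon(code)
        except ValueError:
            rejected += 1
    return cart.total, rejected
```

Replaying SUPERYOU21 three times against a 25.00 order drives the vulnerable cart to 0 while the hardened cart settles at 15.00 and rejects the two extra submissions.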



Sunday 24 April 2011

Automatic SQL Injection And Database Takeover With SQLMap 0.9

sqlmap is an open source SQL injection penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. SQLMap consists of a very accurate detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SQLMap v. 0.9 was released on April 10, 2011 and now has more features than ever, with numerous improvements to the code. The SQL injection engine has been rewritten in v. 0.9, and the tool will be very useful for security experts, enthusiasts and hackers. The feature list of SQLMap is available HERE.

The tool can be downloaded from the sourceforge page HERE.


Saturday 23 April 2011

A Very Basic Guide To SSH Tunnelling To Bypass Web Filters

SSH, Secure Shell, is a program and protocol for securely logging in to and running programs on remote machines across a network, with encryption to protect the transferred information and authentication to ensure that the remote machine is the one desired. In this tutorial, I'll show you how to do simple SSH tunnelling to bypass web filters.

We'll be using an SSH client in this tutorial. One such SSH client is PuTTY, and we will be using PuTTY in our tutorial. It can be downloaded from HERE. We need a working SSH account, and there are lots of free as well as paid shell providers. I'll be using one of the shell accounts for this tutorial.

After downloading putty, open the program and enter the host and port information. The screenshot below will be helpful for you.


Now go to the SSH option in the left menu of PuTTY and select the Tunnels submenu. Set the source port to any higher port; I chose 8080 in my example. Then select the Dynamic option and click on Add, leaving the other options as they are.


Now, click on Open and log in to your SSH server. The only thing left is to set up your favourite browser to work with the SSH tunnel. In Firefox (under Ubuntu), I go to Edit - Preferences - Advanced - Network - Settings to set the proper proxy configuration. The setup entry will be:

Socks host: localhost
Port: 8080

That's all for the setup. Now you can use the SSH tunnel to browse the web, bypassing the web filters in your school or office. I hope it was useful. Thanks. :)


Thursday 21 April 2011

Practise, Learn and Master Web Application Hacking With DVWA

DVWA, which stands for Damn Vulnerable Web Application, is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.


The DVWA v. 1.07 can be downloaded from HERE.

You will need to install an Apache+PHP+MySQL environment (use the LAMPP or XAMPP packages) to run and test this web application. This will definitely help you learn to spot web vulnerabilities of varied levels. I hope this was useful. :)


Sunday 17 April 2011

How To Steal Stored Passwords From Firefox

Many of us use Firefox's built-in password manager to remember and store the passwords of the sites we log in to frequently. While this can be a very useful feature, it can be exploited by anyone with physical access (or any other form of access to the filesystem) to learn the saved passwords of the user. In this post, I will discuss how you can view and save the stored passwords of your friends for future reference.

When we select the "Remember Me" option to store passwords, the passwords are stored in two files:
1. key3.db
2. signons.sqlite

These two files are in the profile directory of the Mozilla Firefox application data for the respective user. Profile folders are placed in a common location by default but are named randomly for additional security (e.g., "xxxxxxxx.default" is the profile folder name for the "default" profile, where xxxxxxxx represents a random string of characters). This directory is located in different places depending on the operating system.

Under Windows: the %APPDATA%\Mozilla\Firefox\Profiles folder lists the profiles, and you can open any of the profiles from there.

Under Linux: ~/.mozilla/firefox/xxxxxxxx.default is the profile folder, so you can navigate to ~/.mozilla/firefox/ to view the profiles.

Under Mac OS: ~/Library/Mozilla/Firefox/Profiles/ or ~/Library/Application Support/Firefox/Profiles/ are the folders containing the profile directories.

You can follow any of the following two methods to view the stored passwords:

Method 1: On the target computer, go to Edit->Preferences->Security, click on Saved Passwords and then click on Show Passwords to view the login details of the victim in Linux. In Windows, you will have to go to Tools->Options->Security.

Method 2: The first method is applicable only for viewing the login details on the victim's PC. Whenever you want to save these details for further reference, you will have to copy the two files mentioned previously to your USB drive (or maybe to your mailbox). Now, all you have to do is copy these two files to the profile directory of your PC and then go to the menus mentioned in method #1.

I hope this was useful. Thanks. :)
