Saturday, September 10, 2011

Attacking A Windows XP Machine With SET - Browser Exploitation

The Social Engineering Toolkit (SET) is a must-have for penetration testers. It wraps the Metasploit exploits and payloads that depend on the target user doing something (opening a web page, a file, a USB stick) behind a menu-driven interface. SET was created by David Kennedy, a well-known penetration tester who also wrote Fast-Track. In this tutorial I walk through attacking web browsers with SET's Metasploit Browser Autopwn option. The target is a Windows XP machine; because Browser Autopwn loads every browser exploit Metasploit knows about, whatever browser the target uses is tried against the exploits that match it.


Requirements


Step 1:

Once BackTrack is up, open a console and run "cd /pentest/exploits/set". Once you are in the SET directory, type ./set to launch the toolkit.



Step 2:

Once SET has loaded you will see a wide variety of options. Since we are working with browser exploitation, select the second option, "Website Attack Vectors".


Step 3 

Next you will see a variety of website attack vectors. As we are working with browser exploitation, go for the second option, "The Metasploit Browser Exploit Method".


Step 4

Now SET asks what kind of web page it should serve. I recommend the first option, SET's built-in web templates (this tutorial uses the Gmail template); if you want to use your own page, the third option lets you import it. SET then asks whether you are using NAT/port forwarding. Since I am attacking a machine on the same local area network there is no need for port forwarding, so I answer no.

On the very next line you will see the prompt "Enter the IP address for the reverse connection:". Enter the IP of your BackTrack 5 box; this is the address the payload will connect back to.


Step 5:

Next you need to choose the browser exploit to use. In this case I am using Browser Autopwn, which is option "22" in my SET menu (the number varies between SET versions, so pick the entry labelled Metasploit Browser Autopwn rather than relying on the number).

Step 6:

SET now asks which payload to use for the attack. I am using a plain Windows reverse TCP Meterpreter payload, so the victim connects back to my box rather than my box having to reach the victim.


Step 7:

SET now starts its web server on the BackTrack box's local IP, 192.168.75.138, serving the Gmail template, and loads all the browser exploits into Metasploit. Once the page is ready and every exploit has been loaded, I move to my Windows box and enter 192.168.75.138 in the address bar. When a victim on the local area network visits that address, the cloned Gmail page loads and Browser Autopwn throws all of its browser exploits at the victim's browser.


Back on my BackTrack 5 box you can clearly see that a Meterpreter session has opened on the victim's machine and that a new notepad.exe process has been created; Metasploit's migrate script moves the session into that process so it survives the victim closing the browser.


Attacking Outside The Network

The method above only works inside your local area network. To attack a target outside it you need a public IP address and a port forward on your router so that both the port SET's web server listens on and the port of the reverse handler reach the BackTrack box. Port forwarding steps vary from router to router; most support it, but some do not.

I hope you have liked the tutorial, If you have any questions feel free to ask.

Sunday, September 4, 2011

'Theregister.co.uk' Hacked By TG Hacker

Here is one of the most shocking pieces of news today: theregister.co.uk, one of the biggest tech news sites, was hacked a few minutes ago. The site was not compromised through a traditional web application attack such as SQL injection, remote file inclusion or local file inclusion; instead a DNS hijacking (DNS redirection) attack was used, so requests for the domain were answered by a server the attacker controls rather than by The Register's own. The attack is credited to Turkguvenligi, also known as TG hacker, who has been behind major defacements in the past, including Microsoft and Dell sites.



If you check the hacker's zone-h record you will find that he only goes after major websites. It's quite sad to see that even major websites don't pay proper attention to their security.


From the above screenshot you can clearly see that the hacker has pointed theregister.co.uk's name servers at his own; with the NS records under his control he can answer queries for the domain with whatever address he likes.

Monday, August 29, 2011

Morto Worm Leaves Windows RDP At Risk


RDP stands for Remote Desktop Protocol. It listens on TCP port 3389 and lets a user control the desktop of another computer; it is used mostly in organizations and business environments. Recently a new worm named Morto has been causing a spike in traffic to TCP port 3389, according to a report by F-Secure.




How Does The Morto Worm Work?


Morto starts by infecting a single machine that has Remote Desktop enabled. From there it scans the network for other hosts with Remote Desktop, in technical terms hosts with port 3389 open. For each one it finds it tries to log in over RDP with a short list of common passwords. Here is the list Morto tries:

*1234
0
111
123
369
1111
12345
111111
123123
123321
123456
168168
520520
654321
666666
888888
1234567
12345678
123456789
1234567890
%u%
%u%12
1234qwer
1q2w3e
1qaz2wsx
aaa
abc123
abcd1234
admin
admin123
letmein
pass
password
server
test
user

As the list shows, Morto is doing nothing more than a very basic dictionary attack against Remote Desktop. The worm also drops several new files, including a DLL and a text file. As reported by F-Secure:

The infection will create several new files on the system including \windows\system32\sens32.dll and
\windows\offline web pages\cache.txt
Morto can be controlled remotely. This is done via several alternative servers, including jaifr.com and qfsl.net
We've seen several different samples. Some MD5 hashes include:
0c5728b3c22276719561049653c71b84
14284844b9a5aaa680f6be466d71d95b

The worm could be far more devastating if real brute forcing were added or a tool like Ncrack were integrated into it. Ncrack is a powerful RDP cracker, though it is sometimes slow and only gets in where the password is weak enough to be guessed.


By now you may have figured out the solution yourself. If not, it's simple: use strong passwords, and certainly none of the ones in the list above.
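As an added example (my own code, not from the post or from F-Secure), here are the two checks a defender would actually want from the list above. The first says whether an account's password is one Morto would guess; it assumes the %u% entries stand for the account name itself, which is my reading of the list and not something the post states. The second looks for Morto's pattern, many failed logons against one account from one source in a short window, in logon-failure records of the kind Windows writes as event 4625 for RDP (logon type 10) logons. The records are constructed for the example, not real data.

```python
"""Added example (mine, not from the post or F-Secure): two checks built from
the Morto password list above."""
from collections import defaultdict
from datetime import datetime, timedelta

# The dictionary Morto tries, copied from the list above.
MORTO_PASSWORDS = {
    "*1234", "0", "111", "123", "369", "1111", "12345", "111111", "123123",
    "123321", "123456", "168168", "520520", "654321", "666666", "888888",
    "1234567", "12345678", "123456789", "1234567890", "%u%", "%u%12",
    "1234qwer", "1q2w3e", "1qaz2wsx", "aaa", "abc123", "abcd1234", "admin",
    "admin123", "letmein", "pass", "password", "server", "test", "user",
}


def is_morto_password(password: str, username: str = "Administrator") -> bool:
    """True if Morto would guess this password for this account.
    Assumption: the %u% entries stand for the account name itself, so for
    "admin" the worm would also try "admin" and "admin12"."""
    expanded = {p.replace("%u%", username) for p in MORTO_PASSWORDS}
    return password in expanded


# Constructed logon-failure records, not real data: what a Morto-style guess
# storm leaves in the Windows Security log (event 4625, logon type 10 for RDP).
# Fields: timestamp, source address, target account.
EVENTS = [("2011-08-28 10:00:%02d" % (1 + 3 * i), "10.0.0.7", "Administrator")
          for i in range(12)]                                 # 12 failures in 33 s
EVENTS += [("2011-08-28 10:02:10", "10.0.0.42", "jsmith"),    # a user mistyping
           ("2011-08-28 10:09:45", "10.0.0.42", "jsmith")]


def find_bruteforce_sources(rows, threshold=10, window=timedelta(minutes=5)):
    """Return {source: peak_count} for every source that produced at least
    `threshold` failed logons against a single account within any `window`
    (sliding window over the sorted timestamps of each (source, account))."""
    by_key = defaultdict(list)
    for ts, src, user in rows:
        by_key[(src, user)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for (src, _user), times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            n = end - start + 1
            if n >= threshold:
                hits[src] = max(hits.get(src, 0), n)
    return hits


if __name__ == "__main__":
    for pw in ("123456", "Administrator12", "correct horse battery staple"):
        print(f"{pw!r}: {'in Morto list' if is_morto_password(pw) else 'ok'}")
    print("suspected brute-force sources:", find_bruteforce_sources(EVENTS))
```

The threshold and window are deliberately coarse: Morto hammers one account with a few dozen guesses in seconds, while a real user who mistypes twice in ten minutes stays well below the line, as the jsmith records show.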

Zero Day DOS Vulnerability In Apache Leaves Half Of Internet Vulnerable



A few days ago a serious DoS vulnerability was disclosed in Apache HTTPD 1.3 and 2.x (CVE-2011-3192). Given Apache's share of the web, that leaves something like half of the Internet's web servers exposed, and the attack is powerful enough that a single computer can take down a whole server. A tool named Apache Killer that exploits it has been observed in the wild.


According to Apache:

Apache HTTPD Security ADVISORY
==============================
Title: Range header DoS vulnerability Apache HTTPD 1.3/2.x
CVE: CVE-2011-3192:
Date: 20110824 1600Z
Product: Apache HTTPD Web Server
Versions: Apache 1.3 all versions, Apache 2 all versions
Description:
============
A denial of service vulnerability has been found in the way the multiple
overlapping ranges are handled by the Apache HTTPD server:
http://seclists.org/fulldisclosure/2011/Aug/175

An attack tool is circulating in the wild. Active use of this tool has
been observed.
The attack can be done remotely and with a modest number of requests can
cause very significant memory and CPU usage on the server.

The default Apache HTTPD installation is vulnerable.
There is currently no patch/new version of Apache HTTPD which fixes this
vulnerability. This advisory will be updated when a long term fix
is available.

A full fix is expected in the next 48 hours.


Apache Killer

Apache Killer is a DoS tool written in Perl. Each request it sends (the circulating script uses HEAD requests, but GET works just as well) carries a Range header listing hundreds of overlapping byte ranges. Apache keeps a separate in-memory copy of the requested part of the response for every range, so a handful of such requests from one machine is enough to exhaust the server's memory and CPU.

At the time of writing Apache has not released a patch for this issue, but it has suggested some immediate mitigations, quoted below:

Mitigation:
============
However there are several immediate options to mitigate this issue until
a full fix is available:
1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then
either ignore the Range: header or reject the request.
Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range
# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range
Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]
The number 5 is arbitrary. Several 10's should not be an issue and may be
required for sites which for example serve PDFs to very high end eReaders
or use things such complex http based video streaming.
2) Limit the size of the request field to a few hundred bytes. Note that while
this keeps the offending Range header short - it may break other headers;
such as sizeable cookies or security fields.

LimitRequestFieldSize 200
Note that as the attack evolves in the field you are likely to have
to further limit this and/or impose other LimitRequestFields limits.
See: http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
3) Use mod_headers to completely dis-allow the use of Range headers:
RequestHeader unset Range

Note that this may break certain clients - such as those used for
e-Readers and progressive/http-streaming video.
4) Deploy a Range header count module as a temporary stopgap measure:
http://people.apache.org/~dirkx/mod_rangecnt.c
Precompiled binaries for some platforms are available at:
http://people.apache.org/~dirkx/BINARIES.txt
5) Apply any of the current patches under discussion - such as:
http://mail-archives.apache.org/mod_mbox/httpd-dev/201108.mbox/%3cCAAPSnn2PO-d-C4nQt_TES2RRWiZr7urefhTKPWBC1b+K1Dqc7g@mail.gmail.com%3e
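To see what the mod_setenvif and mod_rewrite mitigations above actually accept and reject, here is an added example in Python (mine, not Apache's) that applies the advisory's two regular expressions to sample Range headers. One sample is shaped like the circulating tool's header, one open-ended range followed by hundreds of tiny overlapping ranges; that shape is my recollection of the tool and should be treated as an assumption.

```python
"""Added example (mine, not Apache's): apply the advisory's two Range-header
mitigations to sample headers so you can see what each accepts and rejects."""
import re

# Option 2 from the advisory, the pattern inside RewriteCond's negation:
# accept an empty/absent header, or "bytes=" followed by 1 to 5 ranges.
ALLOWED_RANGE = re.compile(r"^bytes=[^,]+(,[^,]+){0,4}$|^$")

# Option 1 from the advisory: five or more commas, i.e. more than five ranges.
TOO_MANY_RANGES = re.compile(r"(,.*?){5,}")


def rewrite_rule_rejects(range_header: str) -> bool:
    """Mirror of `RewriteCond %{HTTP:range} !(...)` + `RewriteRule .* - [F]`.
    True means Apache would answer 403 Forbidden.  Side effect worth knowing:
    a header whose unit is not "bytes" is rejected too."""
    return ALLOWED_RANGE.match(range_header) is None


def setenvif_drops(range_header: str) -> bool:
    """Mirror of `SetEnvIf Range (,.*?){5,} bad-range=1` followed by
    `RequestHeader unset Range env=bad-range`.  True means the header is
    stripped and the request is served in full instead of as a 206."""
    return TOO_MANY_RANGES.search(range_header) is not None


def count_ranges(range_header: str) -> int:
    """Number of range specs in the header (0 if it is absent)."""
    if not range_header:
        return 0
    _unit, _, specs = range_header.partition("=")
    return len(specs.split(","))


def attack_style_header(n: int = 1300) -> str:
    """Header in the shape of the circulating tool, as I recall it (assumption):
    one open-ended range followed by n tiny overlapping ranges, each of which
    costs Apache a separate in-memory copy of the response."""
    return "bytes=0-" + "".join(f",5-{k}" for k in range(n))


if __name__ == "__main__":
    samples = {
        "absent": "",
        "one range": "bytes=0-1023",
        "five ranges (pdf reader)": "bytes=0-99,200-299,400-499,600-699,800-899",
        "six ranges": "bytes=0-99,200-299,400-499,600-699,800-899,1000-1099",
        "attack": attack_style_header(),
    }
    for label, hdr in samples.items():
        print(f"{label:26s} ranges={count_ranges(hdr):5d} "
              f"rewrite_403={rewrite_rule_rejects(hdr)!s:5s} "
              f"setenvif_drop={setenvif_drops(hdr)}")
```

The two options draw the line in the same place (five ranges) but fail differently: the mod_rewrite rule refuses the request outright, while the mod_setenvif rule quietly serves the whole file, which is friendlier to a legitimate client that merely asked for a few too many pieces.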


Apache Killer In Action

Friday, August 26, 2011

Android Is The Number 1 Target Of Hackers


If you are an Android user, you could be the next victim. According to a report by McAfee, Google's Android has become the number one target of hackers. The report also says that the recent attacks by the hacktivist groups Anonymous and LulzSec helped drive a massive increase in online attacks.
According to the threat report, Android is the number one target because Google does not monitor the distribution of mobile apps, and as a result Android users are being hit by large-scale malware campaigns.


What kind of Malware is being distributed?

According to the McAfee report, the Android malware takes over the identity of the user, in effect an identity theft attack. Once it is installed, the attacker has access to any information on the device, including personal data, GPS logs and carrier and billing code information.

According to Dave Marcus the Director Of Mcafee Security Labs:
“There is malware ending up on Android phones that is coming out of China and is being used to steal the identity of Android users, Once hackers take control of an Android device, they have access to any kind of information on there including personal data, GPS logs and carrier and billing code information.”
In my view the reason Android is targeted the most is that most Android users do not run any antivirus at all, or if they do they never update it, which makes it fairly easy for attackers to promote and distribute malware. I don't think any zero-days are being used; a simple trojan with a little code obfuscation to get past antivirus is enough.

How Can I protect My Self From Android Malware?

It's simple: install a good antivirus and update it regularly. New malware appears every day, so make sure your antivirus stays current. Also avoid downloading apps you are not sure about, and do a little research on Google before installing any app.

You can download the Mcafee report by clicking here

Saturday, August 20, 2011

Advanced SQL Injection - Defcon 17


According to the OWASP Top 10 for 2010, injection, of which SQL injection is the most common form, is the most dangerous and most widespread class of web vulnerability. A SQL injection vulnerability comes from improper or missing input validation: user input is not filtered or escaped before it is embedded in a query and handed to the database, so the input can change the structure of the query itself. SQL injection attacks come in many forms but are usually grouped into three types:

1. Inband
2. Out of band
3. Inferential
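An added example (not from the post or the talk it links) of what "unfiltered input passed to the database" looks like and why parameterizing the query fixes it, using Python's sqlite3 module with a constructed two-row users table. It also shows the inferential type from the list above: a login check that only answers yes or no is turned into an oracle that leaks a stored password one character at a time.

```python
"""Added example (mine, not from the post or the Defcon talk): the injection
bug the post describes, its parameterized fix, and an inferential (blind,
boolean-based) attack against the buggy version.  Uses Python's sqlite3 with
a constructed two-row table."""
import sqlite3
import string


def make_db():
    """In-memory database with made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "S3cret!", 1), ("bob", "hunter2", 0)])
    return conn


def login_vulnerable(conn, name, password):
    """Unfiltered input pasted straight into the SQL string: the bug.
    Returns the matched user name, or None when no row matches."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized query: the values are bound by the driver and can never
    become SQL syntax, whatever characters they contain."""
    row = conn.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                       (name, password)).fetchone()
    return row[0] if row else None


# Characters worth guessing; the quote is left out so the probe stays valid SQL.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*_-"


def blind_extract_password(conn, victim, max_len=32):
    """Inferential injection against login_vulnerable(): the application only
    tells us whether the login succeeded, but a condition on the victim's
    password can be injected into the WHERE clause, so every yes/no answer
    leaks one bit and the password is rebuilt one character at a time."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in CHARSET:
            # OR in our own question and comment out the real password check.
            probe = (f"x' OR (SELECT substr(password,{pos},1) FROM users "
                     f"WHERE name='{victim}')='{c}' -- ")
            if login_vulnerable(conn, probe, "irrelevant") is not None:
                recovered += c
                break
        else:
            break                   # no character matched: end of the password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass, vulnerable   :", login_vulnerable(db, "alice' -- ", "wrong"))
    print("bypass, parameterized:", login_safe(db, "alice' -- ", "wrong"))
    print("blind extraction     :", blind_extract_password(db, "alice"))
```

The blind routine never sees a database error or a row of output; it only sees "logged in" or "not logged in", which is exactly why inferential injection survives in applications that hide error messages. Against login_safe() every probe is treated as a literal user name and the oracle returns nothing.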

While browsing the internet I came across an excellent presentation on advanced SQL injection techniques by Joseph (Joe) McCray, given at Defcon 17. In it he covers advanced SQL injection methods and topics such as IDS evasion and filter bypassing.


Wednesday, August 17, 2011

Apple Store Down, Hacked?


Well, currently the Apple Store is down in lots of countries. A rumour is floating around that it has been hacked or is the victim of a DDoS attack, which has people wondering whether the hacktivist group Anonymous is behind it. Usually when the Apple Store goes down it is because Apple is about to launch a new product, but if that were the case the store should be down in every country, not just some of them.


According to a ping test I ran, the Apple Store is down in a few countries but accessible in others, which leaves a DDoS attack as a possibility. Here is the screenshot of Apple's store; as you can see it's down and inaccessible.


Here is the screenshot of the just-ping scan, which shows the Apple Store down in many countries, with packet loss over 40% in some of them.


We will update you, as soon as we get more information on apple store's status.